
Topics - JimPhreak

Pages: [1] 2 3
Is this the case?  Having trouble finding confirmation of this.

IPsec / Higher throughput with OpenVPN than IPSec. Can it be?
« on: December 09, 2017, 01:23:37 am »
I set up a new IPSec tunnel between two pfSense boxes (Xeon D-1521 & Avoton C2758) with Gigabit internet.  I can't seem to break 17.5MB/s on SMB file transfers, yet I can hit 22MB/s via an OpenVPN tunnel between the same two boxes.

I've tried all different encryption settings and right now am using AES 128 and SHA1 for testing purposes, though no setting change has affected the throughput at all.  I've tried enabling MSS clamping and setting MTU to 1300 on both ends but no luck.

Being that OpenVPN is single threaded I realize I can't go beyond the 22MB/s I'm getting because it's maxing out my C2758 (CPU usage stays at 15-16% which equals 1 core maxed out).  However with both CPUs having AES-NI enabled I thought I'd at least be able to surpass OpenVPN speeds.  And while I realize SMB isn't the greatest test as it's a very chatty protocol and thus not great for WAN transfers, that still doesn't explain why I'm a good 40Mbit slower using IPSec vs. OpenVPN.

General Questions / Restore Certificates Only?
« on: November 30, 2017, 01:27:37 pm »
Is there any way to restore my certificates on a new install without editing the XML and restoring "ALL"?  Or if I only have the certs in the XML and restore "ALL" will it only import the certs and leave the rest of my manually configured settings?

Installation and Upgrades / Migration Advice - Moving to New CPU/MoBo
« on: November 30, 2017, 10:04:00 am »
I'm upgrading my pfSense box to a new CPU/MoBo combo.  I'm looking for some tips on how to avoid prolonged downtime due to configuration mismatches between my current config and the new setup.

My current system has 4 1GbE NICs.  I'm using 1 for WAN, and 2 are in a LAGG that connects to my core switch for all my local VLANs.  This is my main concern because the new system only has 2 onboard 10GbE NICs and I've got an add-on card with 4 1GbE NICs.

The plan is to re-install pfSense from scratch on the new system and import my config but I know the interfaces are certainly going to get mismatched and I'm not very comfortable with the CLI.  What's my best strategy here?

Hardware / Xeon D-1521 board compatible?
« on: November 21, 2017, 10:30:56 am »
I have the following board and want to upgrade my current pfSense box to use this board for better VPN throughput.  Are there any issues with this board as I have read some past posts about some Xeon D boards causing system crashes?

Hardware / C2758 vs C3758 for Gigabit VPN?
« on: November 02, 2017, 01:46:02 pm »
Need a low powered CPU that can handle close to 1Gbps VPN.  I'd prefer to use OpenVPN but realize that's probably not going to happen based on its single-threaded nature.  Will the C2758 suffice or should I go for the C3758?

IPsec / Celeron J1900 only pushing 125Mbps over IKEv2 IPSec?
« on: October 27, 2017, 11:13:29 am »
I currently have a site-to-site OpenVPN tunnel between two sites and I want to migrate that tunnel to an IPsec tunnel to be able to achieve full line speed (1Gbps).  Are there any docs/links that explain how to setup a new IPsec tunnel on pfSense 2.4 for someone who's only experience is with OpenVPN? 

OpenVPN / Minimum CPU for 1Gbps OpenVPN?
« on: October 26, 2017, 04:36:19 pm »
I'm going to assume my Celeron J1900 will not be able to handle Gigabit OpenVPN (AES-256-CBC/SHA256) since when I saturate the current line (100Mbps) the CPU usage hits 30-32%.  So my question is, what is the minimum CPU needed to be able to saturate 1Gbps OpenVPN (AES-256-CBC/SHA256)?

On a related question, would I be better off just getting a CPU that has AES-NI and using IPSec instead?

OpenVPN / OpenVPN Gotchas for upgrade to 2.4?
« on: October 12, 2017, 11:40:39 am »
Are there any gotchas or precautions that need to be taken with regard to OpenVPN connections before upgrading to 2.4?  I have site-to-site OpenVPN connections and multiple client OpenVPN connections (in a gateway group) to PIA that I want to ensure will remain active after an upgrade.

OpenVPN / Best "Consumer" routers for Site-to-Site VPN?
« on: June 09, 2017, 01:47:33 pm »
I'm looking to set up site-to-site VPN connections for all my family members' homes so my network.  Are there any good consumer routers out there that can do site-to-site OpenVPN out of the box without installing an open source firmware like DD-WRT, etc?  Max throughput needed for each VPN connection is 20-25Mbps.

OpenVPN / Why is /30 not allowed for OpenVPN server tunnel subnet?
« on: March 31, 2017, 12:00:31 pm »
If I only need 2 client IP addresses why is /30 not allowed?  If I try to set /30 the service won't start and I get the following in the log:

Options error: --server directive when used with --dev tun must define a subnet of (/29) or lower
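The error above comes from OpenVPN's default "net30" tun topology, in which every connecting client is handed its own /30 and the server itself occupies the first /30 of the tunnel network (.1 as its local address, .2 as the far end of its point-to-point pair). A /30 tunnel network therefore contains exactly one /30, which the server has already taken, so nothing is left for a client; a /29 is the smallest network that fits one client. The script below is an added example (not from JimPhreak's post, pfSense or the OpenVPN project) that models that allocation. The pool boundaries it uses are assumptions: the client pool starting at network+4 and ending 4 addresses before the broadcast address mirrors OpenVPN's documented 10.8.0.0/24 example (pool 10.8.0.4-10.8.0.251), and the /29 case is allowed to use its entire second /30 so that one client fits.

```python
"""Model of OpenVPN net30 address allocation for a --server tunnel network.

Added example; not code from the forum post, pfSense or OpenVPN. Shows why
"--server ... --dev tun" rejects anything smaller than a /29 in net30 topology.
"""
import ipaddress


def net30_plan(tunnel_network: str) -> dict:
    """Return the server endpoints and the per-client /30s for a net30 tunnel.

    Assumed pool sizing (modelled on OpenVPN's documented /24 example, not
    verified against pfSense): clients are drawn from network+4 up to four
    addresses below the broadcast address, except that a /29 may use its whole
    second /30 for a single client.
    """
    net = ipaddress.ip_network(tunnel_network, strict=True)
    if net.prefixlen > 29:
        # The condition behind "must define a subnet of (/29) or lower": a /30
        # holds exactly one /30, and the server already occupies it.
        raise ValueError(
            f"{net} is a /{net.prefixlen}: net30 topology needs a /29 or larger")

    base = int(net.network_address)
    server_local = ipaddress.ip_address(base + 1)   # server's tun address
    server_remote = ipaddress.ip_address(base + 2)  # far end of the server's /30

    reserve = 0 if net.prefixlen == 29 else 4       # assumption, see docstring
    pool_start = base + 4
    pool_end = int(net.broadcast_address) - reserve

    clients = []
    # A client /30 spans start..start+3, so the last usable start is pool_end-3.
    for start in range(pool_start, pool_end - 2, 4):
        clients.append({
            "subnet": ipaddress.ip_network((start, 30)),
            "client_ip": ipaddress.ip_address(start + 2),  # e.g. 10.8.0.6
            "peer_ip": ipaddress.ip_address(start + 1),    # e.g. 10.8.0.5
        })
    return {"server_local": server_local,
            "server_remote": server_remote,
            "clients": clients}


def max_clients(tunnel_network: str) -> int:
    """Number of clients a net30 tunnel network can serve; 0 if it is too small."""
    try:
        return len(net30_plan(tunnel_network)["clients"])
    except ValueError:
        return 0


if __name__ == "__main__":
    for cidr in ("10.8.0.0/30", "10.8.0.0/29", "10.8.0.0/28", "10.8.0.0/24"):
        print(f"{cidr:<14} -> {max_clients(cidr)} client /30(s)")
    plan = net30_plan("10.8.0.0/29")
    print("server", plan["server_local"], "<->", plan["server_remote"])
    for c in plan["clients"]:
        print("client", c["client_ip"], "peer", c["peer_ip"], "in", c["subnet"])
```

Running it shows the /30 case raising the same objection OpenVPN logs, the /29 case yielding exactly one client (10.8.0.6 paired with 10.8.0.5), and the /24 case yielding the 62 clients implied by OpenVPN's documented pool range. The practical consequence for the two-client case in the post is to configure a /29 (or larger) tunnel network rather than a /30.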

OpenVPN / Tun vs Tap mode...Simple as just flipping both ends?
« on: January 13, 2017, 05:42:47 pm »
I'm looking for devices on one end of my site-to-site VPN to be able to discover devices (via Plex GDM) on the other end of the VPN and thus both networks need to be part of the same broadcast domain.

Is it as simple as just flipping the device mode from Tun to Tap on both ends?  And even if it is, what other implications should I be considering other than increased overhead on the VPN tunnel?

Routing and Multi WAN / Routing UDP broadcasts across subnets
« on: July 22, 2016, 10:48:25 am »
Is it possible to route UDP broadcast traffic across different subnets?  My use case is being able to Google Cast from my phone on one subnet ( to a Chromecast on a subnet ( in a different physical location that is accessible via site-to-site VPN.  Nodes on both ends are running pfSense 2.3.1.

I've got an alias list of 40 dynamic DNS hostnames which are allowed inbound on my network over a specific port via a NAT/firewall rule.  However, there is one hostname whose associated IP address always gets blocked inbound over the allowed port.  When I do a DNS lookup for the hostname, the returned IP matches the one showing up in the blocks in the firewall.  All 39 other hostnames pass without issue.  I've tried removing the entry from the alias list and recreating it with no change.

Not sure where to go from here...

I have a tunnel network of configured and a client specific override configured as  When I connect my client gets an IP address of which is the network IP.  It should be getting a .26 address from what I understand.

It does this no matter what the override network is set to.  If I set it to for example, it gives out the network IP in this case

What am I missing?
