
Messages - 0x10C

I actually have the issue on all UDP ports. My VPN provider says to use UDP 2000 or something like that and if that doesn't work try UDP 53. I get the same speed issues on both. But not on TCP 443.

OpenVPN / Re: Packet Loss on WAN when OpenVPN Speed is High
« on: May 09, 2017, 09:22:28 am »
Okay it actually turned out that it was my ISP throttling. When I change OpenVPN to use TCP 443 instead of UDP 53 I have no more WAN packet loss and speeds went up to 200Mb/s like on my desktop.

It seems the OpenVPN file from my VPN provider by default already had the TCP 443 specified in it but of course when I followed their pfSense guide it said use UDP 53 instead which is what accounts for the speed discrepancy due to my ISP's throttling.

Thank you for reading, hope this helps someone!

OpenVPN / [SOLVED] Packet Loss on WAN when OpenVPN Speed is High
« on: May 09, 2017, 07:41:24 am »
I have a bit of a weird problem I'll try to keep it short.

I have two OpenVPN clients configured in pfSense (v2.3.4). I have them configured so that all my LAN traffic goes through one of them except one computer which uses the other OpenVPN client connection.

This all works fine, I can access the internet from any computer on my LAN and their traffic goes out via the OpenVPN clients as intended.

But if the data over any of the OpenVPN clients reaches around 50Mb/s or more both the OpenVPN client handling that traffic and the internet WAN gateway both start suffering bad packet loss. About 30-50% on the OpenVPN and 15-30% on the WAN interface.

Now my first thought was my ISP is throttling OpenVPN or something. So I installed OpenVPN on my desktop computer and ran the same tests and I'm getting 200Mb/s through it to the same OpenVPN server (across the internet) as I'm using with pfSense and this time no WAN packet loss.

So I thought perhaps it's the CPU on my pfSense box? So I ran an OpenSSL benchmark of AES-256-CBC which is what my VPN uses and got a speed result of between 195MB/s and 215MB/s (smallest 16 bytes to largest packets 8000 bytes - single thread test only). Which should be 1.5Gb/s to 1.7Gb/s.

So I'm really just kind of confused about what is going on exactly. Can anyone shed some light on this? Also, my CPU does not have AES-NI. I don't know how much or how little that helps on 2.3.4; is AES-NI even utilised by OpenVPN on this version of pfSense yet, or is that 2.4 only?

Anyway thank you for any assistance.

General Questions / CSRF Login Issue Solution
« on: November 20, 2016, 11:43:03 am »
I've read a few people on the IRC and on these forums that have this issue where they get a message saying:

CSRF check failed. Your form session may have expired, or you may not have cookies enabled.

And they all say the same thing, it doesn't happen when they run Chrome in incognito mode. I also had this problem so I decided to figure out what the issue was and I have found the reason for it occurring.

If you use LastPass, 1Password or another browser-based automatic login filler which overrides the input method of your browser, and you set up a login before you upgraded to the latest version of pfSense, the Username and Password forms which these plugins try to insert your Username and Password into have changed names (in pfSense 2.2.x -> 2.3.x).

The solution is simple: back up your username and password, erase the entries in your password manager (the forms it looks for) and create new generic ones just called username and password. Now when you log in using your password manager you won't have the CSRF error message etc.

I hope this is helpful to someone. After looking at a lot of threads on this error, no one seems to have posted a solution yet, but I was able to replicate the problem and find this solution with some time yesterday.

OpenVPN / Very poor OpenVPN performance
« on: June 11, 2016, 06:58:19 am »
Hey guys I'm paying for a public VPN service, so I don't control the server side only the client side.

The problem I'm having is when I use the OpenVPN Client on my desktop or laptop computers the speed is excellent around 200Mb/s consistently.

But when I use the OpenVPN Client in PFSense the speed is very low, 5-10Mb/s and if it gets any higher (30-40Mb/s) I get huge amounts of packet loss and very high latency being reported in the PFSense Status Page.

Here are two speed tests to illustrate the problem:

I did these tests within the same minute late at night when the network should have no congestion so you can really see the problem. Both my Windows/Mac OpenVPN Client and the PFSense Client are set up the same except for one difference: the Windows one uses a TAP interface and the PFSense is using a TUN interface. Apart from that they're both using UDP, same port number, same level of compression, same server that they connect to and of course through the same modem and the same ISP on my side. I have tried using OpenVPN over TCP instead and the results are identical.

Does anyone have any thoughts about what this could be? I'm also going to list my router specs although I think it's beefy enough to handle much higher speeds than this.

The router is running an Intel Haswell G3220 Pentium chip (3GHz Dual Core with 3MB Cache), 16GB of DDR3 Memory, on-board Intel NIC on the motherboard (WAN) and another Intel NIC in one of the PCIe slots (LAN). The system I'm using for both of those speed tests also has Intel NICs from an X79 motherboard. It is equipped with a 3930K and 32GB of DDR3.

When doing the speed test on PFSense the CPU load is only around 10-15% and the RAM usage is like 2GB out of 16GB. So I'm really not thinking it's the hardware but some kind of configuration issue or some setting I'm overlooking.

By the way I'm still using PFSense 2.2.6 - I've not yet upgraded to the latest version but I do plan to soon.


General Questions / Re: Periodic since 2.2 pages load blank, certs invalid
« on: February 10, 2015, 01:53:27 pm »
They will work okay with OpenDNS? - Thanks :)


I read that but I just wanted to confirm because I wasn't sure if you mistyped what you said due to the way it was worded.

General Questions / Re: Periodic since 2.2 pages load blank, certs invalid
« on: February 10, 2015, 01:40:46 pm »
Have you tried checking:

Harden Glue

Harden DNSSEC data

These two in particular, if you don't have them enabled, enable them. I changed things to enable both those by default, and we'll add config upgrade code to turn those on for anyone who doesn't have them enabled upon upgrade to 2.2.1.

Okay I've enabled both of those. They will work okay with OpenDNS? - Thanks :)

General Questions / Re: Periodic since 2.2 pages load blank, certs invalid
« on: February 10, 2015, 01:35:20 pm »
Ok so I've turned Hardened Glue on, what else should I enable?

General Questions / Re: Periodic since 2.2 pages load blank, certs invalid
« on: February 10, 2015, 01:21:35 pm »
I just started getting this problem today for the first time since I installed the 2.2-RELEASE.

I was also using the and DNS from Google. I've changed to using OpenDNS now which seems to have stopped the problem?

The thread is really long I read the first few pages, should I activate the Harden Glue feature? - Just a worried noobie.

Hardware / Re: [Solved] In/out errors on LAN
« on: January 31, 2015, 08:19:46 am »
I can't redo my network right now with this box as it's in production otherwise I would test to verify.

But based on what I saw when this was happening to me I think you're right. Hopefully this can be corrected in an update to PFSense so we don't get more threads like these with worried noobies like myself.  ;D

Hardware / Re: Need more than 1Gb/s LAN - How can I get there?
« on: January 22, 2015, 03:05:44 pm »
I get over 600MB/s sustained with my current setup in RAID6. Not worried about that not being able to cope at all :)

Hardware / Re: Need more than 1Gb/s LAN - How can I get there?
« on: January 22, 2015, 02:21:40 pm »
That's correct. My network right now has a nice sustained transfer speed of 112MB/s aka 1Gb/s with overhead.

For example, if I were to transfer a 30GB file right now from my server to my desktop it transfers the entire way (SMB 3.0 on both sides) at 112MB/s with no dips. My server is running 9 x 4TB Hitachi disks in RAID6 on a high end hardware card. The desktop is using SSDs with 500MB/s write rates, high end SSDs.

What I'm looking for is performance around 4Gb/s or let's say around 400MB/s (3.2Gb/s). Anything above that would be nice but not needed.

I think what I'm going to do is buy two Intel 10Gb cards and link the Desktop to the Server directly and see what that yields.

Hardware / Re: Need more than 1Gb/s LAN - How can I get there?
« on: January 18, 2015, 03:08:36 am »
Yes I could definitely do point to point and forego the switch. It's something I'm considering to lower costs actually.

Hardware / Re: Need more than 1Gb/s LAN - How can I get there?
« on: January 16, 2015, 03:53:27 am »
I figure I'll have to shell out quite a bit. But I'm willing to make that investment. My motto is, you buy cheap you buy twice. So if I have to pay a bit for quality I'll do it as long as I get the right stuff from the start.

Hardware / Re: Need more than 1Gb/s LAN - How can I get there?
« on: January 16, 2015, 03:35:46 am »
And be careful.  SFP+ cards will still need transceiver modules.

I figured they needed something like that from the shops I saw bundling the cards with transceivers. I think I'll stick with Ethernet for simplicity's sake.
