jimphreak

Any way to tune pfSense config for speed enhancement? REALLY slow.

I've tried connecting to multiple servers in Canada (have the lowest latency) and the US (closest to me geographically) and on no server can I get more than 40Mb/s downloads.  I have a 300/300 WAN connection and while I understand I'm probably not going to get the full speed of that over my VPN, 40Mb/s is just unacceptable to me.  Is there any way for me to configure my pfSense settings to increase the speed of my connection because if I can't even get half my WAN speed (150Mb/s up and down) there's really no point in me continuing to pay for this service.

300/300 is going to take some decent hardware. What's pfsense running on?

 

I only ask because many throw pfsense on tiny little devices and expect it to work miracles while running openvpn.

> 300/300 is going to take some decent hardware. What's pfsense running on?
>
> I only ask because many throw pfsense on tiny little devices and expect it to work miracles while running openvpn.

It's running on a SuperMicro A1SRI-2558F board with a C2558 CPU.  I have a site-to-site OpenVPN connection to my second home (75Mbps link between the two)  and when I transfer files over that VPN connection my CPU doesn't even hit 25% when saturating the link.  So it stands to reason I shouldn't have any trouble at least hitting half the speed of my WAN connection.

Unless something recently changed openvpn is single threaded.

If you're measuring cpu usage globally "all 4 cores" then 25% usage is one core pinned at 100%.

 

Also things like encryption type, keys etc. greatly affect the performance of openvpn.

So if your site-to-site connection is using a different encryption setup than Air, then seeing a difference in performance is normal.

 

You could search the forums and see what others are getting per specific hardware. But for 300/300 you're going to need a powerful chip. I'd probably shoot for an intel i3 or a xeon.

 

For a test you could install the air eddie client on your main pc or anything with a more powerful cpu. It might at least help you verify whether it's a cpu issue or not.

> Unless something recently changed openvpn is single threaded.
>
> If you're measuring cpu usage globally "all 4 cores" then 25% usage is one core pinned at 100%.
>
> Also things like encryption type, keys etc. greatly affect the performance of openvpn.
>
> So if your site-to-site connection is using a different encryption setup than Air, then seeing a difference in performance is normal.
>
> You could search the forums and see what others are getting per specific hardware. But for 300/300 you're going to need a powerful chip. I'd probably shoot for an intel i3 or a xeon.
>
> For a test you could install the air eddie client on your main pc or anything with a more powerful cpu. It might at least help you verify whether it's a cpu issue or not.

I don't believe that's how pfSense measures CPU usage.  On the other end of my Site-to-Site connection is another pfSense box with a Celeron J1900 (less powerful than the C2558) in it and that CPU load fluctuates between 27-33% with the connection maxed out.  So if one core being maxed out = 25% usage then that would mean one of the cores in the J1900 was somehow at 132% usage.

 

I'll give the eddie client a shot anyway though.  Where can I get it?

First try to use iperf over OpenVPN and measure the raw results.

Sometimes your ISP is the bottleneck, just like in my case. The advertized speed can never be reached even with powerful hardware, because QoS, latency and other things ISPs have to deal with come into the equation.

Basically anything with a "regular" home speed connection and price will be capped, otherwise ISPs cannot make profit. There are very few exceptions to this, since users demand more traffic for the same price, while peering and transit costs only increased over the years.


Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.

> First try to use iperf over OpenVPN and measure the raw results.
>
> Sometimes your ISP is the bottleneck, just like in my case. The advertized speed can never be reached even with powerful hardware, because QoS, latency and other things ISPs have to deal with come into the equation.
>
> Basically anything with a "regular" home speed connection and price will be capped, otherwise ISPs cannot make profit. There are very few exceptions to this, since users demand more traffic for the same price, while peering and transit costs only increased over the years.

I get 85 Mbps over my site to site OpenVPN connection between mine and my parents' house and I get my full rated speed to Usenet servers so I don't think it's my ISP throttling me.

> I don't believe that's how pfSense measures CPU usage.  On the other end of my Site-to-Site connection is another pfSense box with a Celeron J1900 (less powerful than the C2558) in it and that CPU load fluctuates between 27-33% with the connection maxed out.  So if one core being maxed out = 25% usage then that would mean one of the cores in the J1900 was somehow at 132% usage.
>
> I'll give the eddie client a shot anyway though.  Where can I get it?

The client is here: https://airvpn.org/enter/

 

@cpu usage

The point was openvpn is single threaded.

If you want to actually know what's going on ssh into the pfsense machine and run top or something.

 

Better yet, do what zhang888 recommended while ssh'ed into the machine and run top.

 

Quick edit:

The throttling zhang888 was talking about was the openvpn connection being throttled.

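The per-core versus aggregate CPU point raised in the replies above (a single-threaded OpenVPN process can saturate one core while the overall figure stays low, which is what running top over ssh would reveal), as an added example that is not from any poster in this thread: a shell function that turns two readings of FreeBSD's `kern.cp_times` sysctl into per-core busy percentages. The counter values are constructed samples and the function names `core_busy` and `pinned_cores` are hypothetical.

```shell
#!/bin/sh
# Added example: per-core busy % from two readings of FreeBSD's kern.cp_times.
# Each core contributes five tick counters, in order: user nice sys intr idle.
# On the firewall itself, take the readings one second apart:
#   a=$(sysctl -n kern.cp_times); sleep 1; b=$(sysctl -n kern.cp_times)
#   core_busy "$a" "$b"

# Constructed readings for a 4-core box (not taken from the thread):
# core 2 is saturated by one busy thread, the others are nearly idle.
SAMPLE_T0="1000 0 500 100 8400  1000 0 500 100 8400  1000 0 500 100 8400  1000 0 500 100 8400"
SAMPLE_T1="1004 0 506 102 8488  1002 0 503 100 8495  1070 0 529 101 8400  1001 0 502 100 8497"

# core_busy T0 T1 -> one "cpuN <pct>" line per core, then "all <pct>".
core_busy() {
    printf '%s\n%s\n' "$1" "$2" | awk '
        NR == 1 { n = NF; for (i = 1; i <= NF; i++) prev[i] = $i; next }
        {
            if (NF != n || n % 5 != 0) { print "bad sample" > "/dev/stderr"; exit 1 }
            for (c = 0; c < n / 5; c++) {
                total = 0
                for (s = 1; s <= 5; s++) {
                    delta[s] = $(c * 5 + s) - prev[c * 5 + s]
                    total += delta[s]
                }
                busy = total - delta[5]          # everything except idle
                printf "cpu%d %d\n", c, (total ? int(100 * busy / total + 0.5) : 0)
                sum_busy += busy; sum_total += total
            }
            printf "all %d\n", (sum_total ? int(100 * sum_busy / sum_total + 0.5) : 0)
        }'
}

# pinned_cores T0 T1 [THRESHOLD] -> names of cores at or above THRESHOLD %.
pinned_cores() {
    core_busy "$1" "$2" | awk -v t="${3:-95}" '$1 != "all" && $2 >= t { print $1 }'
}

core_busy "$SAMPLE_T0" "$SAMPLE_T1"
echo "pinned: $(pinned_cores "$SAMPLE_T0" "$SAMPLE_T1")"
```

With the constructed readings the aggregate comes out at 30% while one core sits at 100%. FreeBSD's `top -P` shows the same per-CPU breakdown interactively.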

Have you tried:

net.inet.ip.fastforwarding 1

It's in the advanced options / system tunables.

 

Imo still grab the client and check the speeds on a pc.

> Have you tried:
>
> net.inet.ip.fastforwarding 1
>
> It's in the advanced options / system tunables.
>
> Imo still grab the client and check the speeds on a pc.

Yes I had already enabled this as described in the pfSense guide on here.  Going to DL the client now and give that a shot.  I'll report back.

Ok so I downloaded the client and it does look like I'm getting the full speed with the client.  However it doesn't look like it's the CPU in my pfSense box that is limiting me.  

 

So the question is, is it something in my config.  I confirmed I'm using the same cipher (AES-256-CBC) in my pfSense OpenVPN config as the Windows client is using.  Is there something else I should be looking at that could be causing the slowdowns?

 

EDIT:  Ok something strange is going on.  I tried changing the Auth Digest Algorithm in the pfSense OpenVPN config (SHA1, SHA2-256, etc) to see if that was the issue but ever since I changed that and forced the connection to reset my speeds are CRAWLING (I'm talking 1Mbps) and even changing it back to where I had it originally (SHA2-256) does nothing.  Not sure where to go from here.

Did you make sure AES-NI is on? Did you check the temperature profile currently being used? Are your NICs on 1000Mbit setting? There are many small misconfigurations you can start with. Make sure you follow the guide from pfSense_fan from the start after you check the things I wrote.

 

Upload your sysctl table if nothing helps.


Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.

> Did you make sure AES-NI is on? Did you check the temperature profile currently being used? Are your NICs on 1000Mbit setting? There are many small misconfigurations you can start with. Make sure you follow the guide from pfSense_fan from the start after you check the things I wrote.
>
> Upload your sysctl table if nothing helps.

I followed pfSense_fan's guide step by step when setting up my connection.

 

How do I confirm if AES-NI is on?  I don't recall ever setting anything with regard to my NIC speed but considering I get the full 300Mbit download speed when not connected to the VPN I think they are working fine.

Well I have not been able to solve my speed issues with regard to my pfSense config.  My subscription has now expired and I have no incentive to re-up and continue service with AirVPN now with the kind of performance I was getting so I guess they've lost a customer.  Real shame.
