Any way to tune pfSense config for speed enhancement? REALLY slow.

[jimphreak 1]

I've tried connecting to multiple servers in Canada (have the lowest latency) and the US (closest to me geographically) and on no server can I get more than 40Mb/s downloads.  I have a 300/300 WAN connection and while I understand I'm probably not going to get the full speed of that over my VPN, 40Mb/s is just unacceptable to me.  Is there any way for me to configure my pfSense settings to increase the speed of my connection because if I can't even get half my WAN speed (150Mb/s up and down) there's really no point in me continuing to pay for this service.

[rickjames 106]

300/300 is going to take some decent hardware. What's pfsense running on?

 

I only ask because many throw pfsense on tiny little devices and expect it to work miracles while running openvpn.

[jimphreak 1]

300/300 is going to take some decent hardware. What's pfsense running on?

 

I only ask because many throw pfsense on tiny little devices and expect it to work miracles while running openvpn.

 

It's running on a SuperMicro A1SRI-2558F board with a C2558 CPU.  I have a site-to-site OpenVPN connection to my second home (75Mbps link between the two)  and when I transfer files over that VPN connection my CPU doesn't even hit 25% when saturating the link.  So it stands to reason I shouldn't have any trouble at least hitting half the speed of my WAN connection.

[rickjames 106]

Unless something recently changed openvpn is single threaded.

If you're measuring cpu usage globally "all 4 cores" then 25% usage is one core pinned at 100%.

 

Also things like encryption type, keys etc. greatly affect the performance of openvpn.

So if you're site-to-site connection is using a different encryption setup than Air, then seeing a difference in performance is normal.

 

You could search the forums and see what others are getting per specific hardware. But for 300/300 you're going to need a powerful chip. I'd probably shoot for an intel i3 or a xeon.

 

For a test you could install the air eddie client on your main pc or anything with a more powerful cpu. It might at least help you verify whether its a cpu issue or not.

[jimphreak 1]

 

Unless something recently changed openvpn is single threaded.

If you're measuring cpu usage globally "all 4 cores" then 25% usage is one core pinned at 100%.

 

Also things like encryption type, keys etc. greatly affect the performance of openvpn.

So if you're site-to-site connection is using a different encryption setup than Air, then seeing a difference in performance is normal.

 

You could search the forums and see what others are getting per specific hardware. But for 300/300 you're going to need a powerful chip. I'd probably shoot for an intel i3 or a xeon.

 

For a test you could install the air eddie client on your main pc or anything with a more powerful cpu. It might at least help you verify whether its a cpu issue or not.

I don't believe that's how pfSense measures CPU usage.  On the other end of my Site-to-Site connection is another pfSense box with a Celeron J1900 (less powerful than the C2558) in it and that CPU load fluctuates between 27-33% with the connection maxed out.  So if one core being maxed out = 25% usage then that would mean one of the cores in the J1900 was somehow at 132% usaage.

 

I'll give the eddie client a shot anyway though.  Where can I get it?

[zhang888 1066]

First try to use iperf over OpenVPN and measure the raw results.

Sometimes your ISP is the bottleneck, just like in my case. The advertized speed can

never be reached even with a powerful hardware, because QoS, latency and other things

ISPs have to deal with comes to the equasion.

 

Basically anything with a "regular" home speed connection and price will be capped, otherwise

ISPs cannot make profit. There are very few exceptions to this, since users demand more traffic

for the same price, while peering and transit costs only increased over the years.

[jimphreak 1]

First try to use iperf over OpenVPN and measure the raw results.

Sometimes your ISP is the bottleneck, just like in my case. The advertized speed can

never be reached even with a powerful hardware, because QoS, latency and other things

ISPs have to deal with comes to the equasion.

 

Basically anything with a "regular" home speed connection and price will be capped, otherwise

ISPs cannot make profit. There are very few exceptions to this, since users demand more traffic

for the same price, while peering and transit costs only increased over the years.

I get 85 Mbps over my site to site OpenVPN connection between mine and my parents house and I get my full rated speed to Usenet servers so I don't think it's my ISP throttling me.

[rickjames 106]

I don't believe that's how pfSense measures CPU usage.  On the other end of my Site-to-Site connection is another pfSense box with a Celeron J1900 (less powerful than the C2558) in it and that CPU load fluctuates between 27-33% with the connection maxed out.  So if one core being maxed out = 25% usage then that would mean one of the cores in the J1900 was somehow at 132% usaage.

 

I'll give the eddie client a shot anyway though.  Where can I get it?

 

The client is here: https://airvpn.org/enter/

 

@cpu usage

The point was openvpn is single threaded.

If you want to actually know what's going on ssh into the pfsense machine and run top or something.

 

Better yet, Do what zhang888 recommend while ssh'ed into the machine and run top.

 

Quick edit:

The throttling zhang888 was talking about was the openvpn connection being throttled.

[jimphreak 1]

This is the system activity in pfSense during an 85 Mbps OpenVPN transfer.

 

[rickjames 106]

Have you tried.

net.inet.ip.fastforwarding 1
 

Its in the advanced options / system tunables.

 

Imo still grab the client and check the speeds on a pc.

[jimphreak 1]

Have you tried.

net.inet.ip.fastforwarding 1
 

Its in the advanced options / system tunables.

 

Imo still grab the client and check the speeds on a pc.

 

Yes I had already enabled this as described in the pfSense guide on here.  Going to DL the client now and give that a shot.  I'll report back.

[jimphreak 1]

Ok so I downloaded the client and it does look like I'm getting the full speed with the client.  However it doesn't look like it's the CPU in my pfSense box that is limiting me.  

 

So the question is, is it something in my config.  I confirmed I'm using the same cipher (AES-256-CBC) in my pfSense OpenVPN config as the Windows client is using.  Is there something else I should be looking at that could be causing the slowdowns?

 

EDIT:  Ok something strange is going on.  I tried changing the Auth Digest Algorith in the pfSense OpenVPN config (SHA1, SHA2-256, etc) to see if taht was the issue but ever since I changed that and forced the connection to reset my speeds are CRAWLING (I'm talking 1Mbps) and even changed it back to where I had it originally (SHA2-256) does nothing.  Not sure where to go from here.

[zhang888 1066]

Did you make sure AES-NI is on? Did you check the temperature profile currently being used?

Are you NICs on 1000Mbit setting? There are many small misconfigurations you can start with,

make sure you follow the guide from pfSense_fan from the start after you check the things I wrote.

 

Upload your sysctl table if nothing helps.

[jimphreak 1]

Did you make sure AES-NI is on? Did you check the temperature profile currently being used?

Are you NICs on 1000Mbit setting? There are many small misconfigurations you can start with,

make sure you follow the guide from pfSense_fan from the start after you check the things I wrote.

 

Upload your sysctl table if nothing helps.

 

I followed pfSense_fan's guide step by step when setting up my connection.

 

How do I confrim if AES-NI is on?  I don't recall ever setting anything with regard to my NIC speed but considering I get the full 300Mbit download speed when not connected to the VPN I think they are working fine.

[jimphreak 1]

Well I have not been able to solve my speed issues with regard to my pfSense config.  My subscription has now expired and I have no incentive to re-up and continue service with AirVPN now with the kind of performance I was getting so I guess they've lost a customer.  Real shame .