Re: [pfSense] pfsense openvpn speed?

2017-11-25 Thread Eero Volotinen
Well,

cipher AES-256-CBC
auth SHA256

thinking to upgrade this to AES-256-GCM

Eero

2017-11-25 21:30 GMT+02:00 Jim Thompson :

> What crypto transform and authentication are you running?  Maybe try
> AES-GCM (which is AES-NI accelerated) at both ends if both devices support
> it. Might need pfSense 2.4 for this.
>
> Try setting the (OpenVPN) MTU to a larger number.
>
> More hints: https://forum.pfsense.org/index.php?topic=123915.0
>
> > On Nov 25, 2017, at 11:37 AM, Lyle  wrote:
> >
> > There is a lot of information missing here.
> >
> > You have a better Netgate unit, but if the internet port on it is
> > connected to a 100Mbps switch, performance will suck.  Same on the LAN
> > side.  And if the ports are mismatched (half vs full duplex for instance),
> > performance will suffer.
> >
> > What percentage of the gigabit link and/or LAN link on Netgate are you
> > utilizing before adding in OpenVPN?  Your ISP may be over subscribed and
> > its uplinks are saturated.
> >
> > You may be pushing too much traffic through the NetGate and it cannot
> > handle the load.
> >
> > In other words, based on the limited info you provided, you have not
> > provided proof that it's a problem with the NetGate.
> >
> > Lyle Giese
> >
> >> On 11/25/17 06:34, Eero Volotinen wrote:
> >> Hi list,
> >>
> >> We are running pfsense 2.3 on netgate sg-8860.
> >>
> >> Device is connected to internet with gigabit link, but openvpn speed is
> >> very slow (about 50Mbit/s). Any idea how to get more speed to vpn
> clients?
> >>
> >> Eero
> >> ___
> >> pfSense mailing list
> >> https://lists.pfsense.org/mailman/listinfo/list
> >> Support the project with Gold! https://pfsense.org/gold
> >


Re: [pfSense] pfsense openvpn speed?

2017-11-25 Thread Eero Volotinen
Thanks for the links. Looks like it might be wise to upgrade to pfSense 2.4 and
enable --cipher AES-256-GCM on OpenVPN?

Eero

2017-11-25 20:01 GMT+02:00 Joseph L. Casale :

> -Original Message-
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Eero
> Volotinen
> Sent: Saturday, November 25, 2017 5:35 AM
> To: pfSense Support and Discussion Mailing List 
> Subject: [pfSense] pfsense openvpn speed?
>
> > We are running pfsense 2.3 on netgate sg-8860.
> >
> > Device is connected to internet with gigabit link, but openvpn speed is
> > very slow (about 50Mbit/s). Any idea how to get more speed to vpn
> clients?
>
> Assuming the obvious, low-hanging fruit is addressed, there is much more
> to getting high throughput with openvpn than just link speed
> considerations.
>
> The openvpn wiki has good articles which may provide insight:
> https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux
> https://community.openvpn.net/openvpn/wiki/PerformanceTesting
>


Re: [pfSense] pfsense openvpn speed?

2017-11-25 Thread Jim Thompson
What crypto transform and authentication are you running?  Maybe try AES-GCM 
(which is AES-NI accelerated) at both ends if both devices support it. Might 
need pfSense 2.4 for this. 

Try setting the (OpenVPN) MTU to a larger number. 

More hints: https://forum.pfsense.org/index.php?topic=123915.0

> On Nov 25, 2017, at 11:37 AM, Lyle  wrote:
> 
> There is a lot of information missing here.
> 
> You have a better Netgate unit, but if the internet port on it is connected 
> to a 100Mbps switch, performance will suck.  Same on the LAN side.  And if 
> the ports are mismatched (half vs full duplex for instance), performance will 
> suffer.
> 
> What percentage of the gigabit link and/or LAN link on Netgate are you 
> utilizing before adding in OpenVPN?  Your ISP may be over subscribed and 
> its uplinks are saturated.
> 
> You may be pushing too much traffic through the NetGate and it cannot handle 
> the load.
> 
> In other words, based on the limited info you provided, you have not provided 
> proof that it's a problem with the NetGate.
> 
> Lyle Giese
> 
>> On 11/25/17 06:34, Eero Volotinen wrote:
>> Hi list,
>> 
>> We are running pfsense 2.3 on netgate sg-8860.
>> 
>> Device is connected to internet with gigabit link, but openvpn speed is
>> very slow (about 50Mbit/s). Any idea how to get more speed to vpn clients?
>> 
>> Eero


Re: [pfSense] pfsense openvpn speed?

2017-11-25 Thread Eero Volotinen
Well.

Both LAN and WAN are connected to full-duplex gigabit ports. It can do at
least 600Mbit/s NAT as tested with speedtest.net.

Well. WAN is utilized at most at about 100Mbit/s (10% of total connection speed).

Is this hardware underpowered to do over 100Mbit/s OpenVPN speed?

Eero

2017-11-25 19:37 GMT+02:00 Lyle :

> There is a lot of information missing here.
>
> You have a better Netgate unit, but if the internet port on it is
> connected to a 100Mbps switch, performance will suck.  Same on the LAN
> side.  And if the ports are mismatched (half vs full duplex for instance),
> performance will suffer.
>
> What percentage of the gigabit link and/or LAN link on Netgate are you
> utilizing before adding in OpenVPN?  Your ISP may be over subscribed and
> its uplinks are saturated.
>
> You may be pushing too much traffic through the NetGate and it cannot
> handle the load.
>
> In other words, based on the limited info you provided, you have not
> provided proof that it's a problem with the NetGate.
>
> Lyle Giese
>
>
> On 11/25/17 06:34, Eero Volotinen wrote:
>
>> Hi list,
>>
>> We are running pfsense 2.3 on netgate sg-8860.
>>
>> Device is connected to internet with gigabit link, but openvpn speed is
>> very slow (about 50Mbit/s). Any idea how to get more speed to vpn clients?
>>
>> Eero


Re: [pfSense] pfsense openvpn speed?

2017-11-25 Thread Joseph L. Casale
-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Eero
Volotinen
Sent: Saturday, November 25, 2017 5:35 AM
To: pfSense Support and Discussion Mailing List 
Subject: [pfSense] pfsense openvpn speed?
 
> We are running pfsense 2.3 on netgate sg-8860.
> 
> Device is connected to internet with gigabit link, but openvpn speed is
> very slow (about 50Mbit/s). Any idea how to get more speed to vpn clients?

Assuming the obvious, low-hanging fruit is addressed, there is much more
to getting high throughput with openvpn than just link speed considerations.

The openvpn wiki has good articles which may provide insight:
https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux
https://community.openvpn.net/openvpn/wiki/PerformanceTesting



Re: [pfSense] pfsense openvpn speed?

2017-11-25 Thread Lyle

There is a lot of information missing here.

You have a better Netgate unit, but if the internet port on it is 
connected to a 100Mbps switch, performance will suck.  Same on the LAN 
side.  And if the ports are mismatched (half vs full duplex for 
instance), performance will suffer.

What percentage of the gigabit link and/or LAN link on Netgate are you 
utilizing before adding in OpenVPN?  Your ISP may be over subscribed 
and its uplinks are saturated.

You may be pushing too much traffic through the NetGate and it cannot 
handle the load.

In other words, based on the limited info you provided, you have not 
provided proof that it's a problem with the NetGate.

Lyle Giese

On 11/25/17 06:34, Eero Volotinen wrote:
> Hi list,
>
> We are running pfsense 2.3 on netgate sg-8860.
>
> Device is connected to internet with gigabit link, but openvpn speed is
> very slow (about 50Mbit/s). Any idea how to get more speed to vpn clients?
>
> Eero


Re: [pfSense] 2.4 Bricked my APU4 Netgate

2017-11-25 Thread Elijah Savage
The device was only up for 4 hours before patching. Neither here nor there; I 
was not intending to blame anything, more or less treating it as an advisory 
to take necessary precautions as well as to see if anyone else had this happen and 
potentially knew of a fix.

Did not mean to turn this into a blame game.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Adam Thompson
Sent: Saturday, November 25, 2017 9:20 AM
To: pfSense Support and Discussion Mailing List ; 
Manuel Dejonghe 
Subject: Re: [pfSense] 2.4 Bricked my APU4 Netgate

If you're going to even consider blaming widely-used software for hardware 
problems, then absolutely, yes, please do this, if only to stop the accusations.
If you don't reboot regularly, now's a good time to change that policy, too.  
We aren't running NetWare 3.1 any more.  No reboots = no patches.
And of course be aware that many hardware problems only show up at reboot, the 
Intel Atom flaw being the most recent prominent example I can think of.
-Adam

On November 25, 2017 5:47:13 AM CST, Manuel Dejonghe  wrote:
>On 24 November 2017 at 01:35, Jim Thompson  wrote:
>> If there is no response from the bootloader (coreboot) on the serial
>port, then the hardware died, and the upgrade’s only involvement was 
>the reboot at the end.
>
>Sounds like it's good advice to reboot manually before the upgrade, 
>so that if it fails, you know why it failed. Would you agree?

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: [pfSense] 2.4 Bricked my APU4 Netgate

2017-11-25 Thread Manuel Dejonghe
On 25 November 2017 at 15:19, Adam Thompson  wrote:
> If you're going to even consider blaming widely-used software for hardware
> problems, then absolutely, yes, please do this, if only to stop the
> accusations.
> If you don't reboot regularly, now's a good time to change that policy, too.

I'm sorry, I meant it to specifically be able to distinguish between
reboot failures due to hardware failure (no software
change->reboot->failure?) and boot failures due to software problems.


Re: [pfSense] 2.4 Bricked my APU4 Netgate

2017-11-25 Thread Adam Thompson
If you're going to even consider blaming widely-used software for hardware 
problems, then absolutely, yes, please do this, if only to stop the accusations.
If you don't reboot regularly, now's a good time to change that policy, too.  
We aren't running NetWare 3.1 any more.  No reboots = no patches.
And of course be aware that many hardware problems only show up at reboot, the 
Intel Atom flaw being the most recent prominent example I can think of.
-Adam

On November 25, 2017 5:47:13 AM CST, Manuel Dejonghe  wrote:
>On 24 November 2017 at 01:35, Jim Thompson  wrote:
>> If there is no response from the bootloader (coreboot) on the serial
>port, then the hardware died, and the upgrade’s only involvement was
>the reboot at the end.
>
>Sounds like it's good advice to reboot manually before the upgrade,
>so that if it fails, you know why it failed. Would you agree?

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

[pfSense] pfsense openvpn speed?

2017-11-25 Thread Eero Volotinen
Hi list,

We are running pfsense 2.3 on netgate sg-8860.

Device is connected to internet with gigabit link, but openvpn speed is
very slow (about 50Mbit/s). Any idea how to get more speed to vpn clients?

Eero


Re: [pfSense] 2.4 Bricked my APU4 Netgate

2017-11-25 Thread Manuel Dejonghe
On 24 November 2017 at 01:35, Jim Thompson  wrote:
> If there is no response from the bootloader (coreboot) on the serial port, 
> then the hardware died, and the upgrade’s only involvement was the reboot at 
> the end.

Sounds like it's good advice to reboot manually before the upgrade,
so that if it fails, you know why it failed. Would you agree?

Re: [pfSense] Multiple OpenVPNs (site to site) to one head end

2017-11-25 Thread Chris L

> On Nov 22, 2017, at 9:34 AM, Ryan Coleman  wrote:
> 
> I want to pass the entire traffic from a few locations through one master. 
> 
> I have one site working. But when I try to connect the second site it kills 
> the first.
> 
> I have IPSec for some basic network connections as a backup for the moment 
> that allows me to get to customer servers but I want to run all my traffic 
> because… Comcast. 
> 
> I have Gig Fiber at the headend, bandwidth is not an issue.
> 
> Does anyone have a tried/tested example of getting either OpenVPN full tunnel 
> working on a (multiple sites)-to-(one site) or an IPSec configuration example 
> that would allow for 100% routing? 
> 
> My guinea pig is my home network. I have one customer that is also on Comcast 
> that is using the full site-to-site tunnel and I cannot afford to drop during 
> store hours.
> 
> Thanks!
> 

If you are trying to use a server-mode connection (SSL/TLS with a tunnel 
network larger than a /30) and you are getting one connection, then the second 
kills the first, it sounds like you are trying to use the same credentials for 
each site but don't have Duplicate Connections enabled on the server.

My suggestion would be to leave Duplicate Connections disabled and use discrete 
credentials for each site.
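The server-side settings raised across these threads (the CBC-to-GCM cipher change and the tunnel MTU from the speed thread, and the Duplicate Connections point in the reply above) can be checked mechanically before a change window. The linter below is an added example, not pfSense's code or any poster's. It assumes a plain OpenVPN `server.conf`-style file, takes `duplicate-cn` as the OpenVPN directive behind pfSense's "Duplicate Connections" checkbox, and the two configs it ships with are constructed samples, not the configs anyone in the thread posted.

```python
"""Lint an OpenVPN server config for the settings raised in these threads.

Added example, not code from pfSense, Netgate or any poster.  Checks for a
CBC data-channel cipher (the speed thread moves to AES-256-GCM, which is
AEAD and AES-NI accelerated), a weak or default HMAC, duplicate-cn (the
OpenVPN directive behind pfSense's "Duplicate Connections" checkbox, which
lets several sites share one credential instead of the discrete credentials
recommended above), and a tunnel MTU below OpenVPN's default.
"""
from typing import Dict, List, Tuple

# Constructed sample: roughly the starting point described in the speed
# thread, plus duplicate-cn and a small MTU to exercise the other checks.
WEAK_SERVER_CONF = """\
dev tun
proto udp
port 1194
server 10.8.0.0 255.255.255.0   ; larger than a /30 tunnel network -> server mode
cipher AES-256-CBC
auth SHA256
duplicate-cn
tun-mtu 1400
keepalive 10 60
"""

# Constructed sample: the same server after the changes discussed.
HARDENED_SERVER_CONF = """\
dev tun
proto udp
port 1194
server 10.8.0.0 255.255.255.0
cipher AES-256-GCM
auth SHA256          # ignored for the data channel with an AEAD cipher
keepalive 10 60
"""

DEFAULT_TUN_MTU = 1500          # OpenVPN's default for --tun-mtu
Finding = Tuple[str, str]       # (code, human-readable message)


def parse_openvpn_conf(text: str) -> Dict[str, List[List[str]]]:
    """Map each directive to every argument list it appears with.

    '#' and ';' start comments, and a directive may legitimately repeat
    (several 'push' lines, for instance), so all occurrences are kept.
    """
    conf: Dict[str, List[List[str]]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        directive, *args = line.split()
        conf.setdefault(directive, []).append(args)
    return conf


def effective_tun_mtu(text: str) -> int:
    """Tunnel MTU the server will use: the last tun-mtu line, or the default."""
    conf = parse_openvpn_conf(text)
    return int(conf["tun-mtu"][-1][0]) if conf.get("tun-mtu") else DEFAULT_TUN_MTU


def lint_openvpn_conf(text: str) -> List[Finding]:
    """Return (code, message) findings; an empty list means nothing to report."""
    conf = parse_openvpn_conf(text)
    findings: List[Finding] = []

    cipher = conf["cipher"][-1][0].upper() if conf.get("cipher") else ""
    if cipher.endswith("-CBC"):
        findings.append(("CBC_CIPHER",
                         f"cipher {cipher}: CBC needs a separate HMAC on every packet; "
                         f"{cipher[:-4]}-GCM is AEAD and AES-NI accelerated"))
        # With CBC the data-channel HMAC is chosen by 'auth'; OpenVPN defaults to SHA1.
        auth = conf["auth"][-1][0].upper() if conf.get("auth") else "SHA1"
        if auth in ("MD5", "SHA1"):
            findings.append(("WEAK_AUTH",
                             f"auth {auth} with a CBC cipher: use SHA256 or stronger"))

    if "duplicate-cn" in conf:
        findings.append(("DUPLICATE_CN",
                         "duplicate-cn: several clients may share one certificate; issue "
                         "discrete credentials per site so a lost or revoked one affects "
                         "only that site"))

    mtu = effective_tun_mtu(text)
    if mtu < DEFAULT_TUN_MTU:
        findings.append(("MTU_SMALL",
                         f"tun-mtu {mtu}: more packets, and more per-packet crypto work, "
                         f"per byte than the {DEFAULT_TUN_MTU} default"))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_SERVER_CONF), ("hardened", HARDENED_SERVER_CONF)):
        print(f"{name}: {lint_openvpn_conf(text) or 'no findings'}")
```

Run against the weak sample it reports the CBC cipher, `duplicate-cn` and the small MTU; the hardened sample comes back clean. The parser deliberately keeps every occurrence of a directive, since the last one wins in OpenVPN and a stray second `cipher` or `tun-mtu` line further down a long file is exactly the kind of thing a review misses.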

Re: [pfSense] 2.4 Bricked my APU4 Netgate

2017-11-25 Thread Elijah Savage
Thought you were on to something, and thanks for the directions, but I have an 
APU4; I took my board off and there is no removing of the BIOS. The CMOS battery is 
even permanently attached.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Holger Bauer
Sent: Friday, November 24, 2017 9:02 AM
To: pfSense Support and Discussion Mailing List 
Subject: Re: [pfSense] 2.4 Bricked my APU4 Netgate

If the BIOS really is bricked you could give this a try:
For APU1 boards: http://pcengines.ch/lpc1aapu.htm
For APU2 boards: http://pcengines.ch/spi1a.htm

Regards
Holger

2017-11-24 13:56 GMT+01:00 Peder Rovelstad :

> Is there a CMOS battery onboard?  Just a thought.
>
> -Original Message-
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Elijah 
> Savage
> Sent: Friday, November 24, 2017 6:01 AM
> To: 'pfSense Support and Discussion Mailing List' 
> 
> Subject: Re: [pfSense] 2.4 Bricked my APU4 Netgate
>
> To this point, has anyone replaced the mSATA drive in these? The 
> lights and everything still comes on in the front.
>
> -Original Message-
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Jim 
> Thompson
> Sent: Thursday, November 23, 2017 7:35 PM
> To: pfSense Support and Discussion Mailing List 
> 
> Subject: Re: [pfSense] 2.4 Bricked my APU4 Netgate
>
> If there is no response from the bootloader (coreboot) on the serial 
> port, then the hardware died, and the upgrade’s only involvement was 
> the reboot at the end.
>
> Jim
>
> > On Nov 23, 2017, at 10:59 AM, Ryan Coleman wrote:
> >
> > There’s likely a package you added to your APU4 that is stopping the
> > upgrade.
> >
> > If you use reddit you can get some assistance from more NetGate staff
> > there: http://reddit.com/r/pfsense/
> >
> >> On Nov 23, 2017, at 10:08 AM, Elijah Savage wrote:
> >>
> >> I know it is an older model but after my attempt to upgrade my APU4 
> >> it would not reboot. I let it sit for 24 hours as it was still 
> >> passing traffic but no reboot. Logged into the console from my 
> >> laptop and rebooted it and nothing comes back. It doesn't give 
> >> anything on the console and doesn't beep anymore when booting up, I 
> >> believe it doesn't get to that point.
> >>
> >> Interestingly enough I was able to get 2.4 loaded on an older Dell 
> >> OptiPlex 780 with 3 NICs to replace it just fine.
> >>
> >> This is not intended to bash pfSense, I like it so much that I do 
> >> contribute monetarily. This is meant to be nothing more than a public 
> >> service announcement for others with this platform. Maybe it was 
> >> just time for mine to die and it potentially has nothing to do with 
> >> pfSense.
> >>