Re: [pfSense] pfsense openvpn speed?
Well,

cipher AES-256-CBC
auth SHA256

thinking to upgrade this to AES-256-GCM

Eero

2017-11-25 21:30 GMT+02:00 Jim Thompson:

> What crypto transform and authentication are you running? Maybe try AES-GCM (which is AES-NI accelerated) at both ends if both devices support it. Might need pfSense 2.4 for this.
>
> Try setting the (OpenVPN) MTU to a larger number.
>
> More hints: https://forum.pfsense.org/index.php?topic=123915.0
>
> > On Nov 25, 2017, at 11:37 AM, Lyle wrote:
> >
> > There is a lot of information missing here.
> >
> > You have a better Netgate unit, but if the internet port on it is connected to a 100Mbps switch, performance will suck. Same on the LAN side. And if the ports are mismatched (half vs full duplex for instance), performance will suffer.
> >
> > What percentage of the gigabit link and/or LAN link on Netgate are you utilizing before adding in OpenVPN? Your ISP may be over subscribed and its uplinks are saturated.
> >
> > You may be pushing too much traffic through the NetGate and it can not handle the load.
> >
> > In other words, based on the limited info you provided, you have not provided proof that it's a problem with the NetGate.
> >
> > Lyle Giese
> >
> >> On 11/25/17 06:34, Eero Volotinen wrote:
> >> Hi list,
> >>
> >> We are running pfsense 2.3 on netgate sg-8860.
> >>
> >> Device is connected to internet with gigabit link, but openvpn speed is very slow (about 50Mbit/s). Any idea how to get more speed to vpn clients?
> >>
> >> Eero

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
Re: [pfSense] pfsense openvpn speed?
thanks for links. looks like it might be wise to upgrade to pfsense 2.4 and enable --cipher AES-256-GCM on openvpn?

Eero

2017-11-25 20:01 GMT+02:00 Joseph L. Casale:

> -----Original Message-----
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Eero Volotinen
> Sent: Saturday, November 25, 2017 5:35 AM
> To: pfSense Support and Discussion Mailing List
> Subject: [pfSense] pfsense openvpn speed?
>
> > We are running pfsense 2.3 on netgate sg-8860.
> >
> > Device is connected to internet with gigabit link, but openvpn speed is very slow (about 50Mbit/s). Any idea how to get more speed to vpn clients?
>
> Assuming the obvious, low hanging fruit is addressed, there is much more to getting high throughput with openvpn than just link speed considerations.
>
> The openvpn wiki has good articles which may provide insight:
> https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux
> https://community.openvpn.net/openvpn/wiki/PerformanceTesting
Re: [pfSense] pfsense openvpn speed?
What crypto transform and authentication are you running? Maybe try AES-GCM (which is AES-NI accelerated) at both ends if both devices support it. Might need pfSense 2.4 for this.

Try setting the (OpenVPN) MTU to a larger number.

More hints: https://forum.pfsense.org/index.php?topic=123915.0

> On Nov 25, 2017, at 11:37 AM, Lyle wrote:
>
> There is a lot of information missing here.
>
> You have a better Netgate unit, but if the internet port on it is connected to a 100Mbps switch, performance will suck. Same on the LAN side. And if the ports are mismatched (half vs full duplex for instance), performance will suffer.
>
> What percentage of the gigabit link and/or LAN link on Netgate are you utilizing before adding in OpenVPN? Your ISP may be over subscribed and its uplinks are saturated.
>
> You may be pushing too much traffic through the NetGate and it can not handle the load.
>
> In other words, based on the limited info you provided, you have not provided proof that it's a problem with the NetGate.
>
> Lyle Giese
>
>> On 11/25/17 06:34, Eero Volotinen wrote:
>> Hi list,
>>
>> We are running pfsense 2.3 on netgate sg-8860.
>>
>> Device is connected to internet with gigabit link, but openvpn speed is very slow (about 50Mbit/s). Any idea how to get more speed to vpn clients?
>>
>> Eero
Re: [pfSense] pfsense openvpn speed?
Well. Both lan and wan are connected to full duplex gigabit port. It can do at least 600Mbit/s nat as tested with speedtest.net

Well. Wan is utilized at max about 100Mbit/s. (10% of total connect speed)

Is this hardware underpowered to do over 100Mbit/s openvpn speed?

Eero

2017-11-25 19:37 GMT+02:00 Lyle:

> There is a lot of information missing here.
>
> You have a better Netgate unit, but if the internet port on it is connected to a 100Mbps switch, performance will suck. Same on the LAN side. And if the ports are mismatched (half vs full duplex for instance), performance will suffer.
>
> What percentage of the gigabit link and/or LAN link on Netgate are you utilizing before adding in OpenVPN? Your ISP may be over subscribed and its uplinks are saturated.
>
> You may be pushing too much traffic through the NetGate and it can not handle the load.
>
> In other words, based on the limited info you provided, you have not provided proof that it's a problem with the NetGate.
>
> Lyle Giese
>
> On 11/25/17 06:34, Eero Volotinen wrote:
>
>> Hi list,
>>
>> We are running pfsense 2.3 on netgate sg-8860.
>>
>> Device is connected to internet with gigabit link, but openvpn speed is very slow (about 50Mbit/s). Any idea how to get more speed to vpn clients?
>>
>> Eero
Re: [pfSense] pfsense openvpn speed?
-----Original Message-----
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Eero Volotinen
Sent: Saturday, November 25, 2017 5:35 AM
To: pfSense Support and Discussion Mailing List
Subject: [pfSense] pfsense openvpn speed?

> We are running pfsense 2.3 on netgate sg-8860.
>
> Device is connected to internet with gigabit link, but openvpn speed is very slow (about 50Mbit/s). Any idea how to get more speed to vpn clients?

Assuming the obvious, low hanging fruit is addressed, there is much more to getting high throughput with openvpn than just link speed considerations.

The openvpn wiki has good articles which may provide insight:
https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux
https://community.openvpn.net/openvpn/wiki/PerformanceTesting
Re: [pfSense] pfsense openvpn speed?
There is a lot of information missing here.

You have a better Netgate unit, but if the internet port on it is connected to a 100Mbps switch, performance will suck. Same on the LAN side. And if the ports are mismatched (half vs full duplex for instance), performance will suffer.

What percentage of the gigabit link and/or LAN link on Netgate are you utilizing before adding in OpenVPN? Your ISP may be over subscribed and its uplinks are saturated.

You may be pushing too much traffic through the NetGate and it can not handle the load.

In other words, based on the limited info you provided, you have not provided proof that it's a problem with the NetGate.

Lyle Giese

On 11/25/17 06:34, Eero Volotinen wrote:

> Hi list,
>
> We are running pfsense 2.3 on netgate sg-8860.
>
> Device is connected to internet with gigabit link, but openvpn speed is very slow (about 50Mbit/s). Any idea how to get more speed to vpn clients?
>
> Eero
Re: [pfSense] 2.4 Bricked my APU4 Netgate
The device was only up for 4 hours before patching. Neither here nor there I was not intending to blame anything was more or less treating it as an advisory to take necessary precautions as well as see if anyone else had this happen and potentially knew of a fix. Did not mean to turn this into a blame game.

-----Original Message-----
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Adam Thompson
Sent: Saturday, November 25, 2017 9:20 AM
To: pfSense Support and Discussion Mailing List; Manuel Dejonghe
Subject: Re: [pfSense] 2.4 Bricked my APU4 Netgate

If you're going to even consider blaming widely-used software for hardware problems, then absolutely, yes, please do this, if only to stop the accusations.

If you don't reboot regularly, now's a good time to change that policy, too. We aren't running NetWare 3.1 any more. No reboots = no patches.

And of course be aware that many hardware problems only show up at reboot. The Intel Atom flaw being the most recent prominent example I can think of.

-Adam

On November 25, 2017 5:47:13 AM CST, Manuel Dejonghe wrote:

> On 24 November 2017 at 01:35, Jim Thompson wrote:
>> If there is no response from the bootloader (coreboot) on the serial port, then the hardware died, and the upgrade’s only involvement was the reboot at the end.
>
> Sounds like it's a good advice to reboot manually before the upgrade, so that if it fails, you know why it failed. Would you agree ?

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
Re: [pfSense] 2.4 Bricked my APU4 Netgate
On 25 November 2017 at 15:19, Adam Thompson wrote:

> If you're going to even consider blaming widely-used software for hardware problems, then absolutely, yes, please do this, if only to stop the accusations.
> If you don't reboot regularly, now's a good time to change that policy, too.

I'm sorry, I meant it to specifically be able to distinguish between reboot failures due to hardware failure (no software change->reboot->failure?) and boot failures due to software problems.
Re: [pfSense] 2.4 Bricked my APU4 Netgate
If you're going to even consider blaming widely-used software for hardware problems, then absolutely, yes, please do this, if only to stop the accusations.

If you don't reboot regularly, now's a good time to change that policy, too. We aren't running NetWare 3.1 any more. No reboots = no patches.

And of course be aware that many hardware problems only show up at reboot. The Intel Atom flaw being the most recent prominent example I can think of.

-Adam

On November 25, 2017 5:47:13 AM CST, Manuel Dejonghe wrote:

> On 24 November 2017 at 01:35, Jim Thompson wrote:
>> If there is no response from the bootloader (coreboot) on the serial port, then the hardware died, and the upgrade’s only involvement was the reboot at the end.
>
> Sounds like it's a good advice to reboot manually before the upgrade, so that if it fails, you know why it failed. Would you agree ?

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
[pfSense] pfsense openvpn speed?
Hi list,

We are running pfsense 2.3 on netgate sg-8860.

Device is connected to internet with gigabit link, but openvpn speed is very slow (about 50Mbit/s). Any idea how to get more speed to vpn clients?

Eero
Re: [pfSense] 2.4 Bricked my APU4 Netgate
On 24 November 2017 at 01:35, Jim Thompson wrote:

> If there is no response from the bootloader (coreboot) on the serial port, then the hardware died, and the upgrade’s only involvement was the reboot at the end.

Sounds like it's a good advice to reboot manually before the upgrade, so that if it fails, you know why it failed. Would you agree ?
Re: [pfSense] Multiple OpenVPNs (site to site) to one head end
> On Nov 22, 2017, at 9:34 AM, Ryan Coleman wrote:
>
> I want to pass the entire traffic from a few locations through one master.
>
> I have one site working. But when I try to connect the second site it kills the first.
>
> I have IPSec for some basic network connections as a backup for the moment that allows me to get to customer servers but I want to run all my traffic because… Comcast.
>
> I have Gig Fiber at the headend, bandwidth is not an issue.
>
> Does anyone have a tried/tested example of getting either OpenVPN full tunnel working on a (multiple sites)-to-(one site) or an IPSec configuration example that would allow for 100% routing?
>
> My guinea pig is my home network. I have one customer that is also on Comcast that is using the full site-to-site tunnel and I cannot afford to drop during store hours.
>
> Thanks!

If you are trying to use a server-mode connection (SSL/TLS with larger than a /30 tunnel network) and you are getting one connection then the second kills the first it sounds like you are trying to use the same credentials for each site but don’t have Duplicate Connections enabled on the server.

My suggestion would be to leave Duplicate Connections disabled and use discrete credentials for each site.
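The behaviour described in the reply above, modelled as an added example (not part of the original message, and not pfSense or OpenVPN code). It assumes the server keys sessions by certificate Common Name and that pfSense's Duplicate Connections option corresponds to OpenVPN's `duplicate-cn`; the class, function names, CNs and peer addresses are constructed for illustration.

```python
"""Toy model of an OpenVPN server-mode client table (added example).

Assumption: a session is identified by its certificate Common Name (CN);
a new login with a CN that is already connected replaces the old session
unless Duplicate Connections (duplicate-cn) is enabled.
"""
from dataclasses import dataclass, field


@dataclass
class Server:
    duplicate_cn: bool = False
    sessions: list = field(default_factory=list)  # (cn, peer) tuples, oldest first
    dropped: list = field(default_factory=list)   # sessions evicted by a newer login

    def connect(self, cn, peer):
        if not self.duplicate_cn:
            # Same CN seen again: the previous session for that CN is dropped.
            self.dropped.extend(s for s in self.sessions if s[0] == cn)
            self.sessions = [s for s in self.sessions if s[0] != cn]
        self.sessions.append((cn, peer))

    def peers_for(self, cn):
        """Peers currently holding a session under this CN."""
        return [peer for c, peer in self.sessions if c == cn]


def run(duplicate_cn, logins):
    """Replay a list of (cn, peer) logins against a fresh server."""
    srv = Server(duplicate_cn=duplicate_cn)
    for cn, peer in logins:
        srv.connect(cn, peer)
    return srv


def summary(srv):
    cns = sorted({cn for cn, _ in srv.sessions})
    return {
        "up": len(srv.sessions),
        "dropped": len(srv.dropped),
        # A CN held by more than one peer no longer identifies a single site.
        "ambiguous_cns": [cn for cn in cns if len(srv.peers_for(cn)) > 1],
    }


# Constructed logins: two sites, documentation-range peer addresses.
SHARED = [("site-shared", "198.51.100.10"), ("site-shared", "203.0.113.20")]
DISCRETE = [("site-home", "198.51.100.10"), ("site-store", "203.0.113.20")]

if __name__ == "__main__":
    cases = [
        ("shared credentials, Duplicate Connections off", False, SHARED),
        ("shared credentials, Duplicate Connections on", True, SHARED),
        ("discrete credentials, Duplicate Connections off", False, DISCRETE),
    ]
    for label, dup, logins in cases:
        print(f"{label}: {summary(run(dup, logins))}")
```

Only the third case keeps both tunnels up while every CN still maps to exactly one site, which is what per-site settings and revoking a single site's certificate depend on.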
Re: [pfSense] 2.4 Bricked my APU4 Netgate
Thought you were on to something and thanks for the directions but I have an APU4 took my board off and there is no removing of the bios. The cmos battery is even permanently attached.

-----Original Message-----
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Holger Bauer
Sent: Friday, November 24, 2017 9:02 AM
To: pfSense Support and Discussion Mailing List
Subject: Re: [pfSense] 2.4 Bricked my APU4 Netgate

If really the BIOS is bricked you could give this a try:

For APU1-Boards: http://pcengines.ch/lpc1aapu.htm
For APU2-Boards: http://pcengines.ch/spi1a.htm

Regards
Holger

2017-11-24 13:56 GMT+01:00 Peder Rovelstad:

> Is there a CMOS battery onboard? Just a thought.
>
> -----Original Message-----
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Elijah Savage
> Sent: Friday, November 24, 2017 6:01 AM
> To: 'pfSense Support and Discussion Mailing List'
> Subject: Re: [pfSense] 2.4 Bricked my APU4 Netgate
>
> To this point, has anyone replaced the mSATA drive in these? The lights and everything still comes on in the front.
>
> -----Original Message-----
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Jim Thompson
> Sent: Thursday, November 23, 2017 7:35 PM
> To: pfSense Support and Discussion Mailing List
> Subject: Re: [pfSense] 2.4 Bricked my APU4 Netgate
>
> If there is no response from the bootloader (coreboot) on the serial port, then the hardware died, and the upgrade’s only involvement was the reboot at the end.
>
> Jim
>
> > On Nov 23, 2017, at 10:59 AM, Ryan Coleman wrote:
> >
> > There’s likely a package you added to your APU4 that is stopping the upgrade.
> >
> > If you use reddit you can get some assistance from more NetGate staff there: http://reddit.com/r/pfsense/
> >
> >> On Nov 23, 2017, at 10:08 AM, Elijah Savage wrote:
> >>
> >> I know it is an older model but after my attempt to upgrade my APU4 it would not reboot. I let it sit for 24 hours as it was still passing traffic but no reboot. Logged into the console from my laptop and rebooted it and nothing comes back. It doesn't give anything on the console and doesn't beep anymore when booting up, I believe it doesn't get to that point.
> >>
> >> Interesting enough I was able to get 2.4 loaded on an older dell optiplex 780 with 3 nics to replace it just fine.
> >>
> >> This is not intended to bash pfSense, I like it so much that I do contribute monetarily. This meant to be nothing more than a public service announcement for others with this platform. Maybe it was just time for mine to die and it potentially has nothing to do with pfSense.