Hi all,

I'm having an odd issue with an IPsec tunnel. I've run out of ideas, so
I figure it's time to consult the brains trust.

I recently set up an instance of pfSense on a VPS in aid of getting fully
routed IPv6 connectivity to my home (because my ISP has no plans to roll
out IPv6 and they just got bought by the biggest cheapskates in the ISP
business over here, so that's unlikely to change any time soon).

So I have a pfSense box "in the cloud" which has IPv4 and IPv6
connectivity. I'm announcing my personal /48 via BGP into the VPS provider,
who is routing traffic to me; then that pfSense box stuffs any traffic for
that /48 down an IPsec tunnel to my pfSense edge router at home (I've
basically got an IPsec tunnel with an IPv4 phase one and an IPv6 phase two
set up between the two).

The issue is that I'm seeing abysmal download speeds via IPv6.

Downloading a file from the remote pfSense instance over the tunnel is
fine; I get a good 3+MB/sec throughput. But as soon as I go any further
than that router, things get slow (download speeds ~75kB/sec), so the tunnel
itself isn't the problem. As well as testing "remote" IPv6 hosts, I also spun
up another VPS on the same 10GigE segment: 100MB transferred pretty much
instantly to the "cloud" router, but speeds to home were still lousy.

My initial thinking was that PMTUD was sucking as it usually does, and I
confirmed that I was seeing fragmented packets by way of tcpdump, so I set
MSS clamping on both ends of the tunnel to 1300. Still seeing fragmented
packets, I brought it down to 1200: no more fragmented ESP packets, but
download speed still sucks (uploads are fine though).

I suspect that the issue may still be related to fragmentation, as the
"remote" pfSense box will need to fragment what it's receiving from "the
internet" to get it down to a size that'll fit within my 1300 byte MSS
clamp, so the logical choice would be to reduce the MTU on the WAN
interface on the "remote" pfSense box. Unfortunately the IPsec tunnel also
terminates on the same interface, so if I lower the MTU of the interface
then I'd have to lower the MSS clamping value on the tunnel. This is
somewhat of a chicken-and-egg problem...

Does this make sense to other people? Am I completely barking up the wrong
tree? If it does make sense to people, can anybody come up with any clever
options whereby I could constrain the MTU of the WAN interface to "the
internet" but not to my "home" router?

Thanks in advance.

Morgan
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
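The post above is working the MSS clamp out by trial and error (1300, then 1200). The calculator below is an added example, not pfSense code and not from the original poster: it computes the on-the-wire size of an ESP tunnel-mode packet from the header sizes in RFC 4303 (ESP header, IV, padding, trailer, ICV) and derives the largest inner packet, and hence the TCP MSS, that fits under a given path MTU. The cipher and integrity tables are assumptions about a typical phase-two proposal (AES-CBC with HMAC-SHA1-96 by default; AES-GCM per RFC 4106 and HMAC-SHA256-128 are also listed); the function names are mine. The `clamp_avoids_fragmentation` check reproduces the question the poster was answering with tcpdump: does a full-size segment at this MSS still fragment at this path MTU?

```python
"""ESP tunnel-mode overhead / MSS-clamp calculator (added example, not pfSense code).

Header sizes follow RFC 4303 (ESP) and RFC 4106 (AES-GCM in ESP). The
cipher and integrity tables below are assumptions about a typical
pfSense IPsec phase-two proposal, not values read from any config.
"""

OUTER_IP = {"ipv4": 20, "ipv6": 40}   # outer IP header, no options/extensions
INNER_IP = {"ipv4": 20, "ipv6": 40}   # inner IP header carried inside ESP
TCP_HDR = 20                          # TCP header without options
UDP_NAT_T = 8                         # extra UDP header when NAT-T is in use
ESP_HDR = 8                           # SPI + sequence number
ESP_TRAILER = 2                       # pad length + next header

# iv: explicit IV bytes; block: alignment the encrypted region must end on;
# icv: tag length for combined-mode ciphers (separate HMAC used otherwise).
CIPHERS = {
    "aes-cbc":  {"iv": 16, "block": 16, "icv": 0},
    "3des-cbc": {"iv": 8,  "block": 8,  "icv": 0},
    "aes-gcm":  {"iv": 8,  "block": 4,  "icv": 16},  # RFC 4106, 16-byte ICV
}
INTEGRITY = {"none": 0, "hmac-sha1-96": 12, "hmac-sha256-128": 16}


def esp_packet_size(inner_len, outer="ipv4", cipher="aes-cbc",
                    integrity="hmac-sha1-96", nat_t=False):
    """Bytes on the wire for one ESP tunnel-mode packet carrying inner_len bytes."""
    c = CIPHERS[cipher]
    # ESP pads so that payload + padding + trailer is a multiple of the block size.
    pad = (-(inner_len + ESP_TRAILER)) % c["block"]
    encrypted = inner_len + pad + ESP_TRAILER
    return (OUTER_IP[outer] + (UDP_NAT_T if nat_t else 0) + ESP_HDR
            + c["iv"] + encrypted + c["icv"] + INTEGRITY[integrity])


def max_inner_packet(path_mtu, **kw):
    """Largest inner IP packet whose ESP encapsulation does not exceed path_mtu."""
    for inner_len in range(path_mtu, 0, -1):
        if esp_packet_size(inner_len, **kw) <= path_mtu:
            return inner_len
    raise ValueError("path MTU too small for any ESP packet")


def mss_for_tunnel(path_mtu, inner="ipv6", **kw):
    """TCP MSS to clamp inner TCP to so that full segments never fragment ESP."""
    return max_inner_packet(path_mtu, **kw) - INNER_IP[inner] - TCP_HDR


def clamp_avoids_fragmentation(mss, path_mtu, inner="ipv6", **kw):
    """True if a full-size segment at this MSS yields an ESP packet <= path_mtu."""
    inner_len = mss + INNER_IP[inner] + TCP_HDR
    return esp_packet_size(inner_len, **kw) <= path_mtu


if __name__ == "__main__":
    # Constructed scenario: IPv4 outer, IPv6 inner, AES-CBC + HMAC-SHA1-96, no NAT-T.
    for mtu in (1500, 1400, 1280):
        print(f"path MTU {mtu}: clamp inner IPv6 TCP MSS to {mss_for_tunnel(mtu)}")
    # The two clamps tried in the post, checked against a few candidate path MTUs.
    for mss in (1300, 1200):
        for mtu in (1500, 1400, 1300):
            ok = clamp_avoids_fragmentation(mss, mtu)
            print(f"MSS {mss} at path MTU {mtu}: {'fits' if ok else 'fragments'}")
```

With the default proposal and a clean 1500-byte path the clamp works out to 1378, so an MSS of 1300 only fragments if the path between the two endpoints is narrower than 1500; running the check across a few candidate MTUs shows which path width each clamp is consistent with, which is cheaper than another round of tcpdump.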