Just a thought, you may want to try using '-c blowfish' on your
scp/rsync transfer. It is a faster and lighter cipher. It may not help
at all, but it would be interesting as a test.
-Joel

On Mar 22, 2008, at 5:22 PM, Eric Baenen wrote:

Hello,

I'm very new to pfSense, but I am very impressed. I've installed it
in my environment and everything is working except I'm getting less
network throughput than I would have expected and was just wondering
if anyone might have some insight into why.

My setup and use of pfSense is admittedly out of the ordinary but it
does seem to be working fine.

I have 8 laboratory facilities on a campus interconnected with a
flat gigabit ethernet standalone backbone (i.e. no external access).
Each of the laboratories is firewalled off from each other (pfSense
firewalls) but maintains a permanent OpenVPN based VPN connection to
a centralized 'core' of services (Zimbra for lab-to-lab email/
webmail, OpenFire jabber IM server, Apache/TikiWiki web/
collaboration, BackupPC centralized backup server, centralized file
server, OSSIM security monitor, etc.). In the near future we will
configure individual lab to lab VPN connections to facilitate
collaboration, resource sharing, etc.

Seven of the labs connected have the following setup.

lab machines/servers - lab gigabit switch - pfSense firewall - backbone gigabit switch

The pfSense firewalls are all Dell 2.6GHz GX270s with 512MB RAM, an
on-board gigabit port, and a second Intel Pro 1000 gigabit NIC.
Both ports in each of the firewalls appear to be running at 1000base
full duplex.

The 8th lab setup is a bit goofy - it's not currently connected and
will be the subject of a follow-up email to this list.

The VPN connections from each lab to the core are OpenVPN, UDP,
shared key, AES 128-bit (for now), LZO compression enabled.

Each lab network is on a unique IP space - for example:
Lab 1: 192.168.10.0/24
Lab 2: 192.168.15.0/24
Lab 3: 192.168.20.0/24
Lab 4: 192.168.25.0/24
Lab 5: 192.168.30.0/24
Lab 6: 192.168.35.0/24
Lab 7: 192.168.40.0/24
Core: 192.168.250.0/24

I'm not sure if this is the right, best or most efficient way to set
up the VPNs but based on the instructions on the pfSense site I set
up a separate OpenVPN tunnel for each lab...

Lab 1: port 1191 on the Core pfSense firewall (vpn subnet: 192.168.249.0/24)
Lab 2: port 1192 on the Core pfSense firewall (vpn subnet: 192.168.248.0/24)
Lab 3: port 1193 on the Core pfSense firewall (vpn subnet: 192.168.247.0/24)
Lab 4: port 1194 on the Core pfSense firewall (vpn subnet: 192.168.246.0/24)
Lab 5: port 1195 on the Core pfSense firewall (vpn subnet: 192.168.245.0/24)
Lab 6: port 1196 on the Core pfSense firewall (vpn subnet: 192.168.244.0/24)
Lab 7: port 1197 on the Core pfSense firewall (vpn subnet: 192.168.243.0/24)

As I said before - all is working fine - except: when doing rsyncs
over ssh/scp from the lab machines to the services core, I'm seeing
a maximum sustained throughput of around 60Mbps. With gigabit end
to end - even with the AES encryption overhead of the OpenVPN
connection and the scp encryption overhead of the file transfer, I
would have expected higher throughput than this. The sending
machines and the receiving server are not showing high CPU load so I
don't think the encryption is the issue.

Any thoughts or ideas?

Thank you,
Eric