Using scp -c blowfish definitely improved things - went from 60Mbps transfer to 70Mbps and cpu load on the pfSense firewalls varied from 50% to 70%.

On one of the other suggestions I switched from OpenVPN connections to IPSEC based connections with AES128 encryption - now I'm getting about 105Mbps and cpu load on the pfSense firewalls is pretty much 100%. So I think this is probably the top end of what I can get without replacing the firewall boxes with something with more horsepower.

Thank you very much to everyone for the great suggestions! Most appreciated.

Eric

----- "Joel Robison" wrote:
> Just a thought, you may want to try using '-c blowfish' on your scp/rsync
> transfer. It is a faster and lighter cypher. It may not help at all, but it
> would be interesting as a test.
>
> -Joel
>
> On Mar 22, 2008, at 5:22 PM, Eric Baenen wrote:
>
> Hello,
>
> I'm very new to pfSense, but I am very impressed. I've installed it in
> my environment and everything is working except I'm getting less
> network throughput than I would have expected and was just
> wondering if anyone might have some insight into why.
>
> My setup and use of pfSense is admittedly out of the ordinary but it
> does seem to be working fine.
>
> I have 8 laboratory facilities on a campus interconnected with a flat
> gigabit ethernet standalone backbone (ie. no external access). Each
> of the laboratories is firewalled off from each other (pfSense firewalls)
> but maintains a permanent OpenVPN based VPN connection to a
> centralized 'core' of services (Zimbra for lab-to-lab email/webmail,
> OpenFire jabber IM server, Apache/TikiWiki web/collaboration,
> BackupPC centralized backup server, centralized file server, OSSIM
> security monitor, etc.). In the near future we will configure individual
> lab to lab VPN connections to facilitate collaboration, resource sharing,
> etc.
>
> As I said before - all is working fine - except: when doing rsync's over
> ssh/scp from the lab machines to the services core, I'm seeing a
> maximum sustained throughput of around 60Mbps. With gigabit end
> to end - even with the AES encryption overhead of the OpenVPN
> connection and the scp encryption overhead of the file transfer, I would
> have expected higher throughput than this. The sending machines
> and the receiving server are not showing high CPU load so I don't think
> the encryption is the issue.
>
