I have a pfSense virtual appliance set up in front of a Windows server. The pfSense appliance has been configured with two L2L IPSec VPN sites and not too much else. The appliance has two vNics which both exist on the same VLAN, but one is "WAN" and the other is "LAN."

When I run speedtest.net on my Windows server when I have configured it to use a static WAN address and gateway, I get great speeds - maybe around 50 down, 15 up. However, when I configure it with a private IP address, I get similar download speeds but terrible upload speeds - around 2 or 3 Mbps consistently. I used Wireshark to see what gives but there didn't appear to be too much helpful information there, or I just could not find it.

Besides the L2L VPNs, other configurations include:

  • Automatic Outbound NAT
  • Virtual P-ARP IP for the Windows Server
  • WAN Firewall rule to allow * to * on RDP
  • WAN Firewall rule to allow * to * (enabled this just for testing... didn't help!)
  • No DHCP or any other services besides IPSec VPN
  • No errors on LAN or WAN
  • No collisions on LAN or WAN

I would be happy to post the full config file if it would help. I've been scratching my head at this one all day!

tacos_tacos_tacos
  • I'm not that familiar with pfSense, but most likely, having two vNics is a bad idea. You should just have one with two addresses/netmasks. My bet is that you're dropping packets because they were received on the "wrong" vNic. – David Schwartz Nov 11 '11 at 22:52
  • I am seeing a lot of ARP messages relating to a packet being sent on em0 but received on em1, etc... but pfSense requires two interfaces to work... – tacos_tacos_tacos Nov 11 '11 at 23:04

2 Answers

You are doing "NAT on a stick". pfSense, unfortunately, does not have good support for this configuration yet. Your configuration of two different interfaces will not work -- on the same VLAN, they'll see each other's packets.

Here's a horrible hack if it's VLAN 1. Set the outside vNic to tagged VLAN and the other to untagged. If that doesn't solve the problem, flip the ports. (Note that you should do this locally, not remotely, as you may lose contact.)

David Schwartz
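The ARP messages mentioned in the comment on the question are the symptom of the layout this answer describes: a host reachable through both pfSense interfaces answers ARP on whichever one it likes. As an added example that is not part of the original thread, the Python below parses FreeBSD-style kernel lines of that shape (the sample lines, addresses and MACs are constructed; em0/em1 are the interface names from the comment) and reports which IPs keep answering on the wrong interface and which MAC is answering on both:

```python
import re
from collections import defaultdict

# Constructed sample of pfSense (FreeBSD) kernel log lines; addresses,
# MACs and timestamps are made up for this example.
SAMPLE_LOG = """\
Nov 11 22:40:01 pfsense kernel: arp: 203.0.113.10 is on em0 but got reply from 00:0c:29:aa:bb:cc on em1
Nov 11 22:40:03 pfsense kernel: arp: 192.168.10.5 is on em1 but got reply from 00:0c:29:aa:bb:cc on em0
Nov 11 22:40:05 pfsense kernel: arp: 203.0.113.10 is on em0 but got reply from 00:0c:29:aa:bb:cc on em1
Nov 11 22:40:09 pfsense kernel: arp: 203.0.113.1 moved from 00:11:22:33:44:55 to 00:11:22:33:44:66 on em0
Nov 11 22:41:00 pfsense kernel: arp: 192.168.10.5 is on em1 but got reply from 00:0c:29:aa:bb:cc on em0
"""

# "is on X but got reply from MAC on Y": the ARP table says the IP lives
# behind interface X, but the reply arrived on interface Y.
ARP_WRONG_IF = re.compile(
    r"arp: (?P<ip>\d+\.\d+\.\d+\.\d+) is on (?P<expected>\w+) "
    r"but got reply from (?P<mac>[0-9a-fA-F:]{17}) on (?P<actual>\w+)"
)


def parse_arp_mismatches(log_text):
    """Return one dict (ip, expected, mac, actual) per wrong-interface line."""
    return [m.groupdict() for line in log_text.splitlines()
            if (m := ARP_WRONG_IF.search(line))]


def summarize_by_ip(events):
    """Per IP: how often the reply came in on the wrong interface and where."""
    per_ip = defaultdict(lambda: {"expected": None, "wrong_if": set(),
                                  "macs": set(), "count": 0})
    for e in events:
        s = per_ip[e["ip"]]
        s["expected"] = e["expected"]
        s["wrong_if"].add(e["actual"])
        s["macs"].add(e["mac"].lower())
        s["count"] += 1
    return dict(per_ip)


def macs_straddling_interfaces(events):
    """MACs that answered ARP on more than one pfSense interface: a single
    host sitting in the same broadcast domain as both WAN and LAN vNICs."""
    seen = defaultdict(set)
    for e in events:
        seen[e["mac"].lower()].add(e["actual"])
    return {mac: sorted(ifs) for mac, ifs in seen.items() if len(ifs) > 1}


if __name__ == "__main__":
    evts = parse_arp_mismatches(SAMPLE_LOG)
    for ip, s in sorted(summarize_by_ip(evts).items()):
        print(f"{ip}: expected on {s['expected']}, {s['count']} replies via {sorted(s['wrong_if'])}")
    print("MACs seen on both interfaces:", macs_straddling_interfaces(evts))
```

Run it against `clog /var/log/system.log` output (or any saved copy of the kernel log) instead of the constructed sample to see whether the same MAC is really replying on both vNICs.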
It's not clear exactly what you have there with two NICs on the same broadcast domain. Do you have a public and a private subnet on the same broadcast domain? Don't do that in general; it's really bad practice, so separate those out: one vswitch (using ESX terminology, replace as appropriate for your hypervisor) for the public IP subnet, one for the internal network.

In general there isn't anything to keep that from working properly; it's fully supported and works fine in pfSense (assuming the network in general is sane; there isn't enough here to tell that).

Chris Buechler