Bug #7815
Status: Closed
IPSec MSS Clamping is matching traffic not related to IPSec
Description
Hello,
IPSec setting "Maximum MSS" (MSS clamping) is acting on traffic that doesn't pass across IPSec, perhaps WAN traffic or even local traffic (LAN-to-LAN, each LAN physically connected to same pfsense).
This causes a huge performance impact on networks where MTU > MSS Clamping value, as for example in my setup where I have MTU 9000 on LAN interfaces:
- LAN-to-LAN + IPSec MSS clamping (1350) on:
# iperf3 -c 192.168.13.23
Connecting to host 192.168.13.23, port 5201
[  4] local 10.32.155.3 port 38924 connected to 192.168.13.23 port 5201
[ ID] Interval           Transfer     Bandwidth       Retr  Cwnd
[  4]   0.00-1.00   sec   173 MBytes  1.46 Gbits/sec  1478    110 KBytes
[  4]   1.00-2.00   sec   254 MBytes  2.13 Gbits/sec  2069    116 KBytes
[  4]   2.00-3.00   sec   237 MBytes  1.99 Gbits/sec  1522    159 KBytes
[  4]   3.00-4.00   sec   266 MBytes  2.23 Gbits/sec  1300    123 KBytes
[  4]   4.00-5.00   sec   251 MBytes  2.11 Gbits/sec  1120    167 KBytes
[  4]   5.00-6.00   sec   259 MBytes  2.17 Gbits/sec  1531    125 KBytes
[  4]   6.00-7.00   sec   259 MBytes  2.17 Gbits/sec  1544    131 KBytes
[  4]   7.00-8.00   sec   258 MBytes  2.16 Gbits/sec  1228    139 KBytes
[  4]   8.00-9.00   sec   255 MBytes  2.14 Gbits/sec  1456    122 KBytes
[  4]   9.00-10.00  sec   244 MBytes  2.05 Gbits/sec  1736    103 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bandwidth       Retr
[  4]   0.00-10.00  sec  2.40 GBytes  2.06 Gbits/sec  14984             sender
[  4]   0.00-10.00  sec  2.40 GBytes  2.06 Gbits/sec                  receiver
iperf Done.
pfSense CPU usage around 80%
- LAN-to-LAN + IPSec MSS clamping (1350) off:
# iperf3 -c 192.168.13.23
Connecting to host 192.168.13.23, port 5201
[  4] local 10.32.155.3 port 38940 connected to 192.168.13.23 port 5201
[ ID] Interval           Transfer     Bandwidth       Retr  Cwnd
[  4]   0.00-1.00   sec   902 MBytes  7.56 Gbits/sec   621   1.46 MBytes
[  4]   1.00-2.00   sec  1.03 GBytes  8.89 Gbits/sec   465   1.15 MBytes
[  4]   2.00-3.00   sec  1.13 GBytes  9.68 Gbits/sec   298   1.12 MBytes
[  4]   3.00-4.00   sec  1.13 GBytes  9.67 Gbits/sec    62   1.06 MBytes
[  4]   4.00-5.00   sec  1.17 GBytes  10.1 Gbits/sec    72   1.08 MBytes
[  4]   5.00-6.00   sec  1.14 GBytes  9.79 Gbits/sec    64   1.31 MBytes
[  4]   6.00-7.00   sec  1.12 GBytes  9.63 Gbits/sec   130   1.16 MBytes
[  4]   7.00-8.00   sec  1.14 GBytes  9.77 Gbits/sec    76   1.22 MBytes
[  4]   8.00-9.00   sec  1.20 GBytes  10.3 Gbits/sec   103   1.38 MBytes
[  4]   9.00-10.00  sec  1.09 GBytes  9.40 Gbits/sec   165    883 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bandwidth       Retr
[  4]   0.00-10.00  sec  11.0 GBytes  9.48 Gbits/sec  2056             sender
[  4]   0.00-10.00  sec  11.0 GBytes  9.48 Gbits/sec                  receiver
iperf Done.
pfSense CPU usage around 25%
- Happens in 2.3 and 2.4-RC
Please restrict IPSec MSS Clamping only to IPSec traffic.
Updated by Jim Pingle over 5 years ago
- Category set to IPsec
- Priority changed from High to Normal
Updated by Viktor Gurov over 4 years ago
This can be caused by a too-wide traffic selector.
Example:
pfSense routes traffic between local networks 10.1.0.0/16 and 10.2.0.0/16.
If remote TS = 10.0.0.0/8, then <vpn_networks> = 10.0.0.0/8,
and scrub rules
scrub from any to <vpn_networks> max-mss {$maxmss}
scrub from <vpn_networks> to any max-mss {$maxmss}
do MSS clamping for the entire LAN.
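The overlap Viktor describes, worked through as an added example (not code from this bug or from pfSense): it models the `<vpn_networks>` table and the two scrub rules quoted above and reports which LAN-to-LAN pairs they clamp. The local networks follow his example; the narrowed remote selector 10.200.0.0/16 is a hypothetical stand-in for a correctly scoped phase 2 network.

```python
import ipaddress

# Constructed scenario (assumptions, not a real configuration): two LANs routed
# by the same pfSense, an over-broad phase 2 remote network, and a narrow one.
LOCAL_NETS = ["10.1.0.0/16", "10.2.0.0/16"]
WIDE_REMOTE_TS = ["10.0.0.0/8"]        # remote traffic selector from the comment
NARROW_REMOTE_TS = ["10.200.0.0/16"]   # hypothetical correctly scoped selector
MAXMSS = 1350                          # the reporter's "Maximum MSS" value

def vpn_networks_table(remote_ts):
    """Model the <vpn_networks> pf table as the phase 2 remote networks."""
    return [ipaddress.ip_network(n, strict=False) for n in remote_ts]

def scrub_rules(maxmss):
    """The two scrub rules quoted in the bug, with the configured MSS filled in."""
    return [f"scrub from any to <vpn_networks> max-mss {maxmss}",
            f"scrub from <vpn_networks> to any max-mss {maxmss}"]

def flow_is_clamped(src, dst, vpn_networks):
    """True when either scrub rule matches: src OR dst falls inside the table."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in n or d in n for n in vpn_networks)

def clamped_local_pairs(local_nets, vpn_networks):
    """Ordered pairs of local networks whose LAN-to-LAN traffic the IPsec MSS
    clamp would touch: any pair where either side overlaps the table."""
    nets = [ipaddress.ip_network(n, strict=False) for n in local_nets]
    return sorted(
        (str(a), str(b))
        for a in nets for b in nets if a != b
        if any(a.overlaps(v) or b.overlaps(v) for v in vpn_networks)
    )

def check(remote_ts, local_nets):
    """Summarise what a given remote traffic selector does to local traffic."""
    table = vpn_networks_table(remote_ts)
    return {"vpn_networks": [str(n) for n in table],
            "clamped_local_pairs": clamped_local_pairs(local_nets, table)}

if __name__ == "__main__":
    for rule in scrub_rules(MAXMSS):
        print(rule)
    print("wide TS  :", check(WIDE_REMOTE_TS, LOCAL_NETS))    # both LAN pairs clamped
    print("narrow TS:", check(NARROW_REMOTE_TS, LOCAL_NETS))  # no local pair clamped
```

An empty `clamped_local_pairs` list is the condition to aim for when reviewing a phase 2 selector against the LANs the same box routes.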
Updated by Marcos M about 3 years ago
- Status changed from New to Closed
This is addressed by https://redmine.pfsense.org/issues/7801 which separates mss clamping between VPN and other networks.