Bug #7815

IPSec MSS Clamping is matching traffic not related to IPSec

Added by Spike R.D. almost 3 years ago. Updated 4 months ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
IPsec
Target version:
-
Start date:
08/26/2017
Due date:
% Done:

0%

Estimated time:
Affected Version:
2.4
Affected Architecture:

Description

Hello,

IPSec setting "Maximum MSS" (MSS clamping) is acting on traffic that doesn't pass across IPSec, perhaps WAN traffic or even local traffic (LAN-to-LAN, each LAN physically connected to the same pfSense).

This causes a huge performance impact on networks where MTU > MSS Clamping value, as for example in my setup where I have MTU 9000 on LAN interfaces:

  • LAN-to-LAN + IPSec MSS clamping (1350) on:

# iperf3 -c 192.168.13.23
Connecting to host 192.168.13.23, port 5201
[  4] local 10.32.155.3 port 38924 connected to 192.168.13.23 port 5201
[ ID] Interval           Transfer     Bandwidth       Retr  Cwnd
[  4]   0.00-1.00   sec   173 MBytes  1.46 Gbits/sec  1478    110 KBytes       
[  4]   1.00-2.00   sec   254 MBytes  2.13 Gbits/sec  2069    116 KBytes       
[  4]   2.00-3.00   sec   237 MBytes  1.99 Gbits/sec  1522    159 KBytes       
[  4]   3.00-4.00   sec   266 MBytes  2.23 Gbits/sec  1300    123 KBytes       
[  4]   4.00-5.00   sec   251 MBytes  2.11 Gbits/sec  1120    167 KBytes       
[  4]   5.00-6.00   sec   259 MBytes  2.17 Gbits/sec  1531    125 KBytes       
[  4]   6.00-7.00   sec   259 MBytes  2.17 Gbits/sec  1544    131 KBytes       
[  4]   7.00-8.00   sec   258 MBytes  2.16 Gbits/sec  1228    139 KBytes       
[  4]   8.00-9.00   sec   255 MBytes  2.14 Gbits/sec  1456    122 KBytes       
[  4]   9.00-10.00  sec   244 MBytes  2.05 Gbits/sec  1736    103 KBytes       
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bandwidth       Retr
[  4]   0.00-10.00  sec  2.40 GBytes  2.06 Gbits/sec  14984             sender
[  4]   0.00-10.00  sec  2.40 GBytes  2.06 Gbits/sec                  receiver

iperf Done.

pfSense CPU usage around 80%

  • LAN-to-LAN + IPSec MSS clamping (1350) off:

# iperf3 -c 192.168.13.23
Connecting to host 192.168.13.23, port 5201
[  4] local 10.32.155.3 port 38940 connected to 192.168.13.23 port 5201
[ ID] Interval           Transfer     Bandwidth       Retr  Cwnd
[  4]   0.00-1.00   sec   902 MBytes  7.56 Gbits/sec  621   1.46 MBytes       
[  4]   1.00-2.00   sec  1.03 GBytes  8.89 Gbits/sec  465   1.15 MBytes       
[  4]   2.00-3.00   sec  1.13 GBytes  9.68 Gbits/sec  298   1.12 MBytes       
[  4]   3.00-4.00   sec  1.13 GBytes  9.67 Gbits/sec   62   1.06 MBytes       
[  4]   4.00-5.00   sec  1.17 GBytes  10.1 Gbits/sec   72   1.08 MBytes       
[  4]   5.00-6.00   sec  1.14 GBytes  9.79 Gbits/sec   64   1.31 MBytes       
[  4]   6.00-7.00   sec  1.12 GBytes  9.63 Gbits/sec  130   1.16 MBytes       
[  4]   7.00-8.00   sec  1.14 GBytes  9.77 Gbits/sec   76   1.22 MBytes       
[  4]   8.00-9.00   sec  1.20 GBytes  10.3 Gbits/sec  103   1.38 MBytes       
[  4]   9.00-10.00  sec  1.09 GBytes  9.40 Gbits/sec  165    883 KBytes       
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bandwidth       Retr
[  4]   0.00-10.00  sec  11.0 GBytes  9.48 Gbits/sec  2056             sender
[  4]   0.00-10.00  sec  11.0 GBytes  9.48 Gbits/sec                  receiver

iperf Done.

pfSense CPU usage around 25%

Happens in 2.3 and 2.4-RC.

Please restrict IPSec MSS Clamping only to IPSec traffic.

History

#1 Updated by Jim Pingle 11 months ago

  • Category set to IPsec
  • Priority changed from High to Normal

#2 Updated by Viktor Gurov 4 months ago

This can be caused by a too-wide traffic selector.

Example:
pfSense routes traffic between local networks 10.1.0.0/16 and 10.2.0.0/16.
If remote TS = 10.0.0.0/8, then <vpn_networks> = 10.0.0.0/8,
and the scrub rules

scrub from any to <vpn_networks> max-mss {$maxmss}
scrub from <vpn_networks>  to any max-mss {$maxmss}

do MSS clamping for the entire LAN.
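The over-wide selector described in this comment, as an added example that is not part of the bug report or of pfSense's own code: a small Python model of the two scrub rules quoted above, run against constructed flows, to check which traffic gets clamped when <vpn_networks> is 10.0.0.0/8 versus a narrower remote subnet. The MTU 9000 and max-mss 1350 values come from the report; the sample flows, the hypothetical remote subnet 10.200.0.0/16 and the segment-count calculation are assumptions added here.

```python
"""Model of the pf scrub rules quoted in comment #2, to show which flows get
MSS-clamped when <vpn_networks> carries an over-wide traffic selector.
Added example, not pfSense code; table contents and flows are constructed."""
from ipaddress import ip_address, ip_network

MAXMSS = 1350  # "Maximum MSS" value from the report


def clamped(vpn_networks, src, dst):
    """Does either of the quoted rules match this flow?

        scrub from any to <vpn_networks> max-mss {$maxmss}
        scrub from <vpn_networks>  to any max-mss {$maxmss}

    A flow matches if its source OR destination falls inside any prefix of
    the <vpn_networks> table, regardless of whether it ever enters IPsec.
    """
    nets = [ip_network(n) for n in vpn_networks]
    s, d = ip_address(src), ip_address(dst)
    return any(s in n or d in n for n in nets)


def effective_mss(mtu, clamp_applies, maxmss=MAXMSS):
    """IPv4 TCP MSS (MTU minus 20-byte IP and 20-byte TCP headers),
    reduced to maxmss only when a scrub rule matched the flow."""
    mss = mtu - 40
    return min(mss, maxmss) if clamp_applies else mss


def tcp_segments(payload_bytes, mss):
    """Segments needed to carry payload_bytes at a given MSS (ceil division)."""
    return -(-payload_bytes // mss)


def audit(vpn_networks, flows, mtu=9000):
    """Return {flow_name: (clamped, effective_mss)} for the given flows."""
    result = {}
    for name, src, dst in flows:
        hit = clamped(vpn_networks, src, dst)
        result[name] = (hit, effective_mss(mtu, hit))
    return result


# Constructed sample flows: the LAN-to-LAN case from the comment, a flow to a
# hypothetical remote IPsec subnet, and an internet-bound flow.
FLOWS = [
    ("lan1-to-lan2", "10.1.20.5", "10.2.30.7"),
    ("lan1-to-remote", "10.1.20.5", "10.200.1.10"),  # hypothetical remote
    ("lan1-to-internet", "10.1.20.5", "203.0.113.9"),
]

if __name__ == "__main__":
    for label, table in (("wide TS", ["10.0.0.0/8"]),
                         ("narrow TS", ["10.200.0.0/16"])):
        print(f"--- <vpn_networks> = {table} ({label})")
        for flow, (hit, mss) in audit(table, FLOWS).items():
            print(f"{flow:18} clamped={str(hit):5} mss={mss:5} "
                  f"segments per MiB={tcp_segments(1 << 20, mss)}")
```

With the wide selector every flow that touches a 10.x address is clamped to 1350, including LAN-to-LAN traffic that never enters IPsec; on a 9000-byte MTU that means roughly 777 segments per MiB instead of 118, which is the CPU and throughput difference the iperf runs in the description show. With the selector narrowed to the real remote subnet, only the flow headed there is clamped.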
