 From:  "Chris Buechler" <cbuechler at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] SMB over IPSEC...
 Date:  Wed, 23 Jul 2008 10:54:17 -0400
On Wed, Jul 23, 2008 at 10:07 AM, Tim Nelson <tnelson at rockbochs dot com> wrote:
> Hello fellow monowallers... I know the issue of SMB/Samba/Netbios over IPSEC has come up many
> times. However, the issue always seems to be related to the fact that broadcasts are not being
> passed over the IPSEC tunnel. I'm currently trying to use Samba over IPSEC (one site has monowall
> 1.3b11 and the other has pfSense 1.2-RELEASE) but instead of relying on broadcasting and using
> 'Network Neighborhood' to find the Samba boxes, we're accessing them directly via IP address by
> entering "\\" in the address bar of the clients which are primarily WinXP machines.
> They are able to find the server and access its shares but opening a file... even small ones like
> 20k... takes FOREVER. I'm wondering if there isn't a different issue such as fragmentation
> happening. Both sides of the tunnel have completely open "Allow any to any from any" rules so
> firewalling should not be the issue. Has anyone seen this type of behavior before? I can make my
> logs available but after looking through them, I'm not seeing anything of consequence. All help is
> welcome and appreciated. Thank you!

What is the end to end latency over the VPN? SMB (v1) is *very*
sensitive to latency; it's normal for anything with 60-70+ ms latency
to run pathetically. Anything over 30-40 ms is slow; you need under 10
ms latency for LAN level experiences with SMB. SMB makes an inordinate
number of round trips to do something as silly as opening a single
file or getting a directory listing. Unless you have two connections
on the same ISP in the same city there isn't any chance you'll have an
Internet VPN at under 10 ms.

The "good" news is Vista and Server 2008 support SMB v2 which combines
multiple requests into a single request, greatly reducing the dozens
to hundreds of requests. One of the major reasons for this change is
to address the previously mentioned performance problem over higher
latency connections. SMB v2 is only used when connecting from Vista or
2008 to another Vista or 2008 machine, it uses v1 when communicating
with previous Windows versions.

So...ready to upgrade everything to Vista and Server 2008?  ;)

There is a chance some larger packets could be getting black-holed and
really exacerbating the normal issues with high latency and SMB; you might
want to try dropping the MTU on a couple of systems to 1400 and see if that
changes anything.
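As an added example that is not part of the original message, the following shell script checks the black-hole possibility raised above by probing the largest packet that crosses the tunnel unfragmented (don't-fragment pings, binary search on size). It assumes Linux iputils `ping` (the `-M do` flag sets the DF bit) and a reachable host on the remote LAN; the IP addresses are placeholders.

```shell
#!/bin/sh
# Added example, not from the original message: find the path MTU to a host
# on the far side of the VPN. If the largest size that gets through is well
# below 1500 while smaller probes succeed, large packets (e.g. SMB reads
# plus IPsec/ESP overhead) are being black-holed somewhere on the path.
# Assumes Linux iputils ping: -M do sets the don't-fragment bit.

# ICMP payload size that yields an IP packet of exactly $1 bytes:
# 20 bytes IPv4 header + 8 bytes ICMP header.
payload_for_mtu() {
    echo $(( $1 - 28 ))
}

# Send one DF-flagged echo request of total size $1 to host $2; 0 on reply.
# Redefine this function to simulate a path when no network is available.
ping_df() {
    ping -c 1 -W 2 -M do -s "$(payload_for_mtu "$1")" "$2" >/dev/null 2>&1
}

# Binary search for the largest packet delivered without fragmentation,
# between $2 (low, expected to work; default 576) and $3 (high; default 1500).
find_path_mtu() {
    host=$1; lo=${2:-576}; hi=${3:-1500}
    if ! ping_df "$lo" "$host"; then
        echo "no reply even at $lo bytes: host unreachable or ICMP filtered" >&2
        return 1
    fi
    while [ $((hi - lo)) -gt 1 ]; do
        mid=$(( (lo + hi) / 2 ))
        if ping_df "$mid" "$host"; then lo=$mid; else hi=$mid; fi
    done
    # The upper bound itself may also pass (a clean 1500-byte path).
    if ping_df "$hi" "$host"; then lo=$hi; fi
    echo "$lo"
}

# Usage: ./pmtu.sh <host-on-remote-lan>   (e.g. 192.0.2.10, a placeholder)
if [ -n "$1" ]; then
    mtu=$(find_path_mtu "$1") || exit 1
    echo "largest unfragmented packet to $1: $mtu bytes"
    if [ "$mtu" -lt 1500 ]; then
        echo "path carries less than 1500 bytes; set client MTU to $mtu or lower"
    fi
fi
```

A result such as 1400 with the tunnel up, versus 1500 to the same gateway outside the tunnel, points at the IPsec overhead plus a dropped fragmentation-needed message rather than at SMB itself.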