 From:  Jim Spaloss <jspaloss at gmail dot com>
 To:  m0n0wall list <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: Dropped Traffic on IPSec VPN after switching ISPs
 Date:  Tue, 12 Apr 2011 18:15:28 -0400
On Mon, Apr 11, 2011 at 6:03 PM, Jim Spaloss <jspaloss at gmail dot com> wrote:

> Hello all,
> I have a m0n0wall to m0n0wall IPSec VPN that worked wonderfully for
> several years. The link is between two nursing home facilities that are
> about 100 miles apart. One has an 8M/2M cable modem service (Comcast), the
> other had a 1.5M/384K DSL service (Verizon). Both sides have static IPs.
> I finally got the management to agree to switch out the DSL for a much faster
> 30M/5M Cable Service (Optimum) on the one side. However, after switching, my
> users immediately began to complain about dropped/slow connections across
> the VPN, and "I thought this was supposed to be faster."
> I tried allowing fragmented IPSec traffic, but that really didn't help.
> I began experimenting with lowering the MTU across the tunnel, and found
> that a significant portion of my traffic was being dropped. The sweet spot
> seems to be 1418 (1419 drops some traffic). I went searching for a way
> to permanently lower the tunnel's MTU, but all I could find was a post where
> the recommendation was to lower the MTU of the WAN interface via ifconfig in
> a <shellcmd> tag. That seems to make the connection better in my initial
> testing, but I can't help but think that there is a better way.
> Most of my user base is in Comcast Territory so I have little experience
> with Optimum online. I've never had to change an MTU setting on Comcast
> before. Can anyone tell me if this is normal for Optimum Online? (Cisco
> Router + Cable Modem w/ 5 Static IPs)
> I should note that I can connect in to either facility via PPTP and in both
> cases it is quite fast. Both facilities also show no issues when I try
> running a bandwidth test like the one at www.speakeasy.net/speedtest.
> I'll post back tomorrow after the users get back on and I'll have a better
> idea of whether or not lowering the MTU on the WAN interface worked.
> Thanks,
> Jim
> P.S.
> Both M0n0walls are identical hardware:
> Generic PC
> Sempron 2600+ CPU
> 256MB RAM
> 3x Intel Pro1000 PCI adapters + 1 VIA Rhine (On Board)
> 32MB CF Card

Update -- Users are still complaining of slow connection and freezing.
Dropped the MTU on each individual machine to 1100. I know it's an ugly
hack, but it seems to be better, from the users' point of view.
I have to wait until tomorrow when they all get on at the same time to see
if it's really better.
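
Added example, not part of the original message: one way to locate the largest packet size that crosses a path unfragmented is to binary-search with Don't Fragment probes, retrying each size so a single lost packet is not mistaken for an MTU limit. The function names and the simulated probe are assumptions for illustration, the live probe assumes Linux iputils `ping` syntax, and the simulated run reuses the 1418/1419 boundary reported above.

```python
import subprocess

IP_ICMP_HEADERS = 28  # 20-byte IPv4 header + 8-byte ICMP echo header


def ping_df(host, payload):
    """Send one echo request with Don't Fragment set (Linux iputils ping syntax)."""
    cmd = ["ping", "-M", "do", "-c", "1", "-W", "2", "-s", str(payload), host]
    return subprocess.run(cmd, capture_output=True).returncode == 0


def largest_passing_packet(probe, low=576, high=1500, tries=3):
    """Binary-search the largest IP packet size for which probe(size) succeeds.

    probe(size) -> bool is called with the full IP packet size. Each size is
    tried up to `tries` times so one lost packet is not read as "too big".
    Returns None if even `low` does not pass.
    """
    def passes(size):
        return any(probe(size) for _ in range(tries))

    if not passes(low):
        return None
    while low < high:
        mid = (low + high + 1) // 2  # round up so the loop always makes progress
        if passes(mid):
            low = mid
        else:
            high = mid - 1
    return low


def probe_host(host):
    """Measure towards a real host; ping's -s option takes the ICMP payload size."""
    return largest_passing_packet(lambda size: ping_df(host, size - IP_ICMP_HEADERS))


def simulated_tunnel(limit):
    """Constructed stand-in for the network: packets above `limit` bytes are dropped."""
    return lambda size: size <= limit


if __name__ == "__main__":
    # Constructed run: 1418 passes and 1419 does not, as in the message above.
    print(largest_passing_packet(simulated_tunnel(1418)))
```

Running the search from a host on each side of the tunnel towards a host on the other side shows whether both directions share the same limit.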