
  1. Post #1

    er-4 with s2s vpn = really slow internet performance

    Hey guys,

    We got an ER-4, went through the wizard and set up PPPoE with VLAN 10. ISP is Spark.

    I then followed this guide and set up our AWS site-to-site VPNs:
    https://help.ubnt.com/hc/en-us/artic...r-IKEv1-IPsec-

    S2S VPN works.

    But internet is excruciatingly slow.

    I then enabled hwnat/IPsec offload and

    rebooted the router.

    Internet was still shit. Even the GP ads didn't load.

    Has anyone got any experience with this router or experienced this error before?

    Did I miss something? Do we have to change the MTU settings on br0/eth1-3?

    Any helpful hints would be awesome.

    Cheers.

  2. Post #2
    what version firmware are you running?

  3. Post #3
    Yep. Running the latest.

    I noticed the same thing when I did the instructions against the UniFi Security Gateway I have.

  4. Post #4
    i wasn't asking if you're running the latest. the latest is 2.0 and only crazy people run .0 software - try downgrading to a 1.10.x release and test again

  5. Post #5
    sorceror wrote:
    i wasn't asking if you're running the latest. the latest is 2.0 and only crazy people run .0 software - try downgrading to a 1.10.x release and test again
    Yes, running the latest available - 1.10.1

  6. Post #6
    1.10.1 is pretty old, they're up to 1.10.8 - but it should be fine.

    i see you mention br0, did you bridge any of the ethernet interfaces together?

  7. Post #7
    Correct.

    From the wizard, I set up eth0 as WAN with VLAN 10 + PPPoE. eth1/2/3 are all bridged together to a 10.9.0.0/24 LAN and no DHCP.

    We are on a business 100/100 plan and downstream was 20 while upstream was 96-100 Mbit.

    Also an interesting issue we noticed was that https sites would time out on first attempt. Then you refreshed the site and it would load. AWS workspaces client was also slow and would timeout on a login attempt.

  8. Post #8
    the ER-4 is a router, not a switch, and trying to make it act like one by bridging is highly discouraged as it stops all of the offload features from working and generally destroys performance (every single packet gets shunted to the CPU). i'd bet that's what your issue is - try removing the bridge to confirm.

  9. Post #9
    HTTPS page issues and VPN, sounds like an MTU issue, drop it to 1420 with no fragmentation (if you can).

  10. Post #10
    Thanks V.

    I'll try that after hours and see if it fixes it. I had a feeling the MTU was an issue.

    But just to reiterate - I did this:

    9. Lower the TCP Maximum Segment Size (MSS) on the vti interfaces to 1379.
    Code:
    set firewall options mss-clamp interface-type vti
    set firewall options mss-clamp mss 1379

  11. Post #11
    that's just changing it for the VPN, do the same thing on your pppoe interface.

    but you will still get performance issues until you remove the bridge - you are using the device wrong.

  12. Post #12
    sorceror wrote:
    that's just changing it for the VPN, do the same thing on your pppoe interface.

    but you will still get performance issues until you remove the bridge - you are using the device wrong.
    okay.

    I've reset the device.

    This time no bridging.

    We will see how it works tomorrow.

  13. Post #13
    more info here on what's eligible for offload and what's not: https://help.ubnt.com/hc/en-us/artic...are-Offloading

    you also have to use specific IPSec hashing/encryption settings in order to be eligible for offload but I'm assuming that's all good since you used a UBNT guide to set it up in the first place

  14. Post #14
    Exactly.

    We would be using aes-128-cbc which is all good.

    What I'm finding quite frustrating to understand is the similarity of performance I had with the UniFi and the EdgeRouter.

    Both used the exact same setup/commands and both had the same performance after the configuration was changed.

    So is it really the bridge that ****ed it up? Or the aws site to site or the fact that I had a VPN setup.

    Interestingly, my boss has an ER-Lite where I created a test site-to-site VPN and he saw no performance decrease.

    He doesn't have any VLAN tag - he's with Citylink. So my thinking is that PPPoE (1492) with VLAN 10 add up to 1500.

    Maybe this is the issue? I don't know.
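    The MTU/MSS arithmetic behind posts #9, #10, #11 and #14 is worth seeing in one place. The Python below is an added example, not code from the thread or from Ubiquiti: it computes the largest TCP payload that fits a given MTU, models what a mss-clamp rule does to a SYN, and checks whether a full-size segment survives a constructed path (1500-byte LAN, 1492-byte PPPoE, and the 1420 suggested in post #9). It also renders the two EdgeOS commands quoted in post #10 for any interface type; `vti` comes from that post, and `pppoe` is assumed here to be the value for the uplink that post #11 says to clamp as well. It does not derive IPsec overhead, so the guide's 1379 for vti is taken as posted rather than computed.

```python
# Added example, not from the thread or from Ubiquiti: a small model of the
# MTU/MSS arithmetic behind the fix reported later in the thread. Hop names
# and MTU values are constructed from the numbers posted above
# (1500 Ethernet, 1492 PPPoE, 1420 suggested in post #9).
IPV4_HDR = 20           # IPv4 header without options
TCP_HDR = 20            # TCP header without options
PPPOE_OVERHEAD = 8      # PPPoE header (6) + PPP protocol field (2): 1500 -> 1492


def mss_for_mtu(mtu: int) -> int:
    """Largest TCP payload that fits one IPv4 packet of this MTU unfragmented."""
    return mtu - IPV4_HDR - TCP_HDR


def path_mtu(hops) -> int:
    """The path MTU is the smallest link MTU along a list of (name, mtu) hops."""
    return min(mtu for _name, mtu in hops)


def clamp_mss(advertised: int, clamp: int) -> int:
    """What mss-clamp does: rewrite the MSS option of a passing SYN down to `clamp`."""
    return min(advertised, clamp)


def segment_fits(mss: int, hops) -> bool:
    """Does a full-size segment (MSS + 40 bytes of headers) survive every hop?

    TCP sets DF for path-MTU discovery, so an oversized packet is dropped, not
    fragmented; if the ICMP "fragmentation needed" reply never reaches the
    sender, the connection stalls. That matches the "HTTPS times out on the
    first attempt" symptom from post #7.
    """
    return mss + IPV4_HDR + TCP_HDR <= path_mtu(hops)


def edgeos_clamp_commands(interface_type: str, mss: int):
    """Render the two EdgeOS commands quoted in post #10 for a given interface type.

    'vti' is the value used in post #10; 'pppoe' is assumed here to be the
    value for the uplink that post #11 says to clamp as well.
    """
    return [
        f"set firewall options mss-clamp interface-type {interface_type}",
        f"set firewall options mss-clamp mss {mss}",
    ]


# Constructed path: LAN host -> ER-4 PPPoE uplink -> IPsec tunnel hop.
PATH = [("lan", 1500), ("pppoe", 1500 - PPPOE_OVERHEAD), ("vpn", 1420)]


def demo():
    """Walk a LAN host's SYN through the constructed path with and without a clamp."""
    advertised = mss_for_mtu(1500)              # 1460: what a LAN host puts in its SYN
    clamp = mss_for_mtu(path_mtu(PATH))         # 1380 for the 1420-byte bottleneck
    effective = clamp_mss(advertised, clamp)
    return {
        "advertised": advertised,
        "unclamped_fits": segment_fits(advertised, PATH),
        "clamp": clamp,
        "clamped_fits": segment_fits(effective, PATH),
        "commands": edgeos_clamp_commands("pppoe", clamp),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

    Running it shows that a 1460-byte MSS fits the 1492-byte PPPoE link but not the 1420-byte hop, which is why clamping only the vti interface (post #10) is not enough on its own and the clamp has to sit on whichever interface the traffic actually leaves through.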

  15. Post #15
    Issue is the switching, buy a $40 gigabit switch and let that handle the switching and let the router route

  16. Post #16
    Mental69 wrote:
    Issue is the switching, buy a $40 gigabit switch and let that handle the switching and let the router route
    What makes you think that?

  17. Post #17
    Mental69 wrote:
    Issue is the switching, buy a $40 gigabit switch and let that handle the switching and let the router route
    Yeah keen to know what makes you think this?

    The eth1 port was connected to a 24-port switch. A dumb one at that, but a switch.

    I somehow don't think the issue is because I had the ports bridged.

    In the case of the UniFi USG having degraded performance - the router was connected to a switch as well.

    I don't think switching or the bridging is/was an issue.

  18. Post #18
    i told you already, as soon as you bridge interfaces all packets have to get processed by the CPU and bypass ASICs/hardware offloading aka the whole reason to buy an EdgeRouter in the first place. RTFM

    it can be unnoticeable depending on your Internet speed but I'm guessing the permanent IPSec tunnels and encrypted traffic pushes it over the limit.

  19. Post #19
    Shoulda got a sonicwall.

  20. Post #20
    Swapped the router. Internet is working fine.

    I'll do the tunnels over the weekend.

  21. Post #21
    sorceror wrote:
    i told you already, as soon as you bridge interfaces all packets have to get processed by the CPU and bypass ASICs/hardware offloading aka the whole reason to buy an EdgeRouter in the first place. RTFM

    it can be unnoticeable depending on your Internet speed but I'm guessing the permanent IPSec tunnels and encrypted traffic pushes it over the limit.
    Just an update:

    Redid config to try with bridge and no. Made no difference.

    Turns out the issue was MSS/MTU was too high. Lowered it and life is good.

    Thanks for your help. I tried RTFM but there was nothing around for this issue.

    Churr for help.
    Last edited by Undefineed; 2nd February 2019 at 4:32 pm. Reason: perhaps I was initially harsh to the sorc...

  22. Post #22
    i thought you had already done that as per

    sorceror wrote:
    that's just changing it for the VPN, do the same thing on your pppoe interface.
    anyway, good result. keep an eye on the CPU utilization when you're downloading/transferring from the VPN.

  23. Post #23
    So if you have an MSS/MTU that is right and turn the bridge back on what happens?

  24. Post #24
    Mental69 wrote:
    So if you have an MSS/MTU that is right and turn the bridge back on what happens?
    Haven't tried turning on the bridge.

    The boss went and got Citylink as a backup ISP. Now I have to configure eth2 as WAN for Citylink.