Windows file sharing over l2tp ipsec vpn

Check the MTUs.  There are some ISPs that mistakenly set MTUs at 576.

Cheers - Bob

The ISP provided gateway was set at mtu 1500 bytes.  This mirrors the setting on the UTM's wan and lan ports.  When connected through l2tp/ipsec, windows negotiates a mtu of 1380.  I'll make that change to both the gateway and utm wan ports (lan too?).

The gateway is in a pseudo passthrough mode.  It passes the public ip to the utm but isn't a true bridge mode as there's still some NATting going on.  Gateway's NAT table is still in use based on the dynamic number of sessions available vs total.  Constantly changing.  This is about as good as it's going to get.. Arris BGW210-700.

I did some more testing last night using my cell phone hotspot.  Adjusting mtu to 1472 on the gateway and utm's wan & land ports improved both download and upload to ~8mbps, cricket's throttle cap limit.  I'll have access to a cable connection later today to test further with real speeds.  I'm still able to hit the isp's gigabit speeds with local lan clients (not through vpn), also, client-client speeds on the local lan are unaffected (didn't expect them to be).

Finally some good news to report. The cable connection I used for testing had a dl/ul speed of 175/25 mbps respectively.  I need a faster connection to find my utm box's actual limits given gigabit internet speeds in both directions.  Establishing the l2tp/ipsec tunnel on the local lan to the utm (a sort of loopback mode?) achieves speeds around 300-350 mbps in either direction with ips off and about 250 mbps in either direction with ips on.  These numbers are from speedtest.net and dslreports speed test.

Setting the isp gateway, utm WAN and LAN MTU all to 1472 allowed for full bandwidth of the above cable connection when connecting over L2TP/ipsec even with IPS enabled (albeit utm cpu usage was high).  Files copied over from remote windows shares at ~20 MB/s which equates to ~160mbps.  Figuring overhead this reasonably good speed.  This correlates given the above max local speeds achieved (250-350 mbps).

I played around with setting the above 3 MTU's at various combinations of 1472 and 1500 bytes.  It seems setting any of those to 1500 would induce slower throughput so I left them all at 1472. I suppose this makes some sense.  If any are at the higher value then fragmentation results.

Performance with SSL vpn (openvpn) was much slower, ~40 mbps.  I think it's an mtu issue also but don't see any place to adjust it in the UTM or custom settings.  Changes can be made to the client config file so i'll try making some tweaks there.

@sachingurung

Any thoughts on how to track snort/ips to figure out why it's ignoring the IPS exeption?

Please start a new thread with an appropriate title and how relevant lines from the Intrusion Prevention log along with the Edit of the Exception that should have applied.

Cheers - Bob

Wanted to update this thread while the information was still fresh.

My internet is FTTH. ISP equipment consists of 2 pieces of hardware.  The ONT which converts fiber to ethernet and residential gateway (RGW) which authenticates the connection and provides IP passthrough or acts as a router for the lan depending on how its configured.

Previously the RGW was used in passthrough mode to establish connectivity.  Dropping the MTU on all interfaces fixed the throughput issue.

More recently the RGW is no longer inline between UTM and the ONT.  Private message for more info or review the bypass threads on dslreports/uverse section.  Now the ONT is connected directly to the WAN interface of the UTM.  MTU on both wan/lan interfaces in utm has been reset back to 1500.  No speed issues at all with either openvpn or l2tp/ipsec methods.

I'd surmise that because of the way the RGW handled packets in passthrough mode, some additional bytes were added to the frames, thus reducing the max packet payload size.  Not much information is available on how the passthrough mode works, but it does appear to be a pseudo1:1 NAT mode of sorts on the RGW. This is evidenced by the fact that the RGW's NAT table is constantly changing with just a single connected device - the UTM.  If it were a true bridge then no NATting would be taking place. In other words it was passing the public ip but there was still double natting going.  The gateway's IP is also the 2nd hop in any traceroute.

Quite the obscure issue to resolve.