Network overhead when using a sys-firewall between AppVM and vpn qube

solene · November 7, 2023, 9:00am

Hi,

Disclaimer: this is a rather technical topic network related.

I’ve been using a netvm for a wireguard VPN for a while, it’s working fine, now I wanted to add a firewall qube between the qubes and the vpn qube, but this drastically reduce the available bandwidth over the VPN.

I have a slow ADSL connection with a maximum upload of 100 kB/s, when using the VPN directly, I can fill the download bandwidth without reaching my upload limit.

When adding a qube firewall, it almost double the bandwidth used for uploading packets (like if it added fragmentation maybe?) and so it reduces my download bandwidth as it’s capped by the upload…

Some metrics

Download speed over the VPN : solid 1 MB/s results in a physical interface upload of 43 kB/s
Download speed over the VPN with extra firewall : barely 1 MB/s results in a physical interface upload of 100 kB/s

Not sure if it’s clear?

apparatus · November 7, 2023, 11:35am

You can try to check the traffic with wireshark.

palainp · November 7, 2023, 11:54am

Could it be that a header somewhere is causing the mtu to be overhelmed after the vpn? (and leads to flow fragmentation).

apparatus · November 7, 2023, 11:59am

It could be possible if sys-firewall is blocking ICMP.

solene · November 7, 2023, 4:31pm

I didn’t had any special rules, I just created a disposable qube with netvm enabled, and put it between the vpn and the qube using the vpn

solene · November 7, 2023, 4:31pm

yeah, I’ll have to do that at least to check for fragmentation