  1. #11
    Untangle Ninja sky-knight

    The encapsulated packets can be UDP or TCP, the catch is... you don't want the encapsulation to use TCP ever. You're wrapping a confirmation, with another confirmation... it doesn't end well.

    SMBv3 is another pain point, because the protocol is actually a VPN of sorts all on its own too. So performance will suck over most VPN technologies, unless specifically tuned.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  2. #12
    Untanglit

    Originally posted by sky-knight:
    The encapsulated packets can be UDP or TCP, the catch is... you don't want the encapsulation to use TCP ever. You're wrapping a confirmation, with another confirmation... it doesn't end well.

    SMBv3 is another pain point, because the protocol is actually a VPN of sorts all on its own too. So performance will suck over most VPN technologies, unless specifically tuned.

    I can't get OpenVPN to outperform IPSec; I tried several config tweaks, to no avail. Do you have any beneficial config tweaks that might be worth trying?

  3. #13
    Untangle Ninja sky-knight

    Well, you could start with pinging at various sizes. Latency is a massive problem with SMB, and one of the primary reasons it lags is fragmentation. The header sizes between the two encapsulations are different, and I can't for the life of me figure out why the larger IPSec frame wouldn't fragment while the OpenVPN one would. OK well I can think of a few things, but this is all ISP based, and not much you can do about it, but you can close the gap a bit by using smaller MTUs in some cases.

    Untangle does both simply because there are situations wherein one just works better than the other due to conditions outside of your control.

    And again, SMBv3 has certificate-based machine auth, so it's actually designed to be run straight over the internet without any VPN. Something most ISPs actively prevent for some very large past reasons. So it's a particularly ugly thing to deal with in this age of VPN but not.
    Last edited by sky-knight; 05-14-2020 at 08:18 AM.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
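
Added example, not part of the thread: one way to do the "pinging at various sizes" check from post #13, binary-searching the largest ICMP payload that passes with Don't Fragment set so the two tunnels can be compared. It assumes Linux iputils `ping` (`-M do`); `TARGET`, `probe_ping`, `probe_sim` and `SIM_LIMIT` are names introduced here, and the simulated probe is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example: find the largest ICMP payload that crosses a path unfragmented.
# Assumption: Linux iputils ping, where "-M do" sets the Don't Fragment bit.

# Placeholder address (TEST-NET-1); set TARGET to a host on the far side of the tunnel.
TARGET="${TARGET:-192.0.2.1}"

# Real probe: one DF-set echo request carrying $1 bytes of payload.
probe_ping() {
    ping -M do -c 1 -W 1 -s "$1" "$TARGET" >/dev/null 2>&1
}

# Constructed stand-in for offline runs: behaves like a path whose
# largest unfragmented payload is SIM_LIMIT bytes.
SIM_LIMIT=1372
probe_sim() {
    [ "$1" -le "$SIM_LIMIT" ]
}

# find_max_payload PROBE LO HI
# Binary search for the largest size in [LO, HI] that PROBE accepts.
# Prints that size; returns 1 if even LO fails (path down or LO too large).
find_max_payload() {
    probe=$1; lo=$2; hi=$3
    "$probe" "$lo" || return 1
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( ($lo + $hi + 1) / 2 ))
        if "$probe" "$mid"; then
            lo=$mid
        else
            hi=$(( $mid - 1 ))
        fi
    done
    echo "$lo"
}

# Usable path MTU = payload + 8 (ICMP header) + 20 (IPv4 header, no options).
payload_to_mtu() {
    echo $(( $1 + 28 ))
}

# Usage: run once with each tunnel up and compare the two results.
#   max=$(find_max_payload probe_ping 500 1472) && payload_to_mtu "$max"
```

A noticeably lower result over one tunnel than the other shows where larger SMB packets will start fragmenting, and gives a starting value for the smaller MTU mentioned in the post.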
