pfSense L2TP/IPSec server and QNAP client

Hi. I’m new to this forum, but all the videos from Lawrence Systems have made me choose pfSense for my home lab.

Lately I have been trying to set up an offsite backup for my Proxmox cluster on a QNAP TS-453 8-G Pro NAS.

The situation is this:
I have a working OpenVPN tunnel, but it won’t hit more than about 3mb/s, so I have decided to go for L2TP/IPSec instead, as with that I get the full bandwidth of the internet connection at the remote site (about 11mb/s).

With L2TP I can download from the NAS at full speed with no problems, but if I upload, the connection seems to “close”. The speed goes down to 0 B/s after a few seconds, but the NAS still thinks that the connection is open and I have to manually reconnect.
I can’t find much about this behavior online. Not sure if this is a configuration, firewall or NAS issue.

Hope someone has some experience with this setup or knowledge about what’s causing this issue :slight_smile:

What do the logs on either end say?

IPSec log from pfSense:

Jul 28 23:00:53 charon 01[NET] <con-mobile|223> received packet: from 0.0.0.0[4500] to 0.0.0.0[4500] (92 bytes)
Jul 28 23:00:53 charon 01[ENC] <con-mobile|223> parsed INFORMATIONAL_V1 request 595222727 [ HASH N(DPD_ACK) ]
Jul 28 23:00:53 charon 01[IKE] <con-mobile|223> activating new tasks
Jul 28 23:00:53 charon 01[IKE] <con-mobile|223> nothing to initiate

L2TP log from pfSense:

Jul 28 22:12:12 l2tps [l2tp_b-1] IPADDR 10.0.0.254
Jul 28 22:12:12 l2tps [l2tp_b-1] COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
Jul 28 22:12:12 l2tps [l2tp_b-1] IPCP: state change Req-Sent --> Ack-Rcvd
Jul 28 22:12:12 l2tps [l2tp_l-1] LCP: rec’d Protocol Reject #2 (Opened)
Jul 28 22:12:12 l2tps [l2tp_l-1] LCP: protocol CCP was rejected
Jul 28 22:12:12 l2tps [l2tp_b-1] CCP: protocol was rejected by peer
Jul 28 22:12:12 l2tps [l2tp_b-1] CCP: state change Req-Sent --> Stopped
Jul 28 22:12:12 l2tps [l2tp_b-1] CCP: LayerFinish
Jul 28 22:12:12 l2tps [l2tp_b-1] IPCP: rec’d Configure Request #2 (Ack-Rcvd)
Jul 28 22:12:12 l2tps [l2tp_b-1] COMPPROTO VJCOMP, 16 comp. channels, allow comp-cid
Jul 28 22:12:12 l2tps [l2tp_b-1] IPADDR 10.0.0.250
Jul 28 22:12:12 l2tps [l2tp_b-1] 10.0.0.250 is OK
Jul 28 22:12:12 l2tps [l2tp_b-1] PRIDNS 192.168.1.1
Jul 28 22:12:12 l2tps [l2tp_b-1] SECDNS 8.8.8.8
Jul 28 22:12:12 l2tps [l2tp_b-1] IPCP: SendConfigAck #2
Jul 28 22:12:12 l2tps [l2tp_b-1] COMPPROTO VJCOMP, 16 comp. channels, allow comp-cid
Jul 28 22:12:12 l2tps [l2tp_b-1] IPADDR 10.0.0.250
Jul 28 22:12:12 l2tps [l2tp_b-1] PRIDNS 192.168.1.1
Jul 28 22:12:12 l2tps [l2tp_b-1] SECDNS 8.8.8.8
Jul 28 22:12:12 l2tps [l2tp_b-1] IPCP: state change Ack-Rcvd --> Opened
Jul 28 22:12:12 l2tps [l2tp_b-1] IPCP: LayerUp
Jul 28 22:12:12 l2tps [l2tp_b-1] 10.0.0.254 -> 10.0.0.250
Jul 28 22:12:12 l2tps [l2tp_b-1] IFACE: Up event
Jul 28 22:12:12 l2tps [l2tp_b-1] IFACE: Rename interface ng0 to l2tp1
Jul 28 22:12:12 l2tps [l2tp_b-1] IFACE: Add group l2tp to ng0
Jul 28 22:57:16 l2tps [l2tp_l-1] LCP: no reply to 1 echo request(s)
Jul 28 22:57:26 l2tps [l2tp_l-1] LCP: no reply to 2 echo request(s)
Jul 28 22:58:16 l2tps [l2tp_l-1] LCP: no reply to 1 echo request(s)
Jul 28 22:58:26 l2tps [l2tp_l-1] LCP: no reply to 2 echo request(s)
Jul 28 22:58:56 l2tps [l2tp_l-1] LCP: no reply to 1 echo request(s)
Jul 28 22:59:06 l2tps [l2tp_l-1] LCP: no reply to 2 echo request(s)
Jul 28 22:59:16 l2tps [l2tp_l-1] LCP: no reply to 3 echo request(s)

(My external IP addresses are replaced by 0.0.0.0)
The logs from the QNAP QVPN application don’t say anything. It seems to only log when I manually disconnect and reconnect.
I have SSH’d in to the NAS to see if I can find some better logs, but nothing is found so far.
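The two log excerpts above already answer one useful question: the IKE SA keeps answering DPD (the charon `N(DPD_ACK)` line) while the PPP link inside the L2TP tunnel stops answering LCP echoes (`no reply to N echo request(s)`) without ever logging a LayerDown. The script below is an added example, not code from the post, pfSense or QNAP. It parses the mpd5 `l2tps` lines and the strongSwan `charon` lines as posted (the pipe-delimited table formatting stripped) and reports which PPP sessions look hung while IPsec is still alive. The `IPCP: LayerDown` pattern is the assumed counterpart of the `LayerUp` line in the log; the threshold of three missed echoes is a choice made here, not an mpd5 setting.

```python
"""Spot a hung L2TP/IPsec session from pfSense log lines (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple

# syslog-style timestamp used by both l2tps (mpd5) and charon lines in the post
TS = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})"
LAYERUP_RE = re.compile(TS + r" l2tps \[(?P<name>[^\]]+)\] IPCP: LayerUp")
LAYERDOWN_RE = re.compile(TS + r" l2tps \[(?P<name>[^\]]+)\] IPCP: LayerDown")  # assumed counterpart event
ECHO_RE = re.compile(TS + r" l2tps \[(?P<name>[^\]]+)\] LCP: no reply to (?P<n>\d+) echo request\(s\)")
DPD_ACK_RE = re.compile(TS + r".*charon.*<(?P<conn>[^|>]+)\|(?P<ike>\d+)>.*N\(DPD_ACK\)")


@dataclass
class PppSession:
    up_at: Optional[str] = None
    down_at: Optional[str] = None
    echo_misses: List[Tuple[str, int]] = field(default_factory=list)

    def max_misses(self) -> int:
        return max((n for _, n in self.echo_misses), default=0)

    def is_hung(self, threshold: int = 3) -> bool:
        # A link that reported LayerUp, never LayerDown, and whose missed-echo
        # counter climbed to the threshold has a peer that went silent on PPP.
        return self.up_at is not None and self.down_at is None and self.max_misses() >= threshold


def _session_id(name: str) -> str:
    """mpd5 names the link l2tp_l-N and its bundle l2tp_b-N; key both by N."""
    return name.rsplit("-", 1)[-1]


def parse_mpd_log(lines: Iterable[str]) -> Dict[str, PppSession]:
    sessions: Dict[str, PppSession] = defaultdict(PppSession)
    for raw in lines:
        line = raw.strip()
        if m := LAYERUP_RE.match(line):
            sessions[_session_id(m["name"])].up_at = m["ts"]
        elif m := LAYERDOWN_RE.match(line):
            sessions[_session_id(m["name"])].down_at = m["ts"]
        elif m := ECHO_RE.match(line):
            sessions[_session_id(m["name"])].echo_misses.append((m["ts"], int(m["n"])))
    return dict(sessions)


def parse_dpd_acks(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (timestamp, 'conn|ike-id') for every DPD_ACK charon logged."""
    return [(m["ts"], f'{m["conn"]}|{m["ike"]}')
            for line in lines if (m := DPD_ACK_RE.search(line.strip()))]


def diagnose(mpd_lines: Iterable[str], charon_lines: Iterable[str], threshold: int = 3) -> dict:
    sessions = parse_mpd_log(mpd_lines)
    acks = parse_dpd_acks(charon_lines)
    hung = sorted(sid for sid, s in sessions.items() if s.is_hung(threshold))
    if hung and acks:
        verdict = "PPP stopped answering LCP echoes while IKE still answered DPD: inner L2TP path stalled, outer IPsec alive"
    elif hung:
        verdict = "PPP hung and no DPD_ACK seen: IPsec may be down as well"
    else:
        verdict = "no hung PPP session in this excerpt"
    return {
        "hung_sessions": hung,
        "max_echo_misses": {sid: s.max_misses() for sid, s in sessions.items()},
        "dpd_acks": len(acks),
        "last_dpd_ack": acks[-1][0] if acks else None,
        "verdict": verdict,
    }


# Sample input: the lines quoted in the post above, re-typed as plain strings.
MPD_SAMPLE = [
    "Jul 28 22:12:12 l2tps [l2tp_b-1] IPCP: LayerUp",
    "Jul 28 22:12:12 l2tps [l2tp_b-1] IFACE: Up event",
    "Jul 28 22:57:16 l2tps [l2tp_l-1] LCP: no reply to 1 echo request(s)",
    "Jul 28 22:57:26 l2tps [l2tp_l-1] LCP: no reply to 2 echo request(s)",
    "Jul 28 22:58:16 l2tps [l2tp_l-1] LCP: no reply to 1 echo request(s)",
    "Jul 28 22:58:26 l2tps [l2tp_l-1] LCP: no reply to 2 echo request(s)",
    "Jul 28 22:58:56 l2tps [l2tp_l-1] LCP: no reply to 1 echo request(s)",
    "Jul 28 22:59:06 l2tps [l2tp_l-1] LCP: no reply to 2 echo request(s)",
    "Jul 28 22:59:16 l2tps [l2tp_l-1] LCP: no reply to 3 echo request(s)",
]
CHARON_SAMPLE = [
    "Jul 28 23:00:53 charon 01[NET] <con-mobile|223> received packet: from 0.0.0.0[4500] to 0.0.0.0[4500] (92 bytes)",
    "Jul 28 23:00:53 charon 01[ENC] <con-mobile|223> parsed INFORMATIONAL_V1 request 595222727 [ HASH N(DPD_ACK) ]",
    "Jul 28 23:00:53 charon 01[IKE] <con-mobile|223> activating new tasks",
    "Jul 28 23:00:53 charon 01[IKE] <con-mobile|223> nothing to initiate",
]

if __name__ == "__main__":
    for key, value in diagnose(MPD_SAMPLE, CHARON_SAMPLE).items():
        print(f"{key}: {value}")
```

Run it against a full `/var/log/l2tps.log` and `/var/log/ipsec.log` with `diagnose(open(...), open(...))` to see whether every stall follows the same pattern: the counter resetting from 2 back to 1 in the sample means echo replies arrived late rather than not at all, which is worth watching while reproducing the upload that kills the session.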

Just a quick update.
Have set up a VM on the QNAP running pfSense, could still not establish an IPSec connection.
There is something strange with the network at my office. I think I have to go over it tomorrow.
Nice when the guy with the homelab doesn’t get to set up the office network :smiley:
From what I could see with a quick peek in the server room today, we have an ONT connected to a Cisco 800 series router connected to an ASUS router connected to a switch connected to another switch connected to a server that handles domain and DHCP. It’s router, switch and cable mania.

I have a QNAP too; they seem to have security issues from time to time. I would think twice before using the NAS as a router too. While I have tested QVPN I’m nervous about that too … but as a NAS it’s OK :slight_smile:

I agree that QVPN probably isn’t the best VPN app :slight_smile:
Got the IPSec up and running today on a pfSense VM. Seems to be a problem with L2TP/IPSec on QVPN. It handles outbound traffic well, but can’t handle inbound traffic. Also, with OpenVPN it has really bad performance, but I think that oVPN can’t use more than one core (I might be wrong). The setup now is: QNAP connected to the office network with a vSwitch on interface 1 for WAN on pfSense, LAN connected to interface 2 with a vSwitch, and for some reason I can’t reach the NFS share on the IP assigned to interface 2. So I grabbed a cable and connected interface 2 to interface 3. Then I can reach the share on the IP assigned to iface 3. To me it seems like a huge waste of CPU resources with all the virtual switching going on. I’m not sure if NICs can offload this.

Luckily we are soon changing ISP at the office, then I have a chance to put in a pfSense box with a VLAN with an IPSec gateway that I can use for my NAS. It’s best to keep my homelab backup solution isolated from the office network.
At home, however, I’m running pfSense on an overkill Dell R610 six-core 3.07 GHz 48 GB machine with a quad Intel 1G NIC and a dual 10G NIC :stuck_out_tongue:

I mostly get about 95% of the speed of my line on AirVPN, who also use oVPN, and usually also get around 95% of my upload speed on my site-to-site oVPN, so I’d say it’s working OK in my scenario.

oVPN, I’ve read, is single-core too. An idea that might squeeze more performance out of your connection if you can set up pfSense on both ends: have 3 oVPN servers at each site, then put the clients in a gateway group. This is how I have my AirVPN set up, which ought to take the connection with the lowest latency, though I have done it more for redundancy. I’m intending to set up my site-to-site connections in this way again for redundancy.

You might also want to check that you have the oVPN client packages updated.

That sounds like an interesting idea. I will look into that and see how I can make that setup work for my needs. I’m aiming for at least 200/200 Mbit, as that is the bandwidth at work.
Yesterday a QNAP firmware update was released. When I saw that QVPN was mentioned I got a slight hope for the L2TP, but the problem is still there. I have tried to tweak every parameter on the server side with the same outcome.

Cheers :smiley: