Sky FTTP VPN Issues

[andy_mk3]

I've got Sky FTTP 500Mbit, my setup is with pfSense, running NordVPN on a separate vlan for downloading purposes.

I'm having an issue where if I download large files (20-30GB+), that the download speed through the VPN will plummet and eventually stop. The VPN interface goes down with 100% packet loss. That in itself isn't the end of the world, but it also seems to bring down DNS for anything not on the VPN vlan, so the rest of the house loses internet for 5-20 minutes until it sorts itself out. Rebooting pfSense and/or the ONT rarely fixes anything, it just has to be left to come back to life. While it's not working, my WAN link is still up, some websites will still load and Whatsapp/Discord usually still work, other sites will just not respond at all.

I think I have exhausted every avenue trying to fix this now. I have switched from OpenVPN to Wireguard, exactly the same. Tried PIA as well as NordVPN, both the same. Tried different DNS servers, fresh install of pfSense as well as OPNsense. Tried a different hypervisor for the system, different network configs, firewall rules. Absolutely nothing changes how it behaves. If I download without the VPN, I can download 100's GBs without a hitch, so it's definitely down to the VPN connection.

Today I have plugged the Sky Hub back in, ethernet cable to a Windows PC. Installed the NordVPN app, and downloaded a large file over usenet, and exactly the same happens again. So at this point I can rule out pretty much everything in my network I think.

Done plenty of searching online, I found the Sky Guard was enabled on my account which was causing these kind of issues for many people, so with that I thought I'd cracked it. But with that disabled, it's still exactly the same. There are a few posts with people having issues with VPNs on Sky. I actually seem to remember I had an almost identical issue with Sky at a previous address on FTTC. So at this point I'm led to think that Sky are traffic shaping the VPN connections.

Has anyone else had issues like this? Or have you any further suggestions as I am at a loss at this point really.

Spoiler: Pics

So this is while downloading, no issues at all


Then suddenly the download speed drops like a stone, with small bursts of activity and high packetloss, which eventually leads to 100% packetloss and no connectivity. The VPN will not reconnect at this point.

 

[teaboy5]

Work in IT, and I would users who report issues with random VPN's drop and at time not working at all a lot of seem to be on sky. As bad as 6 out of 10 calls for example.

 

[the-evaluator]

Work in IT, and I would users who report issues with random VPN's drop and at time not working at all a lot of seem to be on sky. As bad as 6 out of 10 calls for example.

Ditto. Looking back at our ticketing system over the last 3 months all the reports of VPN issues (we're using Palo Alto Global Protect, so SSL) from UK users were using Sky. 100% of them.

Usual symptoms are that the connection drops whilst in use and they can't reconnect.

We tell people at that point to tether to their phones. It doesn't directly solve the original issue but I'm not taking responsibility for someone making a poor choice in their ISP.

 

[ChrisD.]

Interesting. I wasn’t aware Sky behaved like this. It could also be an issue they have without realising.

 

[Yaayuh!]

I'm on Sky (FTTC, mind) and haven't had any issues with multiple VPNs and the only VPN issues reported at work are due to them being connected to Sky's utterly **** Sky Q mesh.

Therefore it surprises me you're having issues @andy_mk3 . Maybe worth getting onto them and explaining that you're having issues with it and it's required for work purposes.

 

[ChrisD.]

Therefore it surprises me you're having issues @ChrisD. Maybe worth getting onto them and explaining that you're having issues with it and it's required for work purposes.

I'm not having issues, but I'm not with Sky.

 

[Yaayuh!]

I'm not having issues, but I'm not with Sky.

Sorry, quoted/tagged wrong person!

 

[Caged]

It would be nice to get a traceroute to the VPN server endpoint when the problem comes up again.

 

[Steveocee]

Are you doing DoH or DoT? SKY may be seeing the spike in encrypted traffic and managing it on your connection, if you are doing encrypted DNS then this could affect that also and would explain why it hits the entire house.

 

[andy_mk3]

Work in IT, and I would users who report issues with random VPN's drop and at time not working at all a lot of seem to be on sky. As bad as 6 out of 10 calls for example.

Yes a lot of the issues I can find on Sky forums seem to be relating to VPN issues related to WFH. The thing is, my VPN can stay connected for weeks with no issues, I can use it without a problem until I start downloading large files it all goes to ****.

Interesting. I wasn’t aware Sky behaved like this. It could also be an issue they have without realising.

It's possible an issue yes, I will try and raise it with them.

I'm on Sky (FTTC, mind) and haven't had any issues with multiple VPNs and the only VPN issues reported at work are due to them being connected to Sky's utterly **** Sky Q mesh.

Therefore it surprises me you're having issues @andy_mk3 . Maybe worth getting onto them and explaining that you're having issues with it and it's required for work purposes.

Yeah as above I'm going to try and raise it with them and see what they say.

It would be nice to get a traceroute to the VPN server endpoint when the problem comes up again.

I will have a go next time it happens. Although I am trying to avoid it as it's very annoying

Are you doing DoH or DoT? SKY may be seeing the spike in encrypted traffic and managing it on your connection, if you are doing encrypted DNS then this could affect that also and would explain why it hits the entire house.

I'm not currently using either DoH or DoT. It's possible they are seeing the encrypted traffic though. Something else I have just tried is setting up a cheap VPS with a Wireguard server, connecting pfSense to that and using that as my VPN. Exact same issue, after downloading 30GB+ then the speed starts to tank, then both NordVPN and my VPS VPN show as offline. So it's not like they're even targetting known VPN hosts.

 

[Steveocee]

Exact same issue, after downloading 30GB+ then the speed starts to tank, then both NordVPN and my VPS VPN show as offline. So it's not like they're even targetting known VPN hosts.

May be a daft question and apologies if you've already answered. What happens if you download +30GB outside of a VPN? Smash a couple of steam games going, does it tank then?

 

[Caged]

If Sky are really doing something as daft as deciding anytime that large amounts of data move over an SSL VPN that it must be dodgy, after the last two years, then someone needs a good shake.

 

[andy_mk3]

May be a daft question and apologies if you've already answered. What happens if you download +30GB outside of a VPN? Smash a couple of steam games going, does it tank then?

Yep, VPN off can download a 100GB file full speed without a hutch, using the same download program.

If Sky are really doing something as daft as deciding anytime that large amounts of data move over an SSL VPN that it must be dodgy, after the last two years, then someone needs a good shake.

It does seem odd doesn't it? I don't think it'd really be their interest to look out for these things and throttle it. Makes me wonder is something is broken in their routing or something odd.

 

[Lmg80]

Yep, VPN off can download a 100GB file full speed without a hutch, using the same download program.



It does seem odd doesn't it? I don't think it'd really be their interest to look out for these things and throttle it. Makes me wonder is something is broken in their routing or something odd.

What's the issue then - assume Sky are putting two and two together and assuming you're pirating?

But yeah, poor show on their part but they are just balancing the service across other users

 

[Caged]

If the network is built to assume that moving large amounts of data inside a VPN tunnel is piracy then Sky need to advertise up-front that their service is not suitable for home workers.

 

[ChrisD.]

It's more likely that they have some kind of internal fault or issue, and due to the way that the majority of ISPs treat most issues as the customers fault and never their own, it probably hasn't been flagged up to the right people yet.

 

[Liquidfox]

Disabling IPv6 on your NIC fixes most VPN issues with Sky connections I've found.

 

[andy_mk3]

Disabling IPv6 on your NIC fixes most VPN issues with Sky connections I've found.

Just on the LAN side? I'm using IPV6 PD for WAN.

 

[Liquidfox]

Just on the LAN side? I'm using IPV6 PD for WAN.

Yeah, just on your local adapter. I haven't touched any of the router settings.

 

[andy_mk3]

Yeah, just on your local adapter. I haven't touched any of the router settings.

Disabling IPv6 did nothing sadly. Downloaded ~30GB and it did the usual. I've had no internet for over 15 minutes now! Super frustrating.

I have found another issue too. Last night I set up my backups to a new location which meant a full upload was done. During this time I had a huge amount of packet loss. My wife said the internet wasn't working this morning when she got up.

This is getting super frustrating.