VPN issues with Virgin Hub 3

Hi all,

I am having issues whilst connected to my work's VPN whilst working at home. The connection is absolutely fine until I connect, then it drops from 80/90megs to about 15megs.

Then I open a program called MiCollab used to take calls for the job and it drops to something like 3megs! This is before any calls are even answered etc.

I've tried everything from moving the Virgin router closer to my room slightly, resetting it etc and nothing seems to work.

Would buying a router help? Seen a couple people online say that could help a bit. (Looked at a TP Link Archer C7.)

The VPN I used is called FortiClient.

Thanks all!
 
Sounds like you're connected via wifi? Can you connect it with a cable for testing?
 
I have been WFH for over a year now (started in Feb 2020).

I have not had any issues either wired or wireless to the Super Hub and using my work's VPN (Cisco) and Web based phone system. (work's laptop)

Is it possible to move the laptop or desktop PC nearer to the hub to connect via a cable for testing? I know this can be a pain if a desktop PC but would be good to know if you have the same issues with a cable to wifi.

Another option is to get some Powerline adaptors. I have these in my son's room as his PC is 3 rooms over and quite far from the super hub, so these save me running cables.

His PC can still get the max download speed of 110mb and upload speed of 10mb, his are similar to these https://www.overclockers.co.uk/tp-l...line-starter-kit-tl-pa7017-kit-nw-21y-tp.html but his are the 500mb version and not the 1GB in the link so the price is cheaper.

He can quite happily play games online, watch YT and do everything as if he had a direct network connection to the super hub

If you wish to compare any super hub settings let me know and I'll have a look, but to be honest mine are all default and not changed a single setting apart from the password to log in to it
 
Two things to consider:

Run a cable from the router to the PC short term to test, if that’s not possible then move the PC short term next to the router and plug in. Doing this will eliminate WiFi as a variable.

Next up, is the VPN using UDP or TCP? VM has an issue with UDP traffic, it can cause issues such as significant and obvious slowdown. If your VPN supports it, TCP would at least allow you to identify if it’s a VM issue.

Other considerations to clarify are the spec of the PC, if it’s doing encryption in software etc. Depending on the spec it may struggle if it lacks the capabilities to do it in hardware. Having a look at CPU activity is probably a good place to start. Also remember that your VPN connection will only be as fast as the slowest link; if that’s your work’s uplink and for example it’s on 80/20 FTTC, you will never see more than 20Mbit down even if you are on 10Gb at your end.
 
So your Internet connection is 80/90mb but, when you connect to the work VPN, your general Internet traffic speed drops to 15mb?

If so then it sounds like the 15mb is the limit of the VPN connection, either due to encryption overheads or bandwidth limits and the Fortinet client is configured to route all traffic over the VPN, so all your 'other' traffic is actually going via the VPN too and thus limited to the 15mb speed.
 
I'm no expert but if he can't use a long cable would those powerline adapters work?
I've never used them so don't know.
They use the wires in the wall to connect over the rooms.

You plug one into a wall socket by the computer which allows you to connect a network cable to and then you plug the other in by the router and run another network cable from the router to it.

Once done it uses the wiring in the walls to connect the computer to the router so they are handy to use
 
I know how they work, are they just as good as a long cable?
 
I know how they work, are they just as good as a long cable?
The ones I have for my son's PC work fine, No disconnects, slowness or any other issues.

I can access his PC and send over files over the network if needed and he gets the same speeds as my PC which is right next to the super hub.

I guess for me I only have a 100mb VM connection so him connecting to the network at 500mb instead of 1gb does not really matter, unsure how well with people using 1gb or 500mb broadband will find these
 
I know how they work, are they just as good as a long cable?

No. Even a lowly copper 5e cable will do 10Gb over typical domestic install lengths. Powerline isn’t a great technology: using the AV600 rated stuff as an example, it implies 600Mbit, in reality only manages 300 each way (and in marketing speak 300+300 is 600) and then they cripple the adapters with a 100Mbit capable bridge chipset, meaning the absolute maximum you could ever see is 100Mbit (or 200Mbit in Powerline marketing speak). Powerline is for temporary installs or where it really isn’t possible to run a cable for safety reasons and you just need something to do the job.
 
Ta
So no use to the OP then.
 
Never had any issues using powerline adapters as a permanent solution.

Maybe this is because my broadband speed is only 100mb (get 110mbps down and 10mbps up on speed tests) so nowhere near to maxing out the adapters.

I have used them on my laptop before when having to work in another room where I have no network cables run and again had no issues there either, but guess a lot of this depends on the quality of the cables this uses as mine were all replaced before I moved in (this was 12 years ago tho!)
 
It is a good idea to try it wired but if it is fine as is without VPN enabled and slow with it then I don't personally think you'll find it makes a difference.

Assuming the VPN client is on the machine that suddenly goes slow then I would suspect:
  1. As mentioned, work is throttling the VPN connection inbound. I doubt you have a split VPN tunnel or anything with it, so since all your traffic is now being routed via the work's VPN, that limit they set applies to everything you do while connected. To see if this has any merit, can you check, say with a phone next to your router, if that still gets full speed while your PC is chugging along at a slow 15Mbps connected to the VPN? You could ask your IT department if there's some sort of throttle in place.
  2. This I would think is quite unlikely but your PC has to do the encryption/decryption if that is where the client is. Maybe the CPU can't cope, which would slow it down. What's your CPU usage like when connected with the VPN? and does it go even higher when the MiCollab application is running too?
And as I write this I notice @Avalon has suggested the same which I didn't read plus another good point. Check what he said :)
 
My experience with Virgin has been awful using it with a vpn until I enforced tcp over port 443. It seems that they are nerfing vpn and doing some sort of inspection. I'm on the 00mbps service and work is on a 100/100. I tested out of sheer frustration all the settings I could, now I'm getting 70-80mbps speedtests which is great. Previously I was getting 12mbps at best, sometimes less. There are a few recent threads on their forums for this very thing.
 
VM has a known UDP traffic issue and using TCP avoids it for a minimal hit in performance. I agree you shouldn't have to, and progress on a fix is bordering on glacial, but it's mentioned often enough in the kind of threads you describe, or any thread where people use lots of UDP traffic and complain of slowdowns.
 
I keep seeing this mentioned, but I've never experienced it personally (WireGuard is UDP as you know). Do you have any suggested reading material, or a pointer on what the fault/issue is so I can look it up myself?

Edit: Interesting. If I do an iperf3 I get ~890Mbps on VPN and ~940Mbps without VPN. Bear in mind the VPN is UDP encapsulated. If I add the -u switch to iperf3, for a UDP test, it instantly tanks to a solid 10.5 Mbps. On or off VPN. Is this the issue you were talking about? I've tried to Linux and BSD hosts, and same deal - on or off VPN. Given that WG is UDP I wouldn't have expected the encapsulated traffic to make a difference, since it's already inside a UDP stream.
 
https://community.virginmedia.com/t5/Speed/UDP-issues-on-SuperHub3-collective-thread/td-p/4382720

That was the first time I spotted a mention of it back when I was waiting for my install post move. I really didn't notice anything initially, however I got a new Ventoy drive a while back, so grabbed a bunch of ISOs. Grabbing the first one, I limited the traffic to 10/0.5 which on M500 should be fine. About 60 seconds later things started to buffer. I checked the client limiter and it was working as confirmed locally and at the router level. Pause downloads and it's all good, so I thought it may be a tunnel bandwidth issue and pushed my torrent traffic to another provider with the same issue. I then pulled the tunnels and ran naked (stop it...), same issue. It was only when I remembered I had read the post above that I figured I'd try TCP, and it worked. Being objective, I haven't technically *proved* anything at this stage, but anecdotal evidence suggests TCP is fine and UDP isn't. Ideally I'd switch back to the SH3 in router mode and test with that rather than in modem mode with my own hardware (especially as it's still using Realtek NICs), or swap out my router set-up, but said hardware has hit line speed consistently without issue without encryption and near line speed with it since install.
 
We (work) haven't seen any problems like this with VM. We're not running Fortinet.

The one problem we have seen numerous times is an advertising facility for mistyped web addresses which hijacks DNS on the router, which breaks our VPN from resolving some domain names. Some third party service called Barefruit.
 
Interesting. I tried the 'replication steps' in the thread (pinging the router while flooding UDP DNS requests) and it doesn't break for me. No issues. As I said WG is UDP anyway and that's full speed without adding more UDP via iperf3; albeit I'd be curious as to why the speed is so specifically capped at 10.5 Mbps using a secondary layer of UDP traffic. Since WG is already UDP it clearly isn't related to the apparent VM 'issue' (whatever it is). I wonder if it's an iperf3 bug, or something else? I'm going to ask Jason Donenfeld and maybe the STH forum and see if anyone has any ideas.

Edit: Never mind @Avalon ... On further reading, over UDP in iperf3 the -u option has a default connection test throughput/speed of 1Mbps per connection. Hence -P 10 gives 10Mbps as a result, which is what I saw.

Changing the options to -b 1000M gave full speed even over UDP, even while connected over VPN. Local host is Fedora 34 pre-release, remote host was CentOS 8 this time (I just click whichever, I've tested on every Linux and BSD DigitalOcean offer today lol):

Code:
# iperf3 -c 139.xxx.xxx.xxx -P 10 -4 -R -V -O 3 -Z -b 1000M -u
iperf 3.9
Linux My-PC 5.11.7-300.fc34.x86_64 #1 SMP Wed Mar 17 18:43:52 UTC 2021 x86_64
Control connection MSS 1368
Setting UDP block size to 1368
Time: Mon, 22 Mar 2021 20:44:15 GMT
Connecting to host 139.xxx.xxx.xxx, port 5201
Reverse mode, remote host 139.xxx.xxx.xxx is sending
      Cookie: xxxxxxxxxxxxxxxxxxxxxxxxx
      Target Bitrate: 1000000000
...
Test Complete. Summary Results:
...
[SUM]   0.00-10.02  sec  2.67 GBytes  2.29 Gbits/sec  0.000 ms  0/2105350 (0%)  sender
[SUM]   0.00-10.00  sec  1.06 GBytes   907 Mbits/sec  0.070 ms  1262124/2090441 (60%)  receiver

As you were... :o
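
Added example, not part of the thread or written by any poster: a small Python check that reads iperf3 UDP summary lines and tells apart a result that only reflects the requested bitrate (the 10.5 Mbps case above) from one where datagrams were actually dropped. The function names and the second sample are constructed for illustration.

```python
import re

# Matches an iperf3 UDP "[SUM]" line: bitrate, lost/total datagrams, and role.
SUM_RE = re.compile(
    r"\[SUM\]\s+[\d.]+-[\d.]+\s+sec\s+[\d.]+\s+\w+\s+"
    r"([\d.]+)\s+([KMG]?)bits/sec\s+[\d.]+\s+ms\s+"
    r"(\d+)/(\d+)\s+\(\S+\)\s+(sender|receiver)"
)
UNIT = {"": 1, "K": 1e3, "M": 1e6, "G": 1e9}
DEFAULT_UDP_BPS = 1_000_000  # iperf3 UDP target per stream when -b is not given

# Summary lines quoted in the thread (run with -P 10 -b 1000M -u).
THREAD_RUN = """\
[SUM]   0.00-10.02  sec  2.67 GBytes  2.29 Gbits/sec  0.000 ms  0/2105350 (0%)  sender
[SUM]   0.00-10.00  sec  1.06 GBytes   907 Mbits/sec  0.070 ms  1262124/2090441 (60%)  receiver
"""
# Constructed sample for the earlier -P 10 -u run without -b (only 10.5 Mbps is from the thread).
DEFAULT_RUN = """\
[SUM]   0.00-10.00  sec  12.5 MBytes  10.5 Mbits/sec  0.000 ms  0/9590 (0%)  sender
[SUM]   0.00-10.00  sec  12.5 MBytes  10.5 Mbits/sec  0.050 ms  0/9590 (0%)  receiver
"""


def parse_summary(text):
    """Return {'sender': {...}, 'receiver': {...}} from iperf3 UDP [SUM] lines."""
    out = {}
    for rate, unit, lost, total, role in SUM_RE.findall(text):
        lost, total = int(lost), int(total)
        out[role] = {
            "bps": float(rate) * UNIT[unit],
            "lost": lost,
            "total": total,
            "loss_pct": 100.0 * lost / total if total else 0.0,
        }
    return out


def diagnose(summary, streams, target_bps=DEFAULT_UDP_BPS):
    """Say whether a UDP result reflects the requested rate or the path."""
    rx = summary["receiver"]
    offered = streams * target_bps  # -b applies to each of the -P streams
    if rx["loss_pct"] < 1.0 and rx["bps"] <= offered * 1.1:
        return "rate-capped"   # the figure is just -b (or its default) times -P
    return "path-limited"      # datagrams were dropped, so the path or host is the ceiling


if __name__ == "__main__":
    print(diagnose(parse_summary(DEFAULT_RUN), streams=10))
    print(diagnose(parse_summary(THREAD_RUN), streams=10, target_bps=1_000_000_000))
```

A "rate-capped" verdict means the test says nothing about the ISP or the VPN until it is rerun with a higher -b.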
 