Hot Topics:


OT: Site to site IPSEC VPN speed question

From: mdquerng 
Hi all

Short question: Can anyone tell me if a site to site VPN tunnel (IPSEC in
this case) is limited in both the upstream and downstream bandwidth by the
slowest bandwidth (usually upstream) of the slowest endpoint.

Much longer explanation: I have a customer in Chattanooga that has EPB's 100
Professional service (100 down/100 up, SLA, etc.). They have a branch office
that has Comcast Business (asymmetric) service and another one that has
Charter Business (asymmetric) service (I know). I have created site to site
static VPN connections from the branch offices to the Chattanooga office
using Cisco ASA-5505 devices at each location.

The bandwidth requirements over the VPN are extreme for this particular
client. Basic internet speed testing from all the branches establishes the
following rough internet connection speeds:

Chattanooga office: (EPB speed test) 94 down/85 up
Branch office 1: (Comcast Business speed test) 91 down/11 up
Branch office 2: (Charter Business speed test) 83 down/7 up

When I do an iperf speed test across the VPN tunnel where the Chattanooga
office is the iperf server and each branch office is the client, I get the
following results:

Branch office 1: (iperf to Chattanooga) 10 down/10 up
Branch office 2: (iperf to Chattanooga) 6 down/6 up

I have never really thought about this before since my client's VPN speed
requirements have been very modest to this point. It appears that the speeds
I'm measuring over the tunnel with iperf at each branch office almost
exactly match the limited upload bandwidth at the respective branch. This
leads me to believe that IPSEC VPN tunnel bandwidth must need to be

I understand that IPSEC will certainly require some overhead on the
bandwidth available and I've also looked into tweaking TCP MTU/MSS settings,
possible interface issues, etc. However, it seems very odd to me that the up
and down bandwidth through the VPN tunnel at each branch almost exactly
matches the maximum available upload bandwidth of that branch's ISP. I've
gone so far as to test this theory with another client that has fast
symmetric bandwidth at their main office and slower asymmetric bandwidth at
their branch office and I get identical results.

Before I move forward with further troubleshooting, opening a TAC case,
investigating other/better ISP options, I thought I'd ask the Chugalug
collective brain on this one. Thoughts?


View this message in context:
Sent from the Chugalug mailing list archive at

EPB Gigabit

From: asg 
Yesterday, I upgraded my EPB account to 1Gbps instead of 100Mbps. EPB =
made the changes on their end and said they wouldn=E2=80=99t take effect =
until midnight. This morning I=E2=80=99m still running at 100Mbps. The =
tech person at EPB says the equipment is provisioned properly but that =
it is auto negotiating a 100M link with my router. I have a Ubiquiti =
EdgeRouter Lite so I know it is capable of 1Gbps. I plugged my laptop =
directly into the EPB jack in my house and the laptop negotiated a 100M =
connection as well. When I plug my laptop into my gigabit switch, it =
negotiates a 1Gbps connection. Any other things I should try before =
calling EPB back?

Stephen Haywood
Owner: ASG Consulting

Ubiquiti Networks EdgeRouter ERPOE-5

From: Eric Wolf 
Summary: The EdgeRouter is a great device. It's a true router. The web
interface leaves a lot to be desired but it can be configured at the CLI.
Don't bother with the ERPOE-5 and just get the 3-port EdgeRouter Lite. Use
the savings to buy a proper POE switch.

Folks asked about this and it seems relevant with EPB trying to push 10Gbe

A couple weeks ago, I got fiber to my house via my municipal utility. The
local utility built the network in 1997 but a state level law passed at the
urging of Comcast and Qwest (our Baby Bell, now part of CenturyLink)
prevented the city from selling internet access to customers. A local
referendum in 2012 changed this and the city has been rolling out fiber to
the home as fast as possible.

My service is 1Gbps-symmetric. I spoke with the installers and the city ran
10GB to each distribution node which serves a maximum of 8 households. So I
don't have to worry about noisy neighbors, at least in the bandwidth

Once I unplugged my DSL modem from my NetGear R6200 router and plugged in
the ONT, I was disappointed to see a maximum of about 320Mbps. Then I
plugged my laptop directly into the ONT, I got right around 930Mbps.
Evidently the problem is the NetGear R6200 can't process NAT fast enough
for a 1Gbps connection. A little Googling returned that there are two
integrated WIFI routers like the R6200 that can handle the bandwidth.

I also read about the Ubiquiti EdgeRouter Lite, which is a dedicated router
that can also handle the bandwidth. Being a geek, I ordered the 5-port
version of the EdgeRouter for $170 from Amazon. I splurged for next-day
delivery. The router itself is the size of a small switch. It has a nice
metal case and a detached power brick, not a wall-wart. The power brick has
a three-prong connector so it really feels like a serious piece of gear.

First, I upgraded the firmware on the EdgeRouter. This was fairly painless.
I had to download the binary to my desktop and then upload it via the web
interface. I wish it just had a "check for updates" button in the web
interface but that's something they can add later on.

I use static IPs for a lot of my network to help avoid conflicts with my
work network when I use the VPN. So I started by putting the NetGear (still
plugged into CenturyLink DSL) on a different subnet and configuring the
EdgeRouter for my static network.

Configuring the EdgeRouter is not at all like the NetGear or any other
consumer-oriented router. Each port on the EdgeRouter is individually
configurable. Typically port 1 would be the WAN port. I plugged this into
the ONT and set it up to grab a DHCP address. You can also designate up to
three of the ports as a switch and configure routing for a switch as a
group. You then have to write enable masquerading to get the switch to
route through the WAN port. Once that's done, you can start writing
firewall rules for each port (or the switch group). The web interface gets
clunkier and clunkier the deeper you get into configuration. I was lazy and
ended up deleting my firewall settings because I thought they were
conflicting with my new Ooma VOIP device.

I set my NetGear R6200 in AP mode and plugged it into one of the switch
ports. That will suffice until I start getting devices that want more than
802.11ac. I don't have any POE devices but I've read that the EdgeRouter
doesn't provide a standard POE voltage. UBNT makes a nice line of APs that
use their POE voltage. Once my wifi needs iterate again, I will add the
UBNT devices.

I had to rearrange my office network some. I put the NetGear in a more
central location in the house and moved my 5-port Gig-E switch closer to
the router. That last step would not have been necessary if I could have
configured the fourth port to be part of the switch group in the router. So
far there has been zero advantage to getting the 5-port EdgeRouter over the

I haven't really worked with the CLI yet. But it's a Linux box underneath.
It's pretty straightforward. But I haven't done routing and firewalls at
the CLI in 15+ years. There are wizards in the Web UI but they assume a
particular subnet and I didn't want to have to renumber all my static

Speedwise, the EdgeRouter has kept up with everything I can throw at it.
See the before/after results from Ookla on my Amazon review:

EPB Announcement (Conference, 2PM)

From: John Dills 
EPB is holding a conference at 2PM today to make an announcement. You can
watch here:

John Dills

EPB introduces CGNAT on Residential Circuits

From: Dave Brockman 
Hash: SHA1

Just curious if anyone else received the CGNAT upgrade from EPB last
night?  If your "WAN" IP is between -, you
are now behind CGNAT.  Checking your outside IP from or
similar should give you a different IP address, the range mentioned
above is not globally routed (think RFC1918, like 192.168.X.X).
  I suspect the NAT portion wasn't working correctly first thing this
morning, but even after they restored "Internet" connectivity to my
circuit, I could not complete IPSEC tunnels across the CGNAT.  Debug
logs show the initial ISAKMP packets are correct (the Tunnel-Group Name
and Secret are successfully exchanged), but subsequent ISAKMP packets
appeared to be manged by the state/NAT machine (ISAKMP proposals were
stripped from ISAKMP packets beyond the initial exchange, although the
modified packets did reach both ends).  Very strange behavior indeed.
  To be fair, EPB did put me back on a real IP address upon request.
But I really wish they had applied the effort and expense spent upon
CGNAT deployment on IPv6 deployment.  I hope this current round of
short-sightedness from whoever dictates what they will sell to whom for
how many donuts has not spread to the people who design the network and
plan its future expansion.  100Mb/s or 1000Mb/s just makes CGNAT suck
harder and faster, not any less.


Version: GnuPG v2


Fiber SPs

From: David Rucker 
I am unfortunately not in an area for EPB service. I am moving to a new
home that is in the service for Ringgold Telephone Company (RTC) which is
within their fiber footprint. Does anyone have any experience with them?

David R.

IPv6 EPB from EPB

From: Mike Harrison 
=46rom a good technical source inside EPB when asked about IPv6:

"Yes but it's on specific nodes. We are still installing equipment in =
the network. Users have to request a conversion as well.=E2=80=9D

So in some places, it=E2=80=99s possible, it will be probably eventually =
be everywhere.


> On Sep 11, 2015, at 10:12 AM, David White  =
> I just spoke with someone at EPB Support (who happens to be someone =
> worked with in person in the past and I can confirm he knows his stuff
> fairly well), and he told me that this is still just a rumor. They =
> been told anything yet, and he said they must still be working on
> deployment.
> As for the tunnel, yes, I'm aware of that. But per Ben's comment, it =
> be really nice to have something natively.
> On Fri, Sep 11, 2015 at 9:33 AM, Benjamin Stewart =
> wrote:
>> As I recall, the fun thing about tunnels was that, by design, =
>> prefers IPv6 over IPv4, if both are available. My tunnel provider did =
>> provide a tunnel that was anywhere close to as fast as EPB, meaning =
it was
>> good for testing, and then I turned it off.
>> On Thu, Sep 10, 2015 at 10:10 PM, Dave Brockman 
>> wrote:
>>> Hash: SHA1
>>> On 9/10/2015 9:13 PM, David White wrote:
>>>> Would it work if I only have a dynamic connection? I don't have a =
>>> ic
>>>> but would love to have IPv6 for testing purposes...
>>> You can turn up a tunnel and test several years ago (free).  Pretty =
>>> you can configure it with a dynamic connection, just you'll =
>>> have to edit things on the far end when your IP changes.
>>> Regards,
>>> dtb
>>> Version: GnuPG v2
>>> iQEcBAEBAgAGBQJV8jgfAAoJEMP+wtEOVbcd/zMH/1fvbWKc3i7GMJzs6ToiAy2s
>>> liM2g9PHxji+IDE6XWnCY+6WM4X3sx40nYXYwLSyjzmoD/SZbMH0XgHfxnzh5nmW
>>> hrcyQcTeOxrhju9+jQ0BKDzNXeYgZThdjtDp4b63IErV5e9sZnalCoL3wZhiNJqv
>>> gF9tpLeHV+9OeF4VDF95v/fUcXGdxqhnGjCvKpmczo79aK2FAnTNak9ISa9xb+sd
>>> uvLfoY91CDHUImiu5xKfoVZBYevpGjnj3ZZ8JC61Lw0f/tGJr/Jd6rLXFwXIQcEn
>>> XSjKxI7hHPMdpooZqwaMQ/p1HHm2EJtndGMj/pH4AcKk4TyFXVgGOnUwvjpcbvA=3D
>>> =3DsnYA
>>> -----END PGP SIGNATURE-----


From: "Daniel L. Appleget" 
COO of EPB (David Wade) just told me that IPv6 was tested and ready and 
could be enabled by request.

(Prepare your firewalls.)

Daniel Appleget
Chattanooga Computer Service

Tu ne cede malis, sed contra audentior ito

This email has been checked for viruses by Avast antivirus software.

What to do with a Gig?

From: Eric Wolf 
More bandwidth! Yeah!

I just scheduled my installation of NextLight internet service. NextLight
is my local public utility's fiber network. I believe it is the second such
network in the country, following in the footsteps of the EPB. Unlike EPB's
service, NextLight is offering people who sign up right away a full gigabit
synchronous for $50/month.

I wonder, what do you guys on EPB's network do online now that you didn't
do before?

Is it just the same thing, only faster?

Can I upload my consciousness to the 'net?

Off the top of my head, two things I will start doing right away are:

1. Run my own Usenet index service (newznab).
2. Start using an online backup system (crashplan).


Eric B. Wolf                           720-334-7734

Is EPB having uplink packet loss today?

From: Jason Brown 
Is EPB having a ton of packet loss today? I'm seeing up to 75% for anything
going outside the EPB network.

Anyone else having similar difficulty?

Chrome and zimbra glitch

From: Rod-Lists 
EPB webmail system is glitching under chrome.
They say it is due to a chrome update.
Anyone else know of other zimbra installations affected by this?

FreePBX Call Recording Issue (Stephen Kraus)

From: Justin McAteer 
Could be that the call is being setup with media directly between the phone=
s. What type of interface are you using for your external calls?

Justin McAteer=0A=

(256) 694-9195

> From:
> Subject: Chugalug Digest=2C Vol 36=2C Issue 22
> To:
> Date: Tue=2C 21 Jul 2015 23:00:54 +0000
> Send Chugalug mailing list submissions to
> To subscribe or unsubscribe via the World Wide Web=2C visit
> or=2C via email=2C send a message with subject or body 'help' to
> You can reach the person managing the list at
> When replying=2C please edit your Subject line so it is more specific
> than "Re: Contents of Chugalug digest..."
> Today's Topics:
>    1. FreePBX Call Recording Issue (Stephen Kraus)
>    2. Review of Ubuntu Phone Was | Long Post: Smartphone rant	(Take
>       2?) (Rod-Lists)
>    3. Re: Review of Ubuntu Phone Was | Long Post: Smartphone rant
>       (Take 2?) (John Aldrich)
>    4. Re: Review of Ubuntu Phone Was | Long Post: Smartphone rant
>       (Take 2?) (Michael Scholten)
>    5. Re: Review of Ubuntu Phone Was | Long Post: Smartphone rant
>       (Take 2?) (Rod-Lists)
>    6. Forum Software (David Rucker)
>    7. Re: Forum Software (David White)
> ----------------------------------------------------------------------
> Message: 1
> Date: Tue=2C 21 Jul 2015 16:17:47 -0400
> From: Stephen Kraus 
> Subject: [Chugalug] FreePBX Call Recording Issue
> Message-ID:

FreePBX Call Recording Issue

From: Stephen Kraus 

Having a weird issue with our FreePBX: I can record outbound calls and
internal calls just fine, but not matter what it is set at, inbound calls
will not be recoded.

I've checked at Extension, Call Recording, Inbound Route, etc. Won't even
work if I set it to 'Force'


txt parse challenge (already awarded trophy to Dan)

From: Dave Brockman 
Hash: SHA1

So I spent part of the weekend playing with this little gem, plus some
additional scripting to delete and move some files, and I haven't seen
Dan throw us a perl 1liner in a day or two, so I thought I'd invite the
rest of the list to share their solutions.  I always enjoy seeing the
different ways the list deals with text parsing.  Come one, come all,
any language, any shell.  Except Dan, who is restricted to perl and 22
characters.  (# randomly pulled out of my arse, feel free to ignore it).

Source File:
#########BEGIN FILE#########
 Directory of C:\usr\share\data

06/03/2015  06:55 PM             4,288 HELP.TXT
               1 File(s)          4,288 bytes

 Directory of C:\usr\share\xxxx

06/03/2015  01:12 PM             4,288 HELP.TXT
               1 File(s)          4,288 bytes

 Directory of C:\usr\share\Shares\xxxCONTENT - XXXX

06/03/2015  11:42 AM             4,288 HELP.TXT
               1 File(s)          4,288 bytes
########END FILE############

Desired Result File:
###############BEGIN FILE####
 Directory of C:\usr\share\data
 Directory of C:\usr\share\xxxx
 Directory of C:\usr\share\Shares\xxxCONTENT - XXXX
###########END FILE###########

Bonus Result File:
############BEGIN FILE#########
C:\usr\share\Shares\xxxCONTENT - XXXX
###########END FILE################
Version: GnuPG v2


Chugabeer / Chugadinner Thurs Jun 16

From: DaWorm 
On Wed, Jun 17, 2015 at 9:56 AM, Rod-Lists  wrote:

> Uh today (weds)is the 17th.
> Not friday or thursday.
> I should know, it is my birthday

Hippo Nerf day two ewe.

GPS time signal fallback 60khz - on topic response

From: Mike Harrison 

> On Jun 5, 2015, at 11:12 AM, Rod-Lists  wrote:
> Steven I not worried about the Aurora. I worried about the event that generated the THAT aurora.
> A lot smart people at NASA are too.
> in 1859 something hammered our geomagnetic field so hard that it generated an arora strong enough to be seen at the 23rd latitude.
> Brighter as a full moon. It induced current on telegraph wires all over world causing fires.

The answer to all of these technology doomsday scenarios is: 

   Vacuum tube powered computers running Linux. (It’d be huge, and take a lot of power)

   Photonic quantum computers running Linux. Hmmm.. I like this idea. 



Anyone know what these EPB IP addresses are? they are hitting one of our locations hard

From: Lynn Dixon 
These IPs:

look like they are coming from EPB and are hitting a few of our locations
pretty heavily. I know we have some EPB folks on the list, and was
wondering if these IP's might be their Netflix appliances or even a caching
server.  Or it could be someone running a hell of a torrent seed box. heh.

Soliciting Recommendations for home office router

From: Lisa Ridley 
It’s time to replace my router.

I’ve got an Apple Time Machine that I bought back in 2006 that has started dropping connections and, I fear, is finally giving up the ghost.  I’m looking for recommendations for a wireless router, and while I love the ease of use of my trusty ole Time Machine, there are a few features it doesn’t have that would be nice to have in a new one.

* Reliability is first and foremost.  I don’t want to spend an inordinate amount of time troubleshooting and sending the damn thing back to the store, and I don’t want to go through 5 or 6 different one trying to find a reliable one.
* I have EPB at the house, so something that will let me take full advantage of the speed would be awesome.  I have the 1G plan.
* Needs to have a configurable firewall on board.
* I would like to connect several devices to it, some wireless, some wired (more than 4 but less than 10), including my workstation, a CI server and two small footprint computers I use for testing builds during development.
* Would like to route web traffic to different physical devices based on URL (makes the automated builds triggered by Github commits easier).  This is the single biggest drawback to my Time Machine; traffic can be routed based on port, but not URL.
* I don’t mind paying extra for reliability and features but I would prefer to NOT break the bank.

Recommendations are most welcome.

pfSense and the Gig

From: Nick Smith 
Hello Chugalug!

I was thinking about spinning up a new firewall, dedicated computer
hardware for pfsense, maybe even the new vmware appliance they just came
out with.

My question, is anyone doing this and getting their full gig from EPB, or
at least very close to it?

I use to have a cisco 2911 that would only give me about 2-300 Mbs of it,
and i swapped that out for an Asus AC1900 and i get around 6-700 Mbs from
that, with the little amount of port forwarding i do.  I realize every port
forward creates overhead and thus lowers your overall throughput.

If anyone is doing this id love to know your specs that your using to get
as close to the full gig as possible. Is there even a way to calculate
whats needed? for example 1ghz cpu/1gig ram for every 100Mbs throughput or

I dont even know if what im even asking is possible, was just hoping.
I know that the gig speed is only on EPB's network as well, and has no
effect when it leaves, but i dont want my firewall/router to be the
limiting factor.

Thanks for the help and advice!

Nick Smith
nick at nicksmith dot us

Fwd: Woot Daily Digest

From: Jonathan Calloway 

Jonathan Calloway

Begin forwarded message:

> From: Woot 
> Date: May 15, 2015 at 2:52:01 AM EDT
> To: 
> Subject: Woot Daily Digest
> Reply-To: Woot 
> =20
>  	                                              =20
> =20
> =20
> Parrot AR.Drone 2.0 Wi-Fi Quadricopter
> $179.99
> Factory Reconditioned
> Perfect for the shoulder of a 21st Century Pirate! Only not really, that w=
ould be unsafe.
>  =20
> =20
> =20
>  		=20
>  	Woot + top brands =3D tons of stuff, sold cheap.
> =20
> 	 	=20
> Gotta Wear Em All
> =20
> Our favorite character is Bloodsquirt.                                    =
> =20
>                                                      	 	Ends on May=
 21 at 12AM CT                                                    =20
>  	=20
> =20
> 	 	=20
> Tom Ford's Sunglasses
> =20
> Oh, Tom's got a bunch of his own. Go ahead and help yourself.
> =20
>                                                      	 	Ends on May=
 19 at 9AM CT                                                    =20
>  	=20
> =20
> =20
> Don't miss these Woot Plus events and more: Pillows O' Plenty, Fila: Fila-=
in' Groovy
> =20
> =20
>                  =09
> Hey look! An abandoned mine.
> =20
> =20
>                  =09
> Hello?
> =20
> =20
>                  =09
> =20
> =20
>                  =09
> =20
> =20
>  =09
> Hey, give me back my sleep mask.
>                 =20
> =20
> =20
> =20
>                                                       =20
> Hisense LED HDTVs=20
> $129.99 - $1,149.99=09
>                                                       =20
> HP 15.6" AMD A6 Quad-Core Laptop=20
> $279.99
>                                                       =20
> Fissler Cutlery Block Sets - 3 Styles=20
> $249.99 - $299.99
>                                                       =20
> Stanley Wet/Dry Vacs=20
> $62.99 - $124.99
>                                                       =20
> Nike Sunglasses=20
> $39.99
>                                                       =20
> Body Beautiful Shapewear=20
> $11.99 - $13.99=09
>                                                       =20
> Mercedes ML-350 6V Ride-On=20
> $139.99
>                                                       =20
> The Force is Strong With This One=20
> $7
>                                                       =20
> C. G. Di Arie Mixed Case=20
> $219.99
>                                                       =20
> Muk Luk Sandals - Your Choice=20
> $15.99 - $20.99
> =20
> =20
> =20
> Manage my newsletter and account settings or unsubscribe from future daily=
> Woot, Inc. | 4121 International Parkway | Carrollton, Texas 75007