So, I would like to admit I'm an idiot. My problem was I couldn't get full speed on Wi-Fi. Well, turns out my computer was defaulting to connecting to my 2.4GHz network. When I upped the ram and restarted the pfSense VM, for some reason my computer reconnected to the 5GHz network.

On the 2.4GHz network my WAN tops out at 80-90 Mbps
On the 5 GHz network, the WAN tops out at my rated max of 230 Mbps

So, I didn't actually have a problem... just thought I did and managed to convince myself of it.

@limez17 yes easy tek.png that's the setup the problem is that in aws you can't add specific routes so my next guess is to portforward in the dmz are websites and rdp is a must for admin emp dev network

thx for the help

It seems this could be an ISP issue now, I am still troubleshooting, changed nothing and am now getting around 850 mbps
https://twitter.com/MathesonStep/status/1362429291838001154

@raitd said in vmx NIC ordering for pfSense on vSphere 5.5+:

@jimp I've seen many linux distro's handle having several nics in vmware and handle adding more perfectly fine.

Linux is vastly different in their default naming schemes. The current default names in Linux are based on bus locations which likely wouldn't change in those cases. FreeBSD counts up from 0 for each instance of the driver it finds when probing, so if the probe order changes, so does the NIC assignment order.

Does pfSense / FreeBSD have an option where you can force binding to a particular MAC address? If so I imagine many people would love to have this as a selectable option.

No.

@bullz3y3 Have same issue in 2021, and fixed by changing the Network Type from Virtio to e1000 also. Your finding in 2015 is still helping others. Thanks.

My case is having a PCI Passthrough WAN, and 2 bridge LAN, hosted on KVM on debian 10

@talaverde the only thing that is actually of interest to me is whether a solution is within reach / uncomplicated nearness. Therefore I think it is unnecessary to open an extra thread ...

Hi,

I decide to do a clean install of 2.5.0 RC on my backup firewall.
Everything is vanilla, and same problem appear. I was thinking maybe this was only an VMware/pfSense bug.

image001(1).jpg
After RESET LOG FILES under Status - System logs
image001.jpg

@thejaguar I already figured it out... working now with no problems. You only need to change to static ip every time you connect to mngt port.

@teamits Oh man I completely missed that! I'll submit something now. Thanks!

@robca402 If anyone ever see this, my problem was that I needed to toggle the AES CPU flag on in proxmox

@oiyae

How has it been going since?

How did you get them to offer up a SH4 by the way, the people you usually speak to are non-=technical and quite often refuse

@maverickws

have you checked iperf3 speeds between pfsense and xcp-ng itself?
Mine is bad. Additionally from pfsense to xcp-ng it has many retries during transfer

@viragomann

Hi.

I hadn't followed that guide, I had completed everything but disable the hardware checksum offload, once disabled it did the trick, all working fine now.

Does that mean the connection was just simply timing out?

Thank you for the hint, much appreciated.

Phill

@johnpoz said in iperf3 speeds confusing - fast = bad internet slow = good internet?:

I would still like to see test through pfsense vs to or from pfsense.

If you can give me an idea of how to perform that test I would be happy to do so.

Otherwise, yes I can get my full 1500/1000 (or slightly above on the downstream) WAN throughput consistently even with pfNG + Suricata running).

However just like the iperf tests show, the upload speeds are not quite as good as download/ingress speeds.

What I mean by that is - while I can generally get 1500-1600 Mbit/s down, the upload is rarely faster than 800-850 Mbit. I'm testing from a 10Gbe connected VM by the way. While understand there is overhead involved I couldn't help be curious about the iperf tests showing FAR slower network speeds TO pfsense compared to FROM pfsense.

I don't always put too much weight on internet speed testing as it's out of my control when it's past the gateway anyways.

@eiger3970 said in Can my hotspot send Internet into my hypervisor machine?:

The machine with the hypervisor Proxmox seems to have trouble installing this.

it will help: https://pve.proxmox.com/wiki/Pci_passthrough
😉

@elewsmer How were you able to set vtnet netmap queues to greater than 1 virtualizing with Proxmox? I have tried multiple ways to no avail, pfSense only recognizes one.

Hi, same problem today NOT WITH VMWARE, but using KVM and virtio... guess the problem is bigger than expected and impacting way more systems

@routethebyte said in PFSense on KVM Proxmox - Suricata/Snort performance issues:

@bmeeks I've tried every mode. They give the same result. I'm honestly considering running it bare metal on something but I love Proxmox and really like it virtualized.

I am not familiar with Proxmox. I use VMware products. An IDS/IPS can be very demanding on a system, but I would not generally expect a performance hit as large as you are seeing. If you want to run virtualized, I would try a VMware product such as ESXi (there is a free version you could experiment with). Many folks run pfSense and its packages on ESXi without issue. There have been quite a few reports of various issues on other hypervisors. Hypervisors will all use virtual NICs (unless you pass-through a dedicated hardware NIC to the virtual machine). How well the software undergirding the virtual NIC works with applications like an IDS/IPS is what determines performance.

Bare metal is always going to be faster than virtualization given the same underlying hardware. But do not expect full line speed with an IDS/IPS running with a fairly heavy ruleset.

@daddygo said in Multiqueue on virtio NIC:

BTW:

Ok, so in summary it is not possible to use multiqueue because the virtio driver is compiled with ALTQ support enabled. Either you recompile the kernel (so you will have a kernel with multiqueue support on the virtio but without support for ALTQ) or it is not possible.

Very thanks !!!

Luca

It is stange but ping appeared after 5 minutes from last pinging try.
ShooterScreenshot-29-02-01-21.png

You can now add other tagged vlans in the pfSense on VMX0, and pass them to the C3750.
Remember vlan allow add <Vlanxx> on the Cisco IF.

Hi,

Hyper-V and USB support is pretty close to nothing.

For those experiencing the 'No buffer space available' followed by full NIC failure on the WAN side when running PFsense in hyper-v try the following, it worked for me:

Pfsense Version: 2.4.5-RELEASE-p1

Hyper-V versions tested: Hyper Server 2019 (Core), Windows Server 2019 w/destop experience and hyper-v role, Windows Server 2016 w/desktop experience and hyper-v role

Cable Internet Speed: 200/10

For the USB NIC - I validated it did not matter if it was hooked to USB 3.x or 2.x - same issues occured with the disconnect. Validated there was not any thermal issues, maybe luke warm to the touch (tried 2 differnt adaptors, 2 different chipsets - same issues)

Drivers: Updated every driver and win updates - in the end this did not even matter, but it's still a good idea.
Services running on PFSense: I have pfblockerNg running, dhcp server, snort (non-blocking), dnsbl with the resolver, and I redirect my domain dns queries back to my internal DCs for private AD dns routing.

Avg 24hour cpu/memory usage: 7% / 13% (no change even when the issue was occuring)

Correlating errors: Resolver: 'No buffer space available' - Gateways: 'dpinger WAN_DHCP 1.2.3.4: Alarm latency 10331us stddev 2932us loss 21%' [this triggered the default gateway action and causes the issue with hyper-v nic comms]

Fix for me:

Make sure you have the Hyper-v host's performance options set to high performance. If you are using a USB NIC on the WAN side also make sure to disable the 'USB selective suspend' setting (advanced settings --> usb settings).

Recommend turning VMQ off in hyper-v and the NIC settings (if available). I cannot see this being needed with Pfsense and might be tricky to get working correctly (if at all) If you have a more advanced scenario where you need to deal with vRSS mapping the VMQs to distribute the packet load across cpus then maybe it's worth diving into.

This was the key for me with Hyper-v: In PFSense make sure to turn off the Gateway Monitoring Action here: System --> Routing --> Gateways --> Edit --> check the box 'Disable Gateway Monitoring Action'. Without this I would get around 20-24 hours max before the gateway alarm action would kick off (probably from junk latency on the cable network providers side), suspend the Nic and then it would never come back -- had to reboot then everything worked fine for another 20-24 hours.

Note: I've tried proxmox and esxi and did not experience this issue so it appears to be Hyper-v specific.

And how does ESXi 7.0 install relate to pfSense ?
You ought to do a better 1'st post.

Btw: 7.0 removed the linux subsystem , rendering ALL realtek-drivers useless.

/Bingo

SOLVED:

I wish I knew why for those that follow after. I changed a few things at once so I'm not sure if one of or combination of them was responsible or the fix.

I turned off TCP/IP on the WAN NIC. I rebooted the modem and router at the same time with cables connected.

Well, the next thing I would check via Google searches is whether or not there are any outstanding bugs in ESXi with regards to IGMP. The fact it works when you enable NIC pass-through really does seem to point to the vSwitch as the most likely culprit. Might also be the virtual NIC, though. Try searching for hits on the VMXNET3 driver and multicast.

@kiokoman you save me man!
Now its ok

samba ok

Oww, Thank you for help friends!

Great

Douglas

@kiokoman said in Internet provider by Microtik - PFsense - virtualbox (samba share connection):

try if you can access with
smb://server.localdomain.local/share_folder_name
if you can,
you are probably missing

dns-search localdomain.local

this is automatically added on windows but not on Linux
substitute localdomain.local with what you have for your Lan network

Thank you for the answer but my CPU doesn't allow me to use exsi, I can only use vm player or vm workstation.

The fastest way I've tried is the one that
I found on the internet. I mean, I had to buy a usb ethernet adapter and use the vm workstation property so that it can map the usb adapter as its own (vm only) and then the os host (win10) cannot see the adapter so the configuration is simple and clean :)

p.s.
Before purchasing a usb adapter, please check if pfsense / freeBSD supports this hardware / chipset

As an update on the topic, I have updated to 2.4.5-p1 and changed the virtual driver to virtio instead of e1000.
This has greatly improved the stability of the pfSense and the high traffic induced network loss have disappeared.

We still experience some random network loss that are under investigation.

@gusto said in Very slow upload on pfSense in KVM:

Now I need to see if it will be stable.

On a router, LRO, TSO and hardware checksum offload must always be disabled.
These features are good for endpoint devices but not for a router.

There are millions of posts on this forum about this theme:
https://docs.netgate.com/pfsense/en/latest/hardware/tuning-and-troubleshooting-network-cards.html

34967398-51c1-4dd7-9c99-67a14d95de9b-image.png

but even better if you disable it in loader.conf.local, where the other unnecessary functions include EEE, flow control, etc. (so stay protected from FW upgrades)

3cac9ebd-d04a-4095-a48b-e1d8224b48e8-image.png

And these about Realtek:

https://forum.netgate.com/topic/135850/official-realtek-driver-binary-1-95-for-2-4-4-release/76

(A lot of people use this driver and if I know well it's really just that good and / or better solution.)

https://forum.netgate.com/topic/133536/official-realtek-driver-v1-95-binary?_=1600417473785

It's not easy to get it to work well.
You can almost forget about using Suricata and Snort with Realtek.

For me, ESXi and Xen (for web server / VPS) remain eternal love 😉

@Erutan409 I've been running with it for a couple of days and discovered that my pfSense box has significantly increased CPU load, and services behind that particular interface feel throttled.

Again, I'm running on KVM and I don't think it has any such paravirtual time synchronization—I run NTP on the host and have pfSense update from the host ntpd once an hour.

In the meantime, I've managed to break my pfSense install by powering it off at the wrong point, so I'm going to reinstall the latest version from ISO and switch back to PV NICs. I'll update here again if I learn anything.

Edit 2: I think it's either a bug in 2.45-p1 version of pfsense or something really weird is going on. I just switched back to a bare metal installation and it's still happening. Same exact problem....never noticed such a behavior before. Any idea fellas?