Slow NIC port?

TAC57

@stephenw10

em2: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
description: DMZ
options=81209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWFILTER>
capabilities=953d9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,LRO,WOL_UCAST,WOL_MCAST,WOL_MAGIC,VLAN_HWFILTER,VLAN_HWTSO,NETMAP>
ether 00:1a:a0:8b:de:10
inet6 fe80::21a:a0ff:fe8b:de10%em2 prefixlen 64 scopeid 0x3
inet 192.168.31.1 netmask 0xffffff00 broadcast 192.168.31.255
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
supported media:
media autoselect
media 100baseTX mediaopt full-duplex
media 100baseTX
media 10baseT/UTP mediaopt full-duplex
media 10baseT/UTP
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

stephenw10

Mmm, I assume that is not a 100Mb link if it previously carried 200Mbps?

What does the port at the other end show?

If it was linked at 1G and is now negotiating 100M with autoselect I'd be looking at hardware. Losing a pair in the cable would do that. If the other end is still showing 1G the speed difference would cause massive problems. Check Status > Interfaces for errors.

Hard to see how a cable would fail on both devices though. Something changed that would affect both?

Steve

TAC57

@stephenw10 said in Slow NIC port?:

Mmm, I assume that is not a 100Mb link if it previously carried 200Mbps?

I'm sorry my previous comment of 200Mbps on the DMZ port was incorrect. I've recently upgraded from cable to fiber and my LAN connection is 200Mbps (and WAN). I guess I didn't specifically check the DMZ port. But it the past it has been the max speed of the cable which was ~100Mbps. I could stream video off the DMZ but I can't any longer. This is what I get with speettest.

What does the port at the other end show?

At the other end of the DMZ portCAT5 cable? If I plug my laptop directly into the DMZ port on the back of the pfSense box or at the end of the DMZ cable that is plugged into the ASUS router I get the results shown above.

This is what I'm getting out of the LAN port. Nice ping huh! Ran it again and got a 1ms.

stephenw10

Ok. What about errors on the interface? Any shown in Status > Interfaces?

Do you see the same speeds in a local test? Between LAN and DMZ for example?

Steve

TAC57

@stephenw10 I see no errors in Status -> Inteface

How do I run a local test between LAN and DMZ?

stephenw10

Well I would try to use iperf to test because it give most repeatable results and you can test in different ways. You can get iperf clients for any OS so test between hosts on each subnet.
But you could just try moving a file for example. You are just trying to see if it's still limited to 3Mbps which should be pretty obvious.

Steve

TAC57

@stephenw10
The following is iperf3 data between my wireless laptop and my desktop. The first run is with both machines on my LAN. The second I logged the laptop on to my DMZ WiFi. Of course I had to temporarily add a pfSense rule to allow traffic from the laptop on my DMZ network to the desktop on my LAN.

-----------------------------------------------------------
Server listening on 5201
-----------------------------------------------------------
Accepted connection from 192.168.30.207, port 53077
[  5] local 192.168.30.204 port 5201 connected to 192.168.30.207 port 53078
[ ID] Interval           Transfer     Bandwidth
[  5]   0.00-1.00   sec  8.50 MBytes  71.2 Mbits/sec
[  5]   1.00-2.00   sec  8.92 MBytes  74.9 Mbits/sec
[  5]   2.00-3.00   sec  9.62 MBytes  80.7 Mbits/sec
[  5]   3.00-4.00   sec  10.2 MBytes  85.7 Mbits/sec
[  5]   4.00-5.00   sec  10.2 MBytes  85.5 Mbits/sec
[  5]   5.00-6.00   sec  9.37 MBytes  78.6 Mbits/sec
[  5]   6.00-7.00   sec  10.2 MBytes  85.3 Mbits/sec
[  5]   7.00-8.00   sec  10.9 MBytes  91.4 Mbits/sec
[  5]   8.00-9.00   sec  11.1 MBytes  93.0 Mbits/sec
[  5]   9.00-10.00  sec  10.5 MBytes  88.0 Mbits/sec
[  5]  10.00-10.07  sec   771 KBytes  87.5 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bandwidth
[  5]   0.00-10.07  sec  0.00 Bytes  0.00 bits/sec                  sender
[  5]   0.00-10.07  sec   100 MBytes  83.5 Mbits/sec                  receiver
-----------------------------------------------------------
Server listening on 5201
-----------------------------------------------------------
Accepted connection from 192.168.31.196, port 49231
[  5] local 192.168.30.204 port 5201 connected to 192.168.31.196 port 49233
[ ID] Interval           Transfer     Bandwidth
[  5]   0.00-1.00   sec   185 KBytes  1.52 Mbits/sec
[  5]   1.00-2.00   sec  7.13 KBytes  58.4 Kbits/sec
[  5]   2.00-3.00   sec   205 KBytes  1.68 Mbits/sec
[  5]   3.00-4.00   sec   632 KBytes  5.17 Mbits/sec
[  5]   4.00-5.00   sec   419 KBytes  3.44 Mbits/sec
[  5]   5.00-6.00   sec   200 KBytes  1.63 Mbits/sec
[  5]   6.00-7.00   sec  99.8 KBytes   817 Kbits/sec
[  5]   7.00-8.00   sec  20.0 KBytes   164 Kbits/sec
[  5]   8.00-9.00   sec   238 KBytes  1.95 Mbits/sec
[  5]   9.00-10.00  sec   197 KBytes  1.61 Mbits/sec
[  5]  10.00-10.18  sec  58.5 KBytes  2.71 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bandwidth
[  5]   0.00-10.18  sec  0.00 Bytes  0.00 bits/sec                  sender
[  5]   0.00-10.18  sec  2.21 MBytes  1.82 Mbits/sec                  receiver

stephenw10

Do you see the same restriction in both directions?

TAC57

@stephenw10
I've added the following floating temporary rule and I can ping from the DMZ (192.168.31.196) to my desktop (192.168.30.204), but I can't ping from my desktop back to the notebook computer on the DMZ.

stephenw10

The notebook in the DMZ may be blocking it.

Really though the only things that can be causing this in pfSense are a low level network issue, but that looks OK, or traffic shaping. So do you have any shaping configured? Either Limiters or AltQ?

If not then I'd be looking at the other equipment in the path, so the AP or any switches. Try connecting the notebook directly to em2.

Steve

TAC57

@stephenw10 I turned off the MS Firewall on the notebook computer and I could ping both ways..... go figure.

Running iperf server on the DMZ notebook I get the following.

C:\Users\TAC\Desktop\Utilities\iPerf 3.1.3\iperf-3.1.3-win64\iperf-3.1.3-win64>
C:\Users\TAC\Desktop\Utilities\iPerf 3.1.3\iperf-3.1.3-win64\iperf-3.1.3-win64>iperf3 -c 192.168.31.196
Connecting to host 192.168.31.196, port 5201
[  4] local 192.168.30.204 port 49168 connected to 192.168.31.196 port 5201
[ ID] Interval           Transfer     Bandwidth
[  4]   0.00-1.00   sec  11.2 MBytes  94.3 Mbits/sec
[  4]   1.00-2.00   sec  11.2 MBytes  94.4 Mbits/sec
[  4]   2.00-3.00   sec  11.2 MBytes  94.3 Mbits/sec
[  4]   3.00-4.00   sec  11.4 MBytes  95.5 Mbits/sec
[  4]   4.00-5.00   sec  11.2 MBytes  94.3 Mbits/sec
[  4]   5.00-6.00   sec  11.1 MBytes  93.5 Mbits/sec
[  4]   6.00-7.00   sec  11.0 MBytes  92.2 Mbits/sec
[  4]   7.00-8.00   sec  11.4 MBytes  95.4 Mbits/sec
[  4]   8.00-9.00   sec  11.2 MBytes  94.5 Mbits/sec
[  4]   9.00-10.00  sec  11.4 MBytes  95.3 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bandwidth
[  4]   0.00-10.00  sec   112 MBytes  94.4 Mbits/sec                  sender
[  4]   0.00-10.00  sec   112 MBytes  94.3 Mbits/sec                  receiver

iperf Done.

Previous data was running iperf server on the LAN desktop.

Also, not traffic shaping and I get the same slow DMZ results if I plug my notebook computer directly into the DMZ port on the back of the pfSense box.

stephenw10

OK, so by default in iperf the client sends to the server. So it looks like your restriction is inbound on the DMZ interface.
If there are no errors on the DMZ interface the only thing that could do that in pfSense is shaping. If you have no shaping in place I'd be looking at something else. Since you say this happens on a backup pfSense box (is that swapping out the box completely?) it must be something common to both.

Steve

TAC57

@stephenw10 I really appreciate your help on this!

My backup box is an identical old Dell computer (Intel Core2 CPU 4300 @ 1.80GHz).

I previously posted the error status of the DMZ interface so that should be good.

I've never messed with shaping, but where should I double check that?

TAC57

This looks good, this is the DMZ interface.

stephenw10

Check the 'By Queue' tab and make sure there are none. Then check the Limiters tab and make sure none show there either.

Next test I'd do would be running iperf on pfSense itself so you're only testing one NIC. There is an iperf3 package you can install to do that.

However this all points to some hardware commonality.

Steve

TAC57

@stephenw10
By Queue was blank

Limiters | Limit_in and Limit Out were both enabled. I have no idea why. I'll uncheck the Enable button on both and see what happens. Where would these settings be tied to the DMZ interface?

TAC57

@stephenw10
OGM I un-enabled them and now get this on my DMZ.

I know you think I'm an idiot, but I honestly don't remember messing with any of that stuff. I don't consider myself skilled enough to mess with anything but a few rules..... and I'm still not too sure about that.

Thanks again for all your help!

Even if I messed with it on my main pfSense box, I don't know how it would have got changed on my backup box.

stephenw10

Aha! That would do it.

They will be applied via a firewall rules on the DMZ interface. You will see it gas advanced options set. Though your floating rule should have applied before that so check for other floating rules that might apply.

Steve