DMZ connections throttled
-
I am running pfSense in a split configuration (WAN:LAN/DMZ). Every device (physical and virtual) that gets put in the DMZ ends up with a B/s download speed. My ISP provides 300MB/s service, which I get on the LAN. My DMZ is configured for 100MB/s (switch limited), but does not reach that speed at all.
Does anyone have any ideas?

DMZ (100baseT <full-duplex>)
em0@pci0:1:0:0: class=0x020000 card=0x115e8086 chip=0x105e8086 rev=0x06 hdr=0x00
    vendor = 'Intel Corporation'
    device = '82571EB/82571GB Gigabit Ethernet Controller D0/D1 (copper applications)'
    class = network
    subclass = ethernet

LAN (1000baseT <full-duplex>)
em1@pci0:1:0:1: class=0x020000 card=0x115e8086 chip=0x105e8086 rev=0x06 hdr=0x00
    vendor = 'Intel Corporation'
    device = '82571EB/82571GB Gigabit Ethernet Controller D0/D1 (copper applications)'
    class = network
    subclass = ethernet

WAN (1000baseT <full-duplex>)
re0@pci0:2:0:0: class=0x020000 card=0x213d103c chip=0x816810ec rev=0x0c hdr=0x00
    vendor = 'Realtek Semiconductor Co., Ltd.'
    device = 'RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller'
    class = network
    subclass = ethernet

iperf3 (device to pfSense):
[SUM] 0.00-10.00 sec 118 MBytes 0.10 Gbits/sec 1 sender
[SUM] 0.00-10.03 sec 113 MBytes 0.09 Gbits/sec receiver

iperf3 (device to WAN port):
[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-10.00 sec 109 MBytes 91.8 Mbits/sec 1 sender
[ 5] 0.00-10.00 sec 109 MBytes 91.6 Mbits/sec receiver

speedtest-cli:
Retrieving speedtest.net configuration...
Testing from ISP ()...
Retrieving speedtest.net server list...
Selecting best server based on ping...
Hosted by SOMEONE_ELSE [90.87 km]: 47.647 ms
Testing download speed................................................................................
Download: 0.06 Mbit/s
Testing upload speed......................................................................................................
Upload: 4.64 Mbit/s

Firewall rules:
Action  States    Protocol       Source   Port  Destination        Port      Gateway  Queue  Schedule  Description
PASS    1 /385 B  IPv4 TCP/UDP   DMZ net  *     This Firewall      53 (DNS)  *        none             Allow internal DNS
BLOCK   0 /0 B    IPv4 TCP/UDP   DMZ net  *     *                  53 (DNS)  *        none             Block all other internal/external DNS
PASS    0 /0 B    IPv4 *         DMZ net  *     DMZ address        *         *        none             Allow access to DMZ network interface
BLOCK   0 /0 B    IPv4 TCP/UDP   DMZ net  *     privateNetworks    *         *        none             Block all other internal/private networks
PASS    0 /0 B    IPv4 *         DMZ net  *     ! privateNetworks  *         *        none             Allow access to all other traffic v2
Random info:
- Firewall stuff
- privateNetworks is an alias for 10.0.0.0/16, 172.16.0.0/16, 192.168.0.0/16
- block network rules not logging any states or traffic
- disabling all rules blocks all traffic from the DMZ
- minimum set to get traffic is DNS and allow all outbound
- Allow any source to any destination does not improve speed
- Outbound NAT is automatic and has both LAN and DMZ subnets in the autorule
- Disable hardware checksum is NOT checked
- Traffic shaping not configured
- Running pfBlockerNG-devel & acme packages
- Same server internal gets full 300MB/s download (tested moving a VM in proxmox from DMZ to LAN)
- DL380P with 4 port NIC, moved the physical wire between pfSense ports to test, moved a container on virtual cards bound to different ports connected to DMZ and LAN
In summary: My DMZ blocks no outbound traffic but is slow as molasses in January
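The DMZ rule set listed in the post, modelled as an added example that is not part of the original thread: a small Python script that evaluates the five rules the way pfSense processes interface rules (top to bottom, first match wins, and anything that matches nothing hits the implicit default deny) against constructed packets. The DMZ subnet, the firewall's own addresses and the sample hosts are assumptions, not values from the thread. It also shows one property of the alias exactly as written: privateNetworks lists 10.0.0.0/16 and 172.16.0.0/16 rather than the full RFC 1918 blocks, so a destination such as 10.5.0.1 lies outside the alias and falls through to the final allow rule, while an ICMP packet to a private address matches no rule at all and is caught only by the default deny.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Optional

# The "privateNetworks" alias exactly as listed in the post: three /16s, which is
# narrower than the RFC 1918 blocks 10.0.0.0/8 and 172.16.0.0/12.
PRIVATE_NETWORKS = [ipaddress.ip_network(n) for n in
                    ("10.0.0.0/16", "172.16.0.0/16", "192.168.0.0/16")]

# Assumed addressing; the thread does not state any of these values.
DMZ_NET = ipaddress.ip_network("192.168.50.0/24")      # "DMZ net"
DMZ_ADDRESS = ipaddress.ip_address("192.168.50.1")     # "DMZ address"
LAN_ADDRESS = ipaddress.ip_address("192.168.1.1")      # assumed LAN-side address
THIS_FIREWALL = {DMZ_ADDRESS, LAN_ADDRESS}             # "This Firewall": all firewall addresses

TCP_UDP = {"tcp", "udp"}


def in_any(addr: ipaddress.IPv4Address, nets) -> bool:
    """True if addr falls inside any network of the alias."""
    return any(addr in net for net in nets)


@dataclass
class Rule:
    action: str                                   # "pass" or "block"
    protos: Optional[set]                         # None = any protocol ("*")
    dst: Callable[[ipaddress.IPv4Address], bool]  # destination matcher
    dport: Optional[int]                          # None = any destination port
    description: str

    def matches(self, proto, src, dst, dport) -> bool:
        return (src in DMZ_NET                                 # every rule has source "DMZ net"
                and (self.protos is None or proto in self.protos)
                and self.dst(dst)
                and (self.dport is None or dport == self.dport))


# The five rules in the order shown in the post.
RULES = [
    Rule("pass",  TCP_UDP, lambda d: d in THIS_FIREWALL,             53,   "Allow internal DNS"),
    Rule("block", TCP_UDP, lambda d: True,                            53,   "Block all other internal/external DNS"),
    Rule("pass",  None,    lambda d: d == DMZ_ADDRESS,                None, "Allow access to DMZ network interface"),
    Rule("block", TCP_UDP, lambda d: in_any(d, PRIVATE_NETWORKS),     None, "Block all other internal/private networks"),
    Rule("pass",  None,    lambda d: not in_any(d, PRIVATE_NETWORKS), None, "Allow access to all other traffic v2"),
]


def evaluate(proto: str, src: str, dst: str, dport: Optional[int] = None):
    """First matching rule wins; no match falls to pfSense's implicit default deny.
    Returns (action, description)."""
    src_addr, dst_addr = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in RULES:
        if rule.matches(proto, src_addr, dst_addr, dport):
            return rule.action, rule.description
    return "block", "implicit default deny"


if __name__ == "__main__":
    # Constructed sample packets from an assumed DMZ host.
    samples = [
        ("udp",  "192.168.50.20", "192.168.50.1", 53),   # DNS to the firewall itself
        ("udp",  "192.168.50.20", "8.8.8.8",      53),   # DNS to an outside resolver
        ("tcp",  "192.168.50.20", "1.1.1.1",      443),  # ordinary outbound HTTPS
        ("tcp",  "192.168.50.20", "192.168.1.10", 22),   # SSH into the LAN
        ("tcp",  "192.168.50.20", "10.5.0.1",     22),   # outside the /16 alias entry
        ("icmp", "192.168.50.20", "192.168.1.1",  None), # ping to a private address
    ]
    for pkt in samples:
        action, why = evaluate(*pkt)
        print(f"{pkt[0]:4} {pkt[1]} -> {pkt[2]}:{pkt[3]}  {action:5}  ({why})")
```

Rule order matters in this model exactly as it does on the firewall: the DNS-to-firewall pass sits above the DNS block, and the DMZ-address pass sits above the private-networks block, so swapping either pair would change the verdicts. Traffic from any source other than the DMZ subnet matches none of these rules and is reported as default deny, which is the expected behaviour for rules bound to one interface.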
-
@uruloki Intel is usually pretty good with drivers; however, in the distant past I did run into somebody's NIC which was super slow when, I think, set down to 100 vs. the default 1000, in Windows. IIRC at the time we suspected a bad/unoptimized driver. Had another more recently where a client with old wiring got a phone system from us, and putting the 1000 phone in between the PC and the 100 switch seemed fine until they ran the overnight backups, and those were like 5x longer than just running at 100. We forced the PCs to 100 to speed it up. (And yes, we did finally replace the wiring this year.)
Does it work fast if you set that port to 1000? If so you could try setting a limiter on it instead, in pfSense. Alternately you could try a different switch.
-
@SteveITS The original configuration used em0 as the WAN with a direct connection to the modem. I saw weird behavior on it, to include a 10baseT reading with correct cabling. When I switched ports to re0, I got the full gigabit connection. This was verified at the router, em0 never synced at 1000baseT, re0 did it instantly.
Going to em0 as the DMZ, I thought it was possibly a driver issue, but the iperf results would seem to indicate otherwise. This also accounts for going from one NIC to another in the pfSense box, because I explicitly bound the WAN interface from the internal box (second test results).
I will research Intel driver updates and report back.
-
@SteveITS From what I can tell, drivers are up to date.