WAN general config set to DHCP, but always pulls same ipv4 address from Modem. ARP Table shows "Permanent" in Status column and I can't release it.
-
@johnpoz First off, thanks for the quick response. Indeed, the first thing I did was unplug the modem for 10-20 seconds and that did not work. I did read that article yesterday and did that exact same thing and then could not get it to work correctly. Again I'm sure I missed a step or two. For example what does he mean when he says, "spoof the MAC address, but do not number it." I tried a MAC similar to my Router's original and changed the last 2 numbers and no joy. And then unplugged router to reset and then it started back up and after unplugging Modem and restarting it found "via DHCP" the same ipv4 addy for the WAN as always (of course).
Side Note: There have been times that the router only finds the "default" ip addy of the Modem but after I stop and restart the service under Status / Gateways it will find the locked IPV4 address.
-
@andykauffman23 he means do not put an IP on that interface
"Leave IPv4 and IPv6 set to None."
But @stephenw10 could be correct - he would be way more familiar with actual performance of the sg1100 than me.. It's possible 400 something could be the performance limits of the sg1100..
Now on the spec sheet it does list
Firewall (10k ACLs) IPERF3 Traffic: 656 Mbps IMIX Traffic: 190 Mbps
So while you would think 600 should be doable - in reality you might be somewhere between that 190 number and the 656 number..
From your test of connecting another device and seeing your 600 tier speed. It could also point to just speed limits of the sg1100 :(
-
@stephenw10 thanks for the response. When you say assign and enable it to "none," I presume you are referring to the IPV4 and IPV6 Configuration Type(s) and set MAC??
As far as testing, I have used Speedtest.net and Iperf3.
When plugged directly into the Modem (with two different laptops mind you) I get the >600 speeds (which is what Xfinity is supposed to be pushing to me) using Speedtest.net.
And the limits of the 1100 are at 880 and 650+/- through Firewall as per their website https://shop.netgate.com/products/1100-pfsense
Thanks
-
@andykauffman23 is it possible you had set some sort of shaping or limiting numbers based on your old 400 tier speed?
-
@johnpoz HMMMMMM... I see what you mean and didn't notice that @stephenw10 was NETGATE and ADMIN till after I just responded to him... HA!
I hear what you are saying about the "somewhere" in between those speeds part, but the fact that when I plug into the Modem directly (via laptop) and I receive a 73.xxx.xx.xx or 76.xxx.xxx.xx ip addy and get higher speeds (600+) and then when I plug into the router and only get the one ip addy of 98.xxx.xxx.xxx and speeds of less than 400 makes me wonder. Hence the reason I ponder if I could get the SG-1100/Pfsense to "accept" a new ip from the modem would I therefore get higher speeds? And of course the HOW TO do it properly.
-
@johnpoz nothing under traffic shapers or limiters has been touched and there shows nothing in there while looking at Firewall/Traffic Shaper/By Interface and Firewall/Traffic Shaper/Limiters
-
@johnpoz said in WAN general config set to DHCP, but always pulls same ipv4 address from Modem. ARP Table shows "Permanent" in Status column and I can't release it.:
@andykauffman23 he means do not put an IP on that interface
"Leave IPv4 and IPv6 set to None."
So to make sure I troubleshoot correctly, under the existing "MAIN" WAN interface change the config type(s) to none? (as screenshot below shows and hasn't been saved/applied yet) And then try what (if anything) for the MAC Address? Please and thanks for the guidance.
-
Yep, exactly like that.
Try using the MAC address of your laptop since you know that gets 600Mbps.
Steve
-
@stephenw10 Ok.... Here goes nothing!!!
-
@stephenw10 Wait it won't let me change it there because of the (screenshot)
Although that is the "original" WAN Interface (setup,etc...)
So presuming I create another 'Available network port' under Interfaces/Interface Assignments which is already tied (of course) to the MAC address of the router (screenshot)
After creating it to say 'None' in the configs add laptop MAC and enable it, do I just go under the 'original' WAN interface and "un-able" it and then restart both the router and the modem or.......
Just want to make sure I do this correctly, last time I couldn't connect to my router to change stuff back for 15-20 minutes and the kids and wife were 'hating it' HA!
-
Doh! Sorry, misread that.
Yeah you need to assign mvneta0 directly to a new interface and set that as type none. Then you can spoof the MAC there.
Be aware it will change the MAC for all VLANs so you might see the 'new network' warnings from Windows as it sees a new DHCP server.
Also, thinking more about this you should use a MAC slightly different to your laptop if you need to use that laptop behind the 1100 as it will otherwise conflict there.
Steve
-
@stephenw10 @johnpoz
I wish I could truly explain what happened, but I'll try to anyways...
So did as told and reset/restarted Modem and Router, etc.
As it came back up I realized that I (we) hadn't addressed the Gateway situation. No gateway, no ip from Modem nada...
I created a new gateway and set it to the "new" interface I created 'WAN_Spoof' and 'disabled' the original. Tried to start the service several times and no joy. At this point the kids and wife are crying, "Hurry Up!" So I said, "screw it, I'm going back to original and will deal with it later."
I un-did everything and applied changes and then rebooted router and then to my surprise I received a new 73.xxx.xxx.xx IP in the Gateway (haven't tried the direct connection to the Modem via laptop yet but will later when kids in bed). Unfortunately I am not getting the speeds I was when directly plugged into Modem (see above), but at least the Router pulled a new (DHCP) address out the sky :)
So at this point, I would presume I need to bug the heck out of the ISP (Xfinity) and ask them to do WHAT? Please and thanks in advance for the help on this question to them.
And of course thanks for troubleshooting with me today and if there is anything else anyone else can come up with I would greatly appreciate it and be willing to try it out and report back.
Thanks again.
-
@andykauffman23 yeah if you got a new IP you know it's not speed tier tied to your old IP.
Problem is - tech will come out, connect his laptop and if he gets 600.. It's your device, period end of story.. And you have already shown that if you connect direct to modem you see 600..
So the problem seems to be the sg1100 just can not do 600 via how you're testing?? Maybe it's faulty, maybe there is some config thing you could do to boost it to 600ish..
Might be time for upgrade from the 1100, the 2100 perhaps?
-
Ok, so you removed the MAC spoofing entirely but after speaking with Comcast the 1100 is now correctly pulling a random public IP as expected?
But you are still seeing reduced speeds?
What speeds are you actually seeing now? How are you testing?
4-500Mbps against speedtest.net is about what's expected from the 1100.
You can try connecting to the console and running at the command line:
top -aSH
That will show you the cpu usage so if you run it whilst you're testing you can see if you're hitting a limit there.
Steve
-
@johnpoz The thing is I just bought this 3 months ago... :( sad face
@stephenw10 Still seeing reduced speeds (see one testing method in screenshot below)
Took this snapshot while running the speedtest.net (screenshot)
Also did as asked at the command line and I got this (screenshot)
I was watching a video from Lawrence Systems on YouTube "https://www.youtube.com/watch?v=_bM3XqK5JzE" and he was talking about the SG-1100 and reviewing it (2 Years ago mind you) and he got better speeds his setup was Laptop(LAN)>SG-1100 >Switch(Wan)>LinuxServer (for testing with iperf3) and he's getting avg. 700 (TCP) & 900+/- (UDP with about 24% packet loss)
But he said something in there and something kind of clicked in my head and I thought about my setup having the 3 ports WAN/LAN/OPT and then I added a VLAN. Would that in any way disperse or spread out the "shared" data plane and therefore limit the data so that they can all maintain the 1Gig across the 3 ports not Labeled WAN (3 original + 1 VLAN). I know in my head that shouldn't be, I think, but just thought I would ask you all.
My next thought is, since I don't have a server but I do have a Raspberry Pi with iperf3 on it that I put it directly (or hooked up to a switch) to the WAN port, assign it an IP and then my laptop to directly to LAN (nothing in between) and run iperf3 across to each other. Of course when I have time and no one needs the internet. What do you think?
-
Mmm, that top output can't be correct. Did you actually run it at the command line? In the gui via Diag > Command Prompt will not give useful output. You have to use the serial console or SSH.
You will see something like:
last pid: 39370;  load averages:  2.02,  1.14,  0.76    up 0+12:13:50  01:09:42
136 threads:   5 running, 113 sleeping, 18 waiting
CPU:  7.8% user,  0.0% nice, 38.4% system, 45.7% interrupt,  8.0% idle
Mem: 42M Active, 45M Inact, 138M Wired, 68M Buf, 736M Free

  PID USERNAME    PRI NICE   SIZE    RES STATE    C   TIME    WCPU COMMAND
   12 root        -92    -     0B   304K CPU0     0   1:18  89.84% [intr{gic0,s42: mvneta0}]
29645 root          4    0    15M  5956K RUN      1   0:47  61.80% /usr/local/bin/iperf3 -s
   11 root        155 ki31     0B    32K RUN      1 712:51  12.02% [idle{idle: cpu1}]
   11 root        155 ki31     0B    32K RUN      0 714:59   4.57% [idle{idle: cpu0}]
  366 root         52    0   104M    36M accept   1   0:49   1.94% php-fpm: pool nginx (php-fpm){p
40872 root         20    0    13M  3528K CPU0     0   0:00   0.21% top -aSH
   12 root        -76    -     0B   304K WAIT     1   0:00   0.16% [intr{swi0: uart}]
   12 root        -60    -     0B   304K WAIT     1   0:53   0.15% [intr{swi4: clock (0)}]
10984 root         20    0    32M    21M nanslp   0   0:38   0.14% /usr/local/sbin/pcscd{pcscd}
88807 root         20    0    28M  8400K kqread   1   0:00   0.09% nginx: worker process (nginx)
    8 root        -16    -     0B    16K pftm     1   0:44   0.06% [pf purge]
    6 root        -16    -     0B    16K e6000s   1   0:19   0.04% [e6000sw tick kproc]
71943 root         20    0    18M  6020K select   0   0:06   0.04% /usr/local/sbin/ntpd -g -c /var
   21 root        -16    -     0B    48K psleep   1   0:04   0.03% [pagedaemon{dom0}]
44118 root         20    0    11M  2536K nanslp   0   0:11   0.02% /usr/local/bin/dpinger -S -r 0
    9 root        -16    -     0B    16K -        1   0:03   0.02% [rand_harvestq]
24544 root         20    0    11M  2564K select   1   0:01   0.02% /usr/sbin/syslogd -s -c -c -l /
What you're looking for is the idle percentage on both cores. In that example I'm running iperf on the SG-1100 directly so it's not a good test.
The single mvneta(4) NIC in the 1100 means it can only use one core for traffic. Here the other one is used by iperf3.
Having multiple interfaces with VLANs will only make any difference if they are also moving traffic at the same time you are testing WAN to LAN.
Steve
-
@stephenw10 I captured this while doing a speedtest.net. Is this what you were referring to correct?
Thanks
-
Yes, exactly. You can hit 'q' whilst that's running to quit and freeze the readings. Makes it much easier to copy/paste out that way.
Ok so you can see one CPU core is down at 4.5% idle, there's not much more it can do with that load.
However you can also see ntopng is using 50% of one core total. That is probably reducing the throughput.
Steve
-
@stephenw10 Looks like it was slowing me down by an average of 50Mbps (see screenshot below)
And I hit 'q' to grab this screenshot while doing one of the speedtest.net test again.
Can you tell me any more "magical" things from this shot?
Thanks for everything, I'm actually learning a ton from all these investigations.
-
Mmm, not really. One CPU core is almost completely idle there, which is expected due to mvneta only using a single queue.
Potentially there is 15% more CPU cycles it could use but you would not see much of an increase.
~400Mbps is not unexpected to see across a 10ms connection.
Steve
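
The per-core reading of `top -aSH` discussed in this thread, as an added example that is not part of any post: a parser that pulls each core's idle percentage and busiest thread out of a saved capture. The sample rows are a subset of the output quoted earlier in the thread; the function names and the 10% idle floor are assumptions made for the example.

```python
import re
from collections import defaultdict

# Subset of the `top -aSH` rows quoted earlier in the thread.
SAMPLE = """\
  PID USERNAME    PRI NICE   SIZE    RES STATE    C   TIME    WCPU COMMAND
   12 root        -92    -     0B   304K CPU0     0   1:18  89.84% [intr{gic0,s42: mvneta0}]
29645 root          4    0    15M  5956K RUN      1   0:47  61.80% /usr/local/bin/iperf3 -s
   11 root        155 ki31     0B    32K RUN      1 712:51  12.02% [idle{idle: cpu1}]
   11 root        155 ki31     0B    32K RUN      0 714:59   4.57% [idle{idle: cpu0}]
  366 root         52    0   104M    36M accept   1   0:49   1.94% php-fpm: pool nginx (php-fpm){p
    9 root        -16    -     0B    16K -        1   0:03   0.02% [rand_harvestq]
"""

# Columns: PID USERNAME PRI NICE SIZE RES STATE C TIME WCPU COMMAND
ROW = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+(\d+)\s+\S+\s+([\d.]+)%\s+(.+)$"
)
IDLE = re.compile(r"^\[idle\{idle: cpu(\d+)\}\]$")


def per_core(top_text):
    """Return {core: {"idle": pct, "busiest": (command, pct)}} from top -aSH rows."""
    cores = defaultdict(lambda: {"idle": None, "busiest": (None, 0.0)})
    for line in top_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, summary or blank line
        _pid, _user, last_cpu, wcpu, command = m.groups()
        wcpu, command = float(wcpu), command.strip()
        idle = IDLE.match(command)
        if idle:
            # The idle thread is pinned to its core, so its WCPU is that core's idle share.
            cores[int(idle.group(1))]["idle"] = wcpu
        elif wcpu > cores[int(last_cpu)]["busiest"][1]:
            # The C column is the core the thread last ran on; threads can migrate.
            cores[int(last_cpu)]["busiest"] = (command, wcpu)
    return dict(cores)


def saturated(cores, idle_floor=10.0):
    """Cores whose idle share is below idle_floor percent (assumed threshold)."""
    return sorted(c for c, v in cores.items()
                  if v["idle"] is not None and v["idle"] < idle_floor)


if __name__ == "__main__":
    result = per_core(SAMPLE)
    for core in sorted(result):
        print(core, result[core])
    print("saturated cores:", saturated(result))
```
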