constant timeouts in browser and media players

JessicaSEUK

Hi,
I've been trying to convert from ipFire to pfsense and thanks to the help of people here am all most there.

I keep getting browser timeouts for any web site, including the FW own admin pages.
I normally use linux and have tried Firefox, Chrome. On a Mac the same plus safari. On Android, samsungs own browser, Firefox and Chrome. On iPhone, its I presume safari, firefox and chrome.

Also when watching a movie ( netflix or Amazon), only 1, it keeps buffering often needing over 1 min before continuing.
There are no games or anything else other than a few thunderbirds checking for email from time to time.

I do not get this with a normal router or if I reconnect the ipFire PC.
So it must be something about pfsense setup.
The hardware is the same, between ipFire and pfSense, I swap the HDD as required.

On advice for a different problem, I have turned off snort and NGBlocker. So its running with out add ons.

Because I thought there may be problems on the line,I also have my ISP monitoring the line and a monitor
https://www.thinkbroadband.com
Which show extreme latency periods. Normal for my line is around 20 to 40. When there is a problem it goes off the graph which is more than 160ms.

Does anyone have any ideas on either to fix or find out more info so I can fix the problem ?
The CPU is pretty steady around 2 to 6 %, mem is around 10 - 20 %, its has 4G RAM. Swap is 0.

Version : 2.6.0

bingo600

@jessicaseuk

What version of pfSense is installed ??
I assume 2.6.0-CE

Please describe the hardware a bit more.
Especially the network/Lan interfaces ... What type & model are they ?
But a mention of the CPU model would be nice too.

I'm on Linux , primarily using FireFox , and have no issues.

If you do a : ping 8.8.8.8 , for 10 minutes and break , do you see any loss ?

Are you isung pfSense for resolving DNS or do you have bind9 installed on the linuxes ?

Does DNS resolve ok ?

The high latency to the ISP , could point at some issue to the internet.
But it could also be network interface relates issues.

Slow/Timeout on own FW management pages could be "Internet related" , as the login probes netgate , and if not accessible. Login takes Looooooonnngg time.

You could try to disable the update Check temporarily , to see if it sppeds up the Local firewall mgmt , especially the login

System --> Update --> Update Settiings - Tick disable Dashboard Check

If login improves drastically , there is an issue for the firewall to chack the update pages ... Aka. prob. an issue towards the internet.

What does a 10 min ping from your PC towards the firewall interface report ?
Any losses ???

Network/Lan interfaces :
pfSense (FreeBSD) "loves" Intel netcards ... Realtek "not so much" , but they can be brought to behave acceptable.

Edit1:
Have you tried to run pfSense without all the "Addons" installed.
I mean default the config , and run a "bare minimum".

/Bingo

JessicaSEUK

Hi,
Thanks for answering.
The NICS, I believe are on an intel PCI-e card with 2 connections on the card.
I'm not using the motherboard card.

CPU is:
Intel(R) Pentium(R) CPU G630 @ 2.70GHz
2 CPUs: 1 package(s) x 2 core(s)
AES-NI CPU Crypto: No
QAT Crypto: No

Version:
2.6.0-RELEASE (amd64)
built on Mon Jan 31 19:57:53 UTC 2022
FreeBSD 12.3-STABLE

The system is on the latest version.
Version information updated at Sat Sep 24 14:21:50 BST 2022

DNS : It appears fine.

Ping on 8.8.8.8 ttl 120 mostly time is around 20 - 30ms

ping on the IP of the wan :
ttl 64

Time is varied.
It spends a lot of time around 20m spikes at around 50ms some peaks at 90ms. Large blip over 160 I assume this is when Im this is bad and is what is affecting netflix or amazon.

When accessing the web.
Whilst replying to this msg, I got several warnings of lost internet connection. At that time the ping time to my IP was at 0.2 - 0.4

My background is dev, I only know basic networking. But those numbers look odd to me.

CPU was around 6% RAM at 19% of 4GB

Auto Update has always been off.

There are no add-ons.

From what you have said, I need to be sure about the pci-e card.

I've just ordered a gigabyte INTEL,
Gigabit PCIE Network Card for Intel E1G42ET - 82576 Chip, Dual RJ45 Ports, 1Gbit PCI Express Ethernet LAN Card, 10/100/1000Mbps NIC for Windows Server, Win8, 10, XP and Linux, 3-Year Warranty

It should be here tomorrow. I will give that a try.

Hopefully, that has answered all of your questions.

Thank you very much for your help.

bingo600

@jessicaseuk

Ansvers are good

But for the ping's
I was more after packet loss , and maybe the 3 rtt values

Good idea to get some Intel NIC's , i hope you bought a "Used card" ..
New cards from China are usually Fakes.

Description & delivery time , indicates local

What are your network interfaces named in pfSense ??

IGB = Intel
EM = Intel
RE = Realtek

Interface --> Assignment

Here you can see my WAN is of the type IGB ==> Intel.

How about your ISP Connection (can you supply ISP name) ?
Is that ADSL/VDSL (telephone line) or Fiber or PPoE or ???

Could you install ie. shutter on Linux ?
That's what i use to make screencaptures with , and makes "our" life much easier.

Edit:
Do you know you can get a "root" shell on the pfSense via ssh ?
Password is the same as admin in the WebGUI.

ssh admin@<firewall-ip>

Then Select 8 , for shell.

And that you can see the logs via Status --> System Logs

Here the OS Boot (log)

Would prob. reveal the Networkcard type
Ie. my IGB0 is an Intel 211 card

/Bingo

JessicaSEUK

Hi,
Thank you again.. Ping show 0 packet loss.
The new card is from Amazon and is GigaBit, who I think are based in LA. Im pretty sure I have other cards and some motherboards from them.

It's new and will arrive before 1 tomorrow. Being Amazon if there is a problem they are always good with returns. Amazon it is coming direct from them. From what I can see it should be ok.

Ive checked the assignments and yes they are re not IGB or EM.

ISP is Andrews & Arnold. It's normal fibre. Which I think means its fibre to the nearest box then copper from the box to the house.
Out box is assuming the cable follows the road about 1/4 to 1/2. I walk it in 5 or so mins and I have a dodgy leg so I walk slow.
Connecton is PPOE, I can do screen shots and ssh no problem.

From the boot log it confirm RealTek

RealTek 8168/8111 B/C/CP/D/DP/E/F/G PCIe Gigabit Ethernet> port 0xd000-0xd0ff mem 0xf7d00000-0xf7d00fff,0xf0100000-0xf0103fff irq 16 at device 0.0 on pci4

Thanks , Ill switch back to ipFire for the rest of the afternoon and try again tomorrow.

bingo600

@jessicaseuk

According to this:
https://forum.netgate.com/post/1044755

There should be an "alternate" realtek driver , on the forum.
That might make the realteks more stable.
https://forum.netgate.com/post/1027034

But nothing beats Intel's on pfSense.

Now that you have the Intel NIC on the way, do use the Intel's as WAN & LAN.

Loading the alternate driver, would only make sense if you wanted to play with the Realteks as 3'rd & 4'th interfaces.

Edit1:
Are you connecting directly to the "Lan" realtek or do you have a switch in between ?
If switch , what Brand & Model ?

Having those high fluctuations on the LAN (ping 160ms) , could indicate an issue there.

Edit2:
What does Status --> Interfaces show for Wan & LAN ?

Especially Errors & Collisions

stephenw10

0% packet loss but very high latency says some buffer bloat issue normally.

If you only have one gateway try disabling the gateway monitoring action:
https://docs.netgate.com/pfsense/en/latest/routing/gateway-configure.htm

The latency is probably triggering alarms and all the associated actions unnecessarily.

Steve

bingo600

@stephenw10

Good tips , that OP should try - Always try your tips

My reasoning ...
OP Wrote:

Ping on 8.8.8.8 ttl 120 mostly time is around 20 - 30ms

ping on the IP of the wan :
ttl 64

Time is varied.
It spends a lot of time around 20m spikes at around 50ms some peaks at 90ms. Large blip over 160 I assume this is when Im this is bad and is what is affecting netflix or amazon.

I read it as 8.8.8.8 pings were consistent around 20..30ms , but that "Wan ping" were having the 160ms spikes. ... I was asking for LAN ping , but WAN is still a local ping.

That's why i was "thinking" have a look at : Ingress (LAN) IF or Switch ...

/Bingo

stephenw10

Yeah, initially it shouts a connection duplex mismatch but you would see packet loss in that situation. You would also see errors/collisions on the interface as you asked about.

JessicaSEUK

@jessicaseuk Hi,
Thanks for your help. The new card arrived and has been up for about 18 hours.
I also wrote a simple script , run by cron to run ping and look for loss, then dump to a file.
It looks a lot better.

Im still getting a lot of browser timeouts, I was wondering if may be DNS is slow.
About 15 mins ago I disabled ISP DNS and added 1.1.1.1 and 1.0.0.1 , I use Cloudflare. It looks promising but has not been doing enough to know for certain.

My thoughts then changed. When accessing the pfSense admin , I use the IP. In my case, 192.168.0.1

It often times out. Quite often after many retries, I need to run menu option 11 to restart webConfigurator. At this point, I have no comms with the pfSense device, which means I cant use ssh. It has to be a direct connect, monitor, keyboard.

Thank you for your help, things are at least moving fwds and hopefully getting close to a working system.
It is a lot more troublesome than ipFire, Im hoping it will be better , once these problems have been overcome.

I've also ordered an i7 which should arrive tomorrow. The system, I had is plenty powerful enough, but just in case there is some 32 / 64 issues or something odd going on.

If all fails the i7 will run the latest version of ipFire. My old / current box stopped updating ages ago.
For what I need, an i7 is completely OTT but if that is what it takes so be it.

Whilst typing this I got a warning claiming lost connection to Netgate Forum 3 times.

Thanks again.

JessicaSEUK

@bingo600 Hi
Thanks for your reply.
Sorry, the link you sent is for me a 404 page not found and I do not know enough about pfSense yet to be able to guess about anything.
Thank you again.

stephenw10

@jessicaseuk said in constant timeouts in browser and media players:

It often times out. Quite often after many retries, I need to run menu option 11 to restart webConfigurator. At this point, I have no comms with the pfSense device, which means I cant use ssh. It has to be a direct connect, monitor, keyboard.

If you're unable to SSH to pfSense by IP address directly that indicates something more fundamental. Like maybe an IP conflict or a rogue DHCP server running on something else.

Can you even ping pfSense at that point?
If it fails what error is shown?
Try to check the ARP table on the client. Make sure it's still showing the pfSense LAN IP with the correct MAC address.

I would not expect simply restarting the webconfigurator to restore SSH access so I suspect something else is happening there.

Steve

JessicaSEUK

@stephenw10 Hi, I can normally do an ssh no problem.
When its updating its settings, the comms drops on the ssh.
The browser times out, retry , retry etc etc
Eventually, I run option 11 to restart WebConfiurator and comms is resumed and the browser reloads fine.
As I navigate menus the same happens. Mostly its when I have made a change and applying it.

Now its a working, I day, I cant do anything during the daytime as we need email to be working for our work.

I'm normally up and looking at various things from around 3am so can play a little during that time.
The next chance where I can take things down for any length of time ( including keep rebooting, losing comms etc ) will be at the weekend.

Thanks for your help.
The new i7 arrives tomorrow. I can really see it will change anything other than give me the option to switch between ipFire and pfSense.

Im told pfSense is so much better and I should move over to it but so far, I cant get things stable enough to find out.

It is concerning that a simple install should cause so many problems. Re the boot / black screen one.
There was another it did not work with a GPU plugged in and had to remove it and use the motherboard. The only clue was after the boot menu the screen when white and hung.
Thanks to everyone here for your help.

stephenw10

Check the system logs. See what's happening when you make a change. It's possible it's triggering something it should not be due to a misconfiguration somewhere. Like it could be reloading the LAN interface or resetting all the states. Either could present like that. And neither should happen by default.

Steve

bingo600

@jessicaseuk said in constant timeouts in browser and media players:

My thoughts then changed. When accessing the pfSense admin , I use the IP. In my case, 192.168.0.1
It often times out. Quite often after many retries, I need to run menu option 11 to restart webConfigurator. At this point, I have no comms with the pfSense device, which means I cant use ssh. It has to be a direct connect, monitor, keyboard.

As Stephen said - Have a look in the system logs.

That said:
IMHO the thing to focus on is the "Loss of access" to your local pfSense LAN interface.
If LAN had issues then any devices on LAN will have issues, and that could easily be seen as browser timeouts.

Could you try to answer questions from here ?
https://forum.netgate.com/post/1063211

1:
How are your devices connected to to the LAN , do you have any switches inbetween ?.

2:
How was your Status --> Interface "counters" , especially for LAN

/Bingo

A Former User

My background is dev, I only know basic networking. But
those numbers look odd to me.

Then perhaps a fresh install and "only" pfSense and some
rules set up will be the best starting point for you. If then
something went wrong it is better to find out or narrow
down to a special point. Snort and pfBlocker-NG will be
also not real "set-it-up-and-forget-it" applications and
this also not for very experienced users.

Home routers maybe sorted with some small ASICs and running (acting) therefore a bit more faster, also Linux is
a few bit more liquid and smooth running on the same
hardware as FreeBSD, it also comes with much more
hardware and better driver support for many different hardware. So it is not the same running Linux and/or
FreeBSD based systems on the same hardware.

My suggestion to not run in a "many-problems-but-what-is-it-searching" loop, fresh install, configure it out, and then if all is fine start the next packet installing and again
configure it out, .........

So the forum might be best able to help you, owed to the different sections you maybe point your "problem" or question in.