Slow management from WAN
-
First time pfSense user here. Got a 2100. I set up everything in my lab. It all worked great. I configured everything via the WAN port. WAN had a private IP in the lab. No issues at all.
I switched the WAN IP to a static public IP. Set the source IP rule to be my public IP. I moved it into production. Management via the WAN was really slow. Like not usable. I got onto management from the LAN side and it was completely normal. LAN traffic to the internet worked great. I can't sort out any reason why that management traffic from the WAN side is slow only on production real-world IPs. I tried moving the management port around a bit just to see if that mattered and it didn't. Even on the same port as the old firewall, management via WAN was slow.
-
@cylosoft What's the status of the unbound/DNS Resolver service?
-
@rcoleman-netgate DNS Resolver service is enabled. The computer on the LAN side was using the firewall as a DNS server and it was doing DNS lookups.
-
I just put the WAN back onto my lab switch; private IP. Via WAN everything is back to normal. DNS resolver looks good.
-
Presumably that is connecting via some different physical link when it has the public IP?
Do you have any sort of traffic shaping applied?
When you connect to the private IP in the lab is that coming from a client in the WAN subnet directly? I assume that cannot be the case for the public IP. It could be passing the traffic via a different firewall rule.
Just how slow is it? What symptoms do you see when you connect?
Steve
-
2 Windows machines connected on LAN ports. For the WAN port I'm physically moving the cable from the test network to the public IP.
Nothing in traffic shaping turned on.
Management rule is the same. I have an IP alias with my public IP and my machine's private IP in it.
About 1 min to load login screen. About 1 min to login. The dashboard never really loads; gets like mostly loaded.
-
But in order to access it via the WAN for management you're connecting from some other external public IP to reach it?
If you're just using the external IP from an internal client you might be hitting some asymmetry.
-
@stephenw10 Yeah. My computer's private IP is in the alias. On the same LAN as the firewall when the firewall is on the lab network.
The public IP in the alias is that same computer's public IP. So same ISP as the firewall, but a different public IP. 2 completely separate public IPs. I know the ISP is routing fine because this is all in production. The firewall being replaced works fine for all inbound traffic. The pfSense is getting the same IP and gateway as the firewall it's replacing.
I'm going to try it again tonight and NAT some traffic from public IP into one of the LAN computers and see if that's slow.
-
That sort of throttling feels like an IP conflict or some sort of routing issue perhaps. Potentially a catastrophic MTU problem. However, I'd expect those to affect traffic from LAN clients too unless it was specifically in the route your public client is using.
-
@stephenw10 I had pfSense WAN spoof MAC from the firewall WAN it's replacing. Figuring I'd avoid any ISP issues and get a nice clean swap. But I agree it does feel like that. I just can't sort out what or why.
-
ARP cached somewhere? If it was upstream though it would affect everything.
A pcap on the pfSense while you try to access it should show the issue.
Steve
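The post above suggests a packet capture on the pfSense box and, earlier in the thread, names three things such a capture could reveal: an IP conflict (two MACs answering ARP for one address), an MTU problem (ICMP "need to frag" messages), and general stalling (the same TCP segment sent over and over). The script below is an added example, not code from this thread or from Netgate; it scans `tcpdump -n`-style text for exactly those three symptoms. The capture lines embedded in it are constructed for illustration, the addresses are documentation ranges, and the function names are hypothetical. It does not run tcpdump itself; feed it the output of a saved capture.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in tcpdump -n text format (not a real capture from the thread).
# It contains: an ARP reply for 203.0.113.10 from two different MACs (IP conflict),
# an ICMP "need to frag" for a 1460-byte server segment (MTU black hole), and
# the same server segment sent three times (two retransmissions).
SAMPLE_CAPTURE = """\
14:02:10.000001 ARP, Reply 203.0.113.10 is-at 00:11:22:33:44:55, length 28
14:02:10.100000 IP 203.0.113.20.51234 > 203.0.113.10.443: Flags [P.], seq 1:518, ack 1, win 64240, length 517
14:02:10.350000 IP 203.0.113.10.443 > 203.0.113.20.51234: Flags [.], seq 1:1461, ack 518, win 65535, length 1460
14:02:10.360000 IP 198.51.100.1 > 203.0.113.10: ICMP 203.0.113.20 unreachable - need to frag (mtu 1400), length 36
14:02:10.600000 IP 203.0.113.10.443 > 203.0.113.20.51234: Flags [.], seq 1:1461, ack 518, win 65535, length 1460
14:02:11.100000 IP 203.0.113.10.443 > 203.0.113.20.51234: Flags [.], seq 1:1461, ack 518, win 65535, length 1460
14:02:12.000000 ARP, Reply 203.0.113.10 is-at 66:77:88:99:aa:bb, length 28
"""

ARP_RE = re.compile(r"ARP, Reply (\S+) is-at ([0-9a-f:]{17})")
FRAG_RE = re.compile(r"ICMP (\S+) unreachable - need to frag \(mtu (\d+)\)")
# Only data-carrying TCP segments print a "seq a:b" range; pure ACKs are skipped.
TCP_RE = re.compile(
    r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[[^\]]*\], seq (\d+):(\d+), .*length (\d+)"
)


def analyze(capture_text):
    """Return the three symptoms found in tcpdump-style text.

    retransmissions: {(src, dst, seq_start, seq_end): extra_copies}
    frag_needed:     [(host_that_needs_smaller_mtu, advertised_mtu), ...]
    arp_conflicts:   {ip: [mac, mac, ...]} for IPs answered by more than one MAC
    """
    macs_by_ip = defaultdict(set)
    frag_needed = []
    segments = Counter()
    for line in capture_text.splitlines():
        m = ARP_RE.search(line)
        if m:
            macs_by_ip[m.group(1)].add(m.group(2))
            continue
        m = FRAG_RE.search(line)
        if m:
            frag_needed.append((m.group(1), int(m.group(2))))
            continue
        m = TCP_RE.search(line)
        if m and int(m.group(7)) > 0:
            # Same endpoints and same byte range seen again == retransmission.
            # tcpdump prints relative sequence numbers by default, which is
            # enough for this per-flow comparison.
            key = (
                f"{m.group(1)}:{m.group(2)}",
                f"{m.group(3)}:{m.group(4)}",
                int(m.group(5)),
                int(m.group(6)),
            )
            segments[key] += 1
    retransmissions = {k: n - 1 for k, n in segments.items() if n > 1}
    arp_conflicts = {ip: sorted(macs) for ip, macs in macs_by_ip.items() if len(macs) > 1}
    return {
        "retransmissions": retransmissions,
        "frag_needed": frag_needed,
        "arp_conflicts": arp_conflicts,
    }


def summarize(report):
    """Human-readable lines for each symptom, one per finding."""
    lines = []
    for (src, dst, s, e), n in report["retransmissions"].items():
        lines.append(f"retransmitted {n}x: {src} > {dst} seq {s}:{e}")
    for host, mtu in report["frag_needed"]:
        lines.append(f"MTU: path to {host} needs frag, advertised mtu {mtu}")
    for ip, macs in report["arp_conflicts"].items():
        lines.append(f"ARP conflict: {ip} answered by {', '.join(macs)}")
    return lines


if __name__ == "__main__":
    for text in summarize(analyze(SAMPLE_CAPTURE)):
        print(text)
```

On the firewall the input would come from something like `tcpdump -ni igc0 -l host <client-ip>` captured to a file while loading the WebGUI; any of the three findings points at the cause the thread was guessing at, and a capture with none of them but long gaps between client requests and server replies would point back at the box itself.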
-
@stephenw10 I sorted this out. Kerio 9.4 doesn't like the pfSense web admin for some reason. Kerio 9.3 is fine with it. In Kerio NAT I've turned off filtering and inspection, but for whatever reason it just doesn't like pfSense web admin and it runs really really slow. I've never seen it on Kerio 9.4 with any other website.
-
Mmm, first report I've seen of that. But good to know, I'll be watching for it.
Steve