connectivity delay for new clients
-
I have this issue on two firewalls at separate locations, both are on 2.6 but have had the issue for many versions (3+ years)
When a client connects and gets a DHCP address, the client has no connectivity for the first ~15 seconds. Windows says "connected, no internet" and browsers can't reach anything and give a message about no DNS.
-
after this ~15 seconds, everything works perfectly. As long as the client PC stays on. speeds are fast and DNS queries are near instant.
-
only windows clients seem to be affected, phones for example do not seem to be affected.
-
One site has unifi wifi, the other has cisco, both have the same issue
-
I'm using resolver mode at both sites, enabling forwarding mode doesn't change anything.
Does anyone else have this issue? What's my next troubleshooting step?
-
-
@vinistois Run a packet capture on the interface that the device connects to on the pfSense installation and then filter by the IP address (or better yet the MAC address of the device getting DHCP) and start the cap before attempting to connect the computer. Make sure you set the Count to 0 or you will have a capture with 100 packets and nothing to report back of value.
I suspect it's Windows checking in and that is waiting for DNS calls and HTTPS traffic to work. This will be evident in the packet capture.
Do you have a Linux device or macOS one you can test on?
-
@vinistois said in connectivity delay for new clients:
When a client connects and gets a DHCP address, the client has no connectivity for the first ~15 seconds
I never really measured the delay, but my Phone, when I connect to my captive portal, also show for several seconds a 'Internet' connectivity issue.
It is connected to the Wifi captive portal of course.
I know the local LAN network works, otherwise the login page would ecen show up. So my phone can speak with pfSense.
As soon as I enter a user and password, and hit 'Enter', the pfSense firewall is updated : my IP and MAC are allowed, and nothing stops my Phone from using the Internet.
Still, the message on my Phone isn't updatd instantly.Because their must be a delay, the phone isn't polling xx times per second, but probably ones every x seconds.
Quiet logic actually. As what would happens if I switch of the power from the switch that hooks up all my devices on my LAN network, and then switch is back on again ?
All wired devices (for me, 50 or so) will receive a link down and then a link up on their NICs.
All devices will initiate a DHCP at that moment.
All devices, when obtained a lease, and will test for 'Internet' connectivity.
pfSense will get smacked with requests.
unbound will get smacked with DNS requests.
On big networks a real congestion will take place.
So, this test, and the subsequent message you saw on the screen, isn't instantaneous.But you are connected.
You can test this using packet capturing as rcoleman proposed.
Or, open a 'cmd' on the windows device, and prepare this command - don't hit enter yet :nslookup google.com 192.168.1.1Where 192.168.1.1 is the IP of your pfSense LAN.
Unhook the ethernet cable for some seconds, and put it back in.
Wait one second to give DHCP time to do it's thing.
Now hit enter in the cmd box, execute the nslookup command.
nslookup should be answering in a second, which proofs you are connected to pfSense.Btw : test with a wired connection, as Wifi can add a lot of it's own delays.
-
Mmm, that's not expected. Yes, a pcap, showing what the client is doing in those 15s would probably be revealing.
I assume you are not running captive portal?
Do you have any IPv6 configured?
Partial IPv6 connectivity can introduce delays like that whilst Windows tries to use v6 and then falls back to v4.Steve
-
@stephenw10 said in connectivity delay for new clients:
Partial IPv6 connectivity can introduce delays like that whilst Windows tries to use v6 and then falls back to v4.
Nice catch
