Throughput from Lan to Wan
-
@orkopaede it is just an outbound nat.
In my example when pfsense sees traffic to 2.42 from 9.100 it changes the IP from being source of 9.100 to pfsense IP on that interface, in my case 2.253.. Just like what happens when your lan clients go to something on the internet and pfsense changes the IP to pfsense wan IP (normally some public IP).
Notice the states when I do that..
Now when not natting - which pfsense wouldn't do between local networks. See the states
-
@johnpoz Okay, I think I got it:
Speeds are, I would say, okay; the 8.227 is probably the bottleneck here:
```
iperf3.exe -c 192.168.8.227 -V
iperf 3.1.3
CYGWIN_NT-10.0 WernerLaptop 2.5.1(0.297/5/3) 2016-04-21 22:14 x86_64
Time: Wed, 22 Feb 2023 14:25:03 GMT
Connecting to host 192.168.8.227, port 5201
      Cookie: WernerLaptop.1677075903.687139.6ae82
      TCP MSS: 0 (default)
[  4] local 172.28.0.1 port 1188 connected to 192.168.8.227 port 5201
Starting Test: protocol: TCP, 1 streams, 131072 byte blocks, omitting 0 seconds, 10 second test
[ ID] Interval           Transfer     Bandwidth
[  4]   0.00-1.00   sec  94.8 MBytes   794 Mbits/sec
[  4]   1.00-2.00   sec  96.9 MBytes   813 Mbits/sec
[  4]   2.00-3.00   sec  85.1 MBytes   714 Mbits/sec
[  4]   3.00-4.00   sec  89.8 MBytes   753 Mbits/sec
[  4]   4.00-5.00   sec  89.5 MBytes   751 Mbits/sec
[  4]   5.00-6.00   sec  93.5 MBytes   784 Mbits/sec
[  4]   6.00-7.00   sec  68.8 MBytes   576 Mbits/sec
[  4]   7.00-8.00   sec  72.8 MBytes   609 Mbits/sec
[  4]   8.00-9.00   sec  82.5 MBytes   695 Mbits/sec
[  4]   9.00-10.00  sec  95.4 MBytes   800 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
Test Complete. Summary Results:
[ ID] Interval           Transfer     Bandwidth
[  4]   0.00-10.00  sec   869 MBytes   729 Mbits/sec                  sender
[  4]   0.00-10.00  sec   869 MBytes   729 Mbits/sec                  receiver
CPU Utilization: local/sender 12.0% (2.0%u/10.0%s), remote/receiver 19.8% (5.2%u/14.6%s)

iperf Done.
```
Anyway, it should be enough for the 200Mbit Internet connection.
-
@orkopaede I don't see any nat happening in your states.. Notice in my states where it shows 192.168.9.100 changed to the wlan interface IP of 192.168.2.253
If you had an existing state between those 2 IPs, then the nat wouldn't happen. You need to clear any old states between those IPs and that 5201 port so that the new connection would use the nat.
But hard to believe that "nat" alone would be that much of a hit..
edit: just for grins.. Could you disable the Kernel PTI.. That for sure could be a hit on performance.. There is almost zero sort of use case where that would be needed on a firewall.. I find it unlikely it could be such a hit to only see 16mbps vs your 200.. But have a hard time coming up with a use case where you would want/need to enable that on a firewall. And it would be a hit, the level of which is hard to say.. But why have anything enabled that would hinder the performance of your box? Unless you have a very good reason to, and have to take the performance hit.
https://docs.netgate.com/pfsense/en/latest/config/advanced-misc.html#kernel-page-table-isolation-pti
While more secure, this protection can incur a performance penalty. If untrusted users do not have access to run arbitrary code on the firewall, it can be disabled without significant security risk.
-
@johnpoz I will give that a try.
For the NAT problem. I guess the nat didn't work because everything was or is allowed in the firewall rules for this interface. How would the rules have to be set here so that the NAT can still work? Allow everything except LAN interface where the 8.227 is connected?
-
@orkopaede nothing should have to change in the firewall rules, if the traffic was allowed before. But if you had an existing state, you would need to clear out those old states that were not doing nat.. Or just wait til they go away on their own on timeouts.
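An added example, not part of the original posts: a small filter that shows, for one destination and port, which outbound states were created with NAT and which are older un-NATed states that still need to be cleared. It assumes state lines laid out the way `pfctl -ss` prints them (translated address first, original source in parentheses); the interface names, ports and the full address 192.168.2.42 for the thread's "2.42" are constructed.

```shell
#!/bin/sh
# Classify outbound pf states to one destination as NAT or NO-NAT.

# Constructed sample in the layout of `pfctl -ss` output.
# Interface names and port numbers are made up for illustration.
sample_states() {
cat <<'EOF'
igb1 tcp 192.168.2.42:5201 <- 192.168.9.100:50111       ESTABLISHED:ESTABLISHED
igb2 tcp 192.168.9.100:50111 -> 192.168.2.42:5201       ESTABLISHED:ESTABLISHED
igb1 tcp 192.168.2.42:5201 <- 192.168.9.100:50222       ESTABLISHED:ESTABLISHED
igb2 tcp 192.168.2.253:61034 (192.168.9.100:50222) -> 192.168.2.42:5201       ESTABLISHED:ESTABLISHED
igb2 tcp 192.168.2.253:3022 (192.168.9.100:50300) -> 192.168.2.42:443       FIN_WAIT_2:FIN_WAIT_2
EOF
}

# nat_check DEST_IP DEST_PORT
# Reads state lines on stdin. For every outbound ("->") state to DEST:PORT:
#   NAT <original src> as <translated src>   when a "(orig)" field is present
#   NO-NAT <src>                             when the source left untranslated
nat_check() {
    awk -v dst="$1:$2" '
    {
        for (i = 3; i < NF; i++) {
            if ($i != "->" || $(i + 1) != dst) continue
            if ($(i - 1) ~ /^\(.*\)$/) {
                orig = $(i - 1)
                gsub(/[()]/, "", orig)      # strip the parentheses
                print "NAT " orig " as " $(i - 2)
            } else {
                print "NO-NAT " $(i - 1)
            }
        }
    }'
}

# Run against the constructed sample; on a firewall, pipe `pfctl -ss` in instead.
sample_states | nat_check 192.168.2.42 5201
```

Any `NO-NAT` line for the test port is a state that predates the outbound NAT rule; once it is killed or times out, the next connection should appear as `NAT`.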
-
@johnpoz Okay then I'll just reset the stats or wait. I have to go and pick up my child from kindergarten anyway so.
First of all, thank you for your time and help. I'll test further tomorrow. Thank you!
-
@johnpoz Finally with the last test
Speeds:
```
iperf3.exe -c 192.168.8.227 -V
iperf 3.1.3
CYGWIN_NT-10.0 WernerLaptop 2.5.1(0.297/5/3) 2016-04-21 22:14 x86_64
Time: Wed, 22 Feb 2023 15:07:53 GMT
Connecting to host 192.168.8.227, port 5201
      Cookie: WernerLaptop.1677078473.811245.0a2fc
      TCP MSS: 0 (default)
[  4] local 172.28.0.1 port 5984 connected to 192.168.8.227 port 5201
Starting Test: protocol: TCP, 1 streams, 131072 byte blocks, omitting 0 seconds, 10 second test
[ ID] Interval           Transfer     Bandwidth
[  4]   0.00-1.00   sec  77.4 MBytes   648 Mbits/sec
[  4]   1.00-2.00   sec  81.8 MBytes   686 Mbits/sec
[  4]   2.00-3.00   sec  87.6 MBytes   735 Mbits/sec
[  4]   3.00-4.00   sec  65.5 MBytes   550 Mbits/sec
[  4]   4.00-5.00   sec  96.8 MBytes   812 Mbits/sec
[  4]   5.00-6.00   sec  90.2 MBytes   757 Mbits/sec
[  4]   6.00-7.00   sec  91.9 MBytes   771 Mbits/sec
[  4]   7.00-8.00   sec  75.6 MBytes   635 Mbits/sec
[  4]   8.00-9.00   sec  78.8 MBytes   660 Mbits/sec
[  4]   9.00-10.00  sec  88.4 MBytes   742 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
Test Complete. Summary Results:
[ ID] Interval           Transfer     Bandwidth
[  4]   0.00-10.00  sec   834 MBytes   699 Mbits/sec                  sender
[  4]   0.00-10.00  sec   834 MBytes   699 Mbits/sec                  receiver
CPU Utilization: local/sender 11.0% (1.4%u/9.6%s), remote/receiver 2.5% (0.6%u/1.9%s)
```
Okay, now I have to go.
-
@orkopaede you can always just kill any state in the state table directly. Under diagnostics, state table.
edit:
That seems low for whatever reason.. Notice in mine it was a very small hit to the speed, compared to just lan to lan speed.. And you're on an i5.. I would think that is more powerful than my sg4860..
-
@orkopaede yeah you need to put the nat on the correct interface for the direction of your traffic flow ;)
-
@johnpoz OK, I tested it a bit further and I think it is a Windows problem. I repeated the tests on a Linux PC and I always got my 200Mbit without establishing multiple connections (iperf option -P). I don't think I have to bother anyone here with this topic. ;) Thank you once again for the help.
-
@orkopaede said in Throughput from Lan to Wan:
i tested it a bit further and i think it is a windows problem
Did you actually enable window scaling? All the posts you show it disabled.
edit: never mind, looks like you did enable it.
-
@orkopaede I don’t see in the thread that you checked traffic shaping? I’ve seen many threads where an old setting was left enabled.
-
@steveits Hi, traffic shaping is disabled on all interfaces. I never touched this part of pfsense.
-
@orkopaede So I guess it is what it is... a Windows problem.
When I find the problem I will post it here, hopefully with a solution.
-
@orkopaede Hi! Run wireshark on the Windows machine and see if anything catches your eye. Also check Windows power-saving for the NIC you are connecting from. For some poorly written drivers, Windows tends to make some bass-ackwards assumptions about what "energy saving" vs "disrupting key functionality" means.