New install. Poor performance?

jrutley

Hi, brand new user of pfsense here. I installed it, put it in front of our home network behind a bridged cable modem, and found out that the performance is abysmal.

I suspect that it's the CPU, but maybe someone here has more insight.
Running a speedtest, I get up to maybe 400Mbps before it ends up around 130Mbps.
On my TP-Link router, the one I want to replace, I get between 700-940Mbps.

With this new hardware, when going to fast.com or speedtest.net, the CPU usage made it as high as 36%.

It's not just fast.com though. While one person was downloading stuff (100Mbps+), others couldn't play any online games.

I have the gateway's monitor IP set to 1.1.1.1
WAN_DHCP <my-ip> 51.1ms 18.6ms 13% Warning, Packetloss
when running a test from fast.com, the status says offline

Here's the hardware in question:

https://www.aliexpress.com/item/1005007267007244.html
8GB of RAM and 128GB SSD

Intel(R) Celeron(R) N4000 CPU @ 1.10GHz
Current: 1100 MHz, Max: 1101 MHz
2 CPUs: 1 package(s) x 2 core(s)
AES-NI CPU Crypto: Yes (inactive)
QAT Crypto: No

4*Intel 2.5G RJ45 Lans
Intel(R) Ethernet Controller I226-V

Gblenn

@jrutley said in New install. Poor performance?:

Intel(R) Celeron(R) N4000 CPU @ 1.10GHz
Current: 1100 MHz, Max: 1101 MHz
2 CPUs: 1 package(s) x 2 core(s)
AES-NI CPU Crypto: Yes (inactive)
QAT Crypto: No

4*Intel 2.5G RJ45 Lans
Intel(R) Ethernet Controller I226-V

No reason that setup should not be able to reach Gbit speeds, or more even... My previous install, able to handle 1Gbit speeds, was on a PC-Engines APU2 that has a single thread rating only 25% of what a Celeron N4000 has.

What version of pfsense are you running and have you made any changes, additions outside the default?

jrutley

@Gblenn

2.7.0-RELEASE (amd64)
built on Wed Jun 28 03:53:34 UTC 2023
FreeBSD 14.0-CURRENT

The system is on the latest version.
Version information updated at Tue Mar 11 19:58:53 +05 2025

jrutley

I haven't made any changes other than setting up the ports. I've got one dedicated to WAN, and the other dedicated to LAN.

Is there a utility for dumping my config somewhere?

Gblenn

@jrutley Ok, not the latest release then but it should still be able to give you much better performance than a few hundred Mbit/s. Latest release is 2.7.2 from 2024...

Have you made any changes? Added any limiters/shapers? Added any packages?

jrutley

@Gblenn I added one firewall rule to block a site, but I removed that and experienced the same issue

jrutley

I'm not entirely sure how to update to 2.7.2, at least from this menu.

Gblenn

@jrutley Check the next tab, Update Settings...

What modem do you have from the ISP, and do you see that you have a public IP on pfsense WAN?

stephenw10

Run: certctl rehash then check again.

jrutley

it's a Hitron CODA 4680, and yes the WAN interface shows that I have a public IP

jrutley

The certctl rehash did the trick for that. Thank you.

I just noticed now that the gateway IP is different from the WAN interface
(unless that .225 is the CMTS, perhaps)

jrutley

After upgrading to 2.7.2, I still experience the same issue

stephenw10

The gateway should be different, that;'s the upstream device at the ISP. The WAN IP is local to pfSense.

The first thing I would do is disable the Gateway Monitoring Action (not gateway monitoring!) in Sys > Routing > Gateways, edit the WAN gateway. An external monitoring IP is already set so that's good.

Check Status > Interfaces for errors or collisions. That packet loss it pretty catastrophic!

jrutley

@stephenw10

monitoring action is disabled

<snip IP info>
MTU
1500
Media
1000baseT <full-duplex>
In/out packets
1901037/1054338 (2.22 GiB/656.63 MiB)
In/out packets (pass)
1901037/1054338 (2.22 GiB/656.63 MiB)
In/out packets (block)
660/1 (292 KiB/40 B)
In/out errors
0/0
Collisions
0
Interrupts
2689149 (874/s)

jrutley

I should have said "monitoring action is now disabled" earlier.

I'm still getting huge packet loss. I checked the modem signal levels, and they look pretty good. I'm tempted to try one of the other two disabled ports.

The other thing I did was disable IPv6 to see if that would help. It didn't.

stephenw10

Do you only see loss when running a test or loading the link in some other way?

And you don't see any errors on the LAN side NIC either?

Trying a different port/NIC is always a good test.

jrutley

@stephenw10
The lowest I've seen the loss is around 6%, presumably when the network is mostly idle.
Most of the time it's around 16-20%

Zero errors on the LAN side too

stephenw10

Hmm, well that's not great!

Try running a ping test from pfSense dircetly so you're only testing the WAN link.

Do you see loss if you just ping the pfSense LAN or WAN IP from an internal client?

If you can try putting a switch between the WAN NIC and modem to make sure it's not some low level connection issue.

jrutley

@stephenw10

Although I managed to find a spot to put the switch, unfortunately putting a switch in front didn't help :(

jrutley

no loss when pinging only within the LAN

no loss when pinging the WAN IP from local network