Slow download speed

maverick_slo

@stephenw10
Tried with 1300 and 1200 MTU and MSS same result.

I wrote to my isp if they can do something about it...

stephenw10

Try just running a ping to 208.123.73.209 and see what the loss rate is.

You could also try running MTR against it:

                                   My traceroute  [v0.95]
steve-NUC9i9QNX (172.21.16.8) -> 208.123.73.209 (208.123.73.209)   2025-08-13T19:50:29+0100
Keys:  Help   Display mode   Restart statistics   Order of fields   quit
                                                   Packets               Pings
 Host                                            Loss%   Snt   Last   Avg  Best  Wrst StDev
 1. fw1.stevew.lan                                0.0%    26    0.3   0.4   0.3   0.5   0.1
 2. 172.16.13.252                                 0.0%    26    4.7   4.6   4.4   5.0   0.1
 3. (waiting for reply)
 4. 128.hiper04.sheff.dial.plus.net.uk            0.0%    26    5.5   5.5   5.2   7.2   0.4
 5. 62.6.204.236                                  0.0%    26    5.4   5.8   5.2   6.9   0.4
 6. core5-hu0-0-0-15.faraday.ukcore.bt.net        0.0%    26    5.6   6.5   5.4  25.7   3.9
 7. 166-49-209-132.gia.bt.net                     0.0%    26    5.6   6.2   5.4  21.0   3.0
 8. ixp1-xe-5-0-0-2.us-ash.gia.bt.net             0.0%    26   88.4  88.9  87.6 105.7   3.5
 9. int-14-0-5-2.pr2.dca10.netops.charter.com     0.0%    26   89.3  98.0  88.7 126.7   8.5
10. lag-10.asbnva1611w-bcr00.netops.charter.com   0.0%    26  124.2 123.1 122.4 125.9   0.8
11. lag-400.atlngamq46w-bcr00.netops.charter.com 23.1%    26  112.4 113.3 112.3 115.8   0.8
12. lag-12.hstqtx0209w-bcr00.netops.charter.com   0.0%    26  112.6 113.1 112.0 114.1   0.6
13. lag-1-10.rcr01hstqtx02.netops.charter.com     0.0%    26  111.8 112.0 111.6 113.4   0.4
14. lag-9.mcr02hstqtx02.netops.charter.com        0.0%    26  122.7 122.7 122.3 124.3   0.4
15. lag-102.mcr02snavtxuu.netops.charter.com      0.0%    26  135.2 135.1 134.7 135.9   0.3
16. lag-101.mcr02snantxvy.netops.charter.com      0.0%    26  135.1 135.1 134.8 135.4   0.2
17. lag-102.mcr02ausdtxir.netops.charter.com      0.0%    26  125.0 125.1 124.8 125.7   0.2
18. syn-076-058-033-033.biz.spectrum.com          0.0%    26  135.3 134.2 133.8 135.3   0.3
19. syn-024-073-241-243.biz.spectrum.com          0.0%    26  135.0 135.9 133.8 147.5   3.9
20. syn-097-105-026-206.biz.spectrum.com          0.0%    25  125.5 125.5 125.2 126.0   0.2
21. net66-219-34-194.static-customer.corenap.com  0.0%    25  125.1 125.1 124.9 126.0   0.2
22. fw1-zcolo.netgate.com                         0.0%    25  128.5 128.6 128.4 129.1   0.1
23. 208.123.73.209                                0.0%    25  125.8 125.6 125.4 125.9   0.1

maverick_slo

No loss

208.123.73.209 ping statistics ---
23 packets transmitted, 23 received, 0% packet loss, time 22029ms
rtt min/avg/max/mdev = 140.357/147.701/152.623/5.680 ms

maverick_slo

Mtr, HE is really bad...

My traceroute  [v0.94]
as.rasca.local (10.10.0.82) -> 208.123.73.209                          2025-08-13T21:27:40+0200 
Keys:  Help   Display mode   Restart statistics   Order of fields   quit
                                                       Packets               Pings               
Host                                                Loss%   Snt   Last   Avg  Best  Wrst StDev  
1. _gateway                                          0.0%     7    0.3   0.3   0.2   0.4   0.15 
2. 77-38-56-1.dynamic.telemach.net                   0.0%     7    2.3   4.4   1.9  13.3   4.24 
3. 185-66-148-89.static.telemach.net                 0.0%     7    2.2   3.4   1.9  11.3   3.5
4. 100ge0-36.core1.lju1.he.net                       0.0%     7   14.5   8.7   7.3  14.5   2.68   
5. 0.4-66.core2.vie1.he.net                         28.6%     7   10.0   7.8   7.1  10.0   1.2
6. 100ge0-63.core2.par2.he.net                      71.4%     7   26.2  26.2  26.2  26.2   0.0  
7. port-channel11.core2.nyc4.he.net                 66.7%     7   96.8  96.8  96.7  96.7   0.08 
8. port-channel11.core1.ash1.he.net                 66.7%     7  101.6 101.7 101.6 101.9   0.2
9. port-channel1.core3.ash1.he.net                  50.0%     7  102.8 102.9 102.8 102.9   0.1
10. twc-7843-bb-as7843.e0-33.switch1.ash1.he.net      0.0%     7  104.4 101.8 100.9 104.4   1.2 
11. lag-310.asbnva1611w-bcr00.netops.charter.com      0.0%     7  128.8 129.5 128.8 130.7   0.8 
12. lag-407.atlngamq46w-bcr00.netops.charter.com     42.9%     7  134.8 132.9 128.4 140.2   5.78.
13. lag-405.hstqtx0209w-bcr00.netops.charter.com      0.0%     7  127.5 127.8 127.5 128.1   6.9 
14. lag-1-10.rcr01hstqtx02.netops.charter.com         0.0%     7  126.6 126.6 126.4 126.6   0.17
15. lag-9.mcr02hstqtx02.netops.charter.com            0.0%     7  128.8 128.8 128.6 129.0   0.21
16. lag-102.mcr02snavtxuu.netops.charter.com          0.0%     6  141.1 141.2 141.1 141.3   0.1 
17. lag-101.mcr02snantxvy.netops.charter.com          0.0%     6  140.1 140.5 139.5 144.7   2.16   
18. 1ag-102.mcr02ausdtxir.netops.charter.com          0.0%     6  140.2 140.2 139.6 142.6   1.27
19. syn-076-058-033-033.biz.spectrum.com              0.0%     6  141.4 140.9 140.6 141.0   0.24   
20  syn-024-073-241-243.biz.spectrum.com              0.0%     6  142.0 141.1 140.5 142.0   0.64   
21. syn-097-105-026-206.biz.spectrum.com              0.0%     6  156.9 152.3 151.2 156.9   2.36   
22. 2t66-219-34-194.static-customer.corenap.com       0.0%     6  151.5 143.0 141.0 151.5   4.2 
23. fw1-zcolo.netgate.com                             0.0%     6  152.5 147.3 141.3 153.1   6.1 
24. 208.123.73.209                                    0.0%     6  169.9 149.5 140.2 169.9  11.7

Edit: Fixed up that MTR output.

stephenw10

That MTR output is actually OK. It's normal to see some hops in the route the don't respond to pings or drop packets. The important thing is that there is no loss at thge last few hops. If there was general packet loss in the route everything beyond a bad router would see at least that same level of loss.

That packet capture sure looks like it's just missing traffic though.

maverick_slo

@stephenw10

What can I do?

stephenw10

You could try pinging with large packets to determine any MTU restriction in the path. Setting MSS to 1200 should have eliminated that unless it's very restricted.

In the screenshot of the pcap we can see large packets arriving from the pkg servers but none going the other way.

Though the fact that pfSense is continually sending duplicate ACKs seems to imply that it's not seeing the incoming packets from the server even though they are reaching the NIC.

I assume you are not seeing traffic blocked in the firewall log? Do you have custom block rules that might block that without logging?

Do you have more than one WAN? Is it possible traffic is using both?

Something else could be dropping traffic on the WAN like traffic shaping or Snort.

maverick_slo

@stephenw10
No, one wan.

2 locations, same ISP....

Happens same on both locations even if I try to use installer for new install so no snort or whatever..

JeGr

@maverick_slo Are you running WAN IPv4 only or with dualstack (IPv6), too?

I've seen quite a few installs from us with dual stack where especially v6 was slow as hell. Disabling v6 (setting v6 gateway to none to force it to run via v4) was way faster. As sad as that is...

Just an idea.

maverick_slo

@JeGr nop
No ipv6 at all..

Also no firewall rules that would block anything...

stephenw10

Are you able to upload that pcap (or one like it) so we can look at it? That looks so catastrophic it should show something where it first fails.

https://nc.netgate.com/nextcloud/s/gmrTnLwJyNjNpqa

maverick_slo

@stephenw10
Hi.
Upliaded to your and mine Nextcloud

Hope u see something..

stephenw10

Hmm, unfortunately that doesn't include the initial part of the connection where it first fails. Are you able to get a pcap including that? If you just run pkg update for example.

Was is that running on? The MAC addresses for pfSense and it's gateway are unusual.

maverick_slo

@stephenw10
Uploaded: telemach_netgate_PKG_UPDATE.pcap

But it`s just 9KB...

maverick_slo

@stephenw10 pkg_install_start.pcap uploaded.
It replicates behaviour and I started packet capture before trying to install freeradius package...

MAC addresses are Hyper-V, my firewall is virtual machine...

stephenw10

Hmm, something weird going on there. The packets are arriving out of order at the WAN. You can see in that pkg_install_start pcap where it first fails at packets 24-26. Packets 24 and 25 are reversed.

Do you have any hardware off-loading enabled?

If there any sort of proxy involved here? Something set in Hyper-V?

Can you test a bare metal install from the same location?

maverick_slo

@stephenw10
Bare metal same issue.
No proxy at all

2 locations, same ISP

1. Has Sonicwall firewall
2. Has pfsense firewall

So common thing is download from netgate and ISP...

maverick_slo

Im testing with file on my phone...

http://pfsense-plus-pkg00.atx.netgate.com/beta/packages/pfSense_plus-master_amd64-core/All/pfSense-kernel-debug-pfSense-23.01.b.20230106.0600.pkg

On my isp, slow dl speed on wifi.

I have then 2 sims, 2 different isps...

On both those isps speed is ok.

stephenw10

Oh so you still see this even without pfSense involved at all? It must be a problem in the route then. Like something at your ISP routing packets via multiple routes perhaps.

What happens if you route traffic over a VPN to somewhere else so you bypass anything the ISP is doing?