Web server pages rendering slowly going out WAN but fine internally - HELP PLS!
-
Ahh yes. Checksum offloading errors.
From a shell:
ifconfig xl0 -rxsum
ifconfig xl1 -rxsum
ifconfig xl2 -rxsumThese seem like older cards, eh? I bet the checksum offloading is busted in FreeBSD.
-
Well, this gets even more interesting. I did what someone else suggested an hooked up my laptop directly to the cable modem. I had wireshark on it and started a capture and remoted with putty to my office and logged onto the pfsense box and start tcpdumps on DMZ and WAN. I then pulled up the browser on my laptop and the accessed the same pages. Here are the PCAP files:
http://www.jobsoft.com/packet-watch-dmz-lapdir-take2-filtered.pcap
http://www.jobsoft.com/packet-watch-eth0-lapdir-take2-filtered.pcap
http://www.jobsoft.com/packet-watch-wan-lapdir-take2-filtered.pcapThe amazing thing to me is the web pages rendered FLAWLESSLY! Yeah, a dropped packet here and there, but, NO delay in rendering!! 1-2 SECONDS tops! And none of the corrupt packets from when testing behind the WRT54G NAT.
OK, now, before PFSENSE, these sites also rendered in 1-2 seconds FROM BEHIND the WRT54G NAT!! So, when in combination of:
WEBSERVERS<–>DMZ<-->PFSENSE<-->WAN<-->WRT54G<-->LAPTOP
problems with packet turnaround/delays arise.
Again, before PFSENSE, it was Fedora6/Shorewall-IPTABLES. Under that scenario, some server were on LAN and some on WAN, but, all accessed with no problems whatsoever. With PFSENSE and take out WRT54G, things seem fine too. It is almost as if at the packet level some packets are getting corrupt and/or held up such that at the TCP/packet level no retransmission occurs until the browser (maybe?) tries the URL it is seeking. I haven't dug down that deep yet.
My next steps are 1) swap back in Fedora and capture/test, 2) different NICs and/or 3) "modern" PC hardware for PFSENSE.
Mark
-
Ahh yes. Checksum offloading errors.
From a shell:
ifconfig xl0 -rxsum
ifconfig xl1 -rxsum
ifconfig xl2 -rxsumThese seem like older cards, eh? I bet the checksum offloading is busted in FreeBSD.
Slightly! :-)
xl0: <3Com 3c905-TX Fast Etherlink XL> port 0xd800-0xd83f irq 10 at device 18.0 on pci0
xl1: <3Com 3c905B-TX Fast Etherlink XL> port 0xdc00-0xdc7f mem 0xe8801000-0xe880107f irq 5 at device 19.0 on pci0
xlphy0: <3Com internal media interface> on miibus1
xl2: <3Com 3cSOHO100-TX OfficeConnect> port 0xe000-0xe07f mem 0xe8800000-0xe880007f irq 11 at device 20.0 on pci0
xlphy1: <3Com internal media interface> on miibus2I have 3 newer AON-325 (Realtek 8139C) I was going to try. I also have a Compaq Netexpress (sp?) and can get my hands on another Intel Pro 100.
I had seen some reference to the issue with offloading in another thread. What still concerns me though is that I did try all 3 of these cards in different combinations of roles, so, I would suspect that one might work. and secondly, when I remove the WRT54G, and go laptop direct, no checksum errors at all (best I can tell). This could be an anomaly deriving from PFSENSE/FreeBSD and the WRT54G that only manifests itself when they come together (like chocolate and peanut better)! :-)
-
Ahh yes. Checksum offloading errors.
From a shell:
ifconfig xl0 -rxsum
ifconfig xl1 -rxsum
ifconfig xl2 -rxsumThese seem like older cards, eh? I bet the checksum offloading is busted in FreeBSD.
forgot to add the results of the above commands you suggested:
ifconfig xl0 -rxsum
ifconfig: -rxsum: bad value
ifconfig xl1 -rxsum
ifconfig: -rxsum: bad value
ifconfig xl2 -rxsum
ifconfig: -rxsum: bad value
-
Sorry, should be:
-rxcsum
-
-
Then it worked. Do a ifconfig and compare the flags with what you posted originally.
-
WHOA!! ;D
That seems to have fixed it!!
I will have to go look up just what that option does.
Question is then, where can I work that into config.xml? I know there are options for media. I suppose I could look at the "master" config.xml that is over on the M0n0wall site as I suspect there are hidden options for something like this. I suppose I could tuck them into an rc file at bootup, but, I wonder if a "refresh" and/or change to an interface setting from within pfsense would reset the flags?!
But, at any length, this has advanced me considerably! I still intend to try and figure out why the WRT54G was mucking things up more that caused the checksum issue to rear up. But, at least it is functional and acceptable again.
I will post a follow to the WRT54G aspect at some point IFF something pertaining to pfsense is contributing.
Thanks all!!
Mark
-
add a of shellcmd to config.inc from /cf/conf/config.xml
Download the configuration using the configuration backup and then add this under the <system>tag:
<shellcmd>ifconfig xl0 -rxcsum;ifconfig xl1 -rxcsum;ifconfig xl2 -rxcsum;</shellcmd>
Then re-upload the configuration back and note the firewall will reboot after restoring the changed configuration.. Afterwards the system will run the commands on reboot.
And FYI it appears that either your hardware's checksum offloading is busted or there is a driver issue. </system>
-
Thanks for this info. I am planning on getting 3 Intel chip cards ordered as I have read many others recommend them. Aside from Intel, any others good candidates?
-
If you can swing it, get the intel gigabits. They have larger buffers and will decrease cpu overhead.
-
Sorry for writing here into this discussion:
Are you sure the Intel NIC's won't make any problems?
We have a weird issue here and have also applied this "tweak" here and are
currently testing if our problems are resolved…
And we are using the Intel Dual Port GBit NIC's (and are also having the same
problem of lost/stuck packets with a brand new HP Bl20p G3-Blade)...Has anybody running pfSense on a HP Blade successfully or on a DL380 with
two Intel Dual Port GBit NIC's?Thanks for your reply :)
-
My homebox has 2x intel fxp onboard (ibm eserver). I don't see any issues with it. Not a zero in/out error. Same at the nexcom at our office or 2 other nexcoms that I have out with intel nics. However these drivers have support for several intel chipsets, so the problems might only arise with really new chipsets like in your hardware.