    Slow throughput on WAN through PFSense

      dhudson4god

      I have a Dell PIII 1ghz machine w/ 384 MB RAM.  I have three NICs installed.  Two 3com NICs and one Linksys.  The Linksys will be for a VPN DSL connection, but for right now I have the opt1 interface disabled.

      My 7mbps/384kbps cable modem gets speedtests of about 6.5mbps when directly connected to a computer or through a Linksys router.  When I connect that same modem to my new PFSense install I get tests from 200k-600k.  Also, the Speedtest.net test jumps around as if there are bursts of packets coming in.  It's not just a Speedtest where the speed difference is noticeable either; the general internet is VERY slow.  My system is set up like this:

      LAN (26 comps) ----> Cisco 3500XL Switch -----> PFSense -----> WAN (7mbps Cable modem)
                                                                                  ______> DSL modem for VPN

      All the NICs are on separate IRQs, and I have tried switching the WAN interface over to the Linksys NIC, but to no avail.  I have also tried bypassing the 3500 switch with a Linksys 4 port switch, but it seems to have the same results.  When I type vmstat -i in the shell, it shows an interrupt rate up over 1000, but with all the NICs having their own IRQ channel, should that affect anything?

      Thanks in advance!

        sullrich

        Check for duplex issues / auto speed negotiation issues.

          dhudson4god

          The modem is a 100mb full duplex, and that's what PFSense says it is.  Also, the LAN going to the Catalyst Switch is 100mb full duplex as it should be.

            hoba

            Do you see interface errors at status>interfaces on any of the interfaces? Anything obvious in the system logs like links going up and down? Do you use the traffic shaper?

              dhudson4god

              Don't use traffic shaper, and the status>interfaces shows no collisions or errors.  Nothing seems out of the ordinary in the system log.  Also, the MTU is set to 1500, but I've tried it at 1492 and auto to no avail.

              Thanks!

                hoba

                Are you running any packages on your system? Do you see high CPU load when doing the tests?

                  dhudson4god

                  No packages.  I see the RRD graph for CPU run up to about 80 at some points but is generally lower.  The high CPU could be from changes I'm making in the GUI as well.

                  Thank you again for your prompt replies!

                    hoba

                    You are welcome but I'm almost out of ideas. Did you try to change the cables already? Some pretty short cables can cause funny issues sometimes.

                      GruensFroeschli

                      "the general internet is VERY slow."

                      When I looked at that I thought it "might" be the DNS resolving. (I just encountered something like that.)

                      Are you sure you have ticked the "Allow DNS server list to be overridden by DHCP/PPP on WAN" box on "General Setup"?

                      Can you test if it is faster if you enter 208.67.220.220 and 208.67.220.222 as DNS Servers on a Client statically?

                      We do what we must, because we can.

                      Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

                        dhudson4god

                        I don't think it's a DNS issue, because it seems to resolve DNS queries fairly quickly. Also, override is set to allow.  I just tried abandoning the old hardware in favor of a new machine.  The new machine has a Linksys NIC and an integrated Intel? NIC.  The same problems persist on the new machine.  Completely new hardware.  Even have tried bypassing the Cisco switch again, but no luck.  Speed tests are running 250ish if they run at all.  In Wireshark I'm getting a lot of incorrect checksum errors.  Could this be causing the speed issues due to retransmitting packets?

                        The new machine is an older Dell Optiplex w/ 667mhz processor and 384 RAM.  I took out the opt1 NIC just to eliminate some variables.

                        Update:  Moved it to a 933mhz machine with 384 of ram.  Fresh install of PFSense.

                          dhudson4god

                          Another update:

                          I disabled Hardware Checksum Offloading in the System > Advanced page.  This seemed to help out quite a bit because I can get speed tests at 6000k sometimes, but most of the time it runs around 500k.  When I run it through an el cheapo Linksys router, I can get stable 6000k.  The CPU (933mhz) shows around 20% utilization most of the time.  Seems like the only time the CPU pegs is when I change something from the GUI.  There are no firewall rules except the default pass all.

                          Thanks again!

                            sullrich

                            I would change your NICs out and use genuine Intel NICs.

                              dhudson4god

                              I've tried 3Com, Linksys, and put the LAN on an old Intel NIC, but they all seem about the same.  My current config has three Linksys NICs.  Is that something that would really kill the bandwidth that much?  Also, do you think the problem persists across all three of the vendors I've tried?  If it is the NICs it won't be hard to go find a decent NIC on eBay.

                                sullrich

                                I would use ALL Intel NICs, not mixing and matching.  And yes, I would not personally trust Linksys NICs under FreeBSD.

                                  dhudson4god

                                  Are there any other ideas before I pull these NICs and order off eBay?  Also, any recommendation for specific NICs from Intel?  I'm not looking for huge throughput.  Just about 30 (not all on all the time) machines connecting to a 7mbps cable modem and a few VPN clients connecting to a DSL.

                                    sullrich

                                    Intel(R) PRO/1000

                                      dhudson4god

                                      Does the Intel Pro/100 S give significant gain for IPSec VPN encryption?  Also, would it be okay to run one Pro/100 S say for the VPN connection and a couple regular desktop NICs for the LAN and regular WAN?

                                        sullrich

                                        I would use matched NICs, really.  And no, the NICs will not add throughput to your VPN other than being a cleaner "NIC" for FreeBSD.

                                          dhudson4god

                                          The Server NIC has onboard IPSec encryption offloading.

                                            sullrich

                                            @dhudson4god:

                                            The Server NIC has onboard IPSec encryption offloading.

                                            I don't think that is supported, sorry.
