Slow throughput on WAN through PFSense

dhudson4god · Apr 16, 2008, 5:49 PM

I don't think its a DNS issue, because it seems to resolve DNS queries fairly quickly. Also, override is set to allow. I just tried abandoning the old hardware in favor of a new machine. The new machine has a Linksys NIC and an integrated Intel? NIC. The same problems persist on the new machine. Completely new hardware. Even have tried bypassing the Cisco switch again, but no luck. Speed tests are running 250ish if they run at all. In Wireshark I'm getting a lot of incorrect checksum errors. Could this be causing the speed issues due to retransmitting packets?

The new machine is a older Dell Optiplex w/ 667mhz processor and 384 RAM. I took out the opt1 NIC just to eliminate some variables.

Update: Moved it to a 933mhz machine with 384 of ram. Fresh install of PFSense.

dhudson4god · Apr 16, 2008, 5:47 PM

Another update:

I disabled Hardware Checksum Offloading in the System > Advanced page. This seemed to help out quite a bit because I can get speed tests at 6000k sometimes, but most of the time it runs around 500k. When I run it through an elcheapo Linksys router, I can get stable 6000k. The CPU (933mhz) shows around 20% utilization most of the time. Seems like the only time the CPU pegs is when I change something from the GUI. There are no firewall rules except the default pass all.

Thanks again!

sullrich · Apr 16, 2008, 5:49 PM

I would change your NICS out and use genuine Intel NICS.

dhudson4god · Apr 16, 2008, 5:52 PM

I've tried 3Com, Linksys, and put the LAN on an old Intel NIC, but they all seem about the same. My current config has three Linksys NICs. Is that something that would really kill the bandwidth that much? Also, do you think the problem persists across all three of the vendors I've tried? If it is the NICs it won't be hard to go find a decent NIC on eBay.

sullrich · Apr 16, 2008, 5:55 PM

I would use ALL intel Nics, not mixing and matching. And yes, I would not personally trust linksys NICS under FreeBSD.

dhudson4god · Apr 16, 2008, 5:59 PM

Are there any other ideas before I pull these NICs and order off ebay? Also, any recommendation for specific NICs from Intel? I'm not looking for huge throughput. Just about 30 (not all on all the time) machines connecting to a 7mbps cable modem and a few VPN clients connecting to a DSL.

sullrich · Apr 16, 2008, 6:17 PM

Intel(R) PRO/1000

dhudson4god · Apr 16, 2008, 6:25 PM

Does the Intel Pro/100 S give significant gain for IPSec VPN encryption? Also, would it be okay to run one Pro/100 S say for the VPN connection and a couple regular desktop NICs for the LAN and regular WAN?

sullrich · Apr 16, 2008, 6:26 PM

I would use matched NICS, really. And no, the nics will not add throughput to your VPN other than being a cleaner "nic" for FreeBSD.

dhudson4god · Apr 16, 2008, 6:31 PM

The Server NIC has onboard IPSec encryption offloading.

sullrich · Apr 16, 2008, 6:33 PM

@dhudson4god:

The Server NIC has onboard IPSec encryption offloading.

I don't think that is supported, sorry.

dhudson4god · Apr 16, 2008, 6:36 PM

I appreciate all of your guy's help. I had heard that the support forum for PFSense is one of its greatest features. I heard right! I'll try a few new cards and report back with the results.

HaOsLsE · Apr 16, 2008, 8:01 PM

I would still check your speed/duplex, try forcing it to 100/full or auto, or even 10/full. It looks like your problem is just that. If not, try and get your hand on some intel cards. We use all netgear NICS in all our setups, with management being onboard/intel and they all work fine for us. We use different Nortel switches with no problems.

dhudson4god · May 23, 2008, 2:46 AM

Forgot about this thread. I put in four Intel cards from ebay and haven't seen a problem since!

Thanks for all of your help!