Loosing 4Mb+ with pfsense firewall - Is this normal?
-
With pfSense router:
Directly connected into Vista or XP:
I have tried with and without traffic shaping enabled. Plus I don't seem to get as big a hit with either ipcop or endian.
-
What hardware is that?
Did you enable polling?
What is the CPU load when you do that?
Are you getting any in/out errors on the status page?
This really looks like some configuration problem ^^" -
Jetway J7F4K 1.2GHz + 1 Gb RAM
No
Nil -> 11%
No Errors of any kind just the occasional lock up once a fortnight -
Did you turn on Traffic Shaping? When I configured QoS for my VoIP phone I noticed that if the cable company increased my bandwidth I would not benefit from it till I reconfigured my Traffic Shapping.
-
have tried with and without traffic shaping enabled
No matter what I do I can not get more than about 6MB with the router in between the PC and the cable modem. It a worthwhile trade off for the added security and features of pfsense but it does seem quite a big one.
-
Usually it shouldn't be a issue to hanlde that much of a traffic imo.
Can you describe your setup, nics etc.
Do you have any errors in the logs? -
Jetway J7F4K 1.2GHz + 1 Gb RAM
D-Link DFE-580TX Quad NIC PCI Card
CPU temp 37 degrees centigradeTogether with the occasional lockup this is why Im looking to try new hardware http://forum.pfsense.org/index.php/topic,11913.0.html but I will be well upset if I get the same results.
-
Does that board have any MSI/MSI-X active?
If yes try disabling it!Other than that i would take a look at the quad port nic if it is behaving well with interrupts and is not just using one for all the for ports.
-
Does that board have any MSI/MSI-X active?
Don't think so.
pcib0: <host to="" pci="" bridge="">pcibus 0 on motherboard
pci0: <pci bus="">on pcib0
pcib1: <pci-pci bridge="">at device 1.0 on pci0
pci1: <pci bus="">on pcib1
pci1: <display, vga="">at device 0.0 (no driver attached)
pcib2: <pci-pci bridge="">at device 8.0 on pci0
pci2: <pci bus="">on pcib2
ste0: <d-link 10="" dl10050="" 100basetx="">port 0xef00-0xef7f irq 11 at device 4.0 on pci2
miibus0: <mii bus="">on ste0
ukphy0: <generic ieee="" 802.3u="" media="" interface="">on miibus0
ukphy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
ste0: Ethernet address: 00:05:5d:e6:25:4d
ste1: <d-link 10="" dl10050="" 100basetx="">port 0xee00-0xee7f irq 11 at device 5.0 on pci2
miibus1: <mii bus="">on ste1
ukphy1: <generic ieee="" 802.3u="" media="" interface="">on miibus1
ukphy1: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
ste1: Ethernet address: 00:05:5d:e6:25:4e
ste2: <d-link 10="" dl10050="" 100basetx="">port 0xed00-0xed7f irq 5 at device 6.0 on pci2
miibus2: <mii bus="">on ste2
ukphy2: <generic ieee="" 802.3u="" media="" interface="">on miibus2
ukphy2: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
ste2: Ethernet address: 00:05:5d:e6:25:4f
ste3: <d-link 10="" dl10050="" 100basetx="">port 0xec00-0xec7f irq 10 at device 7.0 on pci2
miibus3: <mii bus="">on ste3
ukphy3: <generic ieee="" 802.3u="" media="" interface="">on miibus3
ukphy3: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
ste3: Ethernet address: 00:05:5d:e6:25:50IRQ, 11, 5 and 10.</generic></mii></d-link></generic></mii></d-link></generic></mii></d-link></generic></mii></d-link></pci></pci-pci></display,></pci></pci-pci></pci></host>
-
If MSI/MSI-X was in use some of the IRQs would be 256 or more.
The test provides a measure of speeds between your system(s) and a particular host(s) on the internet. There are a number of factors outside your control which could significantly influence the numbers displayed by the speedtest. For example: does the test always go to the same server (neither the same server name nor the same server IP address is sufficient to guarantee the test always goes to the same server)?, does it always follow the same route? is the route ever congested? These factors are possibly quite difficult to "measure". Hence you should probably be cautious about making too much of a small number of readings.
-
Forgive me but I know not to take one reading as gospel. I am basing the data on the view 'all my results' going back many months.
I always test with the same server as I only have two to choose from in the UK. The results below where achieved running ipcop which as you know is quite a basic firewall using my existing hardware minus the quad port NIC.
I am hopefully going to be in a position to swap the 4 port NIC for a Vlan capable switch very soon so if it is the NIC I can expect the old speeds back.
All I was wondering was is this the trade off in having a packet filtering firewall?
-
All I was wondering was is this the trade off in having a packet filtering firewall?
nope.
if you can - try it pure router mode (with disabled packet filtering). -
You could try fetch from console
fetch http://cachefly.cachefly.net/100mb.test
or
fetch http://mirror.cogentco.com/pub/linux/centos/5/isos/x86_64/CentOS-5.2-x86_64-bin-1of7.isoExtra could be to ssh pfSense and open more windows and use commands like
top -SI
sysstat -vmstat or -ifstat or -iostat or -tcphttp://www.freebsd.org/cgi/man.cgi for more info on those commands
