After 2.0.2 upgrade unable to upload at same speed.

ggw

@cmb:

WAN plugged into? You have your side set for autonegotiation or fixed speed/duplex?

The ISP link is fixed at 100/FD,  the others were auto for 1G,  tried both hard and auto on both sides in an effort to eliminate that as a suspect.  When I view the interface stats within the gui they report zero. (btw do you happen to know the flag for ifconfig which will display the media errors?)  The switch is reporting no errors as well.  I too suspected it was a duplex/speed mismatch but that wouldn't appear to be the case.

We recently 'turned on' jumbo frames on the network,  this would of been the first time the pfsence box was rebooted since that happened.  My understanding of jumbo frames on network gear is "i'll accept a frame up to this size" so it shouldn't have any effect I'd have thought.  but i'm wondering now as I write this if perhaps the switch isn't negotiating window send size with the pfsence's interface perhaps…  I'll do a port mirror and sample the data there to see if maybe that is it..

that all said,  today things seem to be better.  haven't done any threw-put testing but i do see DNS answers are quicker and pages are not having the same delay before loading as before.

BR-SSH@CORE0>show interfaces ethernet 2/22
GigabitEthernet2/22 is up, line protocol is up
  Hardware is GigabitEthernet, address is 748e.f83e.6800 (bia 748e.f83e.682d)
  Configured speed auto, actual 1Gbit, configured duplex fdx, actual fdx
  Configured mdi mode AUTO, actual MDI
  Member of L2 VLAN ID 199, port is untagged, port state is FORWARDING
  BPDU guard is Disabled, ROOT protect is Disabled
  Link Error Dampening is Disabled
  STP configured to ON, priority is level0
  Flow Control is config enabled, oper enabled, negotiation disabled
  Mirror disabled, Monitor disabled
  Not member of any active trunks
  Not member of any configured trunks
  Port name is TO_INTERNET-VIA-PFSENSE-bce1
  IPG MII 96 bits-time, IPG GMII 96 bits-time
  IP MTU 10218 bytes, encapsulation ethernet
  300 second input rate: 34635272 bits/sec, 3672 packets/sec, 3.51% utilization
  300 second output rate: 5824496 bits/sec, 2221 packets/sec, 0.61% utilization
  380057288 packets input, 410302643116 bytes, 0 no buffer
  Received 358 broadcasts, 0 multicasts, 380056930 unicasts
**  0 input errors, 0 CRC, 0 frame, 0 ignored
  0 runts, 0 giants**
  268451618 packets output, 113011198307 bytes, 0 underruns
  Transmitted 1053 broadcasts, 886490 multicasts, 267564075 unicasts
0 output errors, 0 collisions
  Relay Agent Information option: Disabled

cmb

Ok since the ISP's port is forced, whatever you're plugging that port into must be forced. If the firewall is straight into that port, set 100/full on the WAN. If there's a switch in between, the port where the ISP's gear plugs in must be 100/full and leave the firewall and its port on auto.

If it were jumbo frames related that would almost certainly have much different symptoms. That most always exhibits itself as certain sites not loading fully or at all, but other sites working perfectly fine.

SysIT

Any reason why you need the Juniper and the pfsense, why not ditch one or the other (preferably the juniper)…?

cmb

Oh I overlooked the Juniper in between. Can you get proper speed to/from the DMZ off the Juniper? That may at least further narrow down where the issue exists.

SysIT

Yup, process of elimination

ISP –> direct to computer
ISP--> Juniper --> Computer
ISP--> PFSense --> Computer

ggw

@cmb:

Ok since the ISP's port is forced, whatever you're plugging that port into must be forced.

yes,  I think i indicated this was the case already,  and I have re-confirmed it to be so.  Zero errors on all interfaces involved in the path.  8(

using iperf and testing threw ISP3:

internal network to DMZ's: full rate.
pfsence box to DMZ: full rate.

DMZ to internet: full rate.
pfsence to internet:  slow (5 megabits)
internal to internet via pfsence/squid: slow (5 megabits)

it feels as if some limiters or QoS I set up before were 'turned on' again,  but i've confirmed via the GUI the config for them are all gone,  including the acl's set up in squid.

At this point I think I'll just fail it over and re-stage it.  the other pfsence box works as expected,  thinking I don't want to consume to much  more company time problem solving it.

thanks cmb,
-g

ggw

@SysIT:

Any reason why you need the Juniper and the pfsense?

yes.

-g

ggw

just as a follow up,  everything is normal again after re-staging.  I've no idea what it may of been or if the re-stage is related to regaining our threwput to that particular ISP (we had 3 ISPs,  with only one affected by this issue)  but we are good again.

take care and thanks for the attention,

greg

dhatz

What does "re-staging" mean?

Did you wipe clean the disk / cflash and re-install pfsense 2.0.2 and restore the .xml config file?

ggw

@dhatz:

What does "re-staging" mean?

to clear and set up a device for redeployment,  after it had been in service.

Did you wipe clean the disk / cflash and re-install pfsense 2.0.2 and restore the .xml config file?

format yes,  restore no.  I didn't want to potentially import the issue.  As I mentioned my set up is simple,  it firewalls,  proxies,  routes, reports  and has fail over set up.  everything else is basically disabled or at default values so there wasn't a lot of vaule to use the xml.  Only took a few minutes to put it back to where it was.  Keeps you familiar with where the settings are which you don't often access.  8)

-g