Netgate Discussion Forum

High latency

Routing and Multi WAN
10 Posts 2 Posters 2.9k Views
  • S
    semperfi
    last edited by Apr 6, 2013, 2:16 PM

    Hi everyone,
    I just want to ask for help regarding my network.
    I have already connected all the company properties using a leased line VPN from an ISP.
    My problem is that when office hours start, I find that all of the site offices have high latency, especially during office hours, like I've said.
    Some of the time it went to RTO (request timed out), and another thing is that when high latency occurred I cannot remote into any site using Remote Desktop for Windows and VNC.
    I attached my network diagram for anyone who wants to see it.

    Thanks, and I hope that anyone could lend their help to me.

    Thank You.
    PFSense_Network_Scheme-2.jpg

    • P
      podilarius
      last edited by Apr 6, 2013, 3:44 PM

      Just to help me understand, the pfSense is protecting internet on the WAN side (not in diagram) and the LAN handles internal traffic through the VPNs? Do you have any traffic shaping turned on?

      • S
        semperfi
        last edited by Apr 7, 2013, 2:06 PM

        The head office has its own internet. The 2 sites that have the pfSense firewall also have their own internet configured on both of their WAN interfaces. These 3 sites, with their own internet, also share internet through proxies to the rest of the sites without a SOHO firewall and pfSense. I also used DansGuardian for the web filter setup. Yes, I have a limiter for upload and download to restrict some users.

        • S
          semperfi
          last edited by Apr 7, 2013, 2:10 PM

          And also the LAN: yes, this is where the internal traffic passes through with the VPN connections.

          • P
            podilarius
            last edited by Apr 8, 2013, 4:12 AM

            My guess is that the limiter is the problem. Since the traffic goes into the LAN, and typically this is where the limiter is applied, VPN traffic is sent through the limiter. I would create either a new limiter and/or a new rule that does not have the limiter, above the main rule, for the traffic destined for the VPN.

            • S
              semperfi
              last edited by Apr 8, 2013, 7:41 AM

              Thanks, sir.

              Sir, how can I allow VNC to pass through the firewall?

              Thanks

              • P
                podilarius
                last edited by Apr 8, 2013, 9:25 AM

                Create an alias and in that list all your networks. Then go into the LAN rules and add a new rule above the rule with the limiter (order matters) that says that if the destination is the networks alias, then pass without the limiter tag. You could also try setting the advanced firewall setting, "Bypass firewall rules for traffic on the same interface".

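Why the rule order matters in the advice above, as an added example that is not part of the original posts and is not pfSense's own code: a small Python model of top-down, first-match rule evaluation on one interface. The site networks, rule names and limiter name are constructed sample values.

```python
# Added illustration: a first-match model of an interface rule list.
# Networks, rule names and limiter names are constructed sample values.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Hypothetical alias listing every internal/VPN site network.
SITE_NETWORKS = [ip_network(n) for n in ("10.10.0.0/16", "10.20.0.0/16", "10.30.0.0/16")]


@dataclass
class Rule:
    name: str
    destinations: Optional[list]  # None means "any"
    limiter: Optional[str]        # None means no limiter assigned

    def matches(self, dst: str) -> bool:
        if self.destinations is None:
            return True
        return any(ip_address(dst) in net for net in self.destinations)


def evaluate(rules, dst):
    """Return (rule name, limiter) of the first rule matching dst, top down."""
    for rule in rules:
        if rule.matches(dst):
            return rule.name, rule.limiter
    return "default deny", None


LIMITED = Rule("LAN to any (limited)", None, "limiter-2Mbit")
BYPASS = Rule("LAN to site networks", SITE_NETWORKS, None)

# Bypass rule below the limited rule: the "any" rule matches first,
# so inter-site (VPN) traffic is still sent through the limiter.
WRONG_ORDER = [LIMITED, BYPASS]
# Bypass rule above the limited rule: inter-site traffic skips the limiter,
# while everything else still falls through to the limited rule.
RIGHT_ORDER = [BYPASS, LIMITED]

if __name__ == "__main__":
    for label, rules in (("wrong order", WRONG_ORDER), ("right order", RIGHT_ORDER)):
        # Constructed destinations: a remote-site host and an internet host.
        for dst in ("10.20.5.9", "203.0.113.80"):
            print(label, dst, evaluate(rules, dst))
```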
                • S
                  semperfi
                  last edited by Apr 9, 2013, 8:52 AM

                  Thanks for the reply, sir.

                  I still cannot use VNC to remote into other sites.

                  How do I allow VNC traffic through my pfSense?

                  Thanks

                  • P
                    podilarius
                    last edited by Apr 9, 2013, 9:50 AM Apr 9, 2013, 9:25 AM

                    I would try a basic traceroute and ping to make sure that you can get there. If the bypass is in place, no rules should be consulted, so there should be nothing blocking except perhaps at the remote computer. To test, set a local route on the computer you are using to test with to point a remote subnet to the local VPN router. Then try to connect via VNC. If you are not allowed, then something is broken at the remote side.
                    Have you set up any egress filtering on the LAN? The default rule should allow all traffic from the LAN subnet to anywhere. If you are doing outbound filtering, then just look up the ports (I think TCP 5900 or 5901) and add an allow rule. Or you can just create a rule for the entire remote subnet to allow the traffic.

                    • S
                      semperfi
                      last edited by Apr 10, 2013, 6:22 AM

                      Thanks a lot sir
