Bandwidth test= fine, browsing unusable (HYPER-V)
-
OK - Welllll…. If this setup worked for you on a physical box before but not on the VM, I'm stumped.
It does seem complex, bordering on unnecessarily so. That must be one sweet Microsoft DHCP machine to keep it around with these kinds of headaches (-;
-
Hahah, it works surprisingly well. The only non-Dell/Cisco/Microsoft item is the pfSense. I'm waiting for the ASA 1000v to hit Hyper-V :-)
For dual WAN I pick 2 IPs and use them as multiple gateways, load balanced in the routing section on the far-left tab.
For the DMZ IPs I put them right on the edge. I'll move them in later when I have fully set up Lync.
I basically use pfSense as a multi-WAN-capable DD-WRT.
-
"Lets say I am a user who has had a physical pfsense forever. I want to remove it and install a virtual pfsense appliance. The new virtual pfsense appliance fails to perform as well as the physical. What should I check?"
OK - Easier.
Your WAN IP assignments seem weird to me. You can't call up your company and tell them "Give me two IPs. Give me your gateway address".
Connect to that by bridging to their network (not DHCP) and then hand out the public IPs to Virtual IP?
This setup you have now with multi-IP DHCP at the WAN…. Did that ever work on a physical box there?
I can't get statics on a non-Business line. I have considered it but with the fantastic Dynamic DNS, I haven't needed to yet. The multidhcp WAN IPs currently are working. :-)
-
For my own education, can you post a snapshot of your WAN interface assignment?
I'd actually like to see how you are doing that, the VIP assignment, the VLAN and your multi-WAN handling also, in case I ever need to work with something like yours. There are lots of how-to pages for multi-WAN/load balance/fail-over etc. I'd love to compare your settings to those for educational purposes.
-
It just baffles me. I give it a pair of Xeon cores, 1GB RAM, dual 10GbE NICs, a decently fast RAID storage upgrade and it just says "LOL NOPE" :-(
This works brilliantly in VMware ESXi but I no longer have a RAID card :-(
-
I'm looking forward to studying those snapshots.
-
OK, the full setup (I've only had enough NICs when I've used ESXi, obviously) was pfSense with 5 vNICs.
This setup had NO DMZ.
Modem#1 provided 2 public IPs and was plugged into port 1 of the 24-port switch. This port 1 was untagged on the outbound but was tagged at the port to VLAN 5 (I call it the MODEM1 VLAN).
Modem#2 was plugged into port 2 of the 24-port (core) switch. This was tagged as VLAN 10. This was to prevent the ISP DHCP broadcasts from overlapping.
The ESXi host had a few ports trunked directly from the core switch containing all VLANs (5, 10 and the internal 15).
The pfSense VM has 2 NICs on VLAN 5, 2 NICs on VLAN 10, and 1 NIC on the internal VLAN 15.
From there, I added them as part of a gateway group and load balance based on latency. It works AMAZINGLY well.
I can even use Dynamic DNS for things such as VPN.domain.com or ftp.domain.com etc. This way I haven't needed to use a DMZ as I would just forward what I needed. But soon I'll be expanding to a proper tiered topology.
My ISP changes my IPs once every 3-6 months so it is really nice.
-
I'm just at the gym right now but when I get home, I'll do what I've been delaying forever: make a proper visio diagram.
-
I'm just bummed that it works on a crappy physical computer, works great on a VMware host, but fails catastrophically on Hyper-V.
-
Well, I will certainly study it, but have no idea if I'll understand how it's working. Should be fun.
-
http://imgur.com/hl2Xo77,VYt3Hts,a2W3uXi
This is the current pfsense setup for the physical pfsense implementation and it worked very well. The ISP gives me all different IPs with all different subnets and all different gateways.
-
crap
The first image is incorrect: it is for the virtual one and is a wrong screenshot. Disregard it.
This is the correct one: http://imgur.com/XbBg4ii,PdsrAoT,2D4ps89
-
This is the one I was waiting for.
Question. Was this modem you are using now connected to the physical machines before?
But your links on the main status page show correctly as up, correct?
-
What are your DNS servers?
Are they being served by numbers forwarded from your WAN connection?
Could you try changing them to something like:
127.0.0.1
8.8.8.8
8.8.4.4?????
-
to note: in the second image under gateway, it says dynamic for one. This is the one I've disconnected for the virtual pfsense to use, so it is seen as down for the moment (I've removed the connection to VLAN 5 from the physical pfsense and applied it to the virtual to use).
-
http://imgur.com/GaydetJ,BRkUTaK is a simplified network diagram
the first image is the functional view while the second image is the physical view
-
I use an internal DNS on the Domain Controller for internal name resolution. It forwards to the ISP's primary and secondary DNS as well as 8.8.8.8 and 8.8.4.4.
-
One second, trying out your suggestion
-
I like your suggestion because the internal DNS hadn't changed the gateway.
I tried external DNS both 8.8.8.8/8.8.4.4 as well as my ISP's DNS servers and it was still slow (flushed DNS before the test as well as cleared the browser caches)
-
OK - Now…. Maybe it's the return path that's a problem.
Try unplugging the WAN cable from one modem.
Test. Then the other modem...
Test... Is it more reliable on one modem than two?
-
Crap. You only have one. Right?
OK. Can you drop 1 IP for WAN and test?
-
Just dropped everything on Modem1 except for a single connection/IP to virtualize pfSense and it still has same issues
Weird things though... Google loads quickly and has no issues, so does speedtest.net... YouTube takes a while to load all the thumbs but the videos buffer at full speed.
-
I can't load a single thing on forum.pfsense.org when I change to the virtualized pfsense
Also I am seeing a ton of denials on the pfSense firewall from internal IPv6 addresses (probably broadcasts) even though I disabled IPv6... how do I kill that off?
Edit: Here are the firewall logs: http://imgur.com/1cgaMr5
-
Unless you have some need of IPV6 today, why not:
System > Advanced > Networking
Un-click all the IPv6 options on both your pfSense boxes?
Turn it all off.
-
Yeah, I did just that. The logs are still getting filled with IPv6 denials... weird.
-
Can you also remove the "allow" IPV6 reference in your LANs (and maybe WANS) firewall rules?
Unless you need it for something? Everywhere…
-
Hmmm, I don't think this is the problem, though... I should get some sleep on this.
Let me know if you think of anything else that I may have missed.
Edit: I have removed the references from everywhere, still showing... hmm
-
OHHHHHH YES.
I'm sure I'll just imagine the fix while you are sleeping! haha Not.
-
Haha, well you know what I mean... if you think of another idea, let me know!
It seems to be only a few domains that work very well, others don't. It may be a DNS issue. I'll mess around with that tomorrow
-
I suspect a DNS issue, or a WAN load balancing issue, or either a DHCP, IP or MAC conflict.
Because it works a little in fits and starts… If it were insurmountable, it wouldn't work at all.
I'd start with 1 IP, 1 pfSense and 1 computer on 1 LAN and see if that even works on a fresh install.
Then I'd start adding aspects of your network, introducing them 1 at a time, and see when it breaks. Might point to the why. And:
546/547 is DHCPv6. It would go away if you enabled DHCPv6 Relay on the interface. Why it is blocked by default with the black magic in behind otherwise - no idea. For ICMP - this is all the local traffic. Allow ICMPv6 in floating rules, useless log noise gone. ICMPv6 is required for proper IPv6 working anyway.
-
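The log-noise explanation in the post above (DHCPv6 on UDP 546/547, ICMPv6 local traffic) turned into a small triage script, as an added example that is not from the thread or from pfSense: it sorts block entries into expected IPv6 chatter and entries still worth reviewing. The CSV layout and the sample lines are constructed assumptions modelled on filterlog's fields, not the exact log format of any pfSense release.

```python
"""Triage pfSense-style block log entries: separate the IPv6 noise that the
post above explains (DHCPv6 on UDP 546/547, ICMPv6 neighbor traffic) from
blocks that still deserve a look.

Assumption: the log layout below is a constructed, simplified CSV modelled
on filterlog fields, not the exact format of any pfSense release."""
import csv
from collections import Counter
from typing import Dict, Iterable, List

# Constructed sample entries: iface,action,dir,ipver,proto,src,dst,sport,dport
SAMPLE_LOG = """\
lan,block,in,6,udp,fe80::21b:21ff:fe3a:1,ff02::1:2,546,547
lan,block,in,6,udp,fe80::21b:21ff:fe3a:2,ff02::1:2,546,547
lan,block,in,6,ipv6-icmp,fe80::21b:21ff:fe3a:1,ff02::1:ff3a:1,,
lan,block,in,6,ipv6-icmp,fe80::1,ff02::1,,
wan,block,in,4,tcp,203.0.113.9,198.51.100.20,51234,22
"""
FIELDS = ["iface", "action", "dir", "ipver", "proto", "src", "dst", "sport", "dport"]
DHCPV6_PORTS = {546, 547}
NOISE = {"icmpv6-noise", "dhcpv6-noise"}

def parse(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Turn CSV log lines into dicts keyed by FIELDS (blank lines skipped)."""
    return [dict(zip(FIELDS, row)) for row in csv.reader(lines) if row]

def classify(entry: Dict[str, str]) -> str:
    """Return a triage bucket for one parsed block entry."""
    if entry["ipver"] != "6":
        return "ipv4-block"          # stays on the review list
    if entry["proto"] == "ipv6-icmp":
        return "icmpv6-noise"        # neighbor/router discovery on the LAN
    ports = {int(p) for p in (entry["sport"], entry["dport"]) if p}
    if entry["proto"] == "udp" and ports & DHCPV6_PORTS:
        return "dhcpv6-noise"        # clients soliciting a DHCPv6 server
    return "ipv6-other"              # unexpected IPv6: keep for review

def triage(log_text: str) -> Dict[str, int]:
    """Count entries per bucket so real blocks are not buried in noise."""
    return dict(Counter(classify(e) for e in parse(log_text.splitlines())))

def review_list(log_text: str) -> List[Dict[str, str]]:
    """Entries other than the expected IPv6 chatter."""
    return [e for e in parse(log_text.splitlines()) if classify(e) not in NOISE]

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
    for e in review_list(SAMPLE_LOG):
        print(e["iface"], e["proto"], e["src"], "->", e["dst"], e["dport"])
```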
According to Mr. doktornotor, IPV6 is sort of a busted POS in freeBSD currently (Not his words, but I get that feeling)
It's suggested to:
Try - where you have the IPv6 "catchall" allow rule enabled, edit -> Advanced Options - tick the checkbox with the above nondescriptive description (This allows packets with IP options to pass. Otherwise they are blocked by default. This is usually only seen with multicast traffic.) - Save - Apply. See if it helps.
If you are using IPV6.
-
Well, nah… it works pretty well except for some exceptions... ;D The fragmented packets certainly being incredibly annoying when you hit the issue.
-
Apparently, passing the traffic as described is supposed to help. Perhaps rather than going out of our way to disable and block IPV6 we should have been going the other route. Enabling it and passing it everywhere including that menu he spoke of. I'm all IPV4 here.
Last night while purchasing a couple domains I considered buying IPV4RIP.com since its not taken.
-
Brilliant! I'll take care of that as soon as I get in.
As for the other issue, I'll isolate it all tonight and try from a completely different machine (or maybe a cell phone) and attempt from there.
-
This is going to ruin what little sanity I have left.
After much testing, I have noticed the following pages load:
pfsense.org
google.ca
cnn.com (unreliably and slow)
thepiratebay.sx
youtube.com
speedtest.net (with 10/0.5 down/up speed ratings)
I can also connect to Steam and corporate webmail
I can download my gmail through Outlook but not the web page.
These do not:
gmail.com
facebook.com
youtube videos hosted by vevo (commercials work though!)
forum.pfsense.org (wtf right?)
I have used external ISP DNS, internal DNS and Google DNS as well. Same results.
I can ping the domains very easily with the exception of those who do not respond normally such as cnn.com.
I can ping everything. It is just the loading of pages that fail.
This is with multiple machines on the network.
Removing pfsense-virtual from the network entirely and replacing it with the physical counterpart resumes normal activity.
-
try http://173.252.110.27
What happens?
-
Scrapping the VM and starting again by creating a new VM and then doing a fresh install might be a good option by now.
-
This was done with a brand new VM and browsing by IP still led to the same issues. I wish it was a DNS issue. But it isn't present when the physical pfSense is there. I do know the ESXi pfSense works flawlessly so I'll go with that.
I am going to migrate back to ESXi where I can use pfSense a bit better. The problem is that with this new host, I don't have a hardware RAID controller and it is tricky to install (1U, so either a quad-port NIC OR a RAID controller) or I'll have to go with a SAN arrangement.
For now I'll spread the VMs across the DAS drives and take good backups until the RAID controller gets here.
-
SAN…
Cool. I hope it works for you. P.S. What are you doing with so much stuff running behind such a tiny little bit of bandwidth? What's the end purpose?
-
SAN, yeah…...iSCSI most likely because I don't think I can do FC or FCoE with my current set up. I don't have much room in my tiny 8U rack.
Well I have 6 people and a few PCs that I need to babysit. I try to keep everything as clean as possible. Mostly a ton of GPOs to keep the PCs in line, and provide services for the users without having to rely on external resources. As you said, such tiny bandwidth forces me to have to have more things 'in-house' because any mismanagement will kill off a connection. That also makes me use WSUS, etc.