WAN Performance Problem
-
Hi all
I'm running pfsense 2.1 RC0 on a Hyper-V platform (Windows 8). Although not officially supported, the setup is great, bacause you can run pfsense on a normal Window 8 Machine whitout using addional hardware. The only problem i have is the WAN performance. Whatever i do, the troughput is always around 40-60Mbit, but never more. I generated some traffic from another VM or from the Hyper-V host, same result
When i generate traffic from one internal pfsense interface to another, the troughput is fine (100Mbit, because of the legacy Hyper-adapters). Also when i connect a PC directly to the modem's interface, i get the full performance. I any case the ressource load on the pfsense is not above 20%.
Any ideas are really appreciated!
Liceo
-
No ideas? Many thanks in advance!
-
Update: I installed the current stable release from scratch without any packages any only two Interfaces (WAN/LAN), same result…
-
Are you doing caching, intrusion detection, filtering etc?
I ask this because I'm interested in if you are using virtual disks or seperate drive with its own high speed interface?
Because I've often been limited by drive speed in some configs. But I don't know yours.
-
Thanks for your reply!
Are you doing caching, intrusion detection, filtering etc?
Not sure wich setting you actually mean (sorry i'm not a pfsense pro), but i did not changed the config manually (all default on the WAN Interface / firewall config). Just let me know which setting i should check.
I ask this because I'm interested in if you are using virtual disks or seperate drive with its own high speed interface?
Because I've often been limited by drive speed in some configs. But I don't know yours.pfSense runs as any other virtual machine on a single 10GB virtual disk (vhdx file). The disk file is placed on a RAID1 Array (two disks) and a don't see any load on the host OS
-
No idea. Stumped.
I'm used to seeing performance hits on my VMs because the virtual disks are never as fast as physical disks and it also taxes the CPUs to use them.
However, if disk I/O isn't your issue, I don't know what is. -
ok, but thanks anyway ;-)
-
Push ::) … Sorry have to try it again, hopefully someone can help!
-
What speed do you get directly from the modem?
Have you tested any other VM connected similarly to pfSense?
Have you tried testing the speed directly from the pfSense VM rather than through it?
Steve
-
The only problem i have is the WAN performance. Whatever i do, the troughput is always around 40-60Mbit, but never more. I generated some traffic from another VM or from the Hyper-V host, same result
What are you using to test the performance?
Are you able to saturate the WAN link with multiple concurrent TCP connections?
What is the real inrterface name of the pfSense WAN interface (e.g. fxp1,le0, …)?
Can the hypervisor provide a PCI passthrough mode which would give pfSense direct control of the WAN interface (bypassing the virtual switch)?
When i generate traffic from one internal pfsense interface to another, the troughput is fine (100Mbit, because of the legacy Hyper-adapters).
Does this traffic go through pfSense or just through one of the switches?
-
I have tested the following:
1.
Shut down pfsense. Take a virtual machine and connected it to the same virtual switch as pfsense is using (WAN, de0). I'm using the legacy network Adapter, same as used for the pfsense virtual machine. Now the Client get an public IP address. The Speed test against cnlab.ch shows me the full 100Mbit.2.
Power on pfsense. Use the same virtual machine and connect it to another virtual switch. This virtual switch is connected to the Interface de3 (LAN) on pfsense. Now i repeat the same test: Only 50-60Mbit are measured.I use a second PC which is connected to de1 (another LAN) and copy a 1GB file from this PC to the virtual machine (same as above) on de3. I measure the full 100Mbit on both directions (50% cpu utilization).
My conclusions are:
- Problem cannot caused by the hypervisor or the virtual switch
- Problem cannot caused by the legacy NIC
- Problem doesn't occur when it goes over pfsense from de1 to de3
-
Are you able to saturate the WAN link with multiple concurrent TCP connections?
No. tried with JDownloader, get always not more than 50-60Mbit
What is the real inrterface name of the pfSense WAN interface (e.g. fxp1,le0, …)?
de0
Can the hypervisor provide a PCI passthrough mode which would give pfSense direct control of the WAN interface (bypassing the virtual switch)?
No. Only Server 2012 has the Option to make use of single root I/O virtualization (SR-IOV).
-
What is the real inrterface name of the pfSense WAN interface (e.g. fxp1,le0, …)?
de0
Does the hypervisor give you the option of emulating other NICs? If its available, I suggest you try emulating Intel gigabit NICs.
-
What is the real inrterface name of the pfSense WAN interface (e.g. fxp1,le0, …)?
de0
Does the hypervisor give you the option of emulating other NICs? If its available, I suggest you try emulating Intel gigabit NICs.
Unfortunately, pfsense doesn't support this NIC driver yet..
-
A good NIC is a NIC that works best is most vetted and most supported while still providing most of the speed you need. So, good ones are old ones and old ones are dirt cheap. Like $20 cheap.
-
A good NIC is a NIC that works best is most vetted and most supported while still providing most of the speed you need. So, good ones are old ones and old ones are dirt cheap. Like $20 cheap.
Sure, but pfsense is a virtual machine. I talk about virtual NICs and the Hyper-V synthetic adapter (similar to the vmx3 adapter in vmware) is not supported by pfsense.
-
I had issues get the 64 bit version of 2.1 to work well in ESXi. Kept dropping connectivity and going offline with multi-wan especially. For me, the 32 bit version was much better and worked right away. But I one on 32 bit version, I didn't hit any of your problems.
Haven't had much more than a couple of installs though. Not hardly the 2.1 expert. -
I tested also with 2.0.3, same result…
-
So the DEC NIC is the only other choice? (Edit: it seems it is: link) The de(4) driver is old and supports many different cards, I've seen it give trouble before on real hardware. I agree with Wallabybob this could well be your problem.
You should try testing the bandwidth from the pfSense VM directly so that you're only tesing the WAN connection. You can do this by downloading a large file from the console:[2.0.3-release][root@pfsense.fire.box]/root(2): fetch -o /dev/null http://download.thinkbroadband.com/50MB.zip /dev/null 100% of 50 MB 1961 kBps 00m00s
That file works well for me in the UK, you may have to choose something else.
Steve
-
Have you tested any other VMs using the legacy NICs?
The legacy network adapter requires processing in the management operating system that is not required by the network adapter.
Hard to believe it could slow it that much but you never know….
Steve
-
I don't think that the problem is caused by the legacy adapter. If this would be the case, i had also performance issues on the internal NICs, right?
I did the test you suggested. Not sure if i can test a 100Mbit internet Connection using a single file download..
$ fetch -o /dev/null http://download.thinkbroadband.com/50MB.zip
/dev/null 50 MB 1836 kBps -
I don't think that the problem is caused by the legacy adapter. If this would be the case, i had also performance issues on the internal NICs, right?
Some time ago I fired up a pfSense VM under VirtualBox running on Ubuntu Server 12.04. I setup some tests but they "didn't work" A packet capture running on the pfSense console showed packets given to the WAN interface but no responses. After some further investigation I decided to change the type of NIC VirtualBox was emulating from the default (an AMD NIC) to Intel Pro/1000. The tests then worked. I didn't investigate further because it wasn't my purpose to debug the interactions of the appropriate FreeBSD driver wit the VirtualBox emulation of an ancient AMD NIC.
I expect someone in the VirtualBox team has tested the emulation of that AMD NIC with either Windows or Linux (or both) so I wouldn't extrapolate my experience to other guest operating systems. Interactions of the FreeBSD used in pfSense with the hypervisor NIC emulation won't necessarily be a good guide to the interactions of other guest operating systems with the hypervisor's NIC emulation. Running on "bare metal" has fewer things to "go wrong" than running in a Virtual Machine.
But since you don't seem to have any capability to change the type of NC emulated by your hypervisor my experience is probably of no practical interest.
-
I don't think that the problem is caused by the legacy adapter. If this would be the case, i had also performance issues on the internal NICs, right?
The WAN NIC is the only one that has to actually talk to the real NIC. That will no doubt involve far more code that the internal NICs. It could be that pfSense is trying to do something hardware specific to the DEC interface and Hyper-V has to somehow translate that to the real NIC. Linux/Windows drivers may not be doing that same things. It may be possible to stop it trying to do low level hardware stuff. For instance try disabling all the hardware cpu offloading features.
I did the test you suggested. Not sure if i can test a 100Mbit internet Connection using a single file download..
$ fetch -o /dev/null http://download.thinkbroadband.com/50MB.zip
/dev/null 50 MB 1836 kBpsThat seems very low for a 100Mbps connection. What speed can you download that file directly connected to the modem? Thinkbroadband are in the UK, are you? I can max out, or get close, with a single connection.
Steve
-
Directly connected i have also the full performance (connection is a bit shaky)
-
Now i'm testing the custom build decribed in this thread:
http://forum.pfsense.org/index.php/topic,56565.0.htmlThat one rocks! Let's see if it's stable…
-
Ah nice. You getting full WAN bandwidth then I take it? :)
Steve
-
Yes. I now got a 150MBit line, even this is now possible. Unfortunately, creating VLANs is still not possible.