Slowed Packet Handling
-
The firewall rule prevents the subnet from accessing another subnet, so essentially allow traffic to all but listed subnet.
No VLANs, on the interface and the slowdown appears to only affect the wireless devices.
Its a bit difficult to gauge as the other subnet has exclusively wired devices and moves fairly quickly but it appears to only affect the devices on subnet with the rule.
What I've ended up doing is essentially creating a floating rule that does the same job and does it without the noticeable slowdown on any particular subnet. I think that may indicate an issue with that particular NIC specifically, am I right in my assumption?
-
The firewall rule prevents the subnet from accessing another subnet, so essentially allow traffic to all but listed subnet.
No VLANs, on the interface and the slowdown appears to only affect the wireless devices.
Its a bit difficult to gauge as the other subnet has exclusively wired devices and moves fairly quickly but it appears to only affect the devices on subnet with the rule.
What I've ended up doing is essentially creating a floating rule that does the same job and does it without the noticeable slowdown on any particular subnet. I think that may indicate an issue with that particular NIC specifically, am I right in my assumption?
No, it doesn't indicate a hardware problem if a floating rule resolves the problem.
Instead of adding a new rule, what you can actually do is simply to edit the default rule so that:Destination subnet is 'Not' 'LAN Subnet'.
That is, the devices on wifi can access any IP address that isn't the main wired LAN subnet.
-
Wow, I could have sworn I had already tried that but I just gave that a shot and it works perfectly! If I needed to prevent it from accessing other subnets as well (its a guest network) should I be using Destination 'Not' and an alias for the other subnets?
-
Wow, I could have sworn I had already tried that but I just gave that a shot and it works perfectly! If I needed to prevent it from accessing other subnets as well (its a guest network) should I be using Destination 'Not' and an alias for the other subnets?
You can. Just create an alias for all the subnets (networks) including the LAN and substitute the network in the rule with an alias instead.
-
I actually just gave that a shot and encountered the same issue, it crunches the speed. Ive only got a gig of RAM in this box could this be an issue? The system info says im only using about 75% of the avalible memory which is why i didnt initially suspect it
-
1G of RAM should fine for most situations. Are you running Squid or Snort? What's your WAN bandwidth?
Which install type are you running? If you're running from a HD and your extra rule is somehow using just enough ram to push the system into using swap that would slow things down significantly. That seem unlikely though.Steve
-
I am running squid and squidguard but Squid is not activated on the interface I am referring to but on a separate subnet.
I pay for 50mbps but the fastest I've seen yet is about 35mbps on the hardwired subnet, about 25mbps on the wireless subnet (the one with the slowed firewall rule handling).
This is running from a HD in a dedicated box and it wouldn't surprise me if that is the issue, this was my first router build and it is mostly older hardware cobbled together, the HD is an WD Green 500 gig from a few years back.
Thanks everyone for your continued help! -
It would surprise me. Squid uses ram but not that much. Any indication in the RRD graphs of memory exhaustion?
Steve
-
No :/
The hardware seems to be right inside of the working values I would expect
Memory Usage 35%
CPU Usage 32%
Swap Usage 1%
Disk Usage 1%
All statistics seem to be about where they should but the second I add a rule dictating a bit of specificity on that interface speed drops through the floor, this issue doesnt seem to affect any other interfaces. That being said I am still at maximum on my hardwired subnet getting about 32mbps when Cox says i'm paying for 50mbps but I suspect there are other issues at work with that particular problem, -
Can you confirm that this only affects the 'wifi' subnet and not the main subnet?
If so, you might have to screenshot the floating rules, outbound NAT and interface rules for us to look at.
Seems like something isn't going right somewhere.
