Poor network performance
-
@tucansam I had an issue testing my connection speed some time ago that turned out to be a problem with my client machine, an older Windows XP box. When I booted the same machine from a live Linux CD I was suddenly able to max out the connection no problems. I did investigate the problem and I think it turned out to be the Windows default TCP window size but don't quote me on that.
That's a stellar idea. I will have to give this a shot. All of the PCs in the house exhibit the same symptoms, but I'll wire up a laptop and boot off a live CD to compare.
When you're looking at the pfSense CPU usage you cannot use the dashboard bar graph if your box has multiple CPU cores. That graph shows the average use across all cores. The D2550 is dual core with hyperthreading so it appears as 4 cores. If you have one core maxed out at 100% and only 10% use on the other cores the graph will show 32.5% but in fact the pf process has hit the cpu limit on one core. To get a much better idea run 'top -SH' at the console. That will show you the idle percentage for each core.
Stellar, thank you. I had no idea. Yep, I've been using the dashboard, and occasionally top, but not with -SH. I will keep an eye on things with that from now on.
Where were you fetching the file from directly in pfSense? There's probably a better source nearer to you.
Yep, directly from pfsense. I'll dig around for servers closer to me and test again.
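An added example, not part of any post in this thread: a small script that turns the idle-thread lines of 'top -SH' into per-core busy figures and shows how one saturated core hides behind a 32.5% average. The sample lines are constructed, and the column layout (a percentage field plus "idle: cpuN" in the command column) is an assumption about the console output.

```shell
#!/bin/sh
# Constructed sample in the style of 'top -SH' output (not captured from a real box).
# Assumption: each per-core idle thread is named "idle: cpuN" and its WCPU value
# is the only field that ends in '%'.
SAMPLE='   11 root  171 ki31  0K  64K RUN   1  23.5H  90.00% idle{idle: cpu1}
   11 root  171 ki31  0K  64K RUN   2  23.4H  90.00% idle{idle: cpu2}
   11 root  171 ki31  0K  64K RUN   3  23.4H  90.00% idle{idle: cpu3}
   11 root  171 ki31  0K  64K CPU0  0  20.1H   0.00% idle{idle: cpu0}
    0 root  -68    0  0K 128K -     0   3.2H 100.00% kernel{em0 taskq}'

# Print "cpuN busy%" for every idle thread found on stdin.
per_core_busy() {
  awk '/idle: cpu[0-9]+/ {
    match($0, /idle: cpu[0-9]+/)
    core = substr($0, RSTART + 6, RLENGTH - 6)      # keep only "cpuN"
    for (i = 1; i <= NF; i++)
      if ($i ~ /^[0-9.]+%$/) {                      # the WCPU column
        pct = $i; sub(/%/, "", pct)
        printf "%s %.1f\n", core, 100 - pct         # busy = 100 - idle
      }
  }' | sort
}

# $1 = busy percentage at which a single core counts as saturated.
summarize() {
  per_core_busy | awk -v limit="$1" '
    BEGIN { max = -1 }
    { sum += $2; n++; if ($2 > max) { max = $2; hot = $1 } }
    END {
      if (n == 0) { print "no idle threads found"; exit 1 }
      printf "average=%.1f max=%.1f core=%s verdict=%s\n", sum / n, max, hot,
             (max >= limit ? "single-core-bound" : "ok")
    }'
}

# The dashboard-style average looks harmless while cpu0 is pinned.
printf '%s\n' "$SAMPLE" | summarize 95
```

On a live box the same functions can read the console output instead of the sample, provided the lines match the assumed layout.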
-
If you used a fetch command example I posted anywhere I probably pointed to a thinkbroadband test file. They're great if you're in the UK but not so much from the US. ;) Chris (cmb) once posted a similar site with test files he uses in the US but I can't find it now.
Steve
-
If you used a fetch command example I posted anywhere I probably pointed to a thinkbroadband test file. They're great if you're in the UK but not so much from the US. ;) Chris (cmb) once posted a similar site with test files he uses in the US but I can't find it now.
Steve
Ha. Yep, pretty sure it was your thread I read.
As an aside, after uninstalling snort a few days ago, I just now reinstalled it, and it's running. My media downloader is showing 4.9-5.3MB/s download speeds, and 'top -SH' is showing 83-89% idle with that traffic passing. I typically run it at 200KB/s, at which point 'top -SH' shows 94-99% idle. 3.5MB free memory during the duration.
Do not believe this is a CPU issue…
Just as a point of curiosity, has anyone ever ranked the most system-resource-hungry packages from top to bottom? I know some of what I am running is probably unnecessary, and I'd like to leave enough headroom for other things. For one thing, I am trying to get rules working to restrict the bandwidth of some devices, as well as schedules for those devices. Not sure how much, if any, processing power that would take up. I'll also be revisiting squid at some point (which I have never seemed to get installed correctly despite following numerous youtube tutorials) as well as squidguard (same traffic).
-
'top -SH' is showing 83-89% idle with that traffic passing.
How is that divided between the cores? The central firewall/NAT process, pf, can currently only use one core so that's usually the limit. Snort will be able to use other cores though.
Steve
-
cachefly is the one I tend to use that Steve referenced, they have links to a 10 MB and 100 MB test file on their site.
http://cachefly.cachefly.net/10mb.test
http://cachefly.cachefly.net/100mb.test
As a CDN, they should be fast pretty much everywhere because you should end up at a server that's relatively close to you. Granted that depends on where you are, your ISP, and many other factors.
-
You should really take that XP box out back and shoot it. Or load some supported OS on it. Already a nice 0 day that isn't going to get patched on XP.
http://arstechnica.com/security/2014/04/active-0day-attack-hijacking-ie-users-threatens-a-quarter-of-browser-market/
Those are just going to keep coming and coming. XP is dead, it's been time to move on for years.
-
'top -SH' is showing 83-89% idle with that traffic passing.
How is that divided between the cores? The central firewall/NAT process, pf, can currently only use one core so that's usually the limit.
Steve
Only true before pfSense 2.2.
-
@cmb:
You should really take that XP box out back and shoot it.
Indeed, and that's coming from a die hard XP fan. I have seen little point in upgrading Windows versions until now. XP did everything I needed it to without too much system bloat. 2K was better! ;) However I've now switched everything I had running XP to Xubuntu which runs great on older hardware. Also playing with GhostBSD which is nice with XFCE. Even so I still have one machine set to dual boot to XP which I had to use yesterday to open a BIOS update distributed as a Windows executable. >:(
Steve
-
'top -SH' is showing 83-89% idle with that traffic passing.
How is that divided between the cores? The central firewall/NAT process, pf, can currently only use one core so that's usually the limit. Snort will be able to use other cores though.
Steve
Just ran fetch on the 100mb cachefly file and got only 1944kBps, one cpu was 100% idle, other three were 90-94%, snort never went above 25%
-
@cmb:
You should really take that XP box out back and shoot it. Or load some supported OS on it. Already a nice 0 day that isn't going to get patched on XP.
http://arstechnica.com/security/2014/04/active-0day-attack-hijacking-ie-users-threatens-a-quarter-of-browser-market/
Those are just going to keep coming and coming. XP is dead, it's been time to move on for years.
Working on it, although I'll save my bullets for other purposes. I need to migrate some things from that machine to another one, and I need to build the new one first. So, yeah, working on it.
-
@cmb:
You should really take that XP box out back and shoot it.
Indeed, and that's coming from a die hard XP fan. I have seen little point in upgrading Windows versions until now. XP did everything I needed it to without too much system bloat. 2K was better! ;) However I've now switched everything I had running XP to Xubuntu which runs great on older hardware. Also playing with GhostBSD which is nice with XFCE. Even so I still have one machine set to dual boot to XP which I had to use yesterday to open a BIOS update distributed as a Windows executable. >:(
Steve
Agreed, 2000 > XP > Win7 > DOS 1.0 > Win8.
Actually scratch that, put "punch cards" ahead of Win8.
My speeds are remaining consistent, just consistently slower than I had anticipated given my setup.
-
Just ran fetch on the 100mb cachefly file and got only 1944kBps
Then I think you'll have to test your connection speed to cachefly without the pfSense box because that's slower than anything else.
scratch that, put "punch cards" ahead of Win8.
Technically I don't think punch cards count as an operating system. Then again you could say the same for Win8. ;)
Steve
-
I failed to mention that it was just lying around collecting dust. It was a previous gaming pc. However, I do realize the kind of damage that I was causing to the environment and now I am running pfsense in a virtual machine. Then again I just have that itch again to build it back up and run it. I need to get a dynamat for the box though. It was only $40 so as you could guess it is way too loud. Something like that really does not draw that much power with amd cool and quiet on. Most of the time it ran at 800mhz and .75v. The tdp was embarrassingly high at 1.47v and 140w at full load so yes I had a big thermaltake maxorb cooling it.
edited in the interest of not messing up a topic. I must hold back on the caffeine intake late at night.
-
I just wanted to jump in on this as I am seeing the same type of issue.
I bought an OPNsense appliance running Intel Atom 1.6Ghz, 2GB RAM, 2GB CF, and in a production environment on a 100Mbit fibre connection it gives me 15/87. Sent it back on warranty and got a reply that it was a config / software mismatch, but when it got back I rebuilt the entire config manually and the problem persists. I use some advanced NAT (reflection, Virtual IP's, 1:1 etc) but almost no packages except dhcpd, dns and whatever is default.
I'm thinking hardware issue but I'm not sure. Seems strange since the hardware is brand new. Maybe you've got the same issue as I do?
-
Not quite sure what numbers you're giving us there. You're seeing 15Mbps down on a 100Mbps connection?
If that's the case look for a duplex mismatch or possibly some flow control issue. Check the Status: Interfaces: page for errors/collisions.
Test directly on the box to see which interface is throttling the connection. Look at 'top -SH' at the console to see if it's a CPU or interrupt problem.
Steve
-
I do realize the kind of damage that I was causing to the environment
Don't underestimate what damage you are saving by not buying new hardware. Of course if you already have a VM host running then yes, no excuse! ;)
Steve
-
Not quite sure what numbers you're giving us there. You're seeing 15Mbps down on a 100Mbps connection?
If that's the case look for a duplex mismatch or possibly some flow control issue. Check the Status: Interfaces: page for errors/collisions.
Test directly on the box to see which interface is throttling the connection. Look at 'top -SH' at the console to see if it's a CPU or interrupt problem.
Steve
Don't want to hijack the thread, but you're right. I'm getting 15Mbit down and 87Mbit up. Duplex settings look OK, flow control has been off throughout all of the testing but I actually put it on yesterday just to see if it makes a difference, but no it doesn't.
The only other thing I've found of interest is that the backbone switch log contains rows where loop protection is saying "The Packet has failed crc check so discarding". But if I view loop protection on ports there's no report on any of the ports. And no other switch is saying the same thing, neither does the pfsense. And there are currently no other hardware connected to the backbone switch. Also when testing transmission speeds on the backbone switch it's very low, like it's getting spammed or something. Still the switch doesn't report any transmission errors, loops or anything of the sort.
It's hard to know if it's the switch or the router that's at fault, but at the moment the AMD router is installed and at least everything is working at the moment. Not as fast as I'd like it to, but good enough for this network. I have another router on order that I'll install just to rule out certain things. We'll see after that I guess.
-
I am now having issues where things load randomly. 99% of stuff loads fine, some things (certain Youtube videos, sometimes pictures on shopping sites), simply don't load at all, ever. Everything loads fine from my phone when on Verizon's network, so I know it's a problem with my network. Add to that random slowness, videos no longer downloading using Firefox plugins to save flv files, etc… Sometimes a daily (!) pfsense reboot fixes it, most times not.
In the past 18 months I've run pfsense, I have installed numerous packages, and then uninstalled them when things broke (read: often, never could get squid to work, never could get squidguard to work, etc). I think snort is breaking things but I can't be certain, when I disable the service things are still broken, but they weren't broken before snort was installed.
After installing/giving up/uninstalling/revisiting a dozen times, I think it has left pfsense in a state where there are artifacts remaining from various packages, and the system is simply not stable or performing.
I am going to re-install pfsense from the ground up today and see what happens.
Hopefully a vanilla install will work. Although after seeing all the things squid is detecting, I really want to make sure that gets re-installed.... But it breaks things like Pandora (kids use it) and Akamai stuff (youtube, amazon, etc) and I end up spending days resolving IP addresses to put them in the allow list, so we'll have to see. And I really went with pfsense largely for squid, which has broken the internet every time I installed and configured it, despite much hacking, configuring, tutorial reading, and gnashing of teeth.
I may just go back to running untangle exclusively, instead of behind pfsense.
-
Some websites not loading can be an MTU issue. Not seen that for a while though.
Steve
-
the backbone switch log contains rows where loop protection is saying "The Packet has failed crc check so discarding".
What NICs is the box running? Try disabling all the hardware offloading options if any are on especially checksum offloading.
Steve