Poor network performance
-
If you used a fetch command example I posted anywhere I probably pointed to a thinkbroadband test file. They're great if you're in the UK but not so much from the US. ;) Chris (cmb) once posted a similar site with test files he uses in the US but I can't find it now.
Steve
-
If you used a fetch command example I posted anywhere I probably pointed to a thinkbroadband test file. They're great if you're in the UK but not so much from the US. ;) Chris (cmb) once posted a similar site with test files he uses in the US but I can't find it now.
Steve
Ha. Yep, pretty sure it was your thread I read.
As an aside, after uninstalling snort a few days ago, I just now reinstalled it, and it's running. My media downloader is showing 4.9-5.3MB/s download speeds, and 'top -SH' is showing 83-89% idle with that traffic passing. I typically run it at 200KB/s, at which point 'top -SH' shows 94-99% idle. 3.5MB free memory during the duration.
Do not believe this is a CPU issue…
Just as a point of curiosity, has anyone ever ranked the most system-resource-hungry packages from top to bottom? I know some of what I am running is probably unnecessary, and I'd like to leave enough headroom for other things. For one thing, I am trying to get rules working to restrict the bandwidth of some devices, as well as schedules for those devices. Not sure how much, if any, processing power that would take up. I'll also be revisiting squid at some point (which I have never seemed to get installed correctly despite following numerous youtube tutorials) as well as squidguard (same traffic).
-
'top -SH' is showing 83-89% idle with that traffic passing.
How is that divided between the cores? The central firewall/NAT process, pf, can currently only use one core so that's usually the limit. Snort will be able to use other cores though.
Steve
-
cachefly is the one I tend to use that Steve referenced, they have links to a 10 MB and 100 MB test file on their site.
http://cachefly.cachefly.net/10mb.test
http://cachefly.cachefly.net/100mb.test
As a CDN, they should be fast pretty much everywhere because you should end up at a server that's relatively close to you. Granted that depends on where you are, your ISP, and many other factors.
-
You should really take that XP box out back and shoot it. Or load some supported OS on it. Already a nice 0 day that isn't going to get patched on XP.
http://arstechnica.com/security/2014/04/active-0day-attack-hijacking-ie-users-threatens-a-quarter-of-browser-market/
Those are just going to keep coming and coming. XP is dead, it's been time to move on for years.
-
'top -SH' is showing 83-89% idle with that traffic passing.
How is that divided between the cores? The central firewall/NAT process, pf, can currently only use one core so that's usually the limit.
Steve
Only true before pfSense 2.2.
-
@cmb:
You should really take that XP box out back and shoot it.
Indeed, and that's coming from a die-hard XP fan. I have seen little point in upgrading Windows versions until now. XP did everything I needed it to without too much system bloat. 2K was better! ;) However I've now switched everything I had running XP to Xubuntu which runs great on older hardware. Also playing with GhostBSD which is nice with XFCE. Even so I still have one machine set to dual boot to XP which I had to use yesterday to open a BIOS update distributed as a Windows executable. >:(
Steve
-
'top -SH' is showing 83-89% idle with that traffic passing.
How is that divided between the cores? The central firewall/NAT process, pf, can currently only use one core so that's usually the limit. Snort will be able to use other cores though.
Steve
Just ran fetch on the 100mb cachefly file and got only 1944kBps, one cpu was 100% idle, other three were 90-94%, snort never went above 25%
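Steve's question above is the right one: an aggregate idle figure from 'top -SH' can hide a single pinned core, and the reply shows exactly that shape (one core busier than the rest). As an added illustration, not code from this thread or from pfSense, here is a small parser for per-CPU 'top' lines. It assumes 'top' was run with '-P' so that FreeBSD prints one 'CPU n:' line per core, and the sample output embedded below is constructed, not captured from any machine discussed here.

```python
import re

# Constructed sample of `top -SH -P` output on a four-core FreeBSD/pfSense box
# (not captured from any machine in this thread). Aggregate idle looks fine,
# but core 0 is pinned by the network interrupt thread.
SAMPLE_TOP = """\
last pid: 41237;  load averages:  1.02,  0.88,  0.71    up 3+07:12:44  21:15:03
162 threads:   6 running, 134 sleeping, 22 waiting
CPU 0:  1.0% user,  0.0% nice,  2.0% system, 95.0% interrupt,  2.0% idle
CPU 1:  0.4% user,  0.0% nice,  1.6% system,  0.0% interrupt, 98.0% idle
CPU 2:  3.2% user,  0.0% nice,  1.8% system,  0.0% interrupt, 95.0% idle
CPU 3:  1.5% user,  0.0% nice,  1.5% system,  0.0% interrupt, 97.0% idle
Mem: 118M Active, 612M Inact, 201M Wired, 64M Buf, 2979M Free
Swap: 4096M Total, 4096M Free

  PID USERNAME  PRI NICE   SIZE    RES STATE   C   TIME    WCPU COMMAND
   12 root      -92    -     0K   288K CPU0    0  41:12  94.97% intr{swi1: netisr 0}
 8831 root       44    0   618M   512M select  2   3:09   2.93% snort{snort}
 8831 root       44    0   618M   512M select  3   1:02   0.98% snort{snort}
   11 root      171 ki31     0K    64K RUN     1 219.1H  97.66% idle{idle: cpu1}
"""

# One "CPU n:" line per core; we only need the interrupt and idle columns.
CPU_LINE = re.compile(
    r"^CPU\s+(?P<cpu>\d+):.*?(?P<intr>[\d.]+)% interrupt,\s+(?P<idle>[\d.]+)% idle",
    re.M,
)
# Process-table rows: PID first, WCPU percentage, then the COMMAND column.
PROC_LINE = re.compile(r"^\s*\d+\s+\S+\s+.*?\s+(?P<wcpu>[\d.]+)%\s+(?P<cmd>\S.*)$", re.M)


def parse_cpu_lines(text):
    """Return {core: (interrupt_pct, idle_pct)} from the per-CPU lines."""
    return {int(m["cpu"]): (float(m["intr"]), float(m["idle"]))
            for m in CPU_LINE.finditer(text)}


def average_idle(cpus):
    """The single aggregate number a non per-CPU 'top' would have shown."""
    return sum(idle for _, idle in cpus.values()) / len(cpus)


def saturated_cores(cpus, idle_threshold=10.0):
    """Cores with less than idle_threshold percent idle: the real bottleneck."""
    return sorted(core for core, (_, idle) in cpus.items() if idle < idle_threshold)


def hottest_thread(text):
    """(wcpu, command) of the busiest non-idle thread in the process table."""
    best = (0.0, "")
    for m in PROC_LINE.finditer(text):
        if m["cmd"].startswith("idle"):   # skip the per-core idle threads
            continue
        wcpu = float(m["wcpu"])
        if wcpu > best[0]:
            best = (wcpu, m["cmd"])
    return best


def diagnose(text):
    """Summarise whether one core is saturated and whether it is interrupt- or CPU-bound."""
    cpus = parse_cpu_lines(text)
    sat = saturated_cores(cpus)
    _, cmd = hottest_thread(text)
    report = {"average_idle": average_idle(cpus), "saturated_cores": sat, "hottest_thread": cmd}
    if sat:
        core = sat[0]
        kind = "interrupt" if cpus[core][0] > 50.0 else "CPU"
        report["verdict"] = f"core {core} is saturated ({kind} bound); aggregate idle is misleading"
    else:
        report["verdict"] = "no single core saturated; look elsewhere (NIC, duplex, upstream)"
    return report


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_TOP).items():
        print(f"{key}: {value}")
```

On the constructed sample the average idle is 73%, which looks like headroom, yet core 0 has 2% idle with 95% of its time in interrupt context, so the box is interrupt-bound on one core regardless of how idle the others are.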
-
@cmb:
You should really take that XP box out back and shoot it. Or load some supported OS on it. Already a nice 0 day that isn't going to get patched on XP.
http://arstechnica.com/security/2014/04/active-0day-attack-hijacking-ie-users-threatens-a-quarter-of-browser-market/Those are just going to keep coming and coming. XP is dead, it's been time to move on for years.
Working on it, although I'll save my bullets for other purposes. I need to migrate some things from that machine to another one, and I need to build the new one first. So, yeah, working on it.
-
@cmb:
You should really take that XP box out back and shoot it.
Indeed, and that's coming from a die-hard XP fan. I have seen little point in upgrading Windows versions until now. XP did everything I needed it to without too much system bloat. 2K was better! ;) However I've now switched everything I had running XP to Xubuntu which runs great on older hardware. Also playing with GhostBSD which is nice with XFCE. Even so I still have one machine set to dual boot to XP which I had to use yesterday to open a BIOS update distributed as a Windows executable. >:(
Steve
Agreed, 2000 > XP > Win7 > DOS 1.0 > Win8.
Actually scratch that, put "punch cards" ahead of Win8.
My speeds are remaining consistent, just consistently slower than I had anticipated given my setup.
-
Just ran fetch on the 100mb cachefly file and got only 1944kBps
Then I think you'll have to test your connection speed to cachefly without the pfSense box because that's slower than anything else.
scratch that, put "punch cards" ahead of Win8.
Technically I don't think punch cards count as an operating system. Then again you could say the same for Win8. ;)
Steve
-
I failed to mention that it was just lying around collecting dust. It was a previous gaming pc. However, I do realize the kind of damage that I was causing to the environment and now I am running pfsense in a virtual machine. Then again I just have that itch again to build it back up and run it. I need to get a dynamat for the box though. It was only $40 so as you could guess it is way too loud. Something like that really does not draw that much power with amd cool and quiet on. Most of the time it ran at 800mhz and .75v. The tdp was embarrassingly high at 1.47v and 140w at full load so yes I had a big thermaltake maxorb cooling it.
edited in the interest of not messing up a topic. I must hold back on the caffeine intake late at night.
-
I just wanted to jump in on this as I am seeing the same type of issue.
I bought an OPNsense appliance running Intel Atom 1.6Ghz, 2GB RAM, 2GB CF, and in a production environment on a 100Mbit fibre connection it gives me 15/87. Sent it back on warranty and got a reply that it was a config / software mismatch, but when it got back I rebuilt the entire config manually and the problem persists. I use some advanced NAT (reflection, Virtual IPs, 1:1 etc) but almost no packages except dhcpd, dns and whatever is default.
I'm thinking hardware issue but I'm not sure. Seems strange since the hardware is brand new. Maybe you've got the same issue as I do?
-
Not quite sure what numbers you're giving us there. You're seeing 15Mbps down on a 100Mbps connection?
If that's the case look for a duplex mismatch or possibly some flow control issue. Check the Status: Interfaces: page for errors/collisions.
Test directly on the box to see which interface is throttling the connection. Look at 'top -SH' at the console to see if it's a CPU or interrupt problem.
Steve
-
I do realize the kind of damage that I was causing to the environment
Don't underestimate what damage you are saving by not buying new hardware. Of course if you already have a VM host running then yes, no excuse! ;)
Steve
-
Not quite sure what numbers you're giving us there. You're seeing 15Mbps down on a 100Mbps connection?
If that's the case look for a duplex mismatch or possibly some flow control issue. Check the Status: Interfaces: page for errors/collisions.
Test directly on the box to see which interface is throttling the connection. Look at 'top -SH' at the console to see if it's a CPU or interrupt problem.
Steve
Don't want to hijack the thread, but you're right. I'm getting 15Mbit down and 87Mbit up. Duplex settings look OK, flow control has been off throughout all of the testing but I actually put it on yesterday just to see if it makes a difference, but no it doesn't.
The only other thing I've found of interest is that the backbone switch log contains rows where loop protection is saying "The Packet has failed crc check so discarding". But if I view loop protection on ports there's no report on any of the ports. And no other switch is saying the same thing, neither does the pfsense. And there is currently no other hardware connected to the backbone switch. Also when testing transmission speeds on the backbone switch it's very low, like it's getting spammed or something. Still the switch doesn't report any transmission errors, loops or anything of the sort.
It's hard to know if it's the switch or the router that's at fault, but at the moment the AMD router is installed and at least everything is working at the moment. Not as fast as I'd like it to, but good enough for this network. I have another router on order that I'll install just to rule out certain things. We'll see after that I guess.
-
I am now having issues where things load randomly. 99% of stuff loads fine, some things (certain Youtube videos, sometimes pictures on shopping sites), simply don't load at all, ever. Everything loads fine from my phone when on Verizon's network, so I know it's a problem with my network. Add to that random slowness, videos no longer downloading using Firefox plugins to save flv files, etc… Sometimes a daily (!) pfsense reboot fixes it, most times not.
In the past 18 months I've run pfsense, I have installed numerous packages, and then uninstalled them when things broke (read: often, never could get squid to work, never could get squidguard to work, etc). I think snort is breaking things but I can't be certain, when I disable the service things are still broken, but they weren't broken before snort was installed.
After installing/giving up/uninstalling/revisiting a dozen times, I think it has left pfsense in a state where there are artifacts remaining from various packages, and the system is simply not stable or performing.
I am going to re-install pfsense from the ground up today and see what happens.
Hopefully a vanilla install will work. Although after seeing all the things squid is detecting, I really want to make sure that gets re-installed.... But it breaks things like Pandora (kids use it) and Akamai stuff (youtube, amazon, etc) and I end up spending days resolving IP addresses to put them in the allow list, so we'll have to see. And I really went with pfsense largely for squid, which has broken the internet every time I installed and configured it, despite much hacking, configuring, tutorial reading, and gnashing of teeth.
I may just go back to running untangle exclusively, instead of behind pfsense.
-
Some websites not loading can be an MTU issue. Not seen that for a while though.
Steve
-
the backbone switch log contains rows where loop protection is saying "The Packet has failed crc check so discarding".
What NICs is the box running? Try disabling all the hardware offloading options if any are on especially checksum offloading.
Steve
-
"I am now having issues where things load randomly. 99% of stuff loads fine, some things (certain Youtube videos, sometimes pictures on shopping sites), simply don't load at all, ever."
I'm almost positive that it is Snort. The HTTP INSPECT goes wild often and for me anyways when pictures are loading on Amazon for instance this will happen:
#(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
suppress gen_id 120, sig_id 3
#(http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE
suppress gen_id 120, sig_id 8
#(http_inspect) HTTP RESPONSE GZIP DECOMPRESSION FAILED
suppress gen_id 120, sig_id 6
AND when downloading a file this happens sometimes:
#ET POLICY PE EXE or DLL Windows file download
suppress gen_id 1, sig_id 2000419
I would just try suppressing those. Maybe even clear out your alert list afterward and try accessing the site again and then check your blocklist in Snort to make the necessary suppressions. That's the thing about Snort. It's a wonderful program but it also needs babysitting to make it work right. I have found that if my firewall rules are good then I don't even need it but then again I don't have anything facing the public.
I would also just run one package at a time to see where the problem may be coming from as well.
"After installing/giving up/uninstalling/revisiting a dozen times, I think it has left pfsense in a state where there are artifacts remaining from various packages, and the system is simply not stable or performing. "
This can also be an issue so you're on the right track. I have noticed that for instance with HAVP, if I disable the proxy but I don't clear the checkboxes strange anomalies happen where things would just be very slow etc… Especially if you checked something that uses a RAM DISK. That needs to be unchecked along with any other customizations. I know that other packages have that option so you might want to check that out.
Also, one way to fix some problems is to go to your console and run a shell and then type fsck. I think that you only have to run a shell if your console is password protected. Normally I could just press CTRL C to get the # to popup and then you can type fsck. It will check your file system for integrity problems.
"Hopefully a vanilla install will work. Although after seeing all the things squid is detecting,"
That may be your best bet. Until you get a handle on a package I just wouldn't use it and if you're really concerned about younger users and where they go, HAVP worked very well for me when I needed it for that purpose. Simply because, say they go to a site that you don't want such as something complicated where it's not just zzz.youtube.com or whatever it may be. Say it's zzz.cn.thissite.dontgothere.com Let's say the prefix changes from cn to zb. If you put an item on your blocklist like this the site and the whole domain would not be accessible.
These are the formats that are available for HAVP.
*Enter each destination URL on a new line that will be accessable to the users without scanning. Use '*' symbol for mask. Example: .github.com/, sourceforge.net/clamav-, /.xml, /.inc
So you could type in the blacklist area something like this .thissite.dontgothere.com/ so that even if the prefix changes it's blocked still. You could do it all the way up to just .dontgothere.com/ . HAVP is very powerful in that effect. As you can see, by typing something like /.xml you can block all of xml. You can do the same thing to any extension. You could block anything like .org, .mil, .cn, .php or whatever your fancy is that day. You could essentially do the same thing with the allow list but I don't recommend that. Another thing to consider is to just make your own blacklists.
I have found that downloading blacklists is not nearly accurate enough to provide a lot of use. Also, there is a great set of rules in snort that prevent going to sites that young people shouldn't be going to.
Which is emerging-inappropriate.rules. Just enable them all and if there is a problem find which rule is doing it and suppress it.
I had to remove that because it did not work for me. Perhaps DansGuardian would do a better job.
Back to HAVP though. Just like any other package of this sort there will be false positives such as when Adobe flash needs to be updated it will flag it as a virus so that's when you have to do your homework and find out exactly what addresses it needs to do the updating without problems and then use the allow list. Like I said before though. If your Lan rules are golden then you really don't even need these packages. You could just make aliases and block the sites by way of ip address that you don't want people to go to. There's a lot of ways to use pfsense that are made redundant by some packages. Just something to keep in mind. Get used to using the ping tool in pfsense to help with sorting out IP addresses. Then go look it up at CIPB if you want to block an entire IP range via cidr.
Have a good day.
Cmellons
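The post above recommends working from the alert list to the suppress entries by hand. As an added example, not code from this thread, from the Snort project or from the pfSense package, here is a small script that does that step reproducibly: it parses Snort "fast" alert lines, groups hits by gen_id/sig_id, emits suppress entries only for signatures an operator has explicitly reviewed, and lists anything still unreviewed. It assumes the standard fast-alert layout with a [gid:sid:rev] triple and a {proto} src -> dst tail; the alert lines embedded below are constructed (addresses are documentation ranges, the rev numbers are made up, and the sid 9000001 rule is an invented local rule), not captured from any system discussed here.

```python
import re

# Constructed sample alert lines in Snort's "fast" alert format (not from any
# machine in this thread). The (120,3), (120,8) and (1,2000419) alerts match the
# suppress entries quoted in the post above; the sid-9000001 line is an invented
# local rule that has deliberately NOT been reviewed.
SAMPLE_ALERTS = """\
04/28-21:10:02.103311  [**] [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Priority: 3] {TCP} 203.0.113.10:80 -> 192.168.1.20:50123
04/28-21:10:05.220914  [**] [120:8:1] (http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE [**] [Priority: 3] {TCP} 203.0.113.10:80 -> 192.168.1.20:50124
04/28-21:10:07.004512  [**] [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Priority: 3] {TCP} 203.0.113.11:80 -> 192.168.1.21:50125
04/28-21:12:40.118803  [**] [1:2000419:1] ET POLICY PE EXE or DLL Windows file download [**] [Priority: 1] {TCP} 198.51.100.5:80 -> 192.168.1.20:50126
04/28-21:13:01.550122  [**] [1:9000001:1] LOCAL constructed example rule [**] [Priority: 2] {TCP} 198.51.100.9:4444 -> 192.168.1.30:3306
"""

# [**] [gid:sid:rev] message [**] ... {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?"
)


def parse_fast_alerts(text):
    """One dict per parseable alert line; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            alerts.append({"gid": int(m["gid"]), "sid": int(m["sid"]),
                           "msg": m["msg"], "src": m["src"], "dst": m["dst"]})
    return alerts


def summarize(alerts):
    """Group hits by (gid, sid): hit count, message and the set of source IPs."""
    summary = {}
    for a in alerts:
        entry = summary.setdefault((a["gid"], a["sid"]),
                                   {"count": 0, "msg": a["msg"], "sources": set()})
        entry["count"] += 1
        entry["sources"].add(a["src"])
    return summary


def build_suppress_lines(alerts, reviewed, by_src=False):
    """Emit suppress entries (same format as the post) only for reviewed signatures.

    by_src=True narrows each entry to the hosts that actually triggered it,
    using Snort's 'track by_src, ip' suppress syntax, instead of silencing the
    signature for every source."""
    lines = []
    for (gid, sid), entry in sorted(summarize(alerts).items()):
        if (gid, sid) not in reviewed:
            continue
        lines.append(f"#{entry['msg']}  ({entry['count']} hits)")
        if by_src:
            for src in sorted(entry["sources"]):
                lines.append(f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {src}")
        else:
            lines.append(f"suppress gen_id {gid}, sig_id {sid}")
    return lines


def unreviewed_signatures(alerts, reviewed):
    """Signatures seen in the alert list that nobody has looked at yet."""
    return sorted(key for key in summarize(alerts) if key not in reviewed)


if __name__ == "__main__":
    alerts = parse_fast_alerts(SAMPLE_ALERTS)
    reviewed = {(120, 3), (120, 8), (1, 2000419)}   # decided by a human, not the script
    print("\n".join(build_suppress_lines(alerts, reviewed)))
    print("# still unreviewed:", unreviewed_signatures(alerts, reviewed))
```

The point of the `reviewed` set is that the script never turns a noisy alert into a suppress entry on its own; it only formats decisions already taken, and the `by_src` option keeps a suppression scoped to the web servers that caused the http_inspect noise rather than disabling the check for the whole LAN.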