50% performance hit on overall throughput.
-
Dell Optiplex 320
Pentium Dual-core 1.6ghz
2gb ddr2 800
Western Digital 80gb Sata 3
WAN nic = Broadcom BCM5709 pci-e
LAN nic = Intel gigabit pci
Ookla to a local node in my town through PFsense: 21mb/s down
Ookla to same local node bypass PFsense: 59.26mb/s down
I have squid3, squidguard, avahi, and that's about it as far as packages running.. I suspect my hardware not being able to keep up.. but during download test CPU and ram usage does not spike. Maybe my old PCI nic?
-
Try turning all those packages off.
-
No help.. I uninstalled every package on my box. Rebooted and still the 20-21mb/s limit. CPU is not pegging out, plenty of free memory. What's the deal?
-
119 views, minus my own of course. This topic obviously interests people but dammit I find it funny how no one out there has any thoughts. If I were tossing hundreds of bucks at a brand new build people will crawl out of the woodwork to throw in their .02
But some of you guys who've been using PF for years don't have any advice?
It's highly frustrating how people who run into a tough issue that doesn't really make any sense have such a hard time finding help. This is supposed to be a community. Communities work because the 'elders' pass down their experience and knowledge to the less experienced.
Surely to hell someone out there would have an idea as to my hardware level being sub-par, maybe there's some OS level tweak I should be doing… something.
Hell it's almost enough to make me jump ship and go to some bullshit like Untangle or Sophos.
-
Your hardware is powerful enough, certainly with no packages. You must have some physical problem. Swap cables, check for duplex issues and nic errors. If you have a switch, try connecting it between your modem and pfsense as a test.
-
Bad cables & duplex mismatches are where I'd go first.
-
> Bad cables & duplex mismatches are where I'd go first.
Agree with this. For some reason on all my pfsense boxes I have to force full duplex on the wan side. Does not matter what nic I use. BTW make sure you know the interface speed on your provider equipment. You can't force gigabit if your provider is 100baseTX
> Hell it's almost enough to make me jump ship and go to some bullshit like Untangle or Sophos.
Don't give up. pfsense is worth the effort IMO. The community is good and the product works great once you learn its certain quirks. What does the interface section on your dashboard look like?
-
Thanks guys.
First off, going by switch/nic LEDs everything I have is 1gig full duplex. I also have to force 1gig/FD on my WAN nic too. My ISP is Charter, and my cable modem (Cisco DPC3208) has a 1gig ethernet jack.
Here's some screenshots that might help.
-
Your screenshot shows 52mbps download happening. Is there something on your network downloading that is not connected when you bypass the router to run a test?
-
That's what's messed up. A speedtest from every host on my network hits a 21mb limit. But PF itself 'sees' way more than that in traffic.
And yeah I realize that a web page based bandwidth test is not 100%. However something has to be causing this hard limit?
And if the only advice is to screw such pages as that.. then how does one accurately test bandwidth? A few hundred for ixChariot?
-
Stupid question maybe, but is that Cisco a router or is it in bridge mode? Also, do you reboot it after you connect the pfsense box to it? I only ask because I had a Brighthouse cable modem at one time that needed a reboot to properly get the mac address of my pfsense box when I switched it over.
-
Nah beercan it's def a bridge, stupid thing doesn't even have a web interface or status page :(
And yeah.. any time PF gets shut down for any reason it takes a lifetime of rebooting the modem and pf, standing on leg, sticking out my tongue, crossing eyes and crap to get them two synced correctly so the WAN interface pulls an IP correctly.
-
Here's a weird question.. the two bce interfaces I am using is a dual 1gigabit nic.. why would PF see no additional features on bce0 but flowcontrol/rxpause/txpause on the other?
Any chance it could be the lack of/existence of flow control?
-
I am really grasping here but what are your settings in system>advanced>networking? Try it with all the hardware stuff disabled if it is not already.
Edited to add – do you have any other nics you can test with? BTW none of my pfsense boxes show additional functions on the nic but most of mine are em or realtek.
-
Did you see this already? https://doc.pfsense.org/index.php/Tuning_and_Troubleshooting_Network_Cards
It has some tweaks for bce cards.
-
Yessir.. already created the loader.conf.local file with the bce entries plus the one at the bottom with regards to killing flow control. Admittedly I have not rebooted since adding the flow control line.
-
You're pulling in over 50 Mbps down it clearly shows. You're getting your full speed. What does LAN's traffic graph look like? Guessing it's pushing out over 50 Mbps as well. You're getting your speeds, just spread across multiple devices.
Looks like you have other things on the network also using bandwidth, which leaves less for your speed tests to use. Many of the "performance hit" threads here are exactly that, wrong perception of what is actually happening. "I plug my laptop in behind the firewall and it's too slow, but unplug the firewall and plug my laptop in directly and it's full speed!" What they neglect to mention is they also plugged in an office of several dozen machines, or at home also plugged in their two kids' laptops that are simultaneously Bittorrenting every movie released in the last year in the entire world. And still expecting somehow speedtest.net is supposed to show their full connection speed.
> 119 views, minus my own of course. This topic obviously interests people but dammit I find it funny how no one out there has any thoughts. If I were tossing hundreds of bucks at a brand new build people will crawl out of the woodwork to throw in their .02
Which is a quick and easy thing to throw in an opinion on, and something a lot more people are experienced with than those who know enough to troubleshoot network performance problems. You've actually gotten very good help in this thread anyway.
> But some of you guys who've been using PF for years don't have any advice?
> It's highly frustrating how people who run into a tough issue that doesn't really make any sense have such a hard time finding help. This is supposed to be a community. Communities work because the 'elders' pass down their experience and knowledge to the less experienced.
> Surely to hell someone out there would have an idea as to my hardware level being sub-par, maybe there's some OS level tweak I should be doing… something.
> Hell it's almost enough to make me jump ship and go to some bullshit like Untangle or Sophos.
Because they're just overrun with senior-level network professionals who spend significant amounts of time holding your hand troubleshooting performance issues for free? Which most of the time actually have 0 relation to the firewall itself. No, they don't. It'd probably be hard even as a paid customer of either of those two to get really top notch people to help. Here, if you're willing to put down the money for support, you're working with someone who'd be third level at places like that.
Granted, this doesn't seem like a difficult one - there is no actual performance degradation. Look at things like traffic graphs on the firewall or switch ports to gauge performance, don't blindly rely on speed test sites.
-
You are wrong here CMB. Yes normally idiots sitting at home don't realize their kids/wife/parents/whatever are streaming Netflix, torrenting Bieber BS or whatever.. while at the same time armchair admin is trying to gauge his throughput.
I guess I have to apologize for not stating the GD obvious which would be: I have had no other devices hitting the internet when I performed those tests. Period.
Quite honestly I have no clue what two people you are talking about. I was not referring to any one person in particular, I mean damn there has to be at least a few hundred members of this board who are more experienced than me in freeBSD/PFsense tweaking and usage.
And like I stated earlier on in my thread here.. I DO NOT expect any website to be 100% accurate.. But really.. a 20mb limit every single time whether I have a loaded LAN segment or not? Removing PFsense displays my results into the upper 50's but with it and zero other pc's/tablets/phones connected stops at 20. Tell me that doesn't sound at least a tiny bit odd to you. If it does not strike you as being weird, and you say that's just how it works then fine, I'll shut up.
-
roccor I won't speak for everyone but your tone is wrong. People are on this board helping people for free on their own time, so you can't come on here and make crazy comments because you can't figure your networking issues out. With that being said I don't want to get into a flame war with you, I will try to help.
1. Have you looked at your Interface Status?
2. Are you getting any error packets?
3. A diagram might be helpful.
4. Maybe a few pings from your host to the firewall might reveal something.
5. How is your switched network performing?
6. Can you try to make a transfer from one computer on your network to another?
7. What is the link speed on your WAN? (Not your provisioned speed)
8. What is PfSense reporting your link speed at?
9. 20Mbps sounds like CAT3 speeds, a poorly terminated cable can cause this.
10. What type of cable modem do you have?
11. Is your PfSense getting a private IP or a public IP?
12. What does your rule set look like?
13. Is this a clean install?
14. What version of PfSense?
15. What is the client OS?
16. Are you running a personal firewall on your PC?
These are just a few quick questions that come off the top of my head.
There are a lot of questions that one could have, because of the lack of details most people reading your original post would probably not respond. Now if it were me, I would back up my config file. Wipe my configuration back to factory defaults and then go from there. If performance is as expected then I would add packages one at a time, check performance and continue. I would keep repeating these steps until the problem has manifested itself or the setup you are looking for is complete.
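
The interface checks raised in this thread (duplex, link speed, flow control flags, NIC errors), as an added shell example that is not part of any post: it summarises the `media:` line of each interface from `ifconfig` and lists interfaces whose link-level `netstat -i` counters show errors or collisions. The sample output and addresses are constructed, and the `netstat -i` column order (ending in Ipkts Ierrs Idrop Opkts Oerrs Coll) is an assumption about the FreeBSD release in use.

```shell
#!/bin/sh
# Constructed sample of FreeBSD `ifconfig` output (not taken from the thread).
sample_ifconfig() {
cat <<'EOF'
bce0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:00:5e:00:53:01
        media: Ethernet 1000baseT <full-duplex>
        status: active
bce1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:00:5e:00:53:02
        media: Ethernet autoselect (1000baseT <full-duplex,flowcontrol,rxpause,txpause>)
        status: active
EOF
}

# Constructed sample of `netstat -i` output (assumed column layout).
sample_netstat() {
cat <<'EOF'
Name    Mtu Network       Address              Ipkts Ierrs Idrop    Opkts Oerrs  Coll
bce0   1500 <Link#1>      00:00:5e:00:53:01  8123456  1542     0  5012345     0     0
bce0   1500 203.0.113.0/2 203.0.113.10       8100000     -     -  5000000     -     -
bce1   1500 <Link#2>      00:00:5e:00:53:02  5012345     0     0  8123456     0     0
EOF
}

# One line per interface: name, speed, duplex, auto|forced, flow control flag.
# A "forced" link only works cleanly if the device at the other end is set the same way.
link_report() {
  awk '
    /^[a-z]/ { iface = $1; sub(/:$/, "", iface) }   # header line starts in column 0
    $1 == "media:" {
      mode = ($0 ~ /autoselect/) ? "auto" : "forced"
      duplex = "unknown"
      if ($0 ~ /half-duplex/) duplex = "half"
      else if ($0 ~ /full-duplex/) duplex = "full"
      speed = "unknown"
      if (match($0, /[0-9]+base[A-Za-z]+/)) speed = substr($0, RSTART, RLENGTH)
      fc = ($0 ~ /flowcontrol|rxpause|txpause/) ? "flowctl" : "noflowctl"
      print iface, speed, duplex, mode, fc
    }'
}

# Interfaces whose <Link#N> row has input errors, output errors or collisions.
# Counters are read from the right so a missing Address column does not shift them.
error_ifaces() {
  awk '$3 ~ /^<Link#/ {
    ierrs = $(NF-4); oerrs = $(NF-1); coll = $NF
    if (ierrs + oerrs + coll > 0) print $1, "ierrs=" ierrs, "oerrs=" oerrs, "coll=" coll
  }'
}

# On the firewall itself: ifconfig | link_report ; netstat -i | error_ifaces
sample_ifconfig | link_report
sample_netstat | error_ifaces
```

Run both before and after a speed test: a counter that climbs during the test points at the cable, port or duplex setting on that interface rather than at the firewall software.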
-
You are seeing some packet loss on WAN. What IP are you monitoring?