50% performance hit on overall throughput.
-
Bad cables & duplex mismatches are where I'd go first.
Agree with this. For some reason on all my pfsense boxes I have to force full duplex on the wan side. Does not matter what nic I use. BTW make sure you know the interface speed on your provider equipment. You can't force gigabit if your provider is 100baseTX.
Hell it's almost enough to make me jump ship and go to some bullshit like Untangle or Sophos.
Don't give up. pfsense is worth the effort IMO. The community is good and the product works great once you learn its certain quirks. What does the interface section on your dashboard look like?
-
Thanks guys.
First off, going by switch/nic LEDs everything I have is 1gig full duplex. I also have to force 1gig/FD on my WAN nic too. My ISP is Charter, and my cable modem (Cisco DPC3208) has a 1gig ethernet jack.
Here are some screenshots that might help.
-
Your screenshot shows 52mbps download happening. Is there something on your network downloading that is not connected when you bypass the router to run a test?
-
That's what's messed up. A speedtest from every host on my network hits a 21mb limit. But PF itself 'sees' way more than that in traffic.
And yeah I realize that a web page based bandwidth test is not 100%. However something has to be causing this hard limit?
And if the only advice is to screw such pages as that.. then how does one accurately test bandwidth? A few hundred for ixChariot?
-
Stupid question maybe, but is that cisco a router or is it in bridge mode? Also, do you reboot it after you connect the pfsense box to it? I only ask because I had a brighthouse cable modem at one time that needed a reboot to properly get the mac address of my pfsense box when I switched it over.
-
Nah beercan it's def a bridge, stupid thing doesn't even have a web interface or status page :(
and yeah.. any time PF gets shut down for any reason it takes a lifetime of rebooting the modem and pf standing on leg, sticking out my tongue, crossing eyes and crap to get them two synced correctly so the WAN interface pulls an IP correctly.
-
Here's a weird question.. the two bce interfaces I am using are a dual 1gigabit nic.. why would PF see no additional features on bce0 but flowcontrol/rxpause/txpause on the other?
Any chance it could be the lack of/existence of flow control?
-
I am really grasping here but what are your settings in system>advanced>networking? Try it with all the hardware stuff disabled if it is not already.
Edited to add – do you have any other nics you can test with? BTW none of my pfsense boxes show additional functions on the nic but most of mine are em or realtek.
-
Did you see this already? https://doc.pfsense.org/index.php/Tuning_and_Troubleshooting_Network_Cards
It has some tweaks for bce cards.
-
Yessir.. already created the loader.conf.local file with the bce entries plus the one at the bottom with regards to killing flow control. Admittedly I have not rebooted since adding the flow control line.
-
You're pulling in over 50 Mbps down it clearly shows. You're getting your full speed. What does LAN's traffic graph look like? Guessing it's pushing out over 50 Mbps as well. You're getting your speeds, just spread across multiple devices.
Looks like you have other things on the network also using bandwidth, which leaves less for your speed tests to use. Many of the "performance hit" threads here are exactly that, wrong perception of what is actually happening. "I plug my laptop in behind the firewall and it's too slow, but unplug the firewall and plug my laptop in directly and it's full speed!" What they neglect to mention is they also plugged in an office of several dozen machines, or at home also plugged in their two kids' laptops that are simultaneously Bittorrenting every movie released in the last year in the entire world. And still expecting somehow speedtest.net is supposed to show their full connection speed.
119 views, minus my own of course. This topic obviously interests people but dammit I find it funny how no one out there has any thoughts. If I were tossing hundreds of bucks at a brand new build people would crawl out of the woodwork to throw in their .02
Which is a quick and easy thing to throw in an opinion on, and something a lot more people are experienced with than those who know enough to troubleshoot network performance problems. You've actually gotten very good help in this thread anyway.
But some of you guys who've been using PF for years don't have any advice?
It's highly frustrating how people who run into a tough issue that doesn't really make any sense have such a hard time finding help. This is supposed to be a community. Communities work because the 'elders' pass down their experience and knowledge to the less experienced.
Surely to hell someone out there would have an idea as to my hardware level being sub-par, maybe there's some OS level tweak I should be doing… something.
Hell it's almost enough to make me jump ship and go to some bullshit like Untangle or Sophos.
Because they're just overrun with senior-level network professionals who spend significant amounts of time holding your hand troubleshooting performance issues for free? Which most of the time actually have 0 relation to the firewall itself. No, they don't. It'd probably be hard even as a paid customer of either of those two to get really top notch people to help. Here, if you're willing to put down the money for support, you're working with someone who'd be third level at places like that.
Granted, this doesn't seem like a difficult one - there is no actual performance degradation. Look at things like traffic graphs on the firewall or switch ports to gauge performance, don't blindly rely on speed test sites.
-
You are wrong here CMB. Yes normally idiots sitting at home don't realize their kids/wife/parents/whatever are streaming Netflix, torrenting Bieber BS or whatever.. while at the same time armchair admin is trying to gauge his throughput.
I guess I have to apologize for not stating the GD obvious which would be: I have had no other devices hitting the internet when I performed those tests. Period.
Quite honestly I have no clue what two people you are talking about. I was not referring to any one person in particular, I mean damn there has to be at least a few hundred members of this board who are more experienced than me in FreeBSD/pfSense tweaking and usage.
And like I stated earlier on in my thread here.. I DO NOT expect any website to be 100% accurate.. But really.. a 20mb limit every single time whether I have a loaded LAN segment or not? Removing PFsense displays my results into the upper 50's but with it and zero other pc's/tablets/phones connected stops at 20. Tell me that doesn't sound at least a tiny bit odd to you. If it does not strike you as being weird, and you say that's just how it works then fine, I'll shut up.
-
roccor I won't speak for everyone but your tone is wrong. People are on this board helping people for free on their own time, so you can't come on here and make crazy comments because you can't figure your networking issues out. With that being said I don't want to get into a flame war with you, I will try to help.
1. Have you looked at your Interface Status?
2. Are you getting any error packets?
3. A diagram might be helpful.
4. Maybe a few pings from your host to the firewall might reveal something.
5. How is your switched network performing?
6. Can you try to make a transfer from one computer on your network to another?
7. What is the link speed on your WAN? (Not your provisioned speed)
8. What is PfSense reporting your link speed at?
9. 20Mbps sounds like CAT3 speeds, a poorly terminated cable can cause this.
10. What type of cable modem do you have?
11. Is your PfSense getting a private IP or a public IP?
12. What does your rule set look like?
13. Is this a clean install?
14. What version of PfSense?
15. What is the client OS?
16. Are you running a personal firewall on your PC?
These are just a few quick questions that come off the top of my head.
There are a lot of questions that one could have; because of the lack of details most people reading your original post would probably not respond. Now if it were me, I would back up my config file, wipe my configuration back to factory defaults and then go from there. If performance is as expected then I would add packages one at a time, check performance and continue. I would keep repeating these steps until the problem has manifested itself or the setup you are looking for is complete.
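Question 2 in the list above (error packets) can be answered from the firewall's own interface counters. The following is an added example, not part of the original post: a POSIX shell function that reads `netstat -i` text and flags interfaces whose error or collision counters point at a bad cable or duplex mismatch. The function name, the threshold and the sample counters are constructed for illustration, and the column layout is assumed to be FreeBSD's (ending in Ipkts Ierrs Idrop Opkts Oerrs Coll).

```sh
#!/bin/sh
# Flag interfaces whose link-level counters suggest a bad cable or a
# duplex mismatch. Reads `netstat -i`-style text on stdin.
# Assumption: FreeBSD column layout ending in
#   Ipkts Ierrs Idrop Opkts Oerrs Coll
# Fields are counted from the right because the Address column is empty
# on some rows (lo0 here), which shifts positions counted from the left.
flag_link_errors() {
    # $1 = threshold in errors per million packets (default 100)
    awk -v ppm="${1:-100}" '
        $3 !~ /^<Link#/ { next }    # skip the header and per-address rows
        {
            coll = $NF; oerr = $(NF-1); opkt = $(NF-2)
            ierr = $(NF-4); ipkt = $(NF-5)
            why = ""
            if (ipkt > 0 && ierr * 1000000 / ipkt > ppm) why = why " Ierrs"
            if (opkt > 0 && oerr * 1000000 / opkt > ppm) why = why " Oerrs"
            # Collisions on a link that should be full duplex point to
            # a duplex mismatch with the device on the other end.
            if (coll > 0) why = why " Coll"
            if (why != "") print $1 ":" why
        }'
}

# Constructed sample counters, not output from the firewall in this thread.
SAMPLE='Name    Mtu Network       Address              Ipkts Ierrs Idrop    Opkts Oerrs  Coll
bce0   1500 <Link#1>      00:00:5e:00:53:01  8123456  9120     0  5234567     0     0
bce0   1500 198.51.100.0  198.51.100.7       8000000     -     -  5200000     -     -
bce1   1500 <Link#2>      00:00:5e:00:53:02  5300000     3     0  8100000     0  4211
lo0   16384 <Link#3>                             420     0     0      420     0     0'

# Prints one line per suspect interface: "bce0: Ierrs" and "bce1: Coll".
printf '%s\n' "$SAMPLE" | flag_link_errors 100
```

On the firewall itself the live counters can be piped in with `netstat -i | flag_link_errors`; run it before and after a speed test to see whether the counters are still climbing.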
-
You are seeing some packetloss on WAN. What IP are you monitoring?
-
The only thing here that seems odd to me is the fact the only screenshot you posted of your traffic graph is actually higher than your connection's limit, so there is nothing here showing any kind of problem, yet you don't answer questions people have to try to help you narrow it down.
What does the LAN graph look like at the time? WAN always up at ~45-60 Mbps?
You are wrong here CMB. Yes normally idiots sitting at home don't realize their kids/wife/parents/whatever are streaming Netflix, torrenting Bieber BS or whatever.. while at the same time armchair admin is trying to gauge his throughput.
I guess I have to apologize for not stating the GD obvious which would be: I have had no other devices hitting the internet when I performed those tests. Period.
Based on the information you provided thus far I'm right, you posted a screenshot that proves it - something is downloading at your connection's rated speed and actually in excess of it. The only question is what. Now if that particular traffic graph looks abnormal vs. every other test, post other graphs, that may not be true.
Quite honestly I have no clue what two people you are talking about.
Not people, the two companies/products you offered as some savior.
-
Guys, I apologize. I am normally quick to anger but this past week/weekend was worse and coupled with these weird friggin issues made things worse for me.
Since I'm an admin in IRL, I chose to work with computers 15 years ago because I lack the people skills to work with people. That said I tend to try three handfuls of things in trying to resolve a problem but I don't always explain every one of them. I play the assumption game.. like since I am posting here I assume you guys would know certain things like the not trying to test my throughput while my kids are streaming youtube and the like.
I get irritated by questions like Mikeisfly posted because I find some of them beneath me. However I've done my stint in technical support, I know you must treat every caller as an idiot. That would work here too so if I had a perceived tone then I'm sorry.
Suncatalyst: Another poster here mentioned he had to force/lock speeds and duplexes on his PF box so I don't feel that that is meaningful of a problem.
cmb: Aside from these last couple posts from overnight I don't see where I have not answered someone's question. During the time I was running the Ookla tests I do not know what the WAN chart was showing. I was running them at around 2:30am EST.. tv's, and other computers were all off. Something would have had to be sucking down data at what.. 15-20mbps in order to cause Ookla to stop at 21mb itself. Additionally I never used the word savior.. I was pissed and tossed them out there as alternatives to Pf the product. I thought that was obvious.
Supermule: I'm not sure I follow you here.. I'm not monitoring any IP.
Mikeisfly: 1. Interface status are good, up, full duplex and 1 gigabit.
2. To my knowledge no.
3. Shortly.
4. That night all were under 5ms with the occasional spike to 10ms
5. Ok I guess, no observed weirdness or change from normal
6. I can this evening
7. I have 60mb, but actual link to the modem is 1gb, link from modem to cloud.. no way of knowing.
8. Link to.. what?
9. All of my cables are pre-made save for the one feeding the WAP, I spliced it late one night because I did not have my crimpers at home. While I've never had a problem with splices in the past I can terminate it correctly tonight and see if that was it.
10. Cisco DPC3208
11. Public IP
12. Honestly I have no rules except the builtin couple.
13. No it's an upgrade from 2.1.2
14. 2.1.4
15. Windows 8.1Pro, Windows 7 Pro
16. Hell no! Why would someone do that with a PF box?
-
At lunch today.. I have the kids' pc's all set to shut down for a couple hours starting at noon. The Roku was off, ipad was in sleep mode and charging..
On a whim from Mike I cut and replaced the rj45's on both ends of the wap and my pc's uplink cables. Visually they all looked pretty ok in condition, but they were both 5-6 years old. WAN utilization on the Dashboard chart was showing under 1mbps in overall traffic. Ookla speedtest to nearest node exceeded 45mbps. That was with squid3 and squidguard all running. Stopping those two services didn't really change the results.
The only devices that could have been generating any traffic were my iphone and background traffic from my desktop. But that's still a much improved result. Later I will re-test with everything else unplugged and compare results but it does seem that my once-thought sub-par hardware is good enough to handle the advertised 60mb download rate.
Your home network is only as strong as its weakest link.. it sucks that a cable with no visually apparent physical damage was indeed somehow going bad on me, but I guess the simplest causes should have been checked first.
-
Your home network is only as strong as its weakest link.. it sucks that a cable with no visually apparent physical damage was indeed somehow going bad on me, but I guess the simplest causes should have been checked first.
This is the case everywhere, not just at home. I run into bad cables all the time. You can try buying better stuff but these days it's all made in China at cut-rate prices. Buying a "Shielded CAT 7" cable doesn't mean it's any better than normal 5e or 6.
-
True Jason.. to a point. I've been in IT professionally for over 15 years. I can count the number of actual bad patch cables I've run into on less than two hands.