Netgate Discussion Forum

    Performance-Problems to several Websites

    General pfSense Questions
    14 Posts 5 Posters 5.2k Views
    • Ruddimaster

      hello,

      I have already posted my problem to the German board, with no success.
      http://forum.pfsense.org/index.php/topic,55326.0.html

      I have installed pfSense (2.0.1-RELEASE (amd64)) on ESXi 5.1.
      At this time with 4 NICs (WAN, LAN, 2nd LAN, W-LAN) and approx. 25 VPN tunnels.
      On the WAN side I have an Ethernet Internet connection with 20 Mbit.

      Now (since installation) I have many performance problems. Downloads get stuck or websites are not accessible, or websites load without pictures or movies.
      At this point I figured out that some websites have problems with pings with a packet size above 1500, e.g. www.spiegel.de.
      After that (I thought that ESX was the problem), I installed pfSense (2.0.1-RELEASE (i386)) on a Pentium 4 with 2 NICs (3c905C-TX). -> Same problem.

      [2.0.1-RELEASE][root@ibsgju01.company.net]/root(17): ifconfig
      em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1442
              options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
              ether 00:0c:29:c9:bd:cf
              inet6 fe80::20c:29ff:fec9:bdcf%em0 prefixlen 64 scopeid 0x1
              inet 10.1.1.252 netmask 0xffffff00 broadcast 10.1.1.255
              nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
              media: Ethernet autoselect (1000baseT <full-duplex>)
              status: active
      em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1442
              options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
              ether 00:0c:29:c9:bd:d9
              inet6 fe80::20c:29ff:fec9:bdd9%em1 prefixlen 64 scopeid 0x2
              inet xx.xxx.xxx.xxx netmask 0xfffffff8 broadcast xx.xxx.xxx.xxx
              inet xx.xxx.xxx.xxx netmask 0xfffffff8 broadcast xx.xxx.xxx.xxx
              nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
              media: Ethernet autoselect (1000baseT <full-duplex>)
              status: active
      em2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1442
              options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
              ether 00:0c:29:c9:bd:e3
              inet6 fe80::20c:29ff:fec9:bde3%em2 prefixlen 64 scopeid 0x3
              inet 192.168.1.252 netmask 0xffffff00 broadcast 192.168.1.255
              nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
              media: Ethernet autoselect (1000baseT <full-duplex>)
              status: active
      

      google works…

      [2.0.1-RELEASE][root@ibsgju01.company.net]/root(36): ping -s 8000 google.de
      PING google.de (173.194.35.159): 8000 data bytes
      8008 bytes from 173.194.35.159: icmp_seq=0 ttl=58 time=22.545 ms
      
      

      …spiegel.de not

      [2.0.1-RELEASE][root@ibsgju01.company.net]/root(15): ping -s 1472 www.spiegel.de
      PING www.spiegel.de (195.71.11.67): 1472 data bytes
      1480 bytes from 195.71.11.67: icmp_seq=0 ttl=248 time=15.011 ms
      1 packets transmitted, 1 packets received, 0.0% packet loss
      
      [2.0.1-RELEASE][root@ibsgju01.company.net]/root(16): ping -s 1473 www.spiegel.de
      PING www.spiegel.de (195.71.11.67): 1473 data bytes
      4 packets transmitted, 0 packets received, 100.0% packet loss
      
      

      My ISP cannot be the reason, because I have tested this with a LANCOM router and two different PCs (Linux and Windows).
      Neither the LANCOM nor my PCs need any MTU settings.

      Ping via LANCOM

      C:\Dokumente und Einstellungen\Rechner>ping www.spiegel.de -l 8000
      
      Pinging www.spiegel.de [195.71.11.67] with 8000 bytes of data:
      
      Reply from 195.71.11.67: bytes=8000 time=19ms TTL=247
      Reply from 195.71.11.67: bytes=8000 time=19ms TTL=247
      Reply from 195.71.11.67: bytes=8000 time=30ms TTL=247
      
      Ping statistics for 195.71.11.67:
          Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),
      Approximate round trip times in milli-seconds:
          Minimum = 19ms, Maximum = 30ms, Average = 22ms
      

      via LANCOM with "don't fragment" flag

      Pinging www.spiegel.de [195.71.11.67] with 1472 bytes of data:
      
      Reply from 195.71.11.67: bytes=1472 time=13ms TTL=247
      Reply from 195.71.11.67: bytes=1472 time=13ms TTL=247
      Reply from 195.71.11.67: bytes=1472 time=13ms TTL=247
      Reply from 195.71.11.67: bytes=1472 time=13ms TTL=247
      
      Ping statistics for 195.71.11.67:
          Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
      Approximate round trip times in milli-seconds:
          Minimum = 13ms, Maximum = 13ms, Average = 13ms
      
      C:\Dokumente und Einstellungen\Rechner>ping www.spiegel.de -l 1473 -f
      
      Pinging www.spiegel.de [195.71.11.67] with 1473 bytes of data:
      
      Packet needs to be fragmented but DF set.
      Packet needs to be fragmented but DF set.
      Packet needs to be fragmented but DF set.
      Packet needs to be fragmented but DF set.
      
      Ping statistics for 195.71.11.67:
          Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
      
      

      any suggestion?

      • cmb

        Your existing router must be doing MSS clamping; set that to 1492 on WAN and I suspect that will fix it. If it weren't, you'd be able to ping through at 1473 with DF.

        • johnpoz (LAYER 8 Global Moderator)

          @cmb:

          If it weren't, you'd be able to ping through at 1473 with DF.

          Huh, +28 to 1473 would be 1501, would it not? That's not right?? 1472 would mean your max MTU is 1500??

          I cannot even ping pfSense on LAN with -l 1473 -f, so how would it go out past pfSense with a 1501 MTU and DF set?

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

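          The arithmetic the two replies above are arguing about (a `ping -s N` echo is N + 20 bytes of IPv4 header + 8 bytes of ICMP header, so 1472 fills a 1500-byte MTU and 1473 needs 1501; a TCP MSS is MTU minus 40) turned into a small path-MTU probe that does the 1472/1473 DF test from the first post as a binary search. This is an added example, not code from the thread or from pfSense. It assumes `ping` is in PATH and uses `-D` for DF on FreeBSD/pfSense and `-M do` on Linux; the 1492-byte path simulated when no host is given is a constructed stand-in, not a measurement from the thread.

```python
"""Path-MTU probe: binary-search the largest DF-marked ICMP echo that is answered,
then derive the packet MTU and the TCP MSS to clamp to.
Added example; not code from the thread or from pfSense."""
import platform
import subprocess
import sys
from typing import Callable

IP_HDR = 20    # IPv4 header without options
ICMP_HDR = 8   # ICMP echo header: "ping -s 1472" is a 1500-byte packet
TCP_HDR = 20   # TCP header without options: MSS = MTU - 40


def ping_payload_for_mtu(mtu: int) -> int:
    """Largest `ping -s` payload that fits one packet of this MTU (1500 -> 1472, 1492 -> 1464)."""
    return mtu - IP_HDR - ICMP_HDR


def mss_for_mtu(mtu: int) -> int:
    """TCP MSS that fits one packet of this MTU (1500 -> 1460, 1492 -> 1452)."""
    return mtu - IP_HDR - TCP_HDR


def df_ping_probe(host: str, payload: int, timeout_s: int = 2) -> bool:
    """Send one echo request of `payload` bytes with DF set; True if a reply arrived.
    Assumption: `ping` is in PATH. FreeBSD/pfSense ping takes -D for DF and -W in ms;
    Linux iputils ping takes -M do for DF and -W in seconds."""
    if platform.system() == "Linux":
        cmd = ["ping", "-c", "1", "-W", str(timeout_s), "-M", "do", "-s", str(payload), host]
    else:
        cmd = ["ping", "-c", "1", "-W", str(timeout_s * 1000), "-D", "-s", str(payload), host]
    rc = subprocess.run(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL).returncode
    return rc == 0


def find_path_mtu(probe: Callable[[int], bool], lo: int = 576, hi: int = 9000) -> int:
    """Return the path MTU found by binary search over ICMP payload sizes.
    `probe(payload)` must return True when a DF echo of that payload is answered.
    Returns 0 when even the `lo` MTU fails: ICMP is being filtered, not an MTU problem."""
    good = ping_payload_for_mtu(lo)
    bad = ping_payload_for_mtu(hi)
    if not probe(good):
        return 0
    if probe(bad):              # everything up to `hi` passes, nothing to search
        return hi
    while bad - good > 1:       # invariant: probe(good) is True, probe(bad) is False
        mid = (good + bad) // 2
        if probe(mid):
            good = mid
        else:
            bad = mid
    return good + IP_HDR + ICMP_HDR


if __name__ == "__main__":
    if len(sys.argv) > 1:
        target = sys.argv[1]

        def probe(payload: int) -> bool:
            return df_ping_probe(target, payload)
    else:
        # Constructed stand-in for a PPPoE-style 1492-byte path: 1464 passes, 1465 does not.
        def probe(payload: int) -> bool:
            return payload <= 1464
    mtu = find_path_mtu(probe)
    if mtu == 0:
        print("no DF echo answered at all; check ICMP filtering before touching MTU/MSS")
    else:
        print(f"path MTU {mtu}: largest ping -s {ping_payload_for_mtu(mtu)}, "
              f"clamp MSS to {mss_for_mtu(mtu)}")
```

          Run it from the pfSense shell as `python3 pmtu.py www.spiegel.de` to get the same answer as the manual 1472/1473 test in the first post, but for any path. A result of 0 means the target never answered a DF echo at all, which is an ICMP filter and not the MTU symptom this thread is about.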
          • Ruddimaster

            I have tried several MTU sizes. The problem still exists. The same in combination with a lot of different MSS values.
            It seems that I have problems surfing to any content that is hosted on Akamai.
            e.g. ford.com: The browser is loading and loading and loading and nothing happens.
            If I connect my PC to the LANCOM router, this page opens within seconds.

            Pings with a big packet size go through…

            Pinging www.web.de [217.72.200.132] with 5000 bytes of data:
            Reply from 217.72.200.132: bytes=5000 time=14ms TTL=57
            Reply from 217.72.200.132: bytes=5000 time=13ms TTL=57
            Reply from 217.72.200.132: bytes=5000 time=13ms TTL=57

            Speed testers show perfect performance.

            Dirk

            • Ruddimaster

              The MTU problems are solved:
              Check "IP-do-not-fragment compatibility"…

              The issue browsing to several websites (e.g. ford.com) still exists.
              I have uninstalled all packages except NRPE...

              Other routers/firewalls (LANCOM, IPFire) don't cause this problem.
              On a fresh bare-metal installation (Pentium 4 with 3c905-TX) I have the same issue.

              suggestions are welcome

              • Ruddimaster

                Update…
                On my test environment (Pentium 4 with 2 x 3c905-TX), fresh installation, no packages, I have checked/unchecked several boxes in the "Advanced" menu.
                Finally I installed 2.1-BETA0.
                No improvement.

                need help...

                • Ruddimaster

                  Now I have these problems
                  with www.spiegel.de

                  Packet Capture
                  Interface: DMZ (192.168.1.x)

                  12:31:50.653400 00:0c:29:bb:ff:9c > 00:0c:29:c9:bd:e3, ethertype IPv4 (0x0800), length 62: (tos 0x0, ttl 128, id 15617, offset 0, flags [DF], proto TCP (6), length 48)
                      192.168.1.112.1662 > 195.71.11.67.80: Flags [S], cksum 0x041b (correct), seq 1276027028, win 64240, options [mss 1460,nop,nop,sackOK], length 0
                  12:31:53.614686 00:0c:29:bb:ff:9c > 00:0c:29:c9:bd:e3, ethertype IPv4 (0x0800), length 62: (tos 0x0, ttl 128, id 15648, offset 0, flags [DF], proto TCP (6), length 48)
                      192.168.1.112.1662 > 195.71.11.67.80: Flags [S], cksum 0x041b (correct), seq 1276027028, win 64240, options [mss 1460,nop,nop,sackOK], length 0
                  12:31:59.630321 00:0c:29:bb:ff:9c > 00:0c:29:c9:bd:e3, ethertype IPv4 (0x0800), length 62: (tos 0x0, ttl 128, id 15704, offset 0, flags [DF], proto TCP (6), length 48)
                      192.168.1.112.1662 > 195.71.11.67.80: Flags [S], cksum 0x041b (correct), seq 1276027028, win 64240, options [mss 1460,nop,nop,sackOK], length 0
                  
                  
                  • wallabybob

                    Without some more capture parameters (what filters were specified?, is this an edited version of the capture? etc) it is not possible to give an accurate interpretation of the capture.

                    Is this traffic blocked by firewall rule? (By default, all traffic on NON-LAN interfaces is blocked.)

                    Does a packet capture on the WAN interface show this traffic leaving pfSense? Does it get a response?

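                    The three questions in the reply above (blocked by a rule? leaves on WAN? gets a response?) come down to the same check on whichever interface the capture was taken: is the client's SYN being resent with the same sequence number, and does a SYN-ACK for that flow ever appear? Here is that check as a small parser over `tcpdump -e -v` text of the kind pasted in the previous post. It is an added example, not code from the thread or from pfSense. The embedded sample is constructed: the first three packets are the unanswered SYNs from the capture above, and an answered handshake to 173.194.35.159 (the google.de address from the first post) with invented sequence numbers is added so the report shows both outcomes.

```python
"""Flag TCP connection attempts whose SYN was retransmitted and never answered,
from the text output of `tcpdump -e -v` (or a pfSense Diagnostics > Packet Capture dump).
Added example; the parser and report are not the thread's or pfSense's own tooling."""
import re
from collections import defaultdict

# Header line: "12:31:50.653400 <mac> > <mac>, ethertype IPv4 ..."; the flow line follows, indented.
TS_RE = re.compile(r"^(\d\d):(\d\d):(\d\d(?:\.\d+)?) ")
FLOW_RE = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\].*?seq (?P<seq>\d+)"
)
MSS_RE = re.compile(r"options \[[^\]]*?mss (\d+)")

# Constructed sample: the three unanswered SYNs from the post above, plus an invented
# answered handshake to 173.194.35.159 so the report has both cases to compare.
SAMPLE = """\
12:31:50.653400 00:0c:29:bb:ff:9c > 00:0c:29:c9:bd:e3, ethertype IPv4 (0x0800), length 62: (tos 0x0, ttl 128, id 15617, offset 0, flags [DF], proto TCP (6), length 48)
    192.168.1.112.1662 > 195.71.11.67.80: Flags [S], cksum 0x041b (correct), seq 1276027028, win 64240, options [mss 1460,nop,nop,sackOK], length 0
12:31:53.614686 00:0c:29:bb:ff:9c > 00:0c:29:c9:bd:e3, ethertype IPv4 (0x0800), length 62: (tos 0x0, ttl 128, id 15648, offset 0, flags [DF], proto TCP (6), length 48)
    192.168.1.112.1662 > 195.71.11.67.80: Flags [S], cksum 0x041b (correct), seq 1276027028, win 64240, options [mss 1460,nop,nop,sackOK], length 0
12:31:59.630321 00:0c:29:bb:ff:9c > 00:0c:29:c9:bd:e3, ethertype IPv4 (0x0800), length 62: (tos 0x0, ttl 128, id 15704, offset 0, flags [DF], proto TCP (6), length 48)
    192.168.1.112.1662 > 195.71.11.67.80: Flags [S], cksum 0x041b (correct), seq 1276027028, win 64240, options [mss 1460,nop,nop,sackOK], length 0
12:32:01.100000 00:0c:29:bb:ff:9c > 00:0c:29:c9:bd:e3, ethertype IPv4 (0x0800), length 62: (tos 0x0, ttl 128, id 15720, offset 0, flags [DF], proto TCP (6), length 48)
    192.168.1.112.1663 > 173.194.35.159.80: Flags [S], cksum 0x0000 (correct), seq 1000, win 64240, options [mss 1460,nop,nop,sackOK], length 0
12:32:01.123000 00:0c:29:c9:bd:e3 > 00:0c:29:bb:ff:9c, ethertype IPv4 (0x0800), length 62: (tos 0x0, ttl 58, id 1, offset 0, flags [DF], proto TCP (6), length 48)
    173.194.35.159.80 > 192.168.1.112.1663: Flags [S.], cksum 0x0000 (correct), seq 5000, ack 1001, win 65535, options [mss 1452,nop,nop,sackOK], length 0
"""


def parse_packets(text):
    """Yield one dict per TCP packet: timestamp in seconds, 4-tuple, flags, seq and MSS option."""
    ts = None
    for line in text.splitlines():
        m = TS_RE.match(line)
        if m:                                   # remember the header line's timestamp
            h, mi, s = m.groups()
            ts = int(h) * 3600 + int(mi) * 60 + float(s)
            continue
        f = FLOW_RE.search(line)
        if not f:
            continue
        mss = MSS_RE.search(line)
        yield {
            "ts": ts, "src": f["src"], "sport": int(f["sport"]),
            "dst": f["dst"], "dport": int(f["dport"]),
            "flags": f["flags"].upper(),        # tolerate the forum's "[s]" lowercasing
            "seq": int(f["seq"]), "mss": int(mss.group(1)) if mss else None,
        }


def handshake_report(text):
    """Per client 4-tuple: SYN attempts, whether the same seq was resent, the gaps between
    attempts, the advertised MSS, and whether a SYN-ACK for that flow was captured."""
    syns = defaultdict(list)
    synacks = set()
    for p in parse_packets(text):
        if "S" not in p["flags"]:
            continue
        if "." in p["flags"]:                   # SYN-ACK: key it by the client's 4-tuple
            synacks.add((p["dst"], p["dport"], p["src"], p["sport"]))
        else:
            syns[(p["src"], p["sport"], p["dst"], p["dport"])].append(p)
    report = {}
    for flow, pkts in syns.items():
        times = [p["ts"] for p in pkts if p["ts"] is not None]
        report[flow] = {
            "attempts": len(pkts),
            "retransmitted": len({p["seq"] for p in pkts}) < len(pkts),
            "gaps_s": [round(b - a, 1) for a, b in zip(times, times[1:])],
            "mss": pkts[0]["mss"],
            "answered": flow in synacks,
        }
    return report


def unanswered_flows(text):
    """Flows whose SYN was resent with the same sequence number and never got a SYN-ACK."""
    return sorted(f for f, r in handshake_report(text).items()
                  if r["retransmitted"] and not r["answered"])


if __name__ == "__main__":
    for flow, r in handshake_report(SAMPLE).items():
        src, sport, dst, dport = flow
        state = "answered" if r["answered"] else "NO SYN-ACK seen"
        print(f"{src}:{sport} -> {dst}:{dport}: {r['attempts']} SYN(s), "
              f"gaps {r['gaps_s']} s, mss {r['mss']}, {state}")
```

                    Run it over the DMZ capture and then over a WAN capture of the same attempt (`tcpdump -e -v -n -i em1 host 195.71.11.67 and port 80` keeps the WAN capture small even under load). A flow that is retransmitted on DMZ but never appears on WAN points at a rule or routing problem inside pfSense; one that leaves on WAN and comes back unanswered points at the path or the remote end. The 3 s and 6 s gaps between identical SYNs are the Windows client's own retransmit backoff, which is why the browser hangs for about 30 s before giving up.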
                    • Ruddimaster

                      After your post, suddenly www.spiegel.de works.

                      Now I have the same problem.
                      I have installed a new workstation in our DMZ (no restrictions from DMZ (192.168.1.0) to external (.)
                      This is the output from Wireshark on this machine with pfSense and LANCOM as default gateway.

                      Other domains are accessible.

                      Can you instruct me how to capture and filter on the WAN NIC, because we have a high load on it.

                      Thanks….

                      [spiegel via LANCOM.txt](/public/imported_attachments/1/spiegel via LANCOM.txt)
                      [spiegel via pfsense.txt](/public/imported_attachments/1/spiegel via pfsense.txt)

                      • Ruddimaster

                        … as you see in the pfSense report,
                        after waiting approx. 30 seconds, Internet Explorer opens Bing to query "www.spiegel.de"...

                        • Reiner030

                          Have you also checked your problematic sites externally?

                          http://www.speedguide.net/analyzer.php

                          My "Share your Results":

                          « SpeedGuide.net TCP Analyzer Results » 
                          Tested on: 2013.02.27 13:10 
                          IP address: 5.145.xxx.xx 
                          Client OS/browser: Linux (Firefox 17.0) 
                          
                          TCP options string: 020405b40402080a5b0ce8630000000001030307 
                          MSS: 1460 
                          MTU: 1500 
                          TCP Window: 5888 (NOT multiple of MSS) 
                          RWIN Scaling: 7 bits (2^7=128) 
                          Unscaled RWIN : 46 
                          Recommended RWINs: 64240, 128480, 256960, 513920, 1027840 
                          BDP limit (200ms): 236kbps (29KBytes/s)
                          BDP limit (500ms): 94kbps (12KBytes/s) 
                          MTU Discovery: ON 
                          TTL: 53 
                          Timestamps: ON 
                          SACKs: ON 
                          IP ToS: 00000000 (0) 
                          

                          and

                          « SpeedGuide.net TCP Analyzer Results »
                          Tested on: 2013.02.27 13:12
                          IP address: 91.102.xx.xxx
                          Client OS/browser: Windows 7 (Firefox 19.0)

                          TCP options string: 020405b40103030201010402
                          MSS: 1460
                          MTU: 1500
                          TCP Window: 65700 (multiple of MSS)
                          RWIN Scaling: 2 bits (2^2=4)
                          Unscaled RWIN : 16425
                          Recommended RWINs: 64240, 128480, 256960, 513920, 1027840
                          BDP limit (200ms): 2628kbps (329KBytes/s)
                          BDP limit (500ms): 1051kbps (131KBytes/s)
                          MTU Discovery: ON
                          TTL: 117
                          Timestamps: OFF
                          SACKs: ON
                          IP ToS: 00000000 (0)

                          
                          Bests
                          
                          Reiner
                          • Ruddimaster

                            Hi Reiner,

                            thanks for your reply.
                            Almost all websites are accessible; just a few sites (spiegel.de) are sometimes not (for a few days).
                            OK, I'm sending you the requested reports…

                            • Reiner030

                              Hi, this was only an idea, because years ago it was often a problem for ADSL users, especially from Yahoo and AOL, which had only ~1448 and ~1412 bytes MTU instead of the "normal" 1492, so many sites weren't working..

                              • Ruddimaster

                                Now suddenly spiegel.de works again.
                                Strange. ???

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.