Getting only 80mbps on a 175mbps WAN connection
-
In case it may be relevant, this happened both in pfSense 2.1.5 and 2.2.
Also, could the fact that my SD is only class 10 have anything to do with it? Does pfSense write to the SD while there is traffic? I doubt it very much, but I just thought I'd ask.
I added a screenshot of the interface diagnostic screen. Is it normal for WAN to be at 1492 and LAN to be at 1500?
-
I'm pretty sure with PPPoE the MTU can't be 1500, but I'm guessing and harkening back to older times. 1492 sounds right.
What link speed is being negotiated on the WAN hardware? Your graphs are right at 100Mbit and make me suspicious. Diagnostics > Command Prompt execute command ifconfig re0 and it should show you the link speed of the underlying hardware.
No, the SD card speed has no effect. It's actually in read-only mode unless you're saving config changes, etc. All of the firewall info is in RAM and the logs, etc are in a ram disk on the nano.
Certainly doesn't look like CPU, though the CPU graph doesn't appear to show much of the time the traffic graph does. Looks like it shows enough.
-
Yeah, 85Mbps sure sounds like exactly what I expect to get through a 100Mb Realtek NIC. Suspiciously so.
1492 is correct on the PPP interface, 1500 on its parent interface. You can check that using ifconfig at the console. You need the 8bits for the encapsulation.
The APU without any packages or VPNs etc should be good for >300Mbps.
Steve
-
Hi guys,
I really appreciate the replies!
So, here's what I tried. I hooked up an ASUS RT-N16 I had lying around (a surprisingly good router…), and hooked that up in the same configuration as the pfSense box.
When doing that, I got around 105mbps down but still about 60mbps up.
So from this I can conclude that the 80-105mbps limit is not due to pfSense or whichever router is connected to the ISP-supplied router, it's really the ISP-supplied router that seems to be limiting the connection speed. The RT-N16 should be fine for 175/175.
It looks like the ISP-router (the Bell Home Hub 2000) is throttling or just having that extra layer (it's basically acting as a bridge) is causing the network speed to drop.
I'm going to try something totally different now and plug the router (RT-N16 or pfSense) directly into the device that translates the fiber connection into copper (some kind of router/switch). I'm betting it doesn't speak PPPoE, but who knows. The problem if I do that is I lose my TV, because it's an IP-based TV system and the Home Hub 2000 sets up a VLAN for it. But it will at least tell me if pfSense is capable of the 175/175 speeds. If that works, I have to figure out how to make the ISP-router play nicely.
Thanks again for all your help!
Rob
Update:
I tried connecting directly to the fiber->copper box and that was a no go.
I'm starting to think I might have no hope here... I'm going to contact Bell (the ISP) and hope to speak to a super high-level tech, we'll see...
-
Do some research first! Make sure you know what you're connecting to.
What device is the fibre ONT?
The HomeHub 2000 appears to be a rebranded Sagemcom F@st 5250.
It is sometimes possible to route the IP-TV VLAN through pfSense. Search the forum for similar setups.
Steve
-
Looks like you need to set the WAN parent interface to a VLAN tagged 35.
http://www.dslreports.com/forum/r29728463-Internet-Bell-Fibe-FTTH-ASUS-Router-PPPoE-Not-Connecting
Steve
-
Thank you very much for those links, they definitely pointed me in the right direction.
I was able to bypass the Home Hub 2000 completely and connect directly to the ONT (fiber->copper box). I had to configure pfSense to grab VLAN 35 on the WAN port.
My network connection is back up to 175/175!
The only issue I have now is, I have no TV. I hear that TV is coming through on VLAN tag 34, but since it's the same physical interface, I'm not sure how to separate it and output it on another LAN port of the pfSense or how exactly that will work… maybe I need to set up a specific route for it?
If anyone has any experience with have two VLAN tags coming in on the same (WAN) port, I'd greatly appreciate some insight.
Thanks!
Robert
-
Glad to hear the APU is up to the task. This is an interesting problem. I hope to have the same sort of problem someday. :/
How does the Home Hub 2000 physically talk to the DVRs/TVs? MoCA over the whole-home coax or something?
My initial thought would be an outside switch
Tagged port with 34 and 35 to the ONT, tagged 35 to pfSense, tagged 34 to the Home Hub 2000.
Alternately you could create VLAN 34 on the same pfSense interface going to the ONT. Then create VLAN 34 on an extra OPT interface and bridge them. Then plug the Home Hub 2000 into the OPT interface. You shouldn't need to set ip addresses on the bridge, if I'm scheming correctly.
They really should have documentation on exactly how their stuff works.
All guesses. Never done it.
-
There's a thread that decsribes a very similar setup to this using Google fibre somewhere here.
There's no problem putting both VLANs 34 and 35 on the same parent interface and bridging or routing as appropriate as Derelict says. I have played with some AT&T gear that does similar things to this and it used a hidden wifi network to talk to the TV boxes.Ah, it's more complex than I remembered but worth reading through:
https://forum.pfsense.org/index.php?topic=71806.0Steve
-
Glad to hear the APU is up to the task. This is an interesting problem. I hope to have the same sort of problem someday. :/
How does the Home Hub 2000 physically talk to the DVRs/TVs? MoCA over the whole-home coax or something?
My initial thought would be an outside switch
Tagged port with 34 and 35 to the ONT, tagged 35 to pfSense, tagged 34 to the Home Hub 2000.
Alternately you could create VLAN 34 on the same pfSense interface going to the ONT. Then create VLAN 34 on an extra OPT interface and bridge them. Then plug the Home Hub 2000 into the OPT interface. You shouldn't need to set ip addresses on the bridge, if I'm scheming correctly.
They really should have documentation on exactly how their stuff works.
All guesses. Never done it.
Hi, thanks for the reply.
I'm thinking that I want to do this:
From the WAN port of the pfSense box, I set up VLANs 34 and 35. VLAN 35 I assign to the WAN port which is what I've done now and that works great.
Then somehow I want to bridge VLAN 34 to the OPT port of my APU box. To that port I connect the Home Hub 2000, and hope that it is able to extract the TV signal from there.
I just have to see if it's possible to bridge a VLAN to a physical port as opposed to the entire physical port. I basically want to bridge only VLAN 34 from the WAN port to the OPT port.
I hope this makes sense…
Rob
-
There's a thread that decsribes a very similar setup to this using Google fibre somewhere here.
There's no problem putting both VLANs 34 and 35 on the same parent interface and bridging or routing as appropriate as Derelict says. I have played with some AT&T gear that does similar things to this and it used a hidden wifi network to talk to the TV boxes.Ah, it's more complex than I remembered but worth reading through:
https://forum.pfsense.org/index.php?topic=71806.0Steve
Holy moly, that looks extremely complicated.
The "good news" is I do have a fully manageable NetGear switch so if it comes to that I can use it… maybe to send the ONT port to that, split to VLANs 34 and 35, and then send VLAN 35 to the pfSense box and VLAN 34 to the Home Hub 2000.
We'll see...
Rob
-
Yes, you can bridge a tagged VLAN interface on WAN with another interface. I think you're going to have to tag VLAN 34 out your OPT1 port because the device will be expecting VLAN 34 tagged. So you'll be bridging, for example, lan0_vlan34 with lan1_vlan34.
-
Yes, you can bridge a tagged VLAN interface on WAN with another interface. I think you're going to have to tag VLAN 34 out your OPT1 port because the device will be expecting VLAN 34 tagged. So you'll be bridging, for example, lan0_vlan34 with lan1_vlan34.
Hi Derelict,
Yes, that's exactly what I wanted to do…
Bridge the VLAN34 part of the WAN port with the OPT1 port (which I've renamed to BELLTV).
Unfortunately, when I go to the "Bridges" tab I only see physical interfaces, not the virtual ones with the VLAN tagged. See attached.
Is there an advanced option somewhere in pfSense to allow bridging of VLANs as well as physical interfaces? (or in this case a VLAN interface to a physical interface...)
-
Did you enable the interfaces? You don't have to set an IP.
Interfaces > (assign) Click on the VLAN interface and enable it.
-
Did you enable the interfaces? You don't have to set an IP.
Interfaces > (assign) Click on the VLAN interface and enable it.
Wow, you know your stuff!
I now have added it as an interface on its own, and enabled it, and bridged it. It sure "looks" good, but unfortunately it doesn't work. I tried connecting the OPT1 physical port directly to one of the Bell receivers, and that didn't work. So then I tried connecting it to the WAN port of the Home Hub 2000 to see if it would get a TV signal (but not an internet signal). Unfortunately, it's not getting a TV signal.
Do I have to enable/create some routes somewhere in pfSense?
–---
Other questions:
I currently have the two VLAN interfaces, the bridge interface and, the physical OPT port and the physical LAN port all enabled. Should they all be enabled? The bridged, OPT and VLAN 34 are all set to IPV4 type = None, is that right? It should just pass through VLAN 34 to the bridged port and hence the Home Hub 2000?
Thanks!
Rob
-
These are the steps I would do:
Interfaces > (assign)
Create VLAN 34 on the physical interfaces for both WAN and OPT
Create two new interfaces. pfSense will name them OPTX and OPTX+1.
Assign OPTX to VLAN 34 on WAN physical
Click on the interface, enable it and name it WAN_34 or something, no IPAssign OPTX+1 to VLAN 34 on OPT physical
Click on the interface, enable it and name it OPT_34 or something, no IPCreate a bridge. Members should be WAN_34 and OPT_34.
Then I think you have to enable the new interface BRIDGE0. Don't set an IP address.
That should be it.
ETA: net.link.bridge.pfil_member Set to 0 to disable filtering on the incoming and outgoing member interfaces. default (1) enabled, put pass any any any rules on LAN_34 and OPT_34. I don't believe you want any rules on BRIDGE0, but I'm not sure. I use switches for this stuff.
ETA2: Actually, thinking about it, I would probably:
set net.link.bridge.pfil_member to 0
set net.link.bridge.pfil_bridge to 1that should eliminate the requirement for rules on the member interfaces.
Then for good measure I would probably put a reject ip any any any on BRIDGE0.
-
These are the steps I would do:
Interfaces > (assign)
Create VLAN 34 on the physical interfaces for both WAN and OPT
Create two new interfaces. pfSense will name them OPTX and OPTX+1.
Assign OPTX to VLAN 34 on WAN physical
Click on the interface, enable it and name it WAN_34 or something, no IPAssign OPTX+1 to VLAN 34 on OPT physical
Click on the interface, enable it and name it OPT_34 or something, no IPCreate a bridge. Members should be WAN_34 and OPT_34.
Then I think you have to enable the new interface BRIDGE0. Don't set an IP address.
That should be it.
ETA: net.link.bridge.pfil_member Set to 0 to disable filtering on the incoming and outgoing member interfaces. default (1) enabled, put pass any any any rules on LAN_34 and OPT_34. I don't believe you want any rules on BRIDGE0, but I'm not sure. I use switches for this stuff.
ETA2: Actually, thinking about it, I would probably:
set net.link.bridge.pfil_member to 0
set net.link.bridge.pfil_bridge to 1that should eliminate the requirement for rules on the member interfaces.
Then for good measure I would probably put a reject ip any any any on BRIDGE0.
I did everything you mentioned, except I'm not sure where to pass those custom net parameters. I'm looking around for that. Without them, the setup is still not working unfortunately. :(
Edit: Found the settings in system tunables. Set them and still no go. Very sad! :)
Edit 2: I've attached some screenshots of my setup.
-
If you set those system tunables after you created the bridge you will to reboot for them to have any effect. (Or re-create the bridge)
Steve
-
Well, I would put something on tagged 34 on WAN and tagged 34 on OPT and be sure they can talk. Again, I'd be using a switch for this, not a pfSense bridge.
Or I'd start looking at packet captures to make sure the bridge is doing what you need and that the traffic from the unit is really on tagged 34.
-
Check your firewall logs. Do you see a load of hits on WAN_34 (or whatever you called it)?
Then run a packet capture to make sure you are seeing any VLAN34 tagged traffic.
IPTV is probably multicast or broadcast so you may need to add that capability to the bridge or add IP options to any firewall rules.
I agree though to be honest this is a waste of good firewall interfaces unless you are really planning to filter the IPTV traffic in some way. Just get a cheap managed switch and use it to separate the two VLAN connections at the ONT.
Of course you may find that the homehub won't handle the IPTV traffic at all unless it has an internet connection to pass back data (like everything you ever view! ;))
Lastly you will not be the first person out there to try this. Someone else will have done it and blogged it so it's probably more productive to research first than to experiment, even though that's the fun part.Steve
