High Ping on Lan WHEN Captive Portal is active

bqbqr

Up because subject updated. Thx

Gertjan

Hello,

When you talk about 'ping', you ping the pfSense box (this is the place you should ping), or some host on the Internet (which of course, can situation the problem everywhere, not only locally) ?

When your 'ping' is Ok, what WAN is used ? And when its very slow ?

You tested with only ONE WAN interface ?

Portal users are authenticated, right ?

Why not running captive Portal running from a dedicated interface ?

LAN Firewall rules ?

bqbqr

sorry, must have been more concise. Yeah that's the ping on the Pfsense box that is very slow. 1ms without Captive portal, 41ms with at best, but generaly more around 2000ms… :(

Got the same problem with only 1 WAN yes

Portal users are authenticated yes, I'm using the built-in user manager (could it be the problem knowing I have 300+ users?)

Captive portal is run on the whole LAN network, if that's what you mean by "Dedicated interface"

Gonna C/p the rules as soon as I'm on my pfsense network, thanks!

Gertjan

@bqbqr:

sorry, must have been more concise. Yeah that's the ping on the Pfsense box that is very slow. 1ms without Captive portal, 41ms with at best, but generaly more around 2000ms… :(

Ping FROM pfSense to 'else where' or ping from client PC, connected to LAN - wired or Wifi - try both - through pfSense to the outside (internet) ?

@bqbqr:

Portal users are authenticated yes, I'm using the built-in user manager (could it be the problem knowing I have 300+ users?)

Ones authenticated, firewall rules will not block or slow down pings ….
If the pfSense box can handle the load.

@bqbqr:

Captive portal is run on the whole LAN network, if that's what you mean by "Dedicated interface"

LAN is the 'admin' netwrok, ment to attach trusted devices etc.
An extra NIC (will be called OPT1, but you can rename it) is advised to receive the Captive Portal facility.

bqbqr

Ping FROM pfSense to 'else where' or ping from client PC, connected to LAN - wired or Wifi - try both - through pfSense to the outside (internet) ?

From any computer on the Wifi to the pfsense. IF i'm connected by RJ45, ping from a computer to the pfsense box is then normal.
And when I deactivate the CP, Ping from wifi to pfsense is normal. (less than 10ms)

If the pfSense box can handle the load.

I let everyone today connecting without authentication and it seem to handle the load perfectly today (Better than with portal activated)

An extra NIC (will be called OPT1, but you can rename it) is advised to receive the Captive Portal facility.

That's a good advice, I'm gonna try that.

Thanks for the tip :)

bqbqr

Got more data:
So, the trouble I had with the high ping from computer on network to PFsense box is cleared: It was because the computer was in the pass through mac in the CP.

Now my problem is that for a ping from the LAN to the network is very high IF CP is activated
And it's doing that on Lan for administration and OPT1 for clients…

Got something between 80 and 200ms to google.com without CP and something between 500 and Timeout WITH CP.
And of course, internet is very slow when CP on

Again, could it be that I got too many users in the pfsense user manager? (Idk why I focus on that but that's my last idea... ^^)

Thanks!

Gertjan

@bqbqr:

Got more data:
So, the trouble I had with the high ping from computer on network to PFsense box is cleared: It was because the computer was in the pass through mac in the CP.

When a device (PC) has its MAC on the pass through list this will not influence the PING reply time.

I have some devices (among them: some PC's) on the MAC pass through list (Captive portal settings page).
I never saw what you described here.

@bqbqr:

Now my problem is that for a ping from the LAN to the network is very high IF CP is activated
And it's doing that on Lan for administration and OPT1 for clients…
Got something between 80 and 200ms to google.com without CP and something between 500 and Timeout WITH CP.
And of course, internet is very slow when CP on

You have what I have :
A WAN NIC, a LAN NIC and a OPT1 NIC - your own devices are on the LAN, clients are on the Captive Portal, which is OPT1.
It's NOT because I have clients connected to my portal http://www.test-domaine.fr/munin/brit-hotel-fumel.net/pfsense.brit-hotel-fumel.net/index.html#portalusers that my "Internet becomes slower". Actually, it does ;) but the ping (to the outside world) stays practicality the same.

@bqbqr:

Again, could it be that I got too many users in the pfsense user manager? (Idk why I focus on that but that's my last idea… ^^)

If you have more then 'several thousands' users in your "User Manager', that might be related …. :)
So : no way, that can't be related.

Next time, login to SSH on your pfSense box, and ping from there to google.com. Timings is the same ? Different ?
Do also a trace route.

Do you have packages installed (some really do f*ck up the system) ?

Another way to solve the issue: re-install from scratch. Do not re-use your actual setting (the config.xml file). Setting up pfSEnse isn't hard, and doesn't take much time. It look like that something is broken, and it can be pfSense - I'm using the SAME ONE as you. Tell us afterwards everything that you took away from 'default'.

bqbqr

And now, I also have DNS service crashing once in a while..

Gonna redo everyhting from scratch yeah, seem like the best idea because I really have some weird things

Quick question if I may ask:

After building the new pfsense box, If do a backup, inject the user list into the xml file and restore the pfsense box with the updated xml file, It should work right?

Also, can all of my problem come from a bad hardware? I've done a big memtem86+ and everything seems ok but I'm still wondering why it's not flawless

Thanks a lot for your help Gertjan

Gertjan

@bqbqr:

After building the new pfsense box, If do a backup, inject the user list into the xml file and restore the pfsense box with the updated xml file, It should work right?

That will be the best way to have the identical situation back.
=> Hardware : no change
=> Software : no change
=> Settings : no change
means
=>> same situation.

Redo settings from scratch. Just do de minimum so things start working. Then add settings step by step ….

bqbqr

So i misexplained what I wanted to do,

1: Backup the Old box
2: Set the new box. without using anything from the Old box
3: Backup the new box when set up is OK
4: Inject in the newbox.xml the user list from oldbox.xml
5: Restore newbox.xml on the newbox.

Seems like the right thing to do for keepin my user list .. no?

Gertjan

@bqbqr:

…
Seems like the right thing to do for keepin my user list .. no?

You can keep your user list from the 'old' XML file: It's a copy and paste thing between files ;)
XML files are human readable and have a simple structure.