Pfsense not working very well anymore
-
I got pfsense running on EXSi6 type1 hypervisor on a Zotac CI323 mini pc box. It took some fiddling but got it ESXI6 working, the pfsense install was crazy easy - all is fantastic for a few months, but now my corporate laptop on its UDP vpn suffers HORRIBLE performance (i do tons of PuTTY/SSH sessions and its readily apparent there is something going on, lots of delays and just abrupt session drops). Same thing for my Cisco IPPhone which has its own embedded UDP VPN client.
Not as noticeable from home PCs or Netflix though - but very problematic from my Corporate gear, which is bad as Im 100% home telecommuter.
As a troubleshooting method I spun up an untangled OVA install and switched home routing/firewalling to it and the problems immediately went away. So this tells me my HW is good. Dont really like untangled though for a myriad of reasons.
I did just do a pfsense update to latest to see if that helped, it didnt. Is there any general guide/process to troubleshoot this kind of issue?
-
I did not have a good experience with bare metal esxi.
I scrapped the whole idea as it was absolutely awful to use in my scenario.
I'm sure if I had a certified machine for it the trial may have gone smoother. I also have issues with how it works compared to how other platforms do it - like usb management. My use case requires the USB to be accessible and it simply would not work. No errors, no nothing.
Anyway - I went with super efficient platform for my needs and it actually works out better imo.
-
Yep.
I ran pf on a considerably robust esxi system, and it never ran 100%. And I also experienced the same thing you are, over time the system became less and less useful/stable/happy, sorta like a Windows machine that's getting a little long in the tooth.
Went back to bare metal for pf, never going back to VMs, period.
-
hrmph!
thanks for the info all. wonder if i would have different results on hyperv?
-
hrmph!
thanks for the info all. wonder if i would have different results on hyperv?
I had a great experience with pf on parallels when I was first checking it out. I think the problem has something to do with bare metal hypervisors. This is just a guess.
I am not sure how efficient the networking would be on something like hyper-v sitting on top another OS. Does network activity hit the cpu in this case or can it do the passthrough stuff that I could not manage to get working in esxi?Lots of questions.
-
Can I assume you guys are using consumer-grade gear? I've been running pfSense on ESXi for years without issue with a 100/100 Mbps fibre link. The servers I'm using are HP ProLiant and Dell NX series blades.
-
@KOM:
Can I assume you guys are using consumer-grade gear? I've been running pfSense on ESXi for years without issue with a 100/100 Mbps fibre link. The servers I'm using are HP ProLiant and Dell NX series blades.
Probably certified to be working with vmware in the first place, too. 8)
-
i mean the hyper v server, i have access to it free as my student status in a MSCS program. yes, consumer grade hardware for home use, on a 30mbps cable modem connection. and I rarely ever even use that much bw, especially when im at home alone on my corp laptop trying to SSH to equipment in the network
-
I saw the same sort of thing, but with pfsense running on a physical box.
I have 3m/768k DSL and with the Frontier supplied firewall, buffer bloat would make my network unusable when any sort of data was going upstream. I implemented pfsense on an old AMD system, set up some rudimentary traffic shaping (mostly so that ACK packets go to the head of the queue) and life was good.
At some point, my performance just started to suck for N devices when N+1 devices were transferring data across the Internet connection - it didn't even have to come close to saturating the link. I jacked around with the traffic shaping, then deleted it. No help.
Now admittedly, the AMD box wasn't high power, but it ran pfsense just great for a long time and I seldom saw more than 3% sustained utilization.
I finally gave up and moved to the free Sophos UTM for home product. I'm running it under ESXi 6 on the cheapest AMD quad core CPU available (along with an asterisk based PBX and a Server 2003 file server) with no problems at all.
-
I saw the same sort of thing, but with pfsense running on a physical box.
I have 3m/768k DSL and with the Frontier supplied firewall, buffer bloat would make my network unusable when any sort of data was going upstream. I implemented pfsense on an old AMD system, set up some rudimentary traffic shaping (mostly so that ACK packets go to the head of the queue) and life was good.
At some point, my performance just started to suck for N devices when N+1 devices were transferring data across the Internet connection - it didn't even have to come close to saturating the link. I jacked around with the traffic shaping, then deleted it. No help.
Now admittedly, the AMD box wasn't high power, but it ran pfsense just great for a long time and I seldom saw more than 3% sustained utilization.
I finally gave up and moved to the free Sophos UTM for home product. I'm running it under ESXi 6 on the cheapest AMD quad core CPU available (along with an asterisk based PBX and a Server 2003 file server) with no problems at all.
I liked the GUI for Sophos and tried the same thing. I had to reinstall several times as it wouldn't take the root password I set. I felt like I was being trolled.
Then I was like, "Dude it took you 3 years to grasp pfsense, do you really want to learn it all again?"
My issues on one pf install was strange, I got a ton of php errors in the log. I backed up and opened the .xml and found a ton of ungraceful things about old packages still leaving remnants in the config. I cleared all of it out and did a simple reload and it solved the issue.
-
Then I was like, "Dude it took you 3 years to grasp pfsense, do you really want to learn it all again?"
I figured Sophos UTM out enough to get up and running in an hour. I've spent about 20 hours more digging around and I I understand it better than I understand pfsense after using it for 5 years.
In some areas, Sophos UTM isn't nearly as complex or flexible as pfsense, so that eliminates a LOT to have to understand. Traffic shaping for example - in Sophos, it is fairly simple. In pfsense, it could be the subject of a college masters program.
Sophos also has a 900 page admin guide which is actually fairly useful - you can typically find the info you want in a few minutes, as opposed to scouring wikis and forum posts for hours for pfsense.
-
Then I was like, "Dude it took you 3 years to grasp pfsense, do you really want to learn it all again?"
I figured Sophos UTM out enough to get up and running in an hour. I've spent about 20 hours more digging around and I I understand it better than I understand pfsense after using it for 5 years.
In some areas, Sophos UTM isn't nearly as complex or flexible as pfsense, so that eliminates a LOT to have to understand. Traffic shaping for example - in Sophos, it is fairly simple. In pfsense, it could be the subject of a college masters program.
Sophos also has a 900 page admin guide which is actually fairly useful - you can typically find the info you want in a few minutes, as opposed to scouring wikis and forum posts for hours for pfsense.
There's a pfsense book that should be pushed more on the community as it really is extremely helpful.
But sure, I like sophos and everything. It just gave me a bad first impression whereas I have yet to find fault with pfsense - if something is wrong it's usually something else. 8)
-
There's a pfsense book that should be pushed more on the community as it really is extremely helpful.
Are you talking about the official book? It is for version one and is seven years old.
The book for version two is due "real soon now", or so says a two year old post on the documentation forum.
-
There's a pfsense book that should be pushed more on the community as it really is extremely helpful.
Are you talking about the official book? It is for version one and is seven years old.
The book for version two is due "real soon now", or so says a two year old post on the documentation forum.
I bought it and it cleared up so many misconceptions that I had immediately. I could easily be where I'm at with it within a week compared to the years I spent. Not a huge deal as the move to pfsense has been very solid compared to where we came from. I can do a lot more with it now, is all.
-
Probably certified to be working with vmware in the first place, too.
Of course. Why would I run critical stuff on RandomCo hardware??
Are you talking about the official book? It is for version one and is seven years old.
No, he's probably talking about this one. There will never be another hardcopy book, says JimP. This is a living document and will get updated as required. Available to Gold subscribers only.
