PfSense has slowed down my internet connection significantly

code4u

I need help resolving a slow internet connection with pfSense. My download speed is about 75 Mbps but when pfSense is connected, it significantly slows down to 5 Mbps. I have tested this by disconnecting pfSense and the internet speed is restored back to normal (75 MBps). The CPU utilization of the pfsense laptop on average remains about 10%. Memory utilization remains about 22%. My guess is that the slow internet issue it's probably due to an improperly configured setting or something. Can someone please help?

1. pfSense version: 2.3.4-RELEASE (i386)
2. WAN (xl0)
3. LAN (ue0)

Nullity

Give more details about your network, settings, etc. Anything you can think of…

The LAN ue0 device, is it USB? Is your laptop's BIOS correctly configured to allow High Speed USB 2.0?

Like I said, you need to share more details, otherwise we cannot help.

Visseroth

I just had the same problem yesterday! I noticed I was only getting 10Mbps
I had to adjust the Network interfaces under "System -> Advanced-> Networking" and at the bottom, on mine I unchecked everything. I tried using device polling but it cause my GUI to lag out something fierce.

Depending on your setup, you'll have to enable/disable and test, but after that I was able to pull a full 100Mbps and completely saturate my Internet connection and then some.

I tested by starting 4 Linux live iso downloads from 4 different locations. If I wasn't getting the speed I'd stop the downloads, tick or untick something else then start the downloads again. As I said I ended up with all the "Network Interfaces" options unticked, I'm now running full speed.

code4u

Nullity. how do I check if it is allowing High Speed USB 2.0? I don't see anything in the BIOS about this. Here's what I did. I took an old DELL latitude C840 laptop (Mobile Intel(R) Pentium(R) 4 - M CPU 2.20GHz ) with the latest BIOS (A12):  http://www.dell.com/downloads/us/products/latit/c840_spec.pdf  . I added an  "Anker 3-Port USB 3.0 Portable Data Hub with Gigabit Ethernet Port Network Adapter" for the second NIC: https://www.amazon.com/gp/product/B014ZOJX7W/ref=oh_aui_search_detailpage?ie=UTF8&psc=1

Then, I installed the pfSense CD ISO image that I downloaded from the pfSense website. This converted the laptop from Windows XP to  FreeBSD/PfSense. Everything works OK until I check the internet spreed, which only shows 5 MBps.

Visseroth

That may be part of your problem. Running a network through a USB port isn't good practice. There are reasons why most use server grade NICs, more features, more reliability, buffers, ect.
To my knowledge, currently USB 3.0 isn't supported, but i could be wrong, which means that you are likely running in USB 2.0 mode which has a maximum throughput of 12Mbps (https://en.wikipedia.org/wiki/USB#USB_2.0). Which means you are dependent on the drivers and the manufacturer's drivers which will give you more performance are likely not native to FreeBSD and would need to be compiled into the system.

I'd recommend trying a even a PCMCIA NIC. I've thought about using a laptop too, keyboard, monitor, everything right there, just tuck it in a small space and leave it unless I need to get to it. Problem is those NICs are software driven and not of high quality.
Your best bet is a desktop computer with PCI Express ports so you can choose the NICs you want to use.

If you want better performance then you'll need to buy something capable, not to mention that come version 2.5 you won't be able to run PfSense on that hardware unless the CPU supports AES-NI encryption (https://www.netgate.com/blog/pfsense-2-5-and-aes-ni.html).

If you really want to use the laptop you will need to go to a different distro but you won't get performance going through USB.
If you want security and reliability then build yourself a AES-NI compliant appliance.
I personally forked out the money for a SuperMicro 2758 appliance last year, haven't regretted it, 20W and fast.
Another option is to buy a per-configured appliance from the PfSense foundation (https://store.pfsense.org/systems/).

code4u

Visseroth, thank you for your response. I think I'm going to abandon the laptop idea. The main reason I was going that path is because Netgate cancelled the SG-2440 appliance which I ordered and waited a whole month for it! :-( So, I then decided to use the laptop because I had an old one laying in my room. So if I build or buy a computer, what specs do you recommend? CPU? Memory? NICS? Etc? Also, do I need to sacrifice a whole computer or can I run  pfSense in a VM in a computer with two NICs?

Visseroth

There are many that do run PfSense in a VM, just make sure the CPU supports AES-NI encryption per PfSense Blogs and documentation and propagates that to the virtual machine.
There is a plugin for support for VMWare. I did that for a while as well. Make sure you secure the connection from the Internet to your virtual switch or give the PfSense virtual machine direct access to the NIC so it has control over what the NIC does and doesn't do.
Most Xeon CPUs have AES encryption, but check to be sure.

Your specs will depend on what you want to do. 8GB of RAM is great if you want to run Snort and Squid as I do, 2GB is sufficient for anything else. Personally I ran with this…

https://www.amazon.com/gp/product/B00G3ED7D4/ref=oh_aui_detailpage_o03_s00?ie=UTF8&psc=1
I put 16GB of RAM in it and a WD 250 though I try and find the cheapest and smallest WD Black if I build for others
According to my GUI I have AES-CBC,AES-XTS,AES-GCM,AES-ICM
According to this... https://ark.intel.com/products/77988/Intel-Atom-Processor-C2758-4M-Cache-2_40-GHz
I have the new AES instruction set.
That's a bit of a expensive setup but the idea is to not have to replace it for years to come. I'll have to replace drives but it's so over powered for what I do that it should handle what ever I throw at it and then some.

What you want to do and how much you want to spend will determine what you need.

PfSense's recommendations are found here...
http://www.firewallhardware.it/en/pfsense_selection_and_sizing.html
https://www.pfsense.org/hardware/#requirements

Visualization is a option for sure, just make sure you still meet the requirements and keep the virtual GUI off your Internet connection and keep your network secured.

Nullity

@Visseroth:

That may be part of your problem. Running a network through a USB port isn't good practice. There are reasons why most use server grade NICs, more features, more reliability, buffers, ect.
To my knowledge, currently USB 3.0 isn't supported, but i could be wrong, which means that you are likely running in USB 2.0 mode which has a maximum throughput of 12Mbps (https://en.wikipedia.org/wiki/USB#USB_2.0). Which means you are dependent on the drivers and the manufacturer's drivers which will give you more performance are likely not native to FreeBSD and would need to be compiled into the system.

I'd recommend trying a even a PCMCIA NIC. I've thought about using a laptop too, keyboard, monitor, everything right there, just tuck it in a small space and leave it unless I need to get to it. Problem is those NICs are software driven and not of high quality.
Your best bet is a desktop computer with PCI Express ports so you can choose the NICs you want to use.

If you want better performance then you'll need to buy something capable, not to mention that come version 2.5 you won't be able to run PfSense on that hardware unless the CPU supports AES-NI encryption (https://www.netgate.com/blog/pfsense-2-5-and-aes-ni.html).

If you really want to use the laptop you will need to go to a different distro but you won't get performance going through USB.
If you want security and reliability then build yourself a AES-NI compliant appliance.
I personally forked out the money for a SuperMicro 2758 appliance last year, haven't regretted it, 20W and fast.
Another option is to buy a per-configured appliance from the PfSense foundation (https://store.pfsense.org/systems/).

You got your USB speeds confused. USB 1.1 is limited to 12Mbit but USB 2.0 is much faster (280Mbit real-world).

I agree that OP should get a more "proper" setup with good NICs.

How much did your SuperMicro 2758 setup cost?

Visseroth

Yep, seems I mixed it up, over all my setup was 750, I was shooting for power efficient and long term setup.