Poor performance with 2.4.1
-
@JKnott : We do maintain a large number of pfSense boxes for our SOHO users at large, all built on relatively modest hardware, some of them as old as 10, some brand new, mostly Intel but also some AMD cpus.
My system is built on an refurb HP computer with an AMD CPU. There was no problem upgrading, but the performance hit was immediately noticeable. I had not seen a performance change with any other update in the 1.5 years I've been running pfSense. I'm also a lot stronger on Linux than FreeBSD.
-
If you think it's DNS, dig/drill are your friends.
-
I just verified it's the pfSense DNS. I set my computer's DNS back to pfSense and the first time I reloaded the forum index page, it took several seconds. Subsequent reloads were quick. I also tried the Google news page. The first time is took about 18 seconds, the next 2.
-
dig/drill
-
@JKnott : What is your RTT and RTTsd values under WAN Gateway? Have you seen any significant change from version 234 to 241?
If you have a spare disk with your 234 backup copy and you can swap between 234 and 241 you can quickly get to the bottom of the speed issue. -
… I'm thinking perhaps a DNS issue. I'm using the resolver.
Do you also use in "General DNS Resolver Options" Network Interfaces :: "All" and Outgoing Network Interfaces :: "All" ?
I myself see better performance if using Network Interfaces :: "All" (or any iface selections) and Outgoing Network Interfaces :: "WAN"
But then… the DNS Resolver Log records like mad with the address of my WAN Link-Local IPv6 like:
Oct 30 17:30:29 unbound 45462:3 error: can't bind socket: Can't assign requested address for fe80::20d:b9ff:fe40:79b8
Oct 30 17:30:29 unbound 45462:3 error: can't bind socket: Can't assign requested address for fe80::20d:b9ff:fe40:79b8
….Why ? I did not select it… Is this error an unwanted feature ?
And why does the logging keep quiet when selecting "All & All". -
I just ran dig.
When I don't specify server:
dig cnn.com; <<>> DiG 9.9.9-P1 <<>> cnn.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59675
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;cnn.com. IN A;; ANSWER SECTION:
cnn.com. 59 IN A 151.101.129.67
cnn.com. 59 IN A 151.101.193.67
cnn.com. 59 IN A 151.101.1.67
cnn.com. 59 IN A 151.101.65.67;; Query time: 410 msec
;; SERVER: 2001:4860:4860::8888#53(2001:4860:4860::8888)
;; WHEN: Mon Oct 30 16:12:31 EDT 2017
;; MSG SIZE rcvd: 100The server the response comes from is the 2nd in resolv.conf. PfSense is the first.
When I specify that same DNS server:
dig cnn.com
; <<>> DiG 9.9.9-P1 <<>> cnn.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59675
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;cnn.com. IN A;; ANSWER SECTION:
cnn.com. 59 IN A 151.101.129.67
cnn.com. 59 IN A 151.101.193.67
cnn.com. 59 IN A 151.101.1.67
cnn.com. 59 IN A 151.101.65.67;; Query time: 410 msec
;; SERVER: 2001:4860:4860::8888#53(2001:4860:4860::8888)
;; WHEN: Mon Oct 30 16:12:31 EDT 2017
;; MSG SIZE rcvd: 100Now when I specify the pfSense firewall:
dig @
<address removed="">cnn.com
; <<>> DiG 9.9.9-P1 <<>> @
<address removed="">cnn.com
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reachedLooks to me like my pfSense DNS resolver is not working at all for servers on the Internet. It does appear to work for local hosts. The delay when I first try to access a site would be caused by the failure and then trying the 2nd DNS listed in resolv.conf.
</address></address>
-
;; connection timed out; no servers could be reached
Not responding at all. check the config on whatever
<address removed="">is. Make sure you can reach that. Make sure that query is not blocked by firewall rules, etc etc etc</address>
-
;; connection timed out; no servers could be reached
Not responding at all. check the config on whatever
<address removed="">is. Make sure you can reach that. Make sure that query is not blocked by firewall rules, etc etc etc
</address>That
<address removed="">is the public address for the LAN side of my firewall. Since I can get to the Internet through pfSense, I can certainly reach it, access the configuration etc..
</address> -
Do you also use in "General DNS Resolver Options" Network Interfaces :: "All" and Outgoing Network Interfaces :: "All" ?
I have WAN selected for outgoing and everything but WAN for the LAN side.
-
@haleakalas:
@JKnott : What is your RTT and RTTsd values under WAN Gateway? Have you seen any significant change from version 234 to 241?
If you have a spare disk with your 234 backup copy and you can swap between 234 and 241 you can quickly get to the bottom of the speed issue.I have never checked RTT etc., so I don't know what they were before. However, as I mentioned in another note, pfSense is flat out failing to resolve external addresses, but appears to be OK for local.
-
I have WAN selected for outgoing and everything but WAN for the LAN side.
Just select All and All and try again. It sounds like you are not actually listening on the address you are specifying.
-
The service status shows DNS Resolver stopped and I can't start it.
The log has several lines of "Oct 30 16:18:37 unbound 95941:0 error: can't bind socket: Can't assign requested address for fe80::214:d1ff:fe2b:edea". That's the link local address for my WAN port.
-
I have WAN selected for outgoing and everything but WAN for the LAN side.
Just select All and All and try again. It sounds like you are not actually listening on the address you are specifying.
That seems to have it working. Why would this change between versions?
-
I have WAN selected for outgoing and everything but WAN for the LAN side.
Finally I found the Resolver corresponding settings which work perfect, fast and no errors in Log.
For me I have set with GUI:
Network Interfaces: LAN, OPT1, OPT2, Localhost
Outgoing Network Interfaces: LocalhostIn unbound.conf that is correctly found as:
Interface IP(s) to bind to
interface: 192.168.1.1
interface: 2001::####:1::1
interface: 10.8.4.1
interface: 192.168.22.1
interface: 2001::####:3::1
interface: 127.0.0.1
interface: ::1Outgoing interfaces to be used
outgoing-interface: 127.0.0.1
outgoing-interface: ::1Besides this, the "All & All" works too, but you probably don't want listening on WAN ;)
My setup in 2.4.1 (upgraded from 2.4.0) about DNS:
- No Forwarding with Resolver
- Nothing set or checked for DNS in [System > General Setup]
- No other DNS config for DHCP(6) servers || RA
-
^^^^
I'll give those a try. DNS through pfSense has now failed completely. -
Didn't work. I still have complete DNS failure with pfSense. I cannot resolve either Internet or local host names. Something is clearly messed up here. Is there any way to revert back to 2.4.0?
-
For a test. Disable resolver and enable forwarder. See what happens.
-
For a test. Disable resolver and enable forwarder. See what happens.
That appears to work, though I no longer have the local hosts available through it.
-
Yeah - I'm having the same troubles on both a pfsense vm and opnsense vm. In vmware with a private IP at wan.