Poor performance with 2.4.1

Guest

@JKnott : What is your RTT and RTTsd values under WAN Gateway? Have you seen any significant change from version 234 to 241?
If you have a spare disk with your 234 backup copy and you can swap between 234 and 241 you can quickly get to the bottom of the speed issue.

hda

@JKnott:

… I'm thinking perhaps a DNS issue.  I'm using the resolver.

Do you also use in "General DNS Resolver Options" Network Interfaces :: "All" and Outgoing Network Interfaces :: "All" ?

I myself see better performance if using Network Interfaces :: "All" (or any iface selections) and Outgoing Network Interfaces :: "WAN"

But then… the DNS Resolver Log records like mad with the address of my WAN Link-Local IPv6 like:

Oct 30 17:30:29 unbound 45462:3 error: can't bind socket: Can't assign requested address for fe80::20d:b9ff:fe40:79b8
Oct 30 17:30:29 unbound 45462:3 error: can't bind socket: Can't assign requested address for fe80::20d:b9ff:fe40:79b8
….

Why ? I did not select it…  Is this error an unwanted feature ?
And why does the logging keep quiet when selecting "All & All".

JKnott

I just ran dig.

When I don't specify server:
dig cnn.com

; <<>> DiG 9.9.9-P1 <<>> cnn.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59675
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;cnn.com.                      IN      A

;; ANSWER SECTION:
cnn.com.                59      IN      A      151.101.129.67
cnn.com.                59      IN      A      151.101.193.67
cnn.com.                59      IN      A      151.101.1.67
cnn.com.                59      IN      A      151.101.65.67

;; Query time: 410 msec
;; SERVER: 2001:4860:4860::8888#53(2001:4860:4860::8888)
;; WHEN: Mon Oct 30 16:12:31 EDT 2017
;; MSG SIZE  rcvd: 100

The server the response comes from is the 2nd in resolv.conf.  PfSense is the first.

When I specify that same DNS server:

dig cnn.com

; <<>> DiG 9.9.9-P1 <<>> cnn.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59675
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;cnn.com.                      IN      A

;; ANSWER SECTION:
cnn.com.                59      IN      A      151.101.129.67
cnn.com.                59      IN      A      151.101.193.67
cnn.com.                59      IN      A      151.101.1.67
cnn.com.                59      IN      A      151.101.65.67

;; Query time: 410 msec
;; SERVER: 2001:4860:4860::8888#53(2001:4860:4860::8888)
;; WHEN: Mon Oct 30 16:12:31 EDT 2017
;; MSG SIZE  rcvd: 100

Now when I specify the pfSense firewall:

dig @

<address removed="">cnn.com

; <<>> DiG 9.9.9-P1 <<>> @

<address removed="">cnn.com
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

Looks to me like my pfSense DNS resolver is not working at all for servers on the Internet.  It does appear to work for local hosts.  The delay when I first try to access a site would be caused by the failure and then trying the 2nd DNS listed in resolv.conf.
</address>

</address>

Derelict

;; connection timed out; no servers could be reached

Not responding at all. check the config on whatever

<address removed="">is. Make sure you can reach that. Make sure that query is not blocked by firewall rules, etc etc etc</address>

JKnott

@Derelict:

;; connection timed out; no servers could be reached

Not responding at all. check the config on whatever

<address removed="">is. Make sure you can reach that. Make sure that query is not blocked by firewall rules, etc etc etc
</address>

That

<address removed="">is the public address for the LAN side of my firewall.  Since I can get to the Internet through pfSense, I can certainly reach it, access the configuration etc..
</address>

JKnott

Do you also use in "General DNS Resolver Options" Network Interfaces :: "All" and Outgoing Network Interfaces :: "All" ?

I have WAN selected for outgoing and everything but WAN for the LAN side.

JKnott

@haleakalas:

@JKnott : What is your RTT and RTTsd values under WAN Gateway? Have you seen any significant change from version 234 to 241?
If you have a spare disk with your 234 backup copy and you can swap between 234 and 241 you can quickly get to the bottom of the speed issue.

I have never checked RTT etc., so I don't know what they were before.  However, as I mentioned in another note, pfSense is flat out failing to resolve external addresses, but appears to be OK for local.

Derelict

I have WAN selected for outgoing and everything but WAN for the LAN side.

Just select All and All and try again. It sounds like you are not actually listening on the address you are specifying.

JKnott

The service status shows DNS Resolver stopped and I can't start it.

The log has several lines of "Oct 30 16:18:37 unbound 95941:0 error: can't bind socket: Can't assign requested address for fe80::214:d1ff:fe2b:edea".  That's the link local address for my WAN port.

JKnott

@Derelict:

I have WAN selected for outgoing and everything but WAN for the LAN side.

Just select All and All and try again. It sounds like you are not actually listening on the address you are specifying.

That seems to have it working.  Why would this change between versions?

hda

@JKnott:

I have WAN selected for outgoing and everything but WAN for the LAN side.

Finally I found the Resolver corresponding settings which work perfect, fast and no errors in Log.

For me I have set with GUI:
Network Interfaces: LAN, OPT1, OPT2, Localhost
Outgoing Network Interfaces: Localhost

In unbound.conf that is correctly found as:

Interface IP(s) to bind to

interface: 192.168.1.1
interface: 2001::####:1::1
interface: 10.8.4.1
interface: 192.168.22.1
interface: 2001::####:3::1
interface: 127.0.0.1
interface: ::1

Outgoing interfaces to be used

outgoing-interface: 127.0.0.1
outgoing-interface: ::1

Besides this, the "All & All" works too, but you probably don't want listening on WAN ;)

My setup in 2.4.1 (upgraded from 2.4.0) about DNS:

• No Forwarding with Resolver
• Nothing set or checked for DNS in [System > General Setup]
• No other DNS config for DHCP(6) servers || RA

JKnott

^^^^
I'll give those a try.  DNS through pfSense has now failed completely.

JKnott

Didn't work.  I still have complete DNS failure with pfSense.  I cannot resolve either Internet or local host names.  Something is clearly messed up here.  Is there any way to revert back to 2.4.0?

kejianshi

For a test.  Disable resolver and enable forwarder.  See what happens.

JKnott

@kejianshi:

For a test.  Disable resolver and enable forwarder.  See what happens.

That appears to work, though I no longer have the local hosts available through it.

kejianshi

Yeah - I'm having the same troubles on both a pfsense vm and opnsense vm.  In vmware with a private IP at wan.

JKnott

If there isn't a fix for the resolver soon, I'll have to copy all my local devices into the forwarder.

kejianshi

I think its a resolver specific issue and it will be fixed.  til then, I like your fix.

Derelict

No idea what you guys are doing. Resolver works fine in 2.4.1.

JKnott

@Derelict:

No idea what you guys are doing. Resolver works fine in 2.4.1.

I updated to 2.4.1.  I guess I shouldn't have done that.