IPv6 and DNS Lead to Some Slow Websites

wre136

I have a Dell Optiplex 990 computer with a Quad-port 82575GB Gigabit Network Connection NIC running PFsense 2.4.4. It is configured with IPv4 and IPv6 from my WAN provider in which it is providing an IPv6 prefix for my internal network. I am also using DNS Resolver for local DNS on my network. I have configured my PFsense box to have Google DNS and One DNS but have also allowed ISP to override them.

Most websites I access come up just fine. However, I have a hand full of websites that are incredibly slow to bring up or do not bring up completely (missing CSS, pictures, ads and more). I connected my PC directly to my modem and the sites pull up just fine. I connected my router back up. Then on my host, I assigned DNS to Google's DNS server and still slow. Then I disabled IPv6 on my host and BOOM, it works! Any combination of the two does not work unless DNS on my host is to something other than PFSense and IPv6 is disabled on my host.

At this point, I am unaware of where to go next. Should I turn IPv6 off on my PFSense box and not use DNS Resolver? I rather not since I like to have IPv6 functionality and DNS Resolver offers internal DNS for my hosts and devices. Is there any logs I can check further into or any options that might help?

• BIOS
  Vendor: Dell Inc.
  Version: A23
  Release Date: Sun Feb 11 2018

• Version
  2.4.4-RELEASE (amd64)
  built on Thu Sep 20 09:03:12 EDT 2018
  FreeBSD 11.2-RELEASE-p3
  Version information updated at Tue Oct 2 10:02:18 CDT 2018

• CPU Type
  Intel(R) Core(TM) i5-2400 CPU @ 3.10GHz
  Current: 3100 MHz, Max: 3101 MHz
  4 CPUs: 1 package(s) x 4 core(s)
  AES-NI CPU Crypto: Yes (active)

• Hardware crypto
  AES-CBC,AES-XTS,AES-GCM,AES-ICM

• Kernel PTI
  Enabled

• Uptime
  01 Hour 19 Minutes 42 Seconds

• Current date/time
  Tue Oct 2 11:21:16 CDT 2018

• DNS server(s)
  127.0.0.1
  68.105.28.11
  68.105.29.11
  68.105.28.12
  2001:578:3f::30
  2001:578:3f:1::30
  1.0.0.1
  1.1.1.1
  2606:4700:4700::1001
  2606:4700:4700::1111
  8.8.8.8
  8.8.4.4
  2001:4860:4860::8888
  2001:4860:4860::8844

• Installed Packages:
  LADVD 1.2.2
  mailreport 3.3
  mtr-nox11 0.85.6_1
  nmap 1.4.4_1
  open-vpn-export 1.4.17_2
  RRD_Summary 2.0
  Service_Watchdog 1.8.6
  Status_Traffic_Totals 1.2.4
  sudo 0.3_1

wre136

Update:

I enabled IPv6 on my host and assigned it a static IPv6 DNS Address of 2606:4700:4700::1001 (1.1.1.1 DNS) and it worked.

So as of right now, the websites that are slow work just fine if I set my IPv4 and IPv6 DNS server entries to something other than my local pfsense router.

Still do not know why that should matter or what the fix for DNS Resolver should be.

bfeitell

Out of curiosity, what do you see for the MTU of your WAN interface under status/interfaces?

wre136

Temporarily, I have resolved the issue by changing from DNS Resolver to to DNS Forwarder. However, I rather have the local DNS server myself that using external DNS servers. So I'm still looking into this.

Below are the stats for my WAN connection. NOTE: Even though the MTU says 9000, the largest ping I can get from Windows to the Default Gateway of my WAN is 1472. I can ping with jumbo frames to the LAN interface and any object within my LAN

WAN Interface (wan, igb0)

• Status
  up

• DHCP
  up Relinquish Lease

• MAC Address
  00:1b:21:3c:42:40 - Intel Corporate

• IPv4 Address
  <omitted>

• Subnet mask IPv4
  255.255.240.0

• Gateway IPv4
  174.67.0.1

• IPv6 Link Local
  fe80::21b:21ff:fe3c:4240%igb0

• IPv6 Address
  <omitted>

• Subnet mask IPv6
  128

• Gateway IPv6
  fe80::238:dfff:fe9a:5019

• DNS servers
  127.0.0.1
  1.0.0.1
  2606:4700:4700::1001
  1.1.1.1
  2606:4700:4700::1111

• MTU
  9000

• Media
  1000baseT <full-duplex>

• In/out packets
  1638176/805107 (1.89 GiB/94.49 MiB)

• In/out packets (pass)
  1638176/805107 (1.89 GiB/94.49 MiB)

• In/out packets (block)
  6670/0 (782 KiB/0 B)

• In/out errors
  0/0

• Collisions
  0

bfeitell

Try refreshing the connection without manually setting anything for the WAN MTU, and and please report what the MTU gets set to as reported in status/interfaces.

wre136

It reports my MTU as 1500

bfeitell

Try testing your IPv6 connectivity and DNS lookup with the MTU set to default on the WAN. Do you still have the same problems?

wre136

No Go. I just switched back to DNS Resolver and still some websites are slow. As soon as I switch back to DNS Forwarder, they work fine.

bfeitell

What are your settings in DNS Resolver?

wre136

Any easy way to get that other than a screen shot?

Pippin

ICMP blocked somewhere?
Maybe Prefer IPv4 over IPv6 helps?

bfeitell

You should leave the WAN MTU at the default. Being able to send a max ping of 1472 shows that 1500 is your actual MTU on the connection. The missing 8 bytes are the ICMP header for the ping packets. Please report what you have set for "IP Do-Not-Fragment compatibility", in system/advanced/firewall&nat?

wre136

@pippin Under system i did specify for it to use IPv4 over IPv6 but sadly didn't change anything

bfeitell

A screenshot of the first settings page would be perfect.

wre136

@bfeitell I have the IP Don-Not-Fragment compatibility flag not set. Should I enable that feature?

bfeitell

I would try it, and see if it has an effect on the function of DNS Resolver. I think that playing with your MTU on the WAN might be the cause, but I'd still like to see your settings for DNS Resolver. If you are using dns over tls with the Quad9 resolvers, that might explain things. I have found the Quad9 resolvers to be very slow in comparison to the cloudflare resolvers.

wre136

Below are the basic settings I have for DNS Resolver:

bfeitell

Check the log file for DNSBL in pfblocker. Depending upon what lists you are using, you might be blocking access to certain name servers you need for DNS Resolver to work correctly. If you temporarily disable pfb_dnsbl, you will need to reload on the update page to clear any blocks. Then test the DNS Resolver again.

wre136

Pfblockerng isn't much of the issue. I factory reset my router and did a minimal setup using DNS Resolver and no pfblockerng. Still had the same issue. After seeing no change, I restored my original config bringing pfblockerng back

sigi

@wre136 I bet on https://redmine.pfsense.org/issues/8934 have own DNS on FreeBSD and get many problems with IPv6 DNS and Fragments. Disabling scrubbing helps. But then IPv4 DNS has same problems :-(

Oct  9 17:25:41 host1 kernel: ipfw: 65300 Deny TCP [2001:500:e::1] [2axx:xxxx:xxxx:xxxx::53] in via bge0 (frag 1217fb81:188@9856)
Oct  9 17:25:57 host1 kernel: ipfw: 65300 Deny TCP [2001:500:f::1] [2axx:xxxx:xxxx:xxxx::53] in via bge0 (frag 4d6091d8:188@9856)
Oct  9 17:26:45 host1 kernel: ipfw: 65300 Deny TCP [2001:500:e::1] [2axx:xxxx:xxxx:xxxx::53] in via bge0 (frag 350be3db:188@9856)
Oct  9 17:31:29 host1 kernel: ipfw: 65300 Deny UDP [2001:500:40::1] [2axx:xxxx:xxxx:xxxx::53] in via bge0 (frag b576286c:361@9856)
Oct  9 17:51:24 host1 kernel: ipfw: 65300 Deny UDP [2001:470:1a::1] [2axx:xxxx:xxxx:xxxx::53] in via bge0 (frag 8533c2a5:642@9856)
Oct  9 17:51:26 host1 kernel: ipfw: 65300 Deny UDP [2001:5a0:10::1] [2axx:xxxx:xxxx:xxxx::53] in via bge0 (frag e06893c2:650@9856)
Oct  9 17:53:07 host1 kernel: ipfw: 65300 Deny UDP [2001:67c:18c4:2000::11:53] [2axx:xxxx:xxxx:xxxx::53] in via bge0 (frag 55df3089:362@9856)
Oct  9 18:11:05 host1 kernel: ipfw: 65300 Deny UDP [2001:500:48::1] [2axx:xxxx:xxxx:xxxx::53] in via bge0 (frag 8424932b:361@9856)
Oct  9 18:11:25 host1 kernel: ipfw: 65300 Deny UDP [2001:500:b::1] [2axx:xxxx:xxxx:xxxx::53] in via bge0 (frag 9da68734:361@9856)
Oct  9 18:14:41 host1 kernel: ipfw: 65300 Deny UDP [2001:500:c::1] [2axx:xxxx:xxxx:xxxx::53] in via bge0 (frag 69a41126:361@9856)
Oct  9 18:18:05 host1 kernel: ipfw: 65300 Deny UDP [2001:500:40::1] [2axx:xxxx:xxxx:xxxx::53] in via bge0 (frag a639e4fd:361@9856)