Netgate Discussion Forum
    New, noob, just up and running and a little hiccup?

    Scheduled Pinned Locked Moved General pfSense Questions
    31 Posts 5 Posters 4.3k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • GertjanG
      Gertjan @rhosch
      last edited by

      @rhosch said in New, noob, just up and running and a little hiccup?:

      Put the Xfinity Arris router into bridge mode and managed to get initial pfSense configured

      Put the "Xfinity" thing back in the original state - you wind up having the same network as before.
      At that moment, you can hook up pfSense with 100 % original settings - into your original network, and it will behave like any other device (PC, AP, phone, TV, etc.): it will take an IP using DHCP on its 'WAN' interface, and give you a new sub-LAN.
      The only thing that has to be checked - and modified, if needed - is that if your original LAN network is 192.168.1.0/24, you should change the pfSense LAN network to 192.168.2.0/24 or 10.0.0.0/24 (adapt its DHCP server on LAN accordingly).
      Now, when you take a PC off your original "Xfinity Arris router" LAN, and hook it up to the "pfSense" LAN, you have a router-after-router setup. It should be 100 % operational **. Any delays or issues at this point should probably be located at "pfSense" level.

      ** that is, Windows network neighbourhood functionality won't work, because devices are not on the same network any more, but you should be able to connect to these "Xfinity Arris router" LAN devices using their IP.

      Right now, without any info, issues might be:
      DHCP lease storm from some LAN device => new leases come in fast, and the Resolver gets restarted with the same frequency: this can be checked by looking at the logs.
      I tend to exclude other DNS issues, as, when looking at this forum, all host names are resolved and known.
      MTU issues ?

      No "help me" PM's please. Use the forum, the community will thank you.
      Edit : and where are the logs ??

      • R
        rhosch @netblues
        last edited by

        @netblues

        Thanks. I've set ipv6 on the wan interface to none. I think (!) from perusing info here that should be all that's needed to block that?

        I will download the DNS performance check sometime tomorrow and see how that looks.

        • R
          rhosch @Gertjan
          last edited by

          @Gertjan

          Thanks. I can certainly give that a try if the above has no effect. I believe the default lan on the Xfinity router is 10.0.0.1 so should be fine, I'd need to check that though.

          • N
            netblues @rhosch
            last edited by

            @rhosch There is also a check box in system/advanced/networking.
            Also check pfsense logs for anything strange, like dhcp etc.

            Consider running a constant ping from command line to your isp while playing with the browsers.
            It will give you an indication of any transient network issues.
            Also in system, monitoring check quality/packet loss on the wan with resolution of 1 minute for the last 8 hours, for any issues.

            • GertjanG
              Gertjan @netblues
              last edited by

              @netblues said in New, noob, just up and running and a little hiccup?:

              Give this a try https://www.grc.com/dns/benchmark.htm

              pfSense, by default, uses none of these - or just a subset: the main 13 Internet root servers. Then it talks to the fastest TLS servers to find the domain's name server(s), to retrieve an A or AAAA. Clean, lean, simple.
              When setting up pfSense, no need (I insist!) to change any DNS settings. The default settings are just perfect.

              • N
                netblues @Gertjan
                last edited by

                @Gertjan I agree.. However, testing for dns speed will uncover any network issues.
                And certainly, the solution is not to use forwarders.

                • JKnottJ
                  JKnott @netblues
                  last edited by

                  @netblues said in New, noob, just up and running and a little hiccup?:

                  Consider disabling ipv6 temporarily and see if this fixes the issue.

                  Why would that have any effect? Why are so many people so quick to blame IPv6?

                  PfSense running on Qotom mini PC
                  i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                  UniFi AC-Lite access point

                  I haven't lost my mind. It's around here...somewhere...

                  • JKnottJ
                    JKnott @rhosch
                    last edited by

                    @rhosch said in New, noob, just up and running and a little hiccup?:

                    The problem is that I'm seeing what looks like very brief losses of internet connectivity that I was not seeing before.

                    Is there any pattern to the failures? Certain sites etc.? Certain times? It could also be an intermittent hardware problem. Several years ago, I had a problem with intermittent failures. It turned out to be a bad cable where it came in from the street to my building. Can you do some testing that might indicate what's happening? For example, in my case, I wrote a short script that would ping my ISP's router at intervals and record the failures. Also, did the problem start with pfSense? I've been using pfSense for over 4 years and find it's solid.

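A ping-and-record check of the kind suggested in the post above, as an added example (not JKnott's script): it probes a host at a fixed interval and collapses consecutive failures into outage records, so brief losses can be lined up against the pfSense logs. It assumes a Unix-like `ping` that accepts `-c 1`; the function names and the target host are hypothetical.

```python
import subprocess
import time
from datetime import datetime


def ping_once(host, timeout_s=2):
    """Send one ICMP echo with the system ping; True if a reply came back."""
    try:
        result = subprocess.run(
            ["ping", "-c", "1", host],          # assumption: Unix-like ping
            stdout=subprocess.DEVNULL,
            stderr=subprocess.DEVNULL,
            timeout=timeout_s,
        )
        return result.returncode == 0
    except (subprocess.TimeoutExpired, OSError):
        return False                            # no reply in time, or ping missing


def record_outages(probe, samples, interval_s=1.0,
                   clock=datetime.now, sleep=time.sleep):
    """Call probe() `samples` times, `interval_s` apart.

    Returns a list of (first_failure, first_success_after, probes_lost);
    the second field is None if the run ended while still failing.
    """
    outages, start, lost = [], None, 0
    for i in range(samples):
        now = clock()
        if probe():
            if start is not None:               # link came back: close the outage
                outages.append((start, now, lost))
                start, lost = None, 0
        else:
            if start is None:                   # first failure of a new outage
                start = now
            lost += 1
        if i < samples - 1:
            sleep(interval_s)
    if start is not None:
        outages.append((start, None, lost))
    return outages


if __name__ == "__main__":
    import sys
    host = sys.argv[1]                          # e.g. the ISP gateway address
    for start, end, lost in record_outages(lambda: ping_once(host), samples=3600):
        print(f"down from {start} to {end or 'end of run'}: {lost} probes lost")
```
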
                    • N
                      netblues @JKnott
                      last edited by

                      @JKnott Because ipv6 receives less attention from ISPs and occasionally problems manifest as this exact behavior: the browser first tries ipv6, fails (miserably) and then tries v4.

                      It's very common, unfortunately.

                      • GertjanG
                        Gertjan @netblues
                        last edited by Gertjan

                        @netblues said in New, noob, just up and running and a little hiccup?:

                        (miserably)

                        is my Internet experience when I tried these futuristic LAN firewall rules :

                        6ddee7b2-0e75-42e4-b729-9b7e5664e2e9-image.png

                        But take note : I posted this using these rules ;)

                        • Raffi_R
                          Raffi_
                          last edited by

                          My initial thought was unbound restarting too frequently. I would think streaming video would have more trouble if it were an issue with the connection to ISP. That doesn't sound to be the case. Although it could be cables. DNS troubles would cause pages to load slowly or not at all. I had this exact issue with unbound when DHCP registration was checked. Check the DNS logs to see if unbound is rebooting frequently.

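The log check suggested in this post and in Gertjan's first reply (resolver restarts tracking DHCP leases), as an added example that is not from any poster: it finds the peak number of unbound starts inside a sliding window and lists the clients receiving repeated DHCPACKs. The sample lines are constructed, and the BSD-syslog layout, the `start of service` and `DHCPACK on ... to ...` message texts, the year and the thresholds are assumptions.

```python
import re
from collections import Counter, deque
from datetime import datetime, timedelta

# Constructed sample lines (not taken from the thread), BSD syslog layout assumed.
SAMPLE_LOG = """\
Mar 10 20:01:02 pfSense dhcpd: DHCPACK on 192.168.2.50 to aa:bb:cc:00:00:01 via em1
Mar 10 20:01:04 pfSense unbound: [4177:0] info: start of service (unbound 1.9.1).
Mar 10 20:02:10 pfSense dhcpd: DHCPACK on 192.168.2.50 to aa:bb:cc:00:00:01 via em1
Mar 10 20:02:12 pfSense unbound: [4290:0] info: start of service (unbound 1.9.1).
Mar 10 20:03:30 pfSense dhcpd: DHCPACK on 192.168.2.50 to aa:bb:cc:00:00:01 via em1
Mar 10 20:03:32 pfSense unbound: [4402:0] info: start of service (unbound 1.9.1).
Mar 10 20:04:00 pfSense dhcpd: DHCPACK on 192.168.2.61 to aa:bb:cc:00:00:02 via em1
Mar 10 23:40:00 pfSense unbound: [5100:0] info: start of service (unbound 1.9.1).
"""

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (\w+)(?:\[\d+\])?: (.*)$")
ACK = re.compile(r"DHCPACK on \S+ to ([0-9a-f:]{17})")


def parse(log_text, year=2020):
    """Yield (timestamp, program, message); syslog has no year, so one is assumed."""
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), m.group(3)


def peak_restarts(events, window=timedelta(minutes=5)):
    """Return (count, first, last) for the busiest window of unbound starts."""
    recent, best = deque(), (0, None, None)
    for ts, prog, msg in events:
        if prog == "unbound" and "start of service" in msg:
            recent.append(ts)
            while ts - recent[0] > window:      # drop starts older than the window
                recent.popleft()
            if len(recent) > best[0]:
                best = (len(recent), recent[0], ts)
    return best


def chatty_clients(events, min_acks=3):
    """MAC addresses that were handed a lease at least `min_acks` times."""
    acks = Counter()
    for _, prog, msg in events:
        m = ACK.search(msg) if prog == "dhcpd" else None
        if m:
            acks[m.group(1)] += 1
    return {mac: n for mac, n in acks.items() if n >= min_acks}


if __name__ == "__main__":
    events = list(parse(SAMPLE_LOG))
    count, first, last = peak_restarts(events)
    print(f"peak: {count} unbound starts between {first} and {last}")
    print("clients with repeated leases:", chatty_clients(events))
```
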
                          • GertjanG
                            Gertjan @Raffi_
                            last edited by

                            @Raffi_ said in New, noob, just up and running and a little hiccup?:

                            I would think streaming video would have more trouble if it were an issue with the connection to ISP.

                            These services/devices tend to buffer (a lot) so hiccups pass by unseen.
                            The Internet isn't and wasn't built for real time "info" delivery. It's more a system that ensures info gets over. The 'when' part is not defined.

                            • Raffi_R
                              Raffi_ @Gertjan
                              last edited by Raffi_

                              @Gertjan said in New, noob, just up and running and a little hiccup?:

                              @Raffi_ said in New, noob, just up and running and a little hiccup?:

                              I would think streaming video would have more trouble if it were an issue with the connection to ISP.

                              These services/devices tend to buffer (a lot) so hiccups pass by unseen.
                              The Internet isn't and wasn't built for real time "info" delivery. It's more a system that ensures info gets over. The 'when' part is not defined.

                              Good point. I like to blame unbound for everything :)

                              • R
                                rhosch @Raffi_
                                last edited by

                                Wow, guys, thanks for all the responses. I will be back home this evening and will try and take a look at some of the things suggested. This is all new so staring uphill at the learning curve. Even something like "check the logs for..." is going to be slow and painful but I need to get there. :)

                                • GertjanG
                                  Gertjan @rhosch
                                  last edited by

                                  @rhosch said in New, noob, just up and running and a little hiccup?:

                                  This is all new

                                  Start with this though : it's just another router / firewall.
                                  Just because it has so many features doesn't mean you have to "do something" on every possible setup page.
                                  I've been using pfSense for a decade or so, and I haven't even visited all the possibilities, because I didn't have to.
                                  When you "un shrink wrap the box", very few settings are needed to make pfSense work for you.
                                  Changing the admin's password is one of them ^^

                                  Use something when you need it. And understand it.
                                  Wanna learn? We all have 'modern' PCs with capable OSes: launch a VM (or some old PC hanging around doing nothing - add a 5 $ NIC card and you're good), throw pfSense into it, and toy around.

                                  @rhosch said in New, noob, just up and running and a little hiccup?:

                                  o staring uphill at the learning curve

                                  Lucky you.
                                  Most of us started down hill .... with that heavy learning curve.
                                  And no GUI, just this one :

                                  [Some-RELEASE][mebeingnobody@my-device.tld - What do you want / ]  help
                                  help: Command not found.
                                  
                                  

                                  You'll make it work for you, I'm sure.

                                  • JKnottJ
                                    JKnott @netblues
                                    last edited by

                                    @netblues

                                    I have had 1 IPv6 problem with my ISP and it was solid. On the other hand, an IPv4 problem I had several years ago was intermittent. When trying to solve problems it helps to provide some useful info, such as pinging, as I did. Does it affect both protocols, etc.? A little investigation goes a long way, instead of jumping to conclusions.

                                    Incidentally, my ISP's wireless network is IPv6 only. It uses 464XLAT for IPv4 sites. On the cable side, IPTV uses IPv6 exclusively, so you can be certain problems will be noticed quickly. They've been providing native IPv6 on cable for over 4 years and via tunnel for a few years more. They've had it on the cell network for several years as well. Other than address size, the main differences between IPv6 and IPv4 are things like relying a lot more on ICMP and multicasts. The basic concepts, such as routing, work more or less the same.

                                    • N
                                      netblues @JKnott
                                      last edited by

                                      @JKnott Yes, but this is not the case everywhere. I have a ticket open affecting large portions of Vodafone's ipv6 network for two weeks now, without any resolution.
                                      I'm not against ipv6, I even see that it can do many things better.
                                      But wherever it is used in parallel with ipv4, it very often has issues that are not addressed at the same speed as ipv4 issues are.

                                      So when we get down to troubleshooting, simplification is a good approach.
                                      I hope to be alive to see the day when we will say disable ipv4 and see if it works better now.
                                      (without xlats...)

                                      • JKnottJ
                                        JKnott @netblues
                                        last edited by

                                        @netblues

                                        Incidentally, when I had that IPv6 issue, the big problem was getting the network techs to even work on it, not because it was IPv6, but because I was using my own router (pfSense). A senior tech, who came to my home verified the problem was with their network and proved the problem was with the CMTS, when he tried 4 different ones at the head end and only the one I was connected to failed. I had previously identified that CMTS by host name, by using Wireshark to examine DHCPv6-PD, as pfSense booted.

                                        • N
                                          netblues @JKnott
                                          last edited by netblues

                                          @JKnott Indeed. When they see third party equipment, it's always not their fault.
                                          And it gets worse, as they move voice to voip, on their little crappy cpe's

                                          Reverse engineer the config, get hold of sip passwords, spoof mac addresses, and after a few months, if something breaks, hell breaks loose.

                                          • JKnottJ
                                            JKnott @netblues
                                            last edited by

                                            @netblues
                                            Actually, my VoIP has been excellent, except when I had that intermittent problem. Even then I had to go far beyond what any customer should have to, to get the problem resolved. When the first tech showed up, he insisted the cable between my living room, where the cable comes in, and my "office" was bad, even though it was installed by them. He couldn't explain why it would have gone bad, when the cable from the utility room wasn't, even though it was older. Since I have two cables coming in, I was able to move things around to show the problem was not in my home. Eventually, they determined it was the cable out next to the street, where it came into my building. This was where I used the script to record the failures. What made the problem more "fun" was that it affected my Internet and phone, but not TV. I have decades of experience in telecom, computers and networks, so I have the background to work through these sorts of problems. I've even done some work for that company, among others. The average customer wouldn't have a hope.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.