Strange performance problem
-
Using 2.4.5-RELEASE-p1 (amd64)
Android phone connected via WiFi to the pfSense box
Performance is generally fine - eg:
Native/Non-VPN speeds: 168 Mbps down 202 Mbps up (ping 6 ms, jitter 2 ms, loss 0%)
ExpressVPN enabled (on the phone): 71 Mbps down 111 Mbps up (ping 7 ms, jitter 3 ms, loss 0.5%) -> OK, as expected. Obviously I suffer some performance loss over VPN. So far so good
I'm not sure what other use cases there are so I'll describe the one that hits me most:
I have a Nest doorbell (with camera) and a separate camera - I view these on my phone using the Nest app
I select the camera of interest and the app shows a timeline of thumbnail videos for the last day or two.
Now here's the weird bit:
When the VPN is running, the thumbnail videos appear quickly
But with no VPN (supposedly faster link) the videos appear excruciatingly slowly -> This is the reverse of what you would expect - why is rendering slower over a faster/unencrypted link?
I assume the traffic (video traffic, no idea what encoding) is being held up by pfSense somehow
The same traffic when encrypted would be invisible to pfSense because the payload is disguised
I'm not aware of having set up any sort of traffic shaping
I have no packages installed
Any advice would be very welcome
Thanks...
-
Does the app try to connect directly to the cameras when you're in the same subnet perhaps?
If it does and that's blocked somehow you may be hitting something.
But I imagine the actual video and hence the thumbnails are all cloud stored in which case it shouldn't make any difference.
Steve
-
The Nest app is connecting to the Nest server to download the timeline
I forgot to mention that if I turn WiFi off (so I am using cellular data) I see no lag with or without the VPN - even though the download speed is much slower than using the broadband connection
There is another example - The Reuters news app is incredibly slow to render on a direct connection, but blazingly fast when I have the ExpressVPN running
-
Solution
https://docs.netgate.com/pfsense/en/latest/services/dhcp/ipv6-ra.html
See under "DHCPv6 vs Stateless Address Autoconfiguration":
Some lightweight or mobile operating systems such as Android do not contain a DHCPv6 client and will only function on a local segment with IPv6 using SLAAC.
I changed to stateless and problem solved.
I don't completely understand but it seems that an app can seek an IPv6 address from DNS, doesn't work, times out after 10 sec and then tries IPv4 which works. Or something. But I'm sure it is more complicated than that...
Upon further investigation it seems to be well known that the Android IPv6 implementation is patchy.
I suspect there are many users out there experiencing the problem I identified without realising there is a solution or indeed a problem!
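An added example, not from this thread or from Netgate, to illustrate the fallback behaviour described in the post above: a client that connects to the AAAA answer first and only moves on to the A record after its connect timeout pays that full timeout on every new connection when its IPv6 path is broken, while a client that races both families (RFC 8305, "Happy Eyeballs") barely notices. The DNS answers, the black-holed IPv6 connect and the 10 s hang are all constructed here; no real sockets are opened.

```python
"""Added example (not from the thread): sequential IPv6-then-IPv4 fallback versus
an RFC 8305 (Happy Eyeballs) race, against a constructed, black-holed IPv6 path."""
import socket
import time
from concurrent.futures import ThreadPoolExecutor, wait, FIRST_COMPLETED

FAMILY_NAMES = {socket.AF_INET6: "IPv6", socket.AF_INET: "IPv4"}

# Constructed DNS answer for a hypothetical host, in the usual AAAA-before-A order.
CONSTRUCTED_ANSWERS = [
    (socket.AF_INET6, "2001:db8::10"),  # RFC 3849 documentation prefix (constructed)
    (socket.AF_INET, "192.0.2.10"),     # RFC 5737 TEST-NET-1 (constructed)
]


def make_blackhole_v6_connect(v6_hang=10.0, v4_delay=0.01):
    """Stand-in for socket.connect() modelling the symptom in the thread: the client
    holds an IPv6 address but has no working IPv6 path, so SYNs to the AAAA target
    vanish until the client's own timeout fires, while IPv4 answers promptly."""
    def connect(family, addr, timeout):
        if family == socket.AF_INET6:
            time.sleep(min(v6_hang, timeout))  # nothing ever comes back
            raise TimeoutError(f"connect to [{addr}] timed out after {timeout}s")
        time.sleep(v4_delay)
        return FAMILY_NAMES[family], addr
    return connect


def sequential_connect(answers, connect, timeout):
    """Naive client: try each answer in order, moving on only after a failure.
    Returns (family_name, addr, elapsed_seconds, addresses_tried)."""
    start = time.monotonic()
    last_err = None
    for tried, (family, addr) in enumerate(answers, start=1):
        try:
            name, a = connect(family, addr, timeout)
            return name, a, time.monotonic() - start, tried
        except OSError as err:  # TimeoutError is an OSError
            last_err = err      # swallow it and fall through to the next family
    raise last_err


def happy_eyeballs_connect(answers, connect, timeout, head_start=0.05):
    """RFC 8305-style client: start the first family, give it a short head start,
    then start the next family in parallel and take whichever succeeds first."""
    start = time.monotonic()
    pool = ThreadPoolExecutor(max_workers=len(answers))
    pending = set()
    try:
        for started, (family, addr) in enumerate(answers, start=1):
            pending.add(pool.submit(connect, family, addr, timeout))
            done, pending = wait(pending, timeout=head_start, return_when=FIRST_COMPLETED)
            for fut in done:
                if fut.exception() is None:
                    name, a = fut.result()
                    return name, a, time.monotonic() - start, started
        while pending:  # everything is in flight; the first success wins
            done, pending = wait(pending, return_when=FIRST_COMPLETED)
            for fut in done:
                if fut.exception() is None:
                    name, a = fut.result()
                    return name, a, time.monotonic() - start, len(answers)
        raise OSError("no address family reachable")
    finally:
        pool.shutdown(wait=False)  # don't block on the still-hanging IPv6 attempt


if __name__ == "__main__":
    connect = make_blackhole_v6_connect()
    for label, fn in (("sequential", sequential_connect),
                      ("happy eyeballs", happy_eyeballs_connect)):
        name, addr, elapsed, tried = fn(CONSTRUCTED_ANSWERS, connect, timeout=3.0)
        print(f"{label:15s}: {name} {addr} after {tried} address(es), {elapsed:.2f}s")
```

Run it directly to see the two timings side by side: the sequential client always lands on IPv4, but only after burning the whole timeout on the dead IPv6 leg, and it does that again for every fresh connection (each thumbnail, each API call). The pfSense change in the post above removes the dead leg by giving the Android client an address configuration it can actually use; the racing client shows how a well-behaved app hides the same condition when the network cannot be fixed. A useful check on any segment is whether a SLAAC-only client ends up with both a global IPv6 address and a working default route: an address without a path is the combination that produces exactly this kind of "slow on the fast link" symptom.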
-
Is it only phone apps affected? Can you visit the Nest cloud site directly from a browser on a regular PC for example?
You could be seeing an MTU issue in the route perhaps.
Steve
-
Hi Steve
I think our replies may have crossed - I have now resolved the problem - please see my reply headed "Solution"
I think this ticket can be closed
r.
-
Ah, an IPv6 issue. Yes, that can break all sorts of things in interesting ways!
Glad you found it.
-
I know IPv6 is the way to go, but it seems to cause me more problems than it's worth in various environments!
-
@erintech-0 said in Strange performance problem:
but it seems to cause me more problems than it's worth in various environments!
Agreed.. While it is the "future" there is nothing saying you have to run it if you're having issues, or you're not up to speed on how to properly secure it and use it now..
Unless there was some resource that required you have IPv6 to access, and you had to access that resource - you running IPv6 on your network is completely up to you.
Which there are none of those really..
There are many an ISP all over the globe that don't even provide it.. And to be honest many that do - it's borked anyway. So yes quite often the correct solution for you and your network might very well be to just disable its use. It is the simple solution that is for sure.
I run it on my network, and have so for many a year.. Early 2011.. But it is run in a very controlled manner. Only some of my vlans have it enabled, and only a few hosts.. And they are very much controlled and it is used in very limited fashion for testing, etc. I do not provide it to any guest sort of network or any of my wireless networks..
There is nothing wrong with just turning it off at this point in time.. No matter who around here says you should be using it ;)
Side note - my ISP currently shows as the 6th largest in the US.. And they do not support it, and I see nothing on their road map of enabling it any time soon.. And nobody really cares.. Most users have no clue as to what IPv6 even is.. Them not having it is not bothering them in the least.. And those that want to play with it (like me) - can just fire up a HE tunnel in a minute or two..
The only reason you might have need to live with it - is if your ISP was some little thing that could only provide you a cgnat IPv4.. I personally would just move to a better ISP.. But depending on what part of the globe you're in - that might be difficult.
If it's more trouble than it's worth - then shut it off and get back to it when you want.. 2 or 3 years from now you could give it another go ;) But prob still be in the same place it is now - a vast majority of devices that were using up IPv4 - mobile phones for example have gone full IPv6.. This has really slowed down the whole IPv4 apocalypse ;) And we could be in a state of dual stack for many many many years to come.. With it being used to provide IPs to the billions of devices that are mobile.. While your home and work connection don't even have it available..
-
@johnpoz said in Strange performance problem:
There is nothing wrong with just turning it off at this point in time.. No matter who around here says you should be using it ;)
Agreed. Although I believe strongly that we need to leave IPv4 behind, I see no penalty for running an IPv4 only network at the moment.
We'll see if anyone decides to argue that doing so is contributing to the downfall of humanity... ;)
-
@jwj
Oh I know who will ;) As soon as he sees this thread he will chime in that if you're not running IPv6 you're doing it wrong ;) And you're personally holding back the migration in doing so..
I too believe that at some point IPv4 will be gone.. I just don't think it will be any time soon.. I am sure I will be retired from the biz long before that is the case.. And unless I hit the lottery or something.. that is many years off still.
There are a lot of good things about it sure.. And the end of nat will be fantastic.. But there is nothing saying you need to run it if you don't want to. You're not slowing down the slow and steady migration at all that is for sure.
It's no different than any other protocol - and just like every other protocol out there, if you have no actual need of it, you shouldn't be running it.. Until such time that "you" actually require it to do something you want to do - leaving it off is the simple solution, and the more secure one.
At some point gas cars will be a thing of the past as well - doesn't mean you have to go buy an electric vehicle today.. Sure when you're looking to buy a new car 20 years from now that might be your only option. But just because that is the future - doesn't mean it's here today.
And if you want an electric car you could for sure get one - but it comes with issues that is for sure. Charging stations, limits to your range, etc. And while there are great things as well - it's not for everyone, or everywhere. Nor is it a requirement that your car be electric to drive on the road. So if you want to put it off - put it off.. Just like IPv6..
-
I mean IMO you should be trying to run IPv6 if only to become familiar with how it can fail.
And if you can do it natively on your connection you should use that. But if your ISP is supplying something broken then it's just going to be pain trying to use it. Petition them to supply you real IPv6 connectivity and use an HEnet tunnel in the mean time.
Steve
-
@johnpoz IPv6 certainly has its appeal. Everyone gets a public address and the firewall controls access. Simple.
I'll ask some questions about DHCPv6 and SLAAC and getting clients registered in local DNS so I can "see" them in my pi-hole logs like I can with IPv4 in another thread at some point in time. How to go about it without complicating the implied simplicity mentioned above. Not today though...
-
Agree completely - there are many a great thing about it. And I wish the day was here already that I could just turn off IPv4.. But that is not the case.
But me or you or a million other people using it or not using it isn't going to change how fast it gets adopted and we can turn off IPv4
Now if a million users of some ISP said - give us IPv6!!! Or we are leaving, sure you might get that ISP to enable it. But sadly there isn't anything driving that..
Maybe if some game maker like cyberpunk 2077 requirement was that you had to have IPv6 ;) You could get some normal users to complain to their ISP that they need it, or complain that their current IPv6 deployment is lacking, etc. But that is not the case now is it..
What if the new ps5 required native IPv6.. Bet you that would get some users behind moving towards it. What do you think the odds of something like that happening are? ;)
What if amazon said hey dec 31st, 2021 we are turning off IPv4 and if you're not on IPv6 you can't use us.. Or how about they even just enable its use ;) Don't tell me that amazon doesn't have the skills and resources to enable IPv6 - but it's not.. Why is that? Well because it gets them nothing currently.. It would be a lot of work, and cost a lot of money, and cause many a growing pain, training required for their IT staff, etc. etc.. There is no "need" for them to enable it at this time.. Will it come sure.. Me or you using it or not using it isn't going to speed it up..
-
@johnpoz said in Strange performance problem:
What do you think the odds of something like that happening are? ;)
Zero. How many home networks are out there with old cheap crap "routers" that want you to believe that NAT is a firewall...
So much stuff is going on. My ISP (Spectrum, formerly Time Warner) will give me a /56 prefix. Nice. But, this same ISP thinks that power cycling is the cure for all issues. Begging is required to access someone who knows their head from a hole in the ground. A lot needs to improve.