PFSense Packetloss and slow connection



  • I have here this scenario:
    PFSense 2.3.1-RELEASE-p5
    Virtualized in: VMWare VSphere Hypervisor ESXi
    16 cores processor
    4GB ram

This virtual server runs inside a Dell cluster with 4 servers, where each server has 2 Xeon Octa Core processors and about 100GB of memory (some servers have more memory, others less); each server runs about 25 virtual servers.

    Running Services:
    10x IPSec Tunnel (VPN to other units SiteToSite VPN);
    1x OpenVPN ClientToSite VPN with no more than 20 connections simultaneously;
    2 WAN's With Load Balance and Fail Over;
    10 LAN's;
    In all my LAN's I have squid active with SquidGuard applying access (content filter) policies;
    In all my LAN's I have Captive Portal active; in 8 of my 10 LAN's the Captive Portal works in transparent mode (all machines of the network are pre-configured in the captive portal so they don't need authentication - I use this to control the bandwidth of all hosts, because with squid active the limiters in the firewall don't work well); in 2 LAN's the captive portal asks for authentication on each new connection to the network, and the authentication works as: pfSense - NAP Server - AD Database;
    In all my 10 LAN's I have about 2000 hosts connected to my network simultaneously;
    Squid generates access logs for all active LAN's;
    For all my LAN's I have about 20 - 30 firewall rules that control access.
    For all LAN's I have DHCP active; some of the LAN masks are /21;

With this scenario I have a lot of packet loss, but not all the time, only at some moments, and these moments don't follow any logic.

Does someone have this problem too, or can help me with the solution? I thought about buying this pfSense hardware: https://store.pfsense.org/XG-1540/
    Is this the best hardware to solve my problem?
    I live in Brazil, and here this hardware is very expensive. I have one other option: buy one Dell server with 16GB RAM and 2 Xeon Octa Core processors for about half the price of the pfSense hardware, install pfSense on it, and dedicate this server to running pfSense.
    What is the best way?



  • nothing? :( my network is too slow



  • When reading your summary it is clear to me that changing hardware will not change anything.

    Your setup is broken. Fix your overcomplicated situation (start from scratch)

Using captive portal to limit bandwidth for squid on 8 interfaces for 2k users = recipe for disaster



  • @heper:

    When reading your summary it is clear to me that changing hardware will not change anything.

    Your setup is broken. Fix your overcomplicated situation (start from scratch)

Using captive portal to limit bandwidth for squid on 8 interfaces for 2k users = recipe for disaster

So, do you have another way to limit bandwidth for network-connected hosts with squid active in transparent mode? (I have to use transparent mode, because in our network most users are students, and we can't configure their machines to work with an authenticated proxy (mainly because if we do this, their machines won't work in other networks). Their machines do not work inside our domain controller (AD).)



  • I'd use traffic shaping to control the big stuff.

I'd use captive portal for one-offs.



  • @W4RH34D:

    I'd use traffic shaping to control the big stuff.

I'd use captive portal for one-offs.

Here I don't use traffic shaping; do you have a good tutorial to configure it?



  • Sorry for late reply, didn't know there was one.

    No I don't have a tutorial but it is pretty simple.

    I'd recommend getting the book, though.

Add a captive portal to the interface you're using.
    Add your devices that do not need to be bounce checked in the MAC section.
    Any device not on the whitelist on the interface will be sent to the captive portal page if you want, but you also have the ability there to limit the bandwidth.
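As an added example (not from any poster in this thread): a small Python audit over a constructed pfSense config.xml fragment that lists, per captive portal zone, the MAC passthrough entries that skip portal authentication without an up/down bandwidth cap, which is the gap the steps above leave open when the limit fields are left empty. The element names (`captiveportal`, `passthrumac`, `action`, `bw_up`, `bw_down`) follow the pfSense 2.3 config.xml layout as I understand it and are an assumption; check them against one of your own configuration backups.

```python
import xml.etree.ElementTree as ET

# Constructed sample config: one captive portal zone with three MAC passthrough
# entries. Element names assume the pfSense 2.3 config.xml layout (bw_* in kbit/s).
SAMPLE_CONFIG = """<pfsense>
  <captiveportal>
    <students>
      <zone>students</zone>
      <interface>opt1</interface>
      <passthrumac>
        <action>pass</action>
        <mac>00:11:22:33:44:55</mac>
        <bw_up>512</bw_up>
        <bw_down>2048</bw_down>
        <descr>lab-pc-01</descr>
      </passthrumac>
      <passthrumac>
        <action>pass</action>
        <mac>66:77:88:99:aa:bb</mac>
        <descr>lab-pc-02 (no limits set)</descr>
      </passthrumac>
      <passthrumac>
        <action>block</action>
        <mac>de:ad:be:ef:00:01</mac>
        <descr>blocked device</descr>
      </passthrumac>
    </students>
  </captiveportal>
</pfsense>"""


def unlimited_passthrough(config_xml):
    """Return {zone_name: [mac, ...]} for 'pass' entries lacking bw_up or bw_down."""
    root = ET.fromstring(config_xml)
    cp = root.find("captiveportal")
    findings = {}
    for zone in (cp if cp is not None else []):        # one child element per zone
        name = zone.findtext("zone", default=zone.tag)
        for entry in zone.findall("passthrumac"):
            if entry.findtext("action") != "pass":     # blocked MACs never get a limiter
                continue
            # A passthrough MAC bypasses authentication; without both caps it
            # also bypasses the per-host limiter the portal would install.
            if not entry.findtext("bw_up") or not entry.findtext("bw_down"):
                findings.setdefault(name, []).append(entry.findtext("mac"))
    return findings


if __name__ == "__main__":
    for zone, macs in unlimited_passthrough(SAMPLE_CONFIG).items():
        print(f"zone {zone}: passthrough MAC(s) without bandwidth limits: {', '.join(macs)}")
```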



  • No I don't have a tutorial but it is pretty simple.

    :o  IMO traffic shaping is one of the hardest concepts to understand, especially if your use case is outside what the wizard supports.

