Netgate Discussion Forum

Upload Tests Fail - New install

  • derrick4real
    last edited by Jan 2, 2017, 9:43 PM

    Uploads are failing when using speedtest.net (or similar) and I can't figure out why. When I disable the firewall it works.

    This is a new install with only the default firewall rules enabled. When I route traffic around pfSense or when I disable the firewall (using it as a router only) the upload test works fine.

    I thought it had something to do with dropping fragmented packets but I'm not so sure. I checked "Do-Not-Fragment compatibility" but this didn't make a difference although I don't think it's related to this.

    Wireshark capture shows packets leaving my browser are being fragmented during the upload test but no related firewall rules appear to be hit when I look at the firewall logs.

    Any ideas?

    New install (2.3.2-RELEASE-p1 (amd64)), testing with IPv4.

    Thanks!

    • hendersonmc
      last edited by Jan 2, 2017, 10:46 PM Jan 2, 2017, 10:15 PM

      Select the Rules item from the Firewall menu.
      Select the LAN link to display rules for your LAN
      Create a new rule at the top of your rules using the [^Add] button.
      Change Address Family to "IPv4+IPv6"
      Change Protocol to "any"
      Change Source to "LAN net"
      Type into the Description field "All LAN traffic"
      Click [SAVE]
      Click on [APPLY]

      You now have (at least) one rule that will pass traffic from home to the internet the same way most home WiFi routers operate.

      Now add two more rules.

      Create a new rule at the top of your rules using the [^Add] button.
      Change Source to "LAN net"
      Change Destination port range to "HTTP (80)"
      Type into the Description field "LAN TCP HTTP traffic"
      Click [SAVE]

      Create a new rule at the top of your rules using the [^Add] button.
      Change Protocol to "UDP"
      Change Source to "LAN net"
      Change Destination port range to "UDP (53)"
      Type into the Description field "LAN UDP DNS traffic"
      Click [SAVE]

      Click on [APPLY]

      You now have two rules that appear above the "All LAN traffic" rule, so the firewall considers them first. It then passes packets matching these rules to the internet, so the "All LAN traffic" rule has fewer packets to process.

      The goal is to add rules for trusted protocols until the final rule gets only a few packets to consider. You can monitor that your rules are matching packets by looking at the label View of the pfTop diagnostic.

      You then change that rule to Block instead of Pass traffic and enable the logging feature of the rule.

      • derrick4real
        last edited by Jan 3, 2017, 1:38 AM

        Thanks for the response! Unfortunately, the first rule didn't make a difference.

        And I'm noticing now that a browser-based chat service to which I'm connected and another app that streams TCP data constantly can't stay connected more than about a minute before timing out. When I reconnect all is well for another ~60 seconds.

        Here's my setup. I actually have three interfaces: WAN, OAM and LAN but OAM is disabled. WAN gets IP from DHCP, LAN is set statically.

        WAN has no firewall rules. LAN only has the one I posted below that came from you.

        The client I'm connecting with gets IP via DHCP with the LAN IP as the default gateway (10.0.1.2).

        One unique setup I have (although I don't know why it would matter) is that pfSense is behind another router that is the real connection to the Internet. It's set up like this while I get this configuration sorted out. So it's:

        Windows-Client: 10.0.1.73 DHCP --> pfSense: 10.0.1.2 Static LAN --> 10.0.1.214 DHCP WAN --> Router (ap-office): 10.0.1.1 Static --> Public IP

        • chpalmer
          last edited by Jan 3, 2017, 3:00 AM

          Your WAN and LAN appear to be the same subnet.

          That won't work.

          Triggering snowflakes one by one..
          Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

          • derrick4real
            last edited by Jan 4, 2017, 4:59 AM

            That was it! Funny it works fine for a while and then stops.

            I changed WAN to the actual WAN network and now all is well.

            Thanks for the help!
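
The subnet overlap diagnosed in this thread can be checked mechanically before a firewall goes into service. The following is an added example, not part of any post: it uses the addresses quoted above, assumes a /24 prefix length (the thread never states the netmask), and compares them with a constructed non-overlapping layout.

```python
import ipaddress
from itertools import combinations

# Addresses as posted in the thread. The /24 prefix length is an assumption:
# the posts never state the netmask.
THREAD_INTERFACES = {"WAN": "10.0.1.214/24", "LAN": "10.0.1.2/24"}
THREAD_HOSTS = {"Windows-Client": "10.0.1.73", "Router (ap-office)": "10.0.1.1"}

# Constructed non-overlapping layout for comparison (not from the thread).
SEPARATED_INTERFACES = {"WAN": "198.51.100.10/24", "LAN": "192.168.1.1/24"}


def _networks(interfaces):
    return {name: ipaddress.ip_interface(addr).network
            for name, addr in interfaces.items()}


def overlapping_interfaces(interfaces):
    """Return (name_a, name_b, shared_range) for each pair of overlapping subnets."""
    found = []
    for (a, net_a), (b, net_b) in combinations(sorted(_networks(interfaces).items()), 2):
        if net_a.overlaps(net_b):
            # The more specific prefix is the range both interfaces claim.
            shared = net_a if net_a.prefixlen >= net_b.prefixlen else net_b
            found.append((a, b, str(shared)))
    return found


def ambiguous_hosts(interfaces, hosts):
    """Map each host to the interfaces that consider it directly connected,
    keeping only hosts claimed by more than one interface."""
    nets = _networks(interfaces)
    result = {}
    for host, addr in hosts.items():
        ip = ipaddress.ip_address(addr)
        claimed_by = sorted(name for name, net in nets.items() if ip in net)
        if len(claimed_by) > 1:
            result[host] = claimed_by
    return result


if __name__ == "__main__":
    print(overlapping_interfaces(THREAD_INTERFACES))
    print(ambiguous_hosts(THREAD_INTERFACES, THREAD_HOSTS))
    print(overlapping_interfaces(SEPARATED_INTERFACES))
```

With the thread's addresses, both the client and the upstream router are on-link for WAN and LAN at once, so the firewall has no single correct interface for reaching either of them.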
