Throughput on Gigabit Internet & WebUI intermittently available via LAN?

Bear

Using Intel Gigabit NICs on a PCIe bus, and a quad core sandy bridge i5 2500k with 8GB of RAM, 2 Samsung SSDs in RAID-1.  I pull about 525/450 on my gigabit connection through my PFSense filtered bridge.  When I connect directly to the modem, I pull 920/930 or thereabouts.

No traffic shaping, I am running OpenVPN (but this is without clients and not over the VPN).  Running a filtered bridge between the cable modem and my internal so my firewall rules work.

Been driving me batty - Anyone able to lend a helping hand?  I can provide more information if anyone things it'd help.

Another weird thing is that my web interface is only intermittently available over my LAN connection…sometimes it just doesn't respond.

Thanks!
Bear

Harvy66

Could you post the System Activity? Both idle and during one of your speed tests.

Bear

First is no load, next is with speedtest.


Bear

I'm about to junk PFSense.  Again, I keep getting intermittent access denials to my web interface and I don't know why.

If I plug into the cable modem, I get my full bandwidth.  Using Intel PCIe gigabit NICs, I -INTERMITTENTLY- get half the throughput that I should.  I don't know why this is, and I haven't been able to get any help.

I'd gladly pay for a support contract if I knew that two incidents would cover this issue…but I'm not thinking that's the case.

All CPU/RAM usage is low, I'm getting no errors on the NICs, plugging a system directly into the Intel NIC, bypassing the switch makes no difference in performance.  Once in a while, PFsense will pass the full bandwidth...then for no reason at all, it gets halved.  Sometimes worse than halved.  Each time, I do a check directly at the RG, and the bandwidth is 100% there.

Does anyone have any ideas what might be going on?  I've been using PFSense for years, and m0n0wall before that, but if I can't get to the root of this issue, it may be time for another package.

w0w

What is ISP connection type, PPPoE?
When pfSense connected to modem, is it in bridge mode?

Bear

RG isn't in bridge mode.  It's UVerse Fiber, so I'm not sure of the specific type.  I've got static IPs that are assigned manually on the LAN side of the filtered bridge with the WAN side's gateway set to the RG.

Let me know what other info's relevant, and thanks for the response. :)

keyser

Have you tried to disable all hardware offload on the NiC's under SYSTEM -> ADVANCED -> NETWORKING?

Mine have very strange behaviour if i have hardware checksumming offload enabled.

Bear

@keyser:

Have you tried to disable all hardware offload on the NiC's under SYSTEM -> ADVANCED -> NETWORKING?

Mine have very strange behaviour if i have hardware checksumming offload enabled.

Yes I have.  And I increased the MBUFs.  On or off makes no difference.

keyser

Hmm, well then it's probably link/duplex related. Seen it more than I'd care to remember.

Have you tried plugging your modem directly into you switch and then test directly with your desktop connected to the switch (no pfsense in the chain)? This way we know if the switch can handle the link/duplex of your modem.
If it can, then plug your PFsense into the switch and then your desktop directly into to the other NIC of your pfsense.

This test will show if your pfsense NiC has link/duplex issues wih the modem. The test relies on hoping your pfsense have no such issues with your switch  :)

Bear

@keyser:

Hmm, well then it's probably link/duplex related. Seen it more than I'd care to remember.

Have you tried plugging your modem directly into you switch and then test directly with your desktop connected to the switch (no pfsense in the chain)? This way we know if the switch can handle the link/duplex of your modem.
If it can, then plug your PFsense into the switch and then your desktop directly into to the other NIC of your pfsense.

This test will show if your pfsense NiC has link/duplex issues wih the modem. The test relies on hoping your pfsense have no such issues with your switch  :)

I've plugged my system directly into PFSense's LAN side and still had throughput issues.  I haven't tried with the switch directly connected though.  From my understanding, duplex shouldn't be an issue since I'm running all gigabit connections from the modem, WAN, and LAN sides.

keyser

Well yes and no. I'm questioning the LINK stability of your PFsense Intel NiC to the Modem NIC (usually some very cheap crap NiC).
By inserting a switch you may be able to solve any issues there. I have seen similiar problems more than once - leading me to create a 2 port VLAN on the switch for the WAN link and the PFsense WAN nic.
That has solved it more than once for me.

Bear

@keyser:

Well yes and no. I'm questioning the LINK stability of your PFsense Intel NiC ti the Modem NIC (usually some very cheap crap NiC).
By inserting a you may be able to solve any issues there. I have seen similir problems more than once - leading me to create a 2 port VLAN on the switch for the WAN link and the PFsense WAN nic.
That has solved it more than once for me.

By inserting a what? :)  Switch?  You're thinking that if I just put a switch (or VLAN) between the RG and the Intel NIC on the PFSense box, this may resolve the issue?  Wouldn't link stability issues manifest themselves in errors on an interface?

keyser

That's exactly what i'm propossing.

Most likely the interface errors that occurs happens on the crap nic in the modem. And i'm guessing you have no access to counters on that interface?

Just try it out. Like I said, it has solved issues for me more than once,

keyser

You just need to verify the switch works correctly by testing with your desktop directly connected to the switch first (no pfsense). That way we can effectively rule out link issues with the modem NIC before pfsense is introduced into the equation.

w0w

https://forum.pfsense.org/index.php?topic=104947.0
Can be related to ISP.

Bear

Took PFSense out of the equation, and things did improve a bit.

I've migrated from using the RG in router mode to pass-through with the WAN address MAC now being assigned the RG's IP via DHCP.

So that much is working.  Throughput is still not where it ought to be.  So next step is to possibly replace my TPLink 24-port Gigabit switch with a Cisco 24-port to see if that helps.

Though all of this created a new problem with my OpenVPN install no longer working, even after I changed its IP and created new certs for OpenVPN Connect.  Posted in the OpenVPN section on issues I've got there now…OpenVPN Connect will authenticate to the firewall, but then has access to nothing.