L3 Traffic on LAN via pfSense GW very slow

  • Hi there,

    I am struggling with inter lan traffic.
    pfSense is setup as a router between several vlans on the lan interface.
    When connecting to services (e.g. FTP) between VLXX and VLXY, speeds are 0.0kbit with peaks up to 70kbit. After a certain time, the connection times out.
    I also setup an iperf server on the pfsense and tested speeds from source to GW and from destination to GW and achieved speeds at nearly 1GBit.
    Testing speeds between source and destination via pfsense GW is as already mentioned 0.0kbit and then connection finaly gets dropped.
    ICMP is good though - no timeouts. Even RDP sessions can be established.

    What I have done so far:
    I already disabled Hardware TCP Segmentation Offloading, which stabilized RDP connections.
    I am bypassing the proxy for traffic from private address spaces.
    Firewall rules are for routed traffic and interfaces are all allowed. No logs in the Firewall.
    Further there is a captive portal running. All routed subnets are configured as "Allowed IP Addresses" with bidirection traffic enabled.

    pfsense is running on VMware 6.5 with vmxnet3 nics and drivers. VMware tools are installed and running.
    CPU usage is also within normal ranges : 4CPUs
    All links are 1000mbit FDx

    Connection via L2 (no pfsense routing involved) is perfect. So it must be something on the pfsense, causing this.

    Any suggestions welcome!

  • LAYER 8 Global Moderator

    so your running vlans into pfsense single interface that is hosed on esxi?  Did you set 4095 on the vswitch

    Is your traffic to other VMs or to physical world..  A layout of your your connections in the virtual network and how that is connected to real world would help.  I run somewhat sim setup with intervlan traffic on esxi that is routed by pfsense VM.  Running on vmware 6.5..

    What vmware tools did you install - did you install the native vmware tools on pfsense?  What version of pfsense are you running.  Pfsense going back I think to 2.2 has had native support for vmxnet3..  There is really no use to install the native vlan tools - and causes issues if actually installed.  Just install the vmware tools package in pfsense packages.

  • Traffic is affected between physical and virtual, and virtual to virtual.
    I wasn't that confident about changing the vmware tools package and tried something else.

    In the Firewall Rules for this network, I adjusted the advanced options for TCP flags and set them to Any Flags and the State Type to Sloppy.
    Believe it or not, this fixed the problem.
    I am not 100% sure by what this TCP problem is caused (have captured the traffic with wireshark) but it must be related to TCP SYN+ACK.
    The ACK flag for whatever reason is not received and then connection gets disconnected - saw this also in wireshark.

    Thanks for help anyway!

  • LAYER 8 Global Moderator

    you got some sort of asymmetrical issue if your not seeing the full handshake and then traffic would be my guess.

    Setting state to sloppy is not something you should have to do.

    Can you layout your connectivity - how many vswitches?  How many physical interfaces - what is the setting do you have on the vswitch that has tagged vlans?

Log in to reply