Slow performance when routing between 2 pfsenses and weird issue
-
Hello!
I've got a very weird issue. It all started when trying to install a new Citrix version (XenDesktop 7.14): the unattended install wasn't working anymore, while it was working with the previous version 7.13. So I thought the issue was with version 7.14, but after digging it is related to the network, and more specifically this issue occurs when I route the traffic through 2 pfSenses. All my pfSenses (2.4) are virtual, running on Hyper-V 2016; I can give more details on my config if needed. I have attached ctx7_14.jpg, which describes the issue: if I bypass 1 pfSense router it works. It is probably related: I notice the throughput/performance is terrible when going through the 2 pfSense routers, maybe version 7.14 is more sensitive to this. From the same VM, when using the double hop (red line in diagram), I've got ~1.5 MB; when using 1 hop (green line), I've got ~50 MB.
I'm probably doing something wrong, but I am not sure what! Any pointer? :)
Thanks in advance,
Julien
-
I think I pinned down the issue to having the 2 gateways in the same subnet (10.20.0.10 (client) -> || 10.20.0.250 (gw pf1) || -> || 10.20.0.254 (gw pf2) -> 172.16.30.250 (gw pf2) || -> 172.16.30.3 (client)) => bad perf but still working.
I tested with copying some data through 2 gateways in a different subnet (10.20.0.10 (client) -> || 10.20.0.250 (gw pf1) -> 10.10.1.250 (gw pf1) || -> || 10.10.1.251 (gw pf2) -> 10.30.0.250 (gw pf2) || -> 10.30.0.10 (client)), exact same infrastructure, and this time the perf is normal.
Maybe routing through 2 gateways in the same subnet is not supported by pfSense, or in general? It is in my lab so I could change the design to avoid this situation, I am just trying to understand the why, thanks! :)
-
"Maybe routing through 2 gateways in the same subnet is not supported by pfSense, or in general?"
Huh?? Why would you ever do such a thing anyway? Are you wanting to set up an HA setup? Do your "gateways" have routes/connections to different networks?
For the life of me, from your drawing it looks like you have your pfSenses in serial, so your bottom pfSense LAN network is the same as its WAN network? But it sounds like you have them in the same layer 2? Is your drawing a logical drawing or a physical drawing? What IPs/networks do you have on your different pfSense interfaces? Are they NATting between these RFC 1918 networks? If so, why?
What are the routes you have on your Citrix sources on top and the Citrix box on the bottom in the 10.20.0/24 network?? Is the attached what you have set up?
-
Hi! Thanks for helping.
It is because I've got different routes for different networks. 1 pfSense (10.20.0.254) is my core pfSense; it has access to all my networks and especially to the Citrix sources 172.16.30.0/24 subnet.
The other pfSense (10.20.0.250) is used to simulate a data center (my LAB). I've got another one (10.30.0.250) for a 2-data-center lab (it is between those 2 pfSenses that I did this test: "I tested with copying some data through 2 gateways in a different subnet (10.20.0.10 (client) -> || 10.20.0.250 (gw pf1) -> 10.10.1.250 (gw pf1) || -> || 10.10.1.251 (gw pf2) -> 10.30.0.250 (gw pf2) || -> 10.30.0.10 (client)), exact same infrastructure, and this time the perf is normal.").
My diagram was logical, it was purely to show the gateway hops. I've got a separate WAN (different virtual NIC assigned to it) for my pfSense LABs but it is not used. The gateways 10.20.0.250 and 10.20.0.254 are in the same VLAN, same layer 2. NAT is disabled on my lab network but not on my core (default settings); I don't think NAT is used (I didn't set it up) for RFC 1918 but I'll double check this.
On the Citrix sources, I've got only a default gateway set up, 172.16.30.250; it is the one on my pfSense core.
For the Citrix on the bottom, 10.20.0.10, it is 10.20.0.250 (on my pfSense lab); in this conf that's where I've got the issue, the red line in my logical diagram. If I add a static route for 172.16.30.0 through 10.20.0.254 (my pfSense core) it works, the green line in my diagram. In your diagram, 10.20.0.250 doesn't have access to the 172.16.30.0 network, that's why I initially did that. But I could change the design by giving it access, that's possible! Once again I am trying to understand what's going on :)
Thx again for your help, and if you need more info, let me know; hopefully I am clear enough.
-
Sorry, but no, you're not being clear at all - please draw your network as you have it set up..
-
OK, see the diagram attached, hopefully now it will make more sense to you.
The description below is the green line in my diagram:
The other pfSense (10.20.0.250) is used to simulate a data center (my LAB). I've got another one (10.30.0.250) for a 2-data-center lab (it is between those 2 pfSenses that I did this test: "I tested with copying some data through 2 gateways in a different subnet (10.20.0.10 (client) -> || 10.20.0.250 (gw pf1) -> 10.10.1.250 (gw pf1) || -> || 10.10.1.251 (gw pf2) -> 10.30.0.250 (gw pf2) || -> 10.30.0.10 (client)), exact same infrastructure, and this time the perf is normal."). The red line is where I've got the perf issue.
Thanks!
-
Ok, this drawing makes it more clear.. If you're having problems with different paths then my first guess would be asymmetrical. You're taking 1 path to get there, and another path to get back..
And your drawing is out of whack.. You have 10.30.0.250 on your pf lab B connected to the server, and then the same network on the pfSense core interface? And then the same sort of issue on your pf lab B.. Where are the transit networks between them.. They could be the same transit network vs this VLAN 200 and VLAN 300. But it looks like you're putting the networks on both sides? What is the transit network that connects pf A and B to the core? You have your transit that connects them as 10.10.1.250 and .251, VLAN 101. Where is the transit for VLAN 200 and 300?
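The asymmetric-routing guess above can be checked on paper before touching the lab. The following is an added example, not code from any poster or from pfSense: it models the routing tables implied by the thread (client 10.20.0.10 defaulting to pf lab A at 10.20.0.250, pf lab A with a static route for 172.16.30.0/24 via the core at 10.20.0.254, the core directly attached to both 10.20.0.0/24 and 172.16.30.0/24, and the 10.10.1.0/24 transit case from the earlier post) and traces the forward and return path of one connection. The exact route entries are an assumption reconstructed from the posts; any stateful firewall that appears on only one of the two paths will see half of every TCP conversation, which is the classic cause of "works, but crawls".

```python
import ipaddress

# Constructed topologies (assumption: route tables reconstructed from the thread).
# Each node: "ifaces" = its own addresses, "routes" = [(prefix, next_hop)],
# where next_hop None means the prefix is directly connected.

def build_topology_same_subnet():
    """Red line: both gateways live in 10.20.0.0/24, core is also on that subnet."""
    return {
        "client":  {"ifaces": ["10.20.0.10"],
                    "routes": [("10.20.0.0/24", None), ("0.0.0.0/0", "10.20.0.250")]},
        "pf_labA": {"ifaces": ["10.20.0.250"],
                    "routes": [("10.20.0.0/24", None), ("172.16.30.0/24", "10.20.0.254")]},
        "pf_core": {"ifaces": ["10.20.0.254", "172.16.30.250"],
                    "routes": [("10.20.0.0/24", None), ("172.16.30.0/24", None)]},
        "server":  {"ifaces": ["172.16.30.3"],
                    "routes": [("172.16.30.0/24", None), ("0.0.0.0/0", "172.16.30.250")]},
    }

def build_topology_transit():
    """Green line: lab A and lab B joined by a dedicated transit net 10.10.1.0/24."""
    return {
        "client":  {"ifaces": ["10.20.0.10"],
                    "routes": [("10.20.0.0/24", None), ("0.0.0.0/0", "10.20.0.250")]},
        "pf_labA": {"ifaces": ["10.20.0.250", "10.10.1.250"],
                    "routes": [("10.20.0.0/24", None), ("10.10.1.0/24", None),
                               ("10.30.0.0/24", "10.10.1.251")]},
        "pf_labB": {"ifaces": ["10.10.1.251", "10.30.0.250"],
                    "routes": [("10.10.1.0/24", None), ("10.30.0.0/24", None),
                               ("10.20.0.0/24", "10.10.1.250")]},
        "server":  {"ifaces": ["10.30.0.10"],
                    "routes": [("10.30.0.0/24", None), ("0.0.0.0/0", "10.30.0.250")]},
    }

def lookup(node, dst):
    """Longest-prefix match over one node's table; returns (network, next_hop)."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in node["routes"]:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best

def owner_of(topo, addr):
    """Which node holds this address on one of its interfaces."""
    for name, node in topo.items():
        if addr in node["ifaces"]:
            return name
    raise LookupError(f"no node owns {addr}")

def trace(topo, src_name, dst, max_hops=16):
    """Node names a packet traverses from src_name to the host owning dst."""
    path = [src_name]
    node = topo[src_name]
    for _ in range(max_hops):
        if dst in node["ifaces"]:
            return path
        _, next_hop = lookup(node, dst)
        # Directly connected prefix: hand the packet to the destination host itself.
        nxt = owner_of(topo, dst) if next_hop is None else owner_of(topo, next_hop)
        path.append(nxt)
        node = topo[nxt]
    raise RuntimeError("routing loop or path too long")

def asymmetric_firewalls(topo, client, client_ip, server, server_ip):
    """Return (forward_path, return_path, routers seen on only one direction).

    A stateful firewall listed in the third element never sees the other half
    of the conversation, so its state table cannot match the reply packets."""
    fwd = trace(topo, client, server_ip)
    rev = trace(topo, server, client_ip)
    only_one_way = set(fwd[1:-1]) ^ set(rev[1:-1])
    return fwd, rev, sorted(only_one_way)

if __name__ == "__main__":
    for label, topo, srv_ip in (("same-subnet (red line)", build_topology_same_subnet(), "172.16.30.3"),
                                ("transit (green line)", build_topology_transit(), "10.30.0.10")):
        fwd, rev, bad = asymmetric_firewalls(topo, "client", "10.20.0.10", "server", srv_ip)
        print(f"{label}: forward {' -> '.join(fwd)} | return {' -> '.join(rev)}")
        print("  firewalls seeing only one direction:", bad or "none")
```

In the same-subnet model the forward path is client -> pf_labA -> pf_core -> server, but the return path is server -> pf_core -> client, because the core is itself attached to 10.20.0.0/24 and has no reason to hand the reply back to pf lab A. pf lab A therefore sees the SYN and the client's ACKs but never the SYN-ACK or the data coming back, which is exactly the condition that makes a stateful pf firewall drop or mangle part of a flow. The transit model, with a dedicated 10.10.1.0/24 link between the two lab firewalls, produces the same path in both directions, matching the "perf normal" result reported earlier in the thread.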
-
I'll check for the asymmetrical; it would mean that the 10.20.0.250 GW is bypassed on the return traffic, why not …
My diagram is messy, really? :( I've uploaded a new version showing the physical links and a couple of updates to make it clearer. I've got 3 physical NICs, 1 for the core, 1 for LAB A and 1 for LAB B. The ports are set to trunk mode with the correct allowed VLANs.
The slowness is from 10.20.0.250 (red line) or from 10.30.0.250 (yellow line); both LABs use the same configuration, so it makes sense they have the same issue.
LAB A and LAB B talk to each other using VLAN 101; when copying data this way (green line), I have no performance issue, it works well. There is a static route set in pfSense LAB A for 172.16.30.0/24 to use the core gateway 10.20.0.254; the LAB A gateway is 10.20.0.250 (VLAN 200), same for LAB B (VLAN 300). LAB A and LAB B can't talk to each other through the core, I don't want it; it is only to give access to my Citrix sources.
Hopefully this clarifies the situation.