Netgate Discussion Forum
    Slow performance when routing between 2 pfsenses and weird issue

      fwj

      Hello!
      I've got a very weird issue. It all started when trying to install a new Citrix version (XenDesktop 7.14): the unattended install wasn't working anymore, although it was working with the previous version, 7.13. So I thought the issue was with version 7.14, but after digging, it is related to the network; more specifically, this issue occurs when I route the traffic through 2 pfsenses. All my pfsenses (2.4) are virtual, running on Hyper-V 2016. I can detail my conf more if needed.

      I have attached ctx7_14.jpg, which describes the issue: if I bypass 1 PfSense router, it works. It is probably related: I notice the throughput/performance is terrible when going through the 2 PfSense routers; maybe version 7.14 is more sensitive to this. From the same VM, when using the double hop (red line in diagram), I've got ~1.5 MB; when using 1 hop (green line), I've got ~50MB.

      I'm probably doing something wrong, but I am not sure what! Any pointer? :)

      Thanks in advance,
      Julien
      Ctx7_14.jpg

        fwj

        I think I pinned down the issue to having the 2 gateways in the same subnet (10.20.0.10 (client) -> ||10.20.0.250 (gw pf1) || -> || 10.20.0.254 (gw pf2) -> 172.16.30.250 (gw pf2) || -> 172.16.30.3 (client)) => bad perf but still working.

        I tested with copying some data through 2 gateways in a different subnet (10.20.0.10 (client) -> || 10.20.0.250 (gw pf1) -> 10.10.1.250 (gw pf1) || -> ||10.10.1.251 (gw pf2) -> 10.30.0.250 (gw pf2) || -> 10.30.0.10 (client)), exact same infrastructure, and this time the perf is normal.

        Maybe routing through 2 gateways in the same subnet is not supported by pfsense or in general? It is in my lab so I could change the design to avoid this situation, I am just trying to understand the why, thanks! :)

          johnpoz LAYER 8 Global Moderator

          "Maybe routing through 2 gateways in the same subnet is not supported by pfsense or in general? "

          Huh??  Why would you ever do such a thing anyway?  Are you wanting to set up an HA setup? Do your "gateways" have routes/connections to different networks?

          For the life of me, from your drawing it looks like you have your pfsense in serial, so your bottom pfsense lan network is the same as its wan network?  But it sounds like you have them in the same layer 2?  Is your drawing a logical drawing or a physical drawing?  What IPs/network do you have on your different pfsense interfaces?  Are they natting between these rfc1918 networks?  If so why?

          What are the routes you have on your citrix sources on top and the citrix box on the bottom in the 10.20.0/24 network??  Is the attached what you have setup?

          yoursetup.png

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

            fwj

            Hi! Thanks for helping.

            It is because I've got different routes for different networks. 1 pfsense (10.20.0.254) is my core PfSense, it has access to all my networks and especially to the Citrix sources 172.16.30.0/24 subnet.

            The other PfSense (10.20.0.250) is used to simulate a data center (my LAB), I've got another one (10.30.0.250) for a 2 data center lab (it is between those 2 pfsenses that I did this test "I tested with copying some data through 2 gateways in a different subnet (10.20.0.10 (client) -> || 10.20.0.250 (gw pf1) -> 10.10.1.250 (gw pf1) || -> ||10.10.1.251 (gw pf2) -> 10.30.0.250 (gw pf2) || -> 10.30.0.10 (client)), exact same infrastructure, and this time the perf is normal.")

            My diagram was logical, it was purely to show the gateway hops. I've got a separate WAN (different virtual NIC assigned to it) for my pfsense LABs but it is not used. The gateways 10.20.0.250 and 10.20.0.254 are in the same VLAN, same layer 2. NAT is disabled on my lab network but not on my core (default settings), I don't think NAT is used (I didn't set it up) for rfc1918 but I'll double check this.

            On the citrix sources, I've got only a default gateway set up, 172.16.30.250, it is one on my PfSense core.
            For the Citrix on the bottom, 10.20.0.10, it is 10.20.0.250 (on my pfsense lab), in this conf that's where I've got the issue, the red line in my logical diagram. If I add a static route for 172.16.30.0 through 10.20.0.254 (my PfSense core) it works, the green line in my diagram.

            In your diagram, 10.20.0.250 doesn't have access to the 172.16.30.0 network, that's why I initially did that. But I could change the design by giving it access, that's possible! Once again I am trying to understand what's going on :)

            Thx again for your help and if you need more info, let me know, hopefully I am clear enough.

              johnpoz LAYER 8 Global Moderator

              Sorry but no, you're not being clear at all - please draw your network as you have it set up..


                fwj

                OK, see the diagram attached, hopefully now it will make more sense to you.

                The description below is the green line in my diagram:
                The other PfSense (10.20.0.250) is used to simulate a data center (my LAB), I've got another one (10.30.0.250) for a 2 data center lab (it is between those 2 pfsenses that I did this test "I tested with copying some data through 2 gateways in a different subnet (10.20.0.10 (client) -> || 10.20.0.250 (gw pf1) -> 10.10.1.250 (gw pf1) || -> ||10.10.1.251 (gw pf2) -> 10.30.0.250 (gw pf2) || -> 10.30.0.10 (client)), exact same infrastructure, and this time the perf is normal.")

                The red line is where I've got the perf issue.

                Thanks!

                Pfsense_issue.jpg

                  johnpoz LAYER 8 Global Moderator

                  Ok, this drawing makes it more clear.. If you're having problems with different paths then my first guess would be asymmetrical.  You're taking 1 path to get there, and another path to get back..

                  And your drawing is out of whack.. You have 10.30.0.250 on your pf lab b connected to server and then the same network on the pfsense core interface? And then the same sort of issue on your pf lab b..  Where are the transit networks between them.. They could be the same transit network vs this vlan 200 and vlan 300.  But it looks like you're putting the networks on both sides?  What is the transit network that connects pf A and B to the core?  You have your transit that connects them as 10.10.1.250 and .251 vlan 101.  Where is the transit for vlan 200 and 300?


                    fwj

                    I'll check for the asymmetrical, it would mean that the 10.20.0.250 GW is bypassed on the return traffic, why not …

                    Messy my diagram, really? :( I've updated a new version showing the physical links and a couple of updates to make it clearer. I've got 3 physical NICs, 1 for the core, 1 for LAB A and 1 for LAB B. The ports are set to trunk mode with correct allowed VLANs.

                    The slowness is from 10.20.0.250 (red line) or from 10.30.0.250 (yellow line), both LABs use the same configuration, it makes sense they have the same issue.
                    LAB A and LAB B talk between each other using VLAN 101, when copying data this way (green line), I have no performance issue, it works well.

                    There is a static route set in pfsense LAB A for 172.16.30.0/24 to use the core gateway 10.20.0.254, the LAB A gateway is 10.20.0.250 (VLAN 200), same for LAB B (VLAN 300). LAB A and LAB B can't talk to each other through the core, I don't want it, it is only to give access to my Citrix sources.

                    Hopefully it clarifies the situation.

                    Pfsense_design_issue_slowness.jpg

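Added example, not part of any post in the thread: a small routing model of the red-line path that computes the forward and return hops, to check the asymmetric-routing guess raised above. The addresses and routes are taken from the posts; the /24 interface masks and the node names (`client`, `pf_lab`, `pf_core`, `server`) are assumptions.

```python
import copy
import ipaddress

# Constructed model of the red-line path. Addresses are from the posts; the /24
# masks on the interfaces and the node names are assumptions.
NODES = {
    "client":  {"ifaces": ["10.20.0.10/24"], "routes": {"0.0.0.0/0": "10.20.0.250"}},
    "pf_lab":  {"ifaces": ["10.20.0.250/24"], "routes": {"172.16.30.0/24": "10.20.0.254"}},
    "pf_core": {"ifaces": ["10.20.0.254/24", "172.16.30.250/24"], "routes": {}},
    "server":  {"ifaces": ["172.16.30.3/24"], "routes": {"0.0.0.0/0": "172.16.30.250"}},
}

def owner(nodes, ip):
    """Name of the node that owns this IP address."""
    for name, node in nodes.items():
        if any(ipaddress.ip_interface(i).ip == ip for i in node["ifaces"]):
            return name
    raise LookupError(f"no node owns {ip}")

def next_hop(nodes, name, dst):
    """Longest-prefix match; a connected network delivers straight to dst."""
    cands = [(ipaddress.ip_interface(i).network, dst) for i in nodes[name]["ifaces"]]
    cands += [(ipaddress.ip_network(p), ipaddress.ip_address(gw))
              for p, gw in nodes[name]["routes"].items()]
    cands = [(net.prefixlen, hop) for net, hop in cands if dst in net]
    if not cands:
        raise LookupError(f"{name} has no route to {dst}")
    return max(cands, key=lambda c: c[0])[1]

def path(nodes, src, dst):
    """Node names a packet from src to dst passes through, in order."""
    dst = ipaddress.ip_address(dst)
    hops = [owner(nodes, ipaddress.ip_address(src))]
    while hops[-1] != owner(nodes, dst):
        hops.append(owner(nodes, next_hop(nodes, hops[-1], dst)))
        if len(hops) > len(nodes):
            raise RuntimeError("routing loop")
    return hops

def one_way_nodes(nodes, a, b):
    """Nodes that see only one direction of the a<->b flow."""
    return sorted(set(path(nodes, a, b)) ^ set(path(nodes, b, a)))

# The workaround from the thread: a static route on the client via the core.
FIXED = copy.deepcopy(NODES)
FIXED["client"]["routes"]["172.16.30.0/24"] = "10.20.0.254"

if __name__ == "__main__":
    for label, topo in (("red line", NODES), ("static route on client", FIXED)):
        print(label, path(topo, "10.20.0.10", "172.16.30.3"),
              path(topo, "172.16.30.3", "10.20.0.10"),
              "one-way:", one_way_nodes(topo, "10.20.0.10", "172.16.30.3"))
```

In the red-line model the lab pfSense forwards the client's packets but the core answers directly onto 10.20.0.0/24, so the lab firewall sees only one direction of the flow; with the client-side static route both directions take the same hops.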
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.