Pfsense slowing down WAN connection



  • ISP connection is 300mbps. If I connect a device to the modem's switch ports, I see 330mbps consistently.

    If I bridge the modem and put the connection through PFsense, I see 120mbps.

    PFsense WAN interface is getting my public IP properly from the ISP.

    Pfsense is on 2.4.3-RELEASE-p1 running on a SuperServer 5018A-FTN4, a C2758 chipset device with its integrated quad Gbe controller. CPU and memory usage are both below 2%.

    Clients are connected via DHCP. I have 1.1.1.1 and 9.9.9.9 set up as DNS servers on the general page, and DNS resolver is enabled in forwarding mode. According to my understanding this should be using the general DNS servers. No PFBlocker, no VPNs, no fancy configurations...

    How do I speed this sucker up??



  • I should add that my upload bandwidth is also halved from ~30mbps to ~12mbps.

    pulling my hair out!



  • First thing I would do is verify that all your interfaces are connected at gigabit and full duplex. Then check the interfaces for "In/out errors". Next, verify the traffic shaper isn't configured. Then verify there are no limiters defined and applied somewhere.

    After that, I'd try testing and/or swapping your patch cables.

    If everything checks out, I would then swap both of your NICs with PCI-e Intel brand NICs. Those cheap Realteks often come up short in the performance category.



  • @marvosa said in Pfsense slowing down WAN connection:

    First thing I would do is verify that all your interfaces are connected at gigabit and full duplex.

    check, 1000baseT <full-duplex>

    Then check the interfaces for "In/out errors"

    0/0 on all interfaces

    Next, verify the traffic shaper isn't configured.

    check, nothing enabled.

    Then verify there are no limiters defined and applied somewhere.

    no limiters enabled

    After that, I'd try testing and/or swapping your patch cables.

    did that, CAT6 cables, no issue

    If everything checks out, I would then swap both of your NICs with PCI-e Intel brand NICs. Those cheap Realteks often come up short in the performance category.

    The NICs are Intel, built in to the CPU... and they are capable of almost 1GB/s if I go from interface to interface.

    I had a tech come out from the ISP and he changed all the coaxial to the building and swapped the modem, but no improvement. No errors on their end.



  • doing Iperf testing:

    TCP window size: 64.6 KByte (default)

    [ 3] local 10.16.100.2 port 17952 connected with 172.16.10.1 port 5201
    [ ID] Interval Transfer Bandwidth
    [ 3] 0.0- 2.0 sec 8.50 MBytes 35.7 Mbits/sec
    [ 3] 2.0- 4.0 sec 12.9 MBytes 54.0 Mbits/sec
    [ 3] 4.0- 6.0 sec 14.4 MBytes 60.3 Mbits/sec
    [ 3] 6.0- 8.0 sec 12.1 MBytes 50.9 Mbits/sec
    [ 3] 8.0-10.0 sec 12.5 MBytes 52.4 Mbits/sec
    [ 3] 0.0-10.0 sec 60.4 MBytes 50.6 Mbits/sec

    Getting roughly the same result to my own server and to public iperf servers.



  • Is PFsense running on bare metal or is it virtualized? If you're virtualized, I've read a few posts of people disabling "Hardware Checksum Offloading" to resolve some slowness issues when PFsense is virtualized. Although, according to the following low throughput troubleshooting article, you may want to try disabling hardware checksum offloading regardless:

    https://www.netgate.com/docs/pfsense/interfaces/low-throughput-troubleshooting.html

    What packages are you running? E.g. are you running things like... Squid, Snort, Suricata, etc? Try disabling/removing them.

    Are you routing your traffic through a VPN service?

    And then there's the client integrity of the testing machine, are you testing with the same client that pulled 300+ Mbit when directly connected to the modem or something else?
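The link and offload checks suggested in the posts above (gigabit, full duplex, hardware checksum offloading) can be read from `ifconfig` on the firewall's shell. The script below is an added example, not code from any poster or from Netgate; it assumes the FreeBSD `ifconfig` text layout, and the interface names and sample output are constructed.

```shell
#!/bin/sh
# Added example: audit `ifconfig` text (FreeBSD/pfSense layout) for the link
# and offload checks from the thread. Reads stdin, prints one finding per line.
audit_ifconfig() {
    awk '
    /^[a-z]+[0-9]+: flags=/ { ifname = $1; sub(/:$/, "", ifname) }
    /^[ \t]+options=/ {
        # Capability flags sit between < and >, comma separated.
        opts = $0
        sub(/^[^<]*</, "", opts); sub(/>.*$/, "", opts)
        n = split(opts, o, ",")
        for (i = 1; i <= n; i++)
            if (o[i] ~ /^(RXCSUM|TXCSUM|TSO4|TSO6|LRO)(_IPV6)?$/)
                print ifname ": offload enabled: " o[i]
    }
    /^[ \t]+media:/ {
        if ($0 !~ /1000baseT/)   print ifname ": not negotiated at gigabit"
        if ($0 !~ /full-duplex/) print ifname ": not full duplex"
    }
    /^[ \t]+status:/ {
        s = $0; sub(/^[ \t]+status:[ \t]*/, "", s)
        if (s != "active") print ifname ": link status is " s
    }'
}

# Constructed sample input (not captured from the poster's firewall):
# igb0 is healthy with offloads on, igb1 negotiated 100 Mbit half duplex.
sample_ifconfig() {
    cat <<'EOF'
igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=403bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
igb1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        media: Ethernet autoselect (100baseTX <half-duplex>)
        status: active
EOF
}

sample_ifconfig | audit_ifconfig
```

On the firewall itself, replace the last line with `ifconfig | audit_ifconfig`; an "offload enabled" finding is only a candidate to toggle while re-running the same throughput test, not a fault by itself.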



  • @marvosa said in Pfsense slowing down WAN connection:

    Is PFsense running on bare metal or is it virtualized? If you're virtualized, I've read a few posts of people disabling "Hardware Checksum Offloading" to resolve some slowness issues when PFsense is virtualized. Although, according to the following low throughput troubleshooting article, you may want to try disabling hardware checksum offloading regardless:

    https://www.netgate.com/docs/pfsense/interfaces/low-throughput-troubleshooting.html

    Thank you very much for this post! I recently installed a QNAP NAS running pfSense as a VM on the NAS and have been struggling with network performance issues, where my performance without the pfSense was about 25 Mbps and routing through the pfSense dropped it to 0.3 Mbps. I disabled "Hardware Checksum Offloading" and the performance impact of the pfSense is now negligible, I am seeing 25 Mbps through the pfSense.



  • @marvosa

    Thanks for continuing to dig here!

    The only package I have installed during testing is iPerf. I actually blew away the Pfsense install and started from scratch, just to eliminate anything I may have configured previously.

    Pfsense is running bare metal on 5018A-FTN4, nothing else running on the box.

    Checksum offloading doesn't seem to affect the speeds at all.

    No VPN

    Yes testing from the same client machine, directly connected via CAT6 (tried different cables, too).



  • At this point, assuming (even though I hate to) you've tested your cables and your switch.... here's what I would do... try a different distro (Untangle, IPCop, Endian, ClearOS, Smoothwall, Zentyal, etc)... via LiveCD or bare metal install and let's see what the performance looks like.

    If you see a vast improvement in your bandwidth test, then you most likely have either a configuration issue or possibly a driver issue.

    If you see the same lackluster performance from a different distro, then there's a hardware issue (or limitation) somewhere in the data path from the workstation to the modem and you'll have to investigate everything in-between.

    I was once testing a 1 gig fiber line at a friend's place and for some reason, I was only getting 400-600 Mbit speeds from a speed test. I was about to advise calling the ISP, but the issue turned out to be my laptop. For some reason, it couldn't push the data fast enough (and yes, I was hardwired)... even though all indicators suggested it was capable... e.g. connected at 1 Gbit full duplex and it was an HP laptop with an i5 CPU. As soon as I plugged an i5 HP desktop... I got 930+ Mbit, so I chalked it up to my laptop not being a good candidate for testing gigabit WAN for whatever reason.

    So, we've covered most of the usual suspects... unfortunately, everything's not always cut and dry. We're just going to have to start thinking out of the box with our testing and eventually something will jump out at us.

    After the above is exhausted, I see the next step as testing PFsense on different hardware.



  • I am having the same problem with 2.4.x!

    If I use 2.3.5 it works well at full speed. If I do a clean install or upgrade to 2.4 then my speed more than halves from 80mbs to 30mbs.

    So now I stay on 2.3.5 until it is fixed.....

    (ASRock J3455B with quad Intel adaptor) edited to fix version numbers


  • Netgate Administrator

    @vinceepic said in Pfsense slowing down WAN connection:

    If I bridge the modem and put the connection through PFsense, I see 120mbps.

    Did you try testing a client connected to the bridged modem directly? From what you have tested it could still be the ISP device slowing things down. That hardware you're running pfSense on is capable of 300Mbps without breaking a sweat.

    @spants said in Pfsense slowing down WAN connection:

    I am having the same problem with 2.4.x!

    Unless you're using identical hardware including the same modem from the same ISP you're probably hitting some different issue. You should start your own thread and provide as much detail as possible there.

    Steve



  • @spants said in Pfsense slowing down WAN connection:

    I am having the same problem with 2.4.x!

    If I use 2.5.3 it works well at full speed. If I do a clean install or upgrade to 2.4 then my speed more than halves from 80mbs to 30mbs.

    So now I stay on 2.5.3 until it is fixed.....

    (ASRock J3455B with quad Intel adaptor)

    You mean 2.3.5, correct? I’m a pfsense newbie but I could tell you that 2.4.3-RELEASE-p1 doesn’t throttle anything, I have no problem getting 940/940 out of my ISP. The reason I'm replying to you is because I see you referenced the ASRock. My firewall appliance doesn’t support AES-NI so I have an ASRock J3355B board coming in next week so I could enable AES-NI. I wonder if that was a mistake? If that has issues I'll install FreeNAS and use it for a NAS and buy something else. Here's my speedtest with 2.4.3-RELEASE-p1



  • @s762 Sorry, v2.3.5 as you guessed! I know nothing is being throttled but there is a problem on my hardware.

    Will start my own thread to fix it but wanted to let the OP know so that he can check if 2.3.5 works at full speed for him



  • Regarding MY issue (just to update the OP): Speed is ok on the 2.4.4 RC version...
    2.5.3 = OK
    2.4.3 = slow network
    2.4.4rc = OK

