pfSense web GUI very slow load on home page
-
Do you have the WAN port on your box connected to anything?
https://redmine.pfsense.org/issues/8987
Jeff
-
@akuma1x So all I have hooked into the WAN is what you would expect, just the line from our modem.
-
This usually is a symptom of DNS resolution issues within pfSense itself. How is DNS configured on the firewall?
One of the first things the GUI home screen does is try to contact the pfSense servers to see if there is a posted firmware update. If DNS resolution is not working properly for the firewall itself, you can get long delays as it waits for DNS timeouts.
-
@bmeeks So for DNS I did not do too much in the way of configuring. I have my DNS servers in there, but other than that I stuck with most of the defaults. Is there any setting in particular that you think would be worth looking at? Also, sorry for some of the basic questions; I have more of a Cisco past and recently inherited this pfSense setup.
-
What version was the "old box" running?
Do these issues manifest if you do a fresh installation and just configure WAN/LAN with basic configs to get connectivity?
-
@tim-mcmanus So the old box was running 4.2.2 and the issues only seem to start when I added my domain into the domain field on the box.
-
@tantan5e said in pfSense web GUI very slow load on home page:
@tim-mcmanus So the old box was running 4.2.2 and the issues only seem to start when I added my domain into the domain field on the box.
Which "domain field"?
-
@tim-mcmanus Under General setup
-
I am leaning towards bmeeks explanation of the issue. You may have a DNS issue. When you changed the domain name and name of the box, did you update the authoritative DNS records (internal) for this change?
Do you access pfSense via domain name or IP address?
-
@tim-mcmanus So yes to the authoritative record and I am accessing the pfsense via IP
-
For a new pfSense install out-of-the-box, you need do nothing for DNS. It will be configured to resolve using Unbound which will query the DNS root servers for lookups.
If you monkeyed with any of the DNS settings under GENERAL SETUP, that is likely where the issue lies.
Unless you have a properly registered domain that you pay a fee for, and have authoritative DNS servers configured for that domain, you should generally not put anything in the DOMAIN box on the General Setup tab. The exception would be a Windows AD domain, but in that case you should be pointing pfSense to the AD DNS server (domain controller) or else have properly configured domain overrides specified on the DNS Resolver screen.
If you are importing some old config from a prior installation, be sure that you are not attempting to enable DNS Forwarder and DNS Resolver at the same time. They will fight each other and neither will successfully start up.
Do you understand the distinction between a DNS Forwarder and a DNS Resolver? I'm not trying to be snooty with the question, just asking because understanding that is key to properly configuring DNS on pfSense.
-
@bmeeks Thank you for your reply, and you are good, I do not think you are trying to be snooty. I apologize, I guess I should have led with some of this other information. So I understand the difference between forwarding and resolving; forwarding is not enabled on my box. Also, as far as resolving, being that this is an enterprise environment, we have a Windows AD environment/DNS server that handles all of the resolution. The AD DNS servers are what I have in the pfSense box.
-
Just to confirm (graphically) your settings:
Did you disable the DNS forwarder via this checkbox at the bottom? In my config, I use internal DNS that then uses pfSense for DNS which ultimately queries the root servers. I can block outgoing DNS queries from the LAN and force all devices to use internal DNS by doing this.
In Services/DNS Forwarder, that checkbox is unchecked.
In Services/DNS Resolver, that checkbox is unchecked? Mine is checked for the reasons mentioned above.
You could also do the same. Have AD use pfSense as its DNS resolver. Since you're in an enterprise environment, I would assume that you too have blocked DNS queries to the Internet, as it's a common enterprise config (essentially block everything from leaving the enterprise network except for common ports like 80, 443, etc.--good egress management).
Just wanted to verify your configs. I assume in the General tab your DNS is pointed to your internal AD servers and the other DNS services are disabled. You also need to check the box in the General settings so pfSense doesn't use 127.0.0.1 for DNS lookups.
-
@tantan5e said in pfSense web GUI very slow load on home page:
we have a Windows AD environment/DNS server that handles all of the resolution. The AD DNS servers are what I have in the pfsense box.
If you're an AD shop your clients should be pointing to your AD, they should get their dns from that, and this should be your dhcp as well.
If you want to point your AD dns to pfsense so it can resolve that works, or you can just forward or resolve from your AD dns as well.. Pointing clients to pfsense for dns, just so it can go ask your AD dns doesn't make a lot of sense.
Just let pfsense resolve!! out of the box for the stuff it needs to.. And if you want it to be able to resolve IPs in your network, then create a domain override pointing to your AD dns so you can do the PTRs, etc..
Your gui is prob slow because to pfsense dns is not working - or is very slow!!!
-
@johnpoz is correct. The slow GUI is most likely caused by DNS resolution difficulties on the firewall. For what it's worth, when testing things in virtual machines in the past (like switching from Forwarder to Resolver or back and forth) I've had to reboot the firewall to get things working well. Granted that was with some older pfSense versions, but if you have not rebooted the firewall it would not hurt to try that.
-
So here is what my config looks like. I have the DNS blocked out, but what I have in there is my AD DNS servers.
DNS Forwarding is unchecked
Thank you for the reply and the help, but it looks like, based off your feedback, everything seems to be set correctly for my AD environment.
-
@bmeeks Ok thank you for that, I am pretty sure I have done a reboot on it since the issue started but I am not sure, I will try to do that at the end of the day. Thank you.
-
@tantan5e said in pfSense web GUI very slow load on home page:
Thank you for the reply and the help, but it looks like, based off your feedback, everything seems to be set correctly for my AD environment.
Not exactly. pfSense is still resolving DNS since you have the resolver running. Disable it and see if it makes a difference.
Also, the way you have the resolver set up, it's listening for DNS queries on all interfaces, including your WAN. You'll notice in my screen shots that I only resolve DNS internally.
-
OK I will uncheck the enable DNS resolver here and see if that helps.
-
You do not want to check the box that says Disable DNS Forwarder on the GENERAL SETUP screen. Since you are running DNS Resolver, you may as well let pfSense use it to perform external lookups for the firewall itself.
It may be that your internal AD servers are having issues resolving the pfSense update services. Unusual if that is the case. Try unchecking that checkbox I mentioned, save and apply the changes and then reboot the firewall for good measure.
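
Added example, not part of the thread: the replies above attribute the slow dashboard to DNS lookups timing out for the firewall itself. This Python sketch times one A-record query against each DNS server you list, so a slow or silent server stands out; the hostname and server addresses are your own values passed on the command line (none are given in the thread), and it assumes a host with Python 3 that can reach the same servers.

```python
import socket
import struct
import time

def build_query(name, qid=0x1234):
    """Encode a minimal DNS A-record query (RFC 1035) for `name`."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(bytes([len(p)]) + p.encode("ascii")
                     for p in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def probe(server, name, port=53, timeout=2.0):
    """Send one UDP query; return (seconds, rcode), or (None, None) if unanswered."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        start = time.monotonic()
        try:
            s.sendto(query, (server, port))
            while True:
                data, _ = s.recvfrom(4096)
                # Accept only a reply carrying our transaction ID.
                if len(data) >= 12 and data[:2] == query[:2]:
                    return time.monotonic() - start, data[3] & 0x0F
        except OSError:  # timeout or unreachable
            return None, None

def report(servers, name, timeout=2.0, port=53):
    """Map each server to a verdict; a TIMEOUT is a delay the caller has to wait out."""
    out = {}
    for srv in servers:
        secs, rcode = probe(srv, name, port, timeout)
        if secs is None:
            out[srv] = f"TIMEOUT after {timeout:.1f}s"
        else:
            out[srv] = f"{secs * 1000:.0f} ms rcode={rcode}"
    return out

if __name__ == "__main__":
    import sys
    if len(sys.argv) < 3:
        sys.exit("usage: dnsprobe.py HOSTNAME DNS_SERVER [DNS_SERVER ...]")
    for srv, verdict in report(sys.argv[2:], sys.argv[1]).items():
        print(f"{srv:15s} {verdict}")
```

Pointed at the firewall's own WAN address from an outside host you control, the same probe shows whether the resolver answers on that interface, which is the "listening on all interfaces" setting raised earlier in the thread.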