Behind pfsense and my download speed is cut in half
-
My clean install default settings pfsense Protectli appliance on Xfinity 150mb down internet, has had its download speed cut in half 70mb, upload is fine.
I’ve ran a speed test from within pfsense speedtest-CLi and my download is normal 150mb, what gives? I can connect my laptop directly to my Netgear cable modem and my download speed is normal 150mb, but when I reconnect pfsense to the modem then connect my laptop I’m cut in half again.
My setup is bone stock no added nothing, no pfblocker or no snort or no traffic shaping.
-
You would have to talk about much more than that for anyone to figure out what you are seeing.
Who is Protectli and why should you expect any help here for their product?
my equipment running pfsense easily does line speed.
Here ya go- https://protectli.com/submit-ticket/
-
@chpalmer just took a look at your profile and maybe just maybe you’re a Russian Bot or worse, a Deplorable American.
Please move on and your foul language isn’t needed here, your two cents is returned.
Don’t get banned.
-
Dude.. Language? Really?
Why should you expect help based on..
You bought a device from some other company than Netgate..
You have not described a single thing about your setup other than the devices origin..
You claim to be running a default setup. Did you install pfsense from Netgates website without instruction to do so from that company? Or did it come pre installed?
I bet Im closer to that company than you are. They are down by San Diego according to their site.
And.. no ya didn't based on that comment.
-
@chpalmer this will be my last comment to you, piss off and go be Deplorable somewhere else please. Please go away before I file a complaint with Netgate.
-
File away buddy! My intent was to help but to show you that your choice of product was most likely to blame. Not the software. You have not answered a single question I asked but attacked the first sign of help that came along.
Oh yea.. Make sure you complain to the company that seems to be selling their product based on pfsense without giving credit where due.
I see a troll your direction. Prove me wrong.
I just went though all 39 of your post history here and you seem to get triggered quite easy BTW.
-
Secondly.. Based on your last 39 posts you most likely returned the properly functioning Netgate product for one you thought would suit you better and now you are back here to complain.
Lots of "deplorable Americans" in Fresno I suppose.
-
Well that escalated quickly! Let's just take a step back for a second....
Yes, Protectli enjoy a special reputation here based on their previous activities. They are only re-branding stuff anyway so I suggest simply not mentioning them at all in future questions.
We don't know what hardware you have but anything should be capable of 150Mbps so I would look at some low level issue. Check Status > Interface. Do you see any errors on the interfaces you're testing through? Are both linked at 1Gb?
Try re-assigning the interfaces to different ports.
Is the link symmetric? Do you get 150Mbps upload?
Steve
-
@stephenw10 After further testing of several different firewalls including a SG1100, all firewalls tested have the same issue, the download speed has been cut to 70mbps.
Question, could Xfinity be throttling firewalls behind their cable modem and other cable modems?
Xfinity sent out a technician to my house yesterday, and he couldn’t explain why my download speed is being cut in half even behind their own test cable modem he brought out with him.
So, the issue may not be a Netgate firewall problem after all, being that every other firewall tested behind Xfinity’s own cable modem had its download speed cut from 150mbps down to 70mbps.
-
Ah well if it still did it behind the router the technician had that's definitely an upstream problem somehow.
Hard to explain why a directly connected laptop does not though....
Steve
-
i saw once something similar with linux and realtek card, slim chance you have that?
-
Only thing off the top of my head that comes to mind would be the ttl, any router would reduce the TTL by 1 as it goes across that hop.. This seems pretty far fetched, but it is possible they could do something like that. Why it would be done in one direction only seems odd for sure.
Some isp can do such things to prevent (some even block if the ttl is not full) or discourage use of other routers.
I had comcast very long time.. Never seen such an issue before.
Other thing that comes to mind is throttling of connection for new device. Via the mac address connected to the modem.. What did you originally setup the service with? The laptop directly connected.. Also is really a modem, or a gateway device ie modem/router combo..
That when you test from the wan interface of pfsense with a speedtest-cli you get full speed would rule out the mac throttling idea - but the ttl would be full leaving pfsense own interface, vs something that was natted/routed from behind it.
Just spit balling ideas here.
I would sniff a test from you fullspeed laptop, and then on wan of router and look for issues - lots of retrans, much lower receive window size? etc.. Notice what the hop ttl is. It is possible to adjust the outbound ttl hop, so you can not tell that your connection is behind a router. I believe there was some code posted long time ago, not sure if still possible on pfsense. Have to do a bit of searching for that long ago post/threads
-
@stephenw10 My TinFoil Hat material has increased in thickness after the Xfinity tech left yesterday.;)
I don’t know why Xfinity would be throttling my home. We don’t do anything but stream and surf the net.
Maybe, Xfinity doesn’t like firewalls and VPN’s etc, behind their’s and other cable modems. Go figure I guess. This throttling, as I call it, just started by the way too. My internet speeds have been ok up until now.
After searching the forums here, you have had this similar kind of issue with several other Netgate users over the years, maybe they have Xfinity too.;)
-
here is that thread I remember about doing a mangle on the outbound ttl just for reference that it is possible to mangle that so its full value vs what is clearly an odd hop ttl.
https://forum.netgate.com/post/154305
I knew it was dated - that is from 2007 ;)
-
@johnpoz Thanks, I’ll dig into this after we get back home today.
-
There have been several cases where ISPs will throttle any traffic that isn't correctly tagged for priority. And for additional MAC addresses. But both of those would apply to a directly connected laptop equally. And you would hope a technician would be aware of those restrictions.
Steve
-
Just a wild ass guess to be honest.. But that for sure could explain why a native client is not throttled, and while something behind a router has different speeds if they are doing something with the odd ttl you would see..
Simple enough to see for yourself with some sniffing.. Here you can see traffic generated by pfsense with the 64 ttl, and then traffic that went through pfsense has 63
Again this is just spit balling an "idea" that "could" possible explain how an isp could dick with speeds if they wanted too, etc. Or could be an issue on their system that doing something based upon some other unknown details of the traffic??
That they did the test with their own equipment (router) for sure completely rules out anything pfsense is doing or not doing to cause the issue. Do you have say some wifi router you could use - that sees the same problem?
edit: What specific "modem" are you using it just a true cable modem, or is it a gateway in "bridged" mode - or is also doing nat? Asking for clarification, because seems like 9 out of 10 times someone says "modem" they really mean gateway, ie modem/router combo box and not just actual modem.. Cable connections are quite often true modems - but many of these isp like handing out gateways now..
-
@stephenw10 we’re talking about Xfinity techs here now Lol
The guy that came out went outside several time to “talk” to another Xfinity guy he knows that has a “switch” at his house that maybe could help him shed some light on what I was experiencing but the guy didn’t answer or something else.
This is why Xfinity needs real competition in the marketplace. I believe they are doing this mess and leaving their techs out to dry, so to speak, when they’re called out for this particular kind of issue.
-
@johnpoz my cable modem is an Xfinity approved Netgear CM1000.
And I truly believe that Xfinity would love for me to replace all of my own equipment for theirs.;)
-
@hpspar05 When you direct connect to the modem, what IP address do you get? The WAN address or a private address?
What is the LAN network you are using?
And what is the modem/gateway make/model?
If you have VOIP phone service and wireless without additional access points, it's a gateway not a modem. FWIW, I get 300 down through pfSense and a Netgear CM600 modem on Xfinity.EDIT - OK, so a CM1000. Are your interfaces on pfSense all set to auto-negotiate?
