pfBlocker & slow speeds

Tleary

pfBlocker appears to slow down my Internet 'speed' after running fine for a couple of months.
I set up pfBlock & DNSBL with 5 built-in IP Collections, 8 custom DNSBL, like dshield, and most GeoIP. My config works great for months and the bandwidth is perfect. Then I'll start noticing latency and slow speed tests. If I disable pfBlock/DNSBL the speed returns to normal? Could pfBlock affect speeds after a period of time? Is there any maintenance I should do? Or something to be aware of while running it?

NollipfSense

@Tleary said in pfBlocker-ng slow speeds:

and most GeoIP

That's my first thought.

Tleary

@NollipfSense checking that out now.

johnpoz

How exactly does blocking dns dns slow down your "speed" Make ZERO sense..

Something either resolves or it doesn't - pfblocker as nothing to do with the traffic moving through pfsense..

Your blocked or your not blocked - how does that slow you down?

Tleary

@johnpoz I have absolutely no idea. It doesn't make any sense to me so that's why I posted. Maybe there was something I'm unaware of. It's just DNS / IP blocking. I'll notice Internet connection's 'speed' doesn't respond as fast as 500mbs should. I only have pfblock on. Regardless, when I disable IP/DNSBL everything is super fast again. I'm running off of a 3100-sg. I had the problem a few times after restoring to defaults.

johnpoz

@Tleary said in pfBlocker-ng slow speeds:

connection's 'speed' doesn't respond as fast as 500mbs should

You do understand that dns can go offline for a while if pfblocker is restarting unbound... You say 'connection' speed.. So is your dns going on and off?

This can present itself as dns not working, etc. Then sure shit could look broken.. But once you connect your speed would be fine.. Since again pfblocker has nothing to do with that connection..

Look in your log - how often is unbound restarting?

Tleary

5 dnsbl feeds unbound once a day. I'm going through the logs.

RonpfS

Is your pfblockerNG Reloading or Restarting Unbound?

When you experience the slowdown, Restart (or Stop / Start) Unbound from the Status / Services Tab to see if the slowdown persist.

Tleary

@RonpfS @johnpoz I'm looking into this, might take me some time to get accurate tests. When I get a better understanding of how Unbounding is working for my 3100-SG, I'll post back. I'm spending time deciphering the packages logs. Update will be coming. thx!!

Tleary

@johnpoz @RonpfS Alright, so I have the issue occurring, but I can't tell which log I should be checking.
The Log Files error.log:

[ pfB_Main_Block_List_IPv4_v4 - uBlockFiltersPlus_v4 ] Download FAIL [ 10/25/19 00:01:54 ]
[ raw.githubusercontent.com ] Domain listed in DNSBL

Restoring previously downloaded file contents.... unknown http status code | 0

[ DNSBL_Malicious2 - StevenBlack_BD ] Download FAIL [ 10/25/19 08:00:15 ]
[ raw.githubusercontent.com ] Domain listed in DNSBL

Restoring previously downloaded file
. unknown http status code | 0

.----------
The System Log / General is ok. Mostly says no update needed:
Oct 25 13:04:06 check_reload_status Syncing firewall
Oct 25 13:04:10 check_reload_status Syncing firewall
Oct 25 13:04:10 check_reload_status Syncing firewall
Oct 25 13:04:11 check_reload_status Reloading filter
Oct 25 13:04:11 php-fpm 362 [pfBlockerNG] Stopping firewall filter daemon
Oct 25 13:04:22 check_reload_status Syncing firewall

johnpoz

why is your download failing?

RonpfS

@Tleary said in pfBlocker-ng slow speeds:

@johnpoz @RonpfS Alright, so I have the issue occurring, but I can't tell which log I should be checking.
The Log Files error.log:

Maybe start with Firewall / pfBlockerNG / Log Browser pfblockerng.log ;-)

Tleary

Yes, lol, well, what I mean is...I went through all the logs and was wondering if there was anything to specifically identify. I had seen pfblockng.log. All it contained was my feeds really. There was one failing for githubcontent.com @johnpoz soI removed that feed. The error.log wasn't useful either. It just had two lines that repeated; the failure and status code 0. I'll keep going through the logs but even though there's so many I haven't seen one to explain this problem.

The failed log is in another post: https://forum.netgate.com/topic/124227/dnsbl-blocks-itself/3

Tleary

Following up. I just had the issue again. This time I checked out my Resource Monitor. The TCP Connection monitor was very high but I did not have a ridiculous amount of browsers open. I looked at TCP View and the connections were fine; quantity, bytes sent/received, software connected. Proccess Explorer was fine. I have a very good computer. i7 9xxx 32gb ddr4. m.2. My ISP gives me a lot of bandwidth. Anyway, the bandwidth went down to 30MiB. I disabled my NIC. When I reenabled it the speed tests were fine again. So, I have to look more into managing my network adapter I suppose. The driver's updated. I'm not sure why it's getting such a loss of performance. I'll have to look at a way to clear it just like disabling it does. I'll continue to review the DNSBL logs and post anything notable. The issue is fixed by disabling pfBlocker but I'm not clear on the connection.

Post Note: The Resource Monitor showing 90% TCP connections are on tons of computers, including a work computer. I don't know if the conclusion was correct. I'm going to run ipconfig /flushdns next time or I'm going to sleep all my tabs next time.

Tleary

Post Comment: It still occurs sometimes. If I use a VPN client to bypass the pfsense the Internet 'speeds' are fine and fast. Instantly after connecting everything loads ultra fast.

gmxpt

@tleary just got started into pfsense two months ago, previously I was using a commercial router and PiHole as my DNS blocker. I'm currently experiencing the same problems you describe. I've noticed that while browsing certain content (or the website itself) will take a longer time to load, but once it loads the speed is ok. For example, one website I visit often is 9gag.com, the website will load fast enough, but when I want to see the comments on a post it takes a long time for the content that is not text to load i.e. images and videos inside the comments. Speed tests don't really help, it takes "longer" to load the speedtest website, but once it loads the speed test results are great.
I haven't done much troubleshooting in the issue, but as you mention, if I turn on my VPN on my phone (which bypasses the firewall rules created by pfblocker) or when I disable pfblocker everything loads at a normal/faster speed. BTW I'm using the SG-1100.
I don't have a solution, but at least we know we are not alone with this problem.

Tleary

@gmxpt That's awesome to hear. I've been using it for two years now. I found that I was filtering too much. It was like a nice simple dns request would get to pfBlocker and freak out. So I worked on tuning DNS at a few different levels. I set the pfSense to use OpenDNS. I added the Squid proxy app and it made a big difference. I got rid a lot of duplicates, unnecessary filter rules, and started considering the DNS process as a whole, and took down that roadblock. When I was connected with VPN it got to skip past my configs. I wish I watched the two Packt Pub video modules first.

catchman

I can also (kind of) confirm this.

But just to be clear - a speed test will result in full speed.
But some web pages will open very slow, at first i thought my dns is very slow.
As when the page load it does at a normal speed, just very delayed.

As nearly every website is using sources(scripts, ad, tracker,...) from all over the place, its hard to pinpoint.
I think it might be slow if some parts of the page are blocked.

But I don't know if the browser is waiting for a timeout or a js script has trouble.

Orwi

@johnpoz said in pfBlocker & slow speeds:

How exactly does blocking dns dns slow down your "speed" Make ZERO sense..

Something either resolves or it doesn't - pfblocker as nothing to do with the traffic moving through pfsense..

Your blocked or your not blocked - how does that slow you down?

may the dead live forever.
So I exhume this thread here ;)

It is >=4 years later and the behavior still exists.
Using pfBlocker leads here and there, more than less, to a creeping slow experience on SOME sites.

An answer like yours is very... how can I say it withuot being unpolite... not helpful and sounds more like defending the own team.

Speaking about teams - with another sense and it's integrated lists, I was able to circumvent this - half way. The other half: Just using another unbound didn't do the trick for me. But after I disabled pfBlocker - my internet experience was blazing again - also without ads.

jrey

@Orwi said in pfBlocker & slow speeds:

It is >=4 years later and the behavior still exists.

let me see, how can I say it without being un-polite...

I can't, if you still have not figured it out after 4 years, sounds like a you problem.

I'm not part of any team, club or otherwise in regards to Netgate, pfSense or pfBlockerNG.

However, if you have a problem, dragging up an old thread and saying "it is broken, can you make it go" provides zero benefit to you or anyone else.

pfBlockerNG is likely not the direct cause of your throughput issue (aka slow speeds). I use pfB, understand what and how it is doing what it is doing. Zero throughput issues.

You should open a new thread and provide details of your specific and current issue. You just never know, in that case, someone might actually help.
Certainly not going to troubleshoot an issue that is being perceived to be the same as something from 4 years ago.