Random Websites slow under VLAN
I have a pfsense (2.4.4 p3) setup with a Guest VLAN. The guest VLAN is tagged through UniFi Access point.
I'm having an issue with some websites, e.g. www.wannawin.ca, which loads super slow (about 1 minute to load) while my LAN side loads it instantly.
I did some research, played with the MTU/MSS of my guest interface, I also ticked Disable Hardware checksum offload but I can’t find the problem!?
Any ideas? I’m fairly new with pfsense as I just switched from Check Point.
Gertjan last edited by
Just found another tip, check this : is your VLAN using IPv6 (and your pfSense isn't routing IPv6 ) ?
Thanks for the reply. I am not using IPv6 on my network... the option I believe is still checked though, wonder if I should block all IPv6 traffic... not sure it would help or not.
My installation is fairly basic - a couple of network interfaces (Broadcom and Realtek), LAN, VLANs (Guests and Cameras), DMZ for the Web Servers. The only packages installed on my box are Snort and pfBlockerNG, which I tried stopping the services for, and I was still experiencing the issue...
I wonder if this has anything to do with the VLAN itself. My LAN and VLAN share the same NIC, no issues with the LAN side but the VLAN can't access some sites, others are super slow to load... Not sure where to look anymore..
Gertjan last edited by
I.e.: www.wannawin.ca which loads super
Btw : a site that talks about money and isn't accessible by https ..... worse, it has a certificate, it expired more than a year ago.
I would enter this site into pfBlockerNG ... not as an exception, but as a block.
Do you have another example with a more serious site ?
I totally agree with you on that one, the site is used by a couple of people... not much I can do about their gambling "hobby" lol.
I will try to find a few sites for you, I will run some tests. I need to solve that because like I said this affects more than one site... Hopefully it'll be fixed sooner than later... I'd hate switching for another product now that I am all setup.
JKnott last edited by
Thanks for the reply. I am not using IPv6 on my network... the option I believe is still checked though, wonder if I should block all IPv6 traffic... not sure it would help or not
If set up properly, IPv6 is not the problem. You might have slow response if you have IPv6, beyond link local addresses, on your LAN, but no routing off your network. In this instance, when the DNS reply contains AAAA records, that will be tried first, falling back to the IPv4 A record. I experienced this last year, when my ISP had a problem with IPv6. You will not experience delays to IPv4 only addresses, if this is the cause.
If you don't have any other IPv6, you should at least have link local (fe80::) addresses.
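The fallback described above (AAAA tried first, then the IPv4 A record) can be checked by timing one TCP connect per resolved address. This is an added example, not part of the original thread; the host names, the documentation addresses and the `sample_*` helpers are constructed so the block runs offline.

```python
import socket
import time

def probe_families(host, port=443, timeout=5.0, resolve=socket.getaddrinfo, connect=None):
    """Time one TCP connect per resolved address; returns (family, ip, seconds, error)."""
    connect = connect or tcp_connect
    results = []
    for family, _t, _p, _c, sockaddr in resolve(host, port, type=socket.SOCK_STREAM):
        if family not in (socket.AF_INET, socket.AF_INET6):
            continue
        name = "IPv6" if family == socket.AF_INET6 else "IPv4"
        start = time.monotonic()
        try:
            connect(family, sockaddr, timeout)
            error = None
        except OSError as exc:  # timeout, unreachable network, refused, ...
            error = str(exc) or type(exc).__name__
        results.append((name, sockaddr[0], time.monotonic() - start, error))
    return results

def tcp_connect(family, sockaddr, timeout):
    """Real connector: open and close a single TCP connection."""
    with socket.socket(family, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(sockaddr)

def diagnose(results):
    """'ipv6-fallback' when every IPv6 attempt failed but IPv4 connected."""
    v6 = [r for r in results if r[0] == "IPv6"]
    v4 = [r for r in results if r[0] == "IPv4"]
    v4_ok = any(r[3] is None for r in v4)
    if v6 and v4_ok and all(r[3] is not None for r in v6):
        return "ipv6-fallback"
    if v4 and not v4_ok:
        return "ipv4-failing"
    return "no-family-difference"  # e.g. IPv4-only site: IPv6 is not the cause

# Constructed sample: a dual-stack site seen from a network with no IPv6 route.
def sample_resolve(host, port, type=0):
    if host == "v4only.example.test":
        return [(socket.AF_INET, type, 6, "", ("192.0.2.20", port))]
    return [(socket.AF_INET6, type, 6, "", ("2001:db8::10", port, 0, 0)),
            (socket.AF_INET, type, 6, "", ("192.0.2.10", port))]

def sample_connect(family, sockaddr, timeout):
    if family == socket.AF_INET6:
        raise OSError("Network is unreachable")

if __name__ == "__main__":
    for h in ("dual.example.test", "v4only.example.test"):
        r = probe_families(h, resolve=sample_resolve, connect=sample_connect)
        print(h, diagnose(r), r)
```

Calling `probe_families("some.host")` without the `resolve` and `connect` arguments uses the real resolver and real sockets, so it can be run from a client on the affected VLAN and again from the LAN to compare.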
Update for the ones interested, well, I have done more testing and although I had "authorized" or whitelisted the IP address for the sites in pfblockerNG, it seems that it was the issue. I de-activated pfblockerNG and tried accessing these sites and quick as lightning now!
I will have to dig a bit into the config to see where it "hangs" ...
- UPDATE *
I did more tests today and I don't understand why pfblocker NG causes the issue on my VLAN but not my LAN since both networks are assigned to the same interface and screened by the same rules under pfblockerNG... The IP was whitelisted therefore it should not be an issue in my opinion...
@BBcan177 Maybe you can shed some light on my issue if you have time, I would appreciate that. :)
Thanks in advance!
- UPDATE *