pfSense becomes sluggish at times
I have been using pfSense for 4 weeks. I have two OpenVPN clients set up for NordVPN (with load-balancing) and all traffic is routed through that. All works well except that at times the whole pfSense slows down. This is especially in the evenings for a window of 2-3 hrs every day. At this time webpages don't open or open only after a refresh. During this time even the pfSense web-interface takes considerably long to load.
I am using Unbound in the forwarder mode with Google DNS. Also pfBlockerNG is active with the default block-lists.
This is very similar to the issue reported here https://forum.netgate.com/topic/125872/newbie-unbound-sometimes-is-really-slow-up-to-20sec. The thread however does not mention any solution.
Here are the steps I have taken so far to troubleshoot.
- Make sure it is not a hardware problem, CPU is not overloaded and the temperature is always in the operating limits. The hardware I use is here with Intel I210 NICs
- Make sure there is no additional LAN traffic in the time-span the problem occurs
- No packet Errors/Collisions on the WAN and LAN interfaces
- Switch VPN servers which are used for load-balancing
- Switch VPN service providers (tried 3 until now within the 30 days eval period)
- Turn pfBlockerNG off
- Try different public DNS servers and the ones from the VPN provider
- Do speedtests on WAN and VPN - WAN always shows good speed, VPN too always shows good speed except that when the problem happens, speedtest.net takes a longer time to open the page and find a test server. Speedtest CLI times out during this time with an error, but again random
- Do packet loss tests - No packet loss on WAN, VPN shows in the range of 2% to 10% (randomly) when the problem happens.
- There is nothing unusual in any Logs (System, DHCP, Unbound, OpenVPN). Also I did not see any repeated restart of Unbound.
- Adjusting MTU. mtu-tun 1500; mssfix ranging from 1300 to 1450; Ping test with no-fragment returns values ranging from 1400 (VPN DNS) to 1472 (google.com).
I have been trying to troubleshoot this in different ways, but nothing has worked so far :( Does anyone have a hint where I could potentially look?
Gertjan:
> for a window of 2-3 hrs every day.
Your checklist is quite complete.
Even the smallest pfSense-capable devices like these can crank out several tens of megabits per second, nearly always limited by what happens upstream.
The solution is easy: don't use VPN suppliers during that observed window.
Remember: they all work with the "best effort" methods. And it seems that legal video streaming services ran out of 'not seen' content so the less legal providers are even more used. Which explains the massive "VPN" usage and its consequences.