Netgate Discussion Forum
    performance impact of clicking "apply changes"

    General pfSense Questions
    9 Posts 3 Posters 1.0k Views
    • binary_bandit

      Hi All,

      Can anyone give me feedback on how much packet loss I should expect when clicking "apply changes" after modifying an alias of a firewall rule?

      If I'm pinging a host from outside of the LAN about 50% of the packets drop for about 10 seconds. This is confirmed by dropped VoIP calls as well as screen sharing sessions.

      As a workaround I've set all firewall changes to occur after hours.

      Should this be expected though? When changes are applied is it normal that data flow is interrupted?

      thanks,

      James

      • JKnott @binary_bandit

        @binary_bandit said in performance impact of clicking "apply changes":

        As a workaround I've set all firewall changes to occur after hours.

        That should always be the norm. You don't make changes when the network is busy.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

        • binary_bandit

          Thanks @JKnott. Good change management is critical, agreed.

          Can anyone share their experience with the technical impact of clicking the "apply changes" button?

          I have a feeling that the 10 seconds of packet loss are normal but would like confirmation.

          • SteveITS

            Are you on 2.4.5? https://redmine.pfsense.org/issues/10414

            Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
            When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
            Upvote 👍 helpful posts!

            • binary_bandit

              @teamits, you are the man!

              That bug describes much of what we're seeing.

              I've been combing our logs and cleaning up a few things that are showing up but I'm 99% sure that what we are seeing is related to this bug.

              We're running on Proxmox, using 2.4.5, PFBlocker and blocking bogons .... we check all the boxes described in the bug. Oh, and when I upgraded the firewall it took 15+ minutes for the first boot followed by what felt like another 15 min for the CPU utilization drop and the firewall to process packets.

              I'm considering the workarounds now.

              best,

              James

              • binary_bandit

                update:

                Yesterday evening I shut the firewall down, dropped the CPUs from 6 to 1 and rebooted it.

                It was noticeable how much faster it booted. Before this there were two points in the boot where the firewall paused when loading firewall rules ... I'd have to watch a boot again to identify the exact message .... regardless, this did not occur with only 1 CPU assigned to the VM.

                I'll report back in a week if we're in the clear or sooner if the issue that we were seeing repeats itself. Assuming that I have reason to change a firewall rule again, I'll test the packet loss as well.

                • binary_bandit

                  We're up and running with zero issues. Dropping to 1 CPU has definitely solved our problems.

                  I've done some testing for packet loss when applying firewall rules. This has been eliminated as well.

                  @teamits, it looks like the issue is marked as resolved in the link that you posted:
                  https://redmine.pfsense.org/issues/10414

                  What does the process to move this to an update for 2.4.5 look like? I imagine that I can download and apply the fix without waiting (I see a link in the issue) but I'd like to know when it will show up in our firewall's software update status.

                  Thank you again for posting that link.

                  • SteveITS @binary_bandit
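To put a number on the outage the posters above measure by pinging through the firewall while clicking "Apply Changes", here is an added Python helper (not code from the thread or from pfSense) that parses saved `ping` output, treats missing icmp_seq numbers as lost probes, and reports overall loss plus the longest consecutive gap in seconds. The sample ping lines and the 203.0.113.10 address are constructed for the example.

```python
import re

# Constructed sample of `ping` output (not captured from the poster's network):
# seq 1-4 are answered, 5-9 go missing while the ruleset reloads, 10-12 answer
# again. With ping's default 1 s interval that is a ~5 s outage.
SAMPLE_PING = """\
64 bytes from 203.0.113.10: icmp_seq=1 ttl=57 time=12.1 ms
64 bytes from 203.0.113.10: icmp_seq=2 ttl=57 time=11.9 ms
64 bytes from 203.0.113.10: icmp_seq=3 ttl=57 time=12.4 ms
64 bytes from 203.0.113.10: icmp_seq=4 ttl=57 time=12.0 ms
64 bytes from 203.0.113.10: icmp_seq=10 ttl=57 time=13.2 ms
64 bytes from 203.0.113.10: icmp_seq=11 ttl=57 time=12.2 ms
64 bytes from 203.0.113.10: icmp_seq=12 ttl=57 time=12.0 ms
"""

SEQ_RE = re.compile(r"icmp_seq=(\d+)")


def parse_seqs(text):
    """Return the icmp_seq values that received a reply, in the order printed."""
    return [int(m.group(1)) for m in SEQ_RE.finditer(text)]


def loss_report(text, interval=1.0):
    """Summarise loss between the first and last reply seen.

    `interval` is the ping interval in seconds (ping's default is 1 s); it turns
    the longest run of unanswered probes into a duration comparable to the
    ~10 s the original poster saw after clicking Apply Changes.
    """
    seqs = parse_seqs(text)
    if not seqs:
        return {"sent": 0, "lost": 0, "loss_pct": 0.0, "outages": [], "longest_outage_s": 0.0}
    sent = seqs[-1] - seqs[0] + 1            # probes spanned by the replies we saw
    outages = []                             # (first missing seq, number missing)
    for prev, cur in zip(seqs, seqs[1:]):
        if cur - prev > 1:
            outages.append((prev + 1, cur - prev - 1))
    lost = sum(n for _, n in outages)
    longest = max((n for _, n in outages), default=0)
    return {
        "sent": sent,
        "lost": lost,
        "loss_pct": round(100.0 * lost / sent, 1),
        "outages": outages,
        "longest_outage_s": longest * interval,
    }


if __name__ == "__main__":
    # Usage: `ping -c 60 <host> | tee apply.txt`, click Apply Changes mid-run,
    # then `python3 this_script.py < apply.txt`. Falls back to the sample.
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PING
    print(loss_report(data))
```

Run one capture before the change (baseline) and one across the click so the gap attributable to the ruleset reload is not confused with ordinary WAN loss.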

                    @binary_bandit said in performance impact of clicking "apply changes":

                    What does the process to move this to an update for 2.4.5 look like

                    Don't know. I would think if it was easy Netgate would have a 2.4.5-p1 out pretty quickly once FreeBSD was updated, at which point it would show on your dashboard. Otherwise I suppose you'd have to figure out what needs to be compiled/updated for the FreeBSD used by 2.4.5.

                    The other workaround discussed here in various posts is to reduce the number of entries used, e.g. turn off the bogons block for IPv6 and potentially pfBlockerNG if that's in use.

                    • binary_bandit

                      Got it. I have no issues waiting for p1 to appear; I'm just trying to look at this as a learning opportunity.

                      Thanks for all your help @teamits.

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.