Pfsense performance

bigbird007

Hi all

I have noticed that every time when I hit my data cap ( Monthly Limit is 500GB ) navigating though the pfsense GUI becomes really slow.
An example is logging into pfsense and navigating to DHCP services or Snort or any other service, setting or configuration in pfsense.

This is not to be confused with the internet being slow ( which of course it would be ).

This seems really strange to me as i do understand why this would happen.
It should not matter if i have reached my data allowance or not when navigating through the GUI.
The speed should be snappy not slow as a snail.

Is there a reason so why this is happening , has anyone experience this before?

Edit:
I have also turned of the modem and tested to see if the GUI is slow and it seems to be fine

Packages I have installed are as follows:
Snort
FreeRADIUS 3
pfBlockerNG-devel
Service Watchdog
openvpn client export

Running on Intel Atom S1260 @ 2.00GHz
8GB memory
AES-NI Crypto is not support

netblues

@bigbird007 Please elaborate on what you mean by data cap.

bigbird007

@netblues I am on a 500GB monthly plan

Gertjan

@bigbird007 said in Pfsense performance:

Is there a reason so why this is happening , has anyone experience this before?

Most probably related to : when the WAN connection is down, or very slow, DNS requests are also slow. Actually, everything that has "things to to out side of your network" is slow.
Visiting the GUI does visit out side resources : like package update checks, pfSense update checks and other regular updates.
Some of these issues have been addressed. Some might somewhat persist.
There are even some bug report (resolved ?) about this issue.

edit : https://redmine.pfsense.org/issues/8987 - so 2.4.5-p1 look promesing.

So :
@bigbird007 said in Pfsense performance:

It should not matter if i have reached my data allowance or not when navigating through the GUI.

True.
If the main desktop page is loaded purely static info, it would.
There is an option to disable update checks .... but think twice before you se it : you will not get signaled anymore that ther is an update, you would have to check yourself.

I guess you see it coming :
Only admin your pfSense when you have "data" left.
Or : stop admining when data becomes low.
Take more data ?

bigbird007

Thanks Gertjan for you response quite helpful.
I have just increased my data plan :)
Because my wife and I have been working from home we have only noticed it now as its never been an issue before.

Hopefully this can be addressed in 2.4.5-p1

bmeeks

@bigbird007:

I see where you stated you had Snort installed along with Service Watchdog. Note that Snort is NOT compatible with the Service Watchdog package! If you have Service Watchdog monitoring Snort, you should immediately disable that monitoring.

Service Watchdog does not understand the inner workings of the Snort package nor does it monitor the correct parameters to see if Snort is running, thus it will foolishly attempt to restart Snort while, for example, Snort is updating rules and attempting a restart of its own. This dual restart attempt can lead to multiple Snort processes running on the same interface.

Just an FYI to be sure you are aware that Snort and Service Watchdog are not compatible, and the Snort processes should NOT be monitored using Service Watchdog.

bigbird007

@bmeeks I use Service Watchdog for FreeRADIUS as i have noticed that when my IP address changes and Dynamic DNS updates the IP address FreeRADIUS will shop running.

I have not worked out why this is the case

bmeeks

@bigbird007 said in Pfsense performance:

@bmeeks I use Service Watchdog for FreeRADIUS as i have noticed that when my IP address changes and Dynamic DNS updates the IP address FreeRADIUS will shop running.

I have not worked out why this is the case

No problem then. Only with the Snort and Suricata packages does Service Watchdog cause an issue. FreeRADIUS should be fine.

And to be specific in case others see this thread in the future, I mean Service Watchdog specifically configured to monitor Snort or Suricata causes an issue with just those packages. So long as Service Watchdog is not configured to monitor Snort or Suricata, it can be installed and monitor any other compatible packages without a problem.

Gertjan

@bigbird007 said in Pfsense performance:

i have noticed that when my IP address changes and Dynamic DNS updates the IP address FreeRADIUS will shop running.
I have not worked out why this is the case

Most packages are restarted when an IP on an interface changes. Because these changes are only picked up by the package, or actually, the services (daemons) that the package proposes.
The FreeRadius package has such a daemon. It's perfectly fine that it restarts ones in a while during an interface change.

There is no need at all have it monitored by Service Watchdog : if FreeRadius really fails, you have to find and resolve the reason. Simply have it restarted will amply the problem.
I never installed the monitored using Service Watchdog, and use the FreeRadius package for years now.

bigbird007

@Gertjan I will disable the watchdog service and wait for it to fail, see if I can work it out

bmeeks

@Gertjan is correct that when configured to automatically restart a package, Service Watchdog masks potentially severe underlying problems (such as why is the package failing?). Better to monitor a service's state and maybe send out email notifications if the monitored service stops for more than a specified period of time.

I have never used Service Watchdog personally, so I don't know if it is capable of "just monitoring and alerting". If so, that would be the preferred use in my opinion.

Gertjan

@bigbird007 said in Pfsense performance:

wait for it to fail, see if I can work it out

Finding the issue is actually easy with the FreeRadius package - process.

First : stop the FreeRaduisx instance in the GUI, if it is running.
Then, use the console or better SSH access, and enter god-mode : option 8.

Type the magic command :

radiusd -X

A boatload of log line scroll over your screen.
After an initial startup phase, thing will calm down on your screen.
You can leave this screen open, and have break, day of, some sort of delay.
When the process dies, one of the last lines will probably printed in red. That is your issue.
The question was : what is the issue.
The answer will be : read the red line.