New, noob, just up and running and a little hiccup?
-
pfSense is brand new to me although I've been wanting to give it a shot for a while. Also not in my favor that networking in general is not my area of strength.
Anyway, managed to get up and running just a couple of days ago and have noticed behavior that doesn't seem ideal and I'm not even sure how to start tracking down the likely problem. Searched and read through several threads but honestly didn't want to just start taking shots in the dark trying "fixes" that may have nothing to do with my situation.
Background - on Comcast cable, have an 8 port PoE switch BV-tech sw800g, and for now single Ruckus R710 AP in unleashed mode. Latest stable release of pfSense successfully installed on a HCiPC machine using dual core Celeron 1037U, 4GB ram, 64GB SSD, 8x Intel 82583V NICs and 2x SFP.
Put the Xfinity Arris router into bridge mode and managed to get initial pfSense configured well enough to have all devices in the house back online. It's pretty much bone stock at the moment. I'm using the default "any" routing rule.
The problem is that I'm seeing what looks like very brief losses of internet connectivity that I was not seeing before. Most apparent in general browsing when a page won't load for 5 seconds or so, especially noticeable when going back to a previous page that was loaded just a minute or so ago. For example reading a forum like this and backing out from a thread to subforum, I may get a pause for several seconds or even sometimes an error that page wouldn't load. Multiple phone/tablet devices are seeing this behavior.
All TV's in house are using Roku boxes to access Xfinity app and stream, connected via wireless to the Ruckus. In 2 days I've only noticed one brief buffering type pause which is about typical. Netflix and YouTube on mobile devices seem to work without issue. It's just web page loads that we are consistently seeing this issue that wasn't there before.
So, how do I begin tracking down this issue? All hardware and cables are identical to before. The Xfinity router is now in bridge mode, so that has changed. The pfSense box isn't top spec hardware by any means but from my reading should be more than capable of handling my meager needs especially with no VPN or intrusion detection or other more advanced packages running yet. What would I start looking for in logs to see if this is just coincidental drops on Comcast side, or something on my side?
-
@rhosch I would suspect ipv6 issues. This behavior sounds like browser ip stack change.
Consider disabling ipv6 temporarily and see if this fixes the issue.
The other one is dns issues
Give this a try https://www.grc.com/dns/benchmark.htm
-
@rhosch said in New, noob, just up and running and a little hiccup?:
Put the Xfinity Arris router into bridge mode and managed to get initial pfSense configured
Put the "Xfinity" thing back in the original state - you wind up having the same network as before.
At that moment, you can hook up pfSense with 100 % original settings - into your original network, and it will behave like any other device (PC, AP, Phone, TV, etc.): it will take an IP using DHCP on its 'WAN' interface, and give you a new sub-LAN.
The only thing that has to be checked - and modified, if needed, is that if your original LAN network is 192.168.1.0/24, you should change the pfSense LAN network to 192.168.2.0/24 or 10.0.0.0/24 (adapt its DHCP server on LAN accordingly).
Now, when you take a PC out of your original "Xfinity Arris router" LAN, and hook it up to the "pfSense" LAN, you have a router-after-router setup. It should be 100 % operational **. Any delays or issues at this point should probably be located at "pfSense" level.
** That is, Windows network neighbourhood functionality won't work, because devices are not on the same network any more, but you should be able to connect to these "Xfinity Arris router" LAN devices using their IP.
Right now, without any info, issues might be:
DHCP lease storm from some LAN device => new leases come in fast, and the Resolver gets restarted with the same frequency: this can be checked by looking at the logs.
I tend to exclude other DNS issues, as, when looking at this forum, all host names are resolved and known.
MTU issues?
-
Thanks. I've set ipv6 on the wan interface to none. I think (!) from perusing info here that should be all that's needed to block that?
I will download the DNS performance check sometime tomorrow and see how that looks.
-
Thanks. I can certainly give that a try if the above has no effect. I believe the default lan on the Xfinity router is 10.0.0.1 so should be fine, I'd need to check that though.
-
@rhosch There is also a check box in system/advanced/networking.
Also check pfsense logs for anything strange, like dhcp etc.
Consider running a constant ping from command line to your isp while playing with the browsers.
It will give you an indication of any transient network issues.
Also in system, monitoring check quality/packet loss on the wan with resolution of 1 minute for the last 8 hours, for any issues.
-
@netblues said in New, noob, just up and running and a little hiccup?:
Give this a try https://www.grc.com/dns/benchmark.htm
pfSense, default, uses none of these - or just a subset : the main 13 Internet root servers. Then it talks to the fastest TLS servers, to find the domains name server(s), to retrieve an A or AAAA. Clean, lean, simple.
When setting up pfSense, no need (I insist !) to change any DNS settings. The default settings are just perfect.
-
@Gertjan I agree.. However, testing for dns speed will uncover any network issues.
And certainly, the solution is not to use forwarders.
-
@netblues said in New, noob, just up and running and a little hiccup?:
Consider disabling ipv6 temporarily and see if this fixes the issue.
Why would that have any effect? Why are so many people so quick to blame IPv6?
-
@rhosch said in New, noob, just up and running and a little hiccup?:
The problem is that I'm seeing what looks like very brief losses of internet connectivity that I was not seeing before.
Is there any pattern to the failures? Certain sites etc.? Certain times? It could also be an intermittent hardware problem. Several years ago, I had a problem with intermittent failures. It turned out to be a bad cable where it came in from the street to my building. Can you do some testing that might indicate what's happening? For example, in my case, I wrote a short script that would ping my ISPs router at interval and record the failures. Also, did the problem start with pfSense? I've been using pfSense for over 4 years and find it's solid.
-
@JKnott Because ipv6 receives less attention from isp's and occasionally problems manifest by this exact behavior that the browser first tries ipv6, fails (miserably) and then tries v4.
It's very common, unfortunately.
-
@netblues said in New, noob, just up and running and a little hiccup?:
(miserably)
is my Internet experience when I tried these futuristic LAN firewall rules :
But take note : I posted this using these rules ;)
-
My initial thought was unbound restarting too frequently. I would think streaming video would have more trouble if it were an issue with the connection to ISP. That doesn't sound to be the case. Although it could be cables. DNS troubles would cause pages to load slowly or not at all. I had this exact issue with unbound when DHCP registration was checked. Check the DNS logs to see if unbound is rebooting frequently.
-
@Raffi_ said in New, noob, just up and running and a little hiccup?:
I would think streaming video would have more trouble if it were an issue with the connection to ISP.
These services/devices tend to buffer (a lot) so hiccups pass by unseen.
Internet isn't and wasn't built for real time "info" delivery. It's more a system that ensures info gets over. The 'when' part is not defined.
-
@Gertjan said in New, noob, just up and running and a little hiccup?:
@Raffi_ said in New, noob, just up and running and a little hiccup?:
I would think streaming video would have more trouble if it were an issue with the connection to ISP.
These services/devices tend to buffer (a lot) so hiccups pass by unseen.
Internet isn't and wasn't built for real time "info" delivery. It's more a system that ensures info gets over. The 'when' part is not defined.
Good point. I like to blame unbound for everything :)
-
Wow, guys, thanks for all the responses. I will be back home this evening and will try and take a look at some of the things suggested. This is all new so staring uphill at the learning curve. Even something like "check the logs for..." is going to be slow and painful but I need to get there. :)
-
@rhosch said in New, noob, just up and running and a little hiccup?:
This is all new
Start with this though : it's just another router / firewall.
Because it has so many features it doesn't mean you have to "do something" on every possible set up page.
I'm using pfSense for a decade or so, and I even didn't visit all the possibilities, because I didn't have to.
When you "un shrink wrap the box", very few settings are needed to make pfSense work for you.
Changing the admin's password is one of them ^^
Use something when you need it. And understand it.
Wanna learn? We all have 'modern' PCs with capable OSes: launch a VM (or some old PC hanging around doing nothing - add a 5 $ NIC card and you're good), throw pfSense into it, and toy around.
@rhosch said in New, noob, just up and running and a little hiccup?:
so staring uphill at the learning curve
Lucky you.
Most of us started down hill .... with that heavy learning curve.
And no GUI, just this one:
[Some-RELEASE][mebeingnobody@my-device.tld - What do you want / ] help
help: Command not found.
You'll make it work for you, I'm sure.
-
I have had 1 IPv6 problem with my ISP and it was solid. On the other hand, an IPv4 problem I had several years ago was intermittent. When trying to solve problems it helps to provide some useful info, such as pinging, as I did. Does it affect both protocols, etc.? A little investigation goes a long way, instead of jumping to conclusions.
Incidentally, my ISPs wireless network is IPv6 only. It uses 464XLAT for IPv4 sites. On the cable side, IPTV uses IPv6 exclusively, so you can be certain problems will be noticed quickly. They've been providing native IPv6 on cable for over 4 years and via tunnel for a few years more. They've had it on the cell network for several years as well. Other than address size, the main differences between IPv6 and IPv4 are things like relying a lot more on ICMP and multicasts. The basic concepts, such as routing, work more or less the same.
-
@JKnott Yes, but this is not the case everywhere. I have a ticket open affecting large portions of vodafone ipv6 network for two weeks now, without any resolution.
I'm not against ipv6, I even see that it can do many things better.
But wherever it is used in parallel with ipv4, it is very often to have issues, that are not addressed at the same speed as ipv4 issues do.
So when we get down to troubleshooting, simplification is a good approach.
I hope to be alive to see the day when we will say disable ipv4 and see if it works better now.
(without xlats...)
-
Incidentally, when I had that IPv6 issue, the big problem was getting the network techs to even work on it, not because it was IPv6, but because I was using my own router (pfSense). A senior tech, who came to my home verified the problem was with their network and proved the problem was with the CMTS, when he tried 4 different ones at the head end and only the one I was connected to failed. I had previously identified that CMTS by host name, by using Wireshark to examine DHCPv6-PD, as pfSense booted.
-
@JKnott Indeed. When they see third party equipment, it's always not their fault.
And it gets worse, as they move voice to voip, on their little crappy cpe's
Reverse engineer the config, get hold of sip passwords, spoof mac addresses, and after a few months, if something breaks, hell breaks loose.
-
@netblues
Actually, my VoIP has been excellent, except when I had that intermittent problem. Even then I had to go far beyond what any customer should have to, to get the problem resolved. When the first tech showed up, he insisted the cable between my living room, where the cable comes in and my "office" was bad, even though it was installed by them. He couldn't explain why it would have gone bad, when the cable from the utility room wasn't, even though it was older. Since I have two cables coming in, I was able to move things around to show the problem was not in my home. Eventually, they determined it was the cable out next to the street, where it came into my building. This was where I used the script to record the failures. What made the problem more "fun" was that it affected my Internet and phone, but not TV. I have decades of experience in telecom, computers and networks, so I have the background to work through these sorts of problems. I've even done some work for that company, among others. The average customer wouldn't have a hope.
-
Two days in a row getting home late, not enough time to try much.
I did want to report back though, since disabling ipv6 in WAN and system/networking, we haven't noticed any of the issues with pages not loading etc.
As for patterns, the wife and I seem to do the same habitual few things most days. I noticed issues with pages loading on several different discussion forums, and she noticed pauses in loading images and feeds on social media like Facebook and Instagram.
Hoping to check into this more, get familiar with the logs, so when I turn ipv6 back on I can try to spot any errors.
-
OK, haven't seen any odd issues browsing the web since disabling IPv6.
I just ran the DNS lookup benchmark, first with IPv4 only (on top) then again after enabling IPv6.
I will leave IPv6 enabled for a while and see if problems return. If they do then maybe that will have helped limit the possibilities.
-
Yeah, already this morning I've had it sit for a minute or so trying to load a page while navigating through a website. If I refresh or go back to previous page when this happens it loads instantly. But if I do nothing it just sits and waits for a while.
I took a peek at the system logs but didn't see an obvious error with this timestamp on it. But there are so many logs and such... any pointers on where to look to start narrowing down what might be going on?
-
@rhosch Please elaborate, what did you notice? with what stack? Is this on a desktop/laptop ?
Under windows? What browser?
-
So far have noticed the issue most readily on mobile devices including Android Samsung Galaxy s8 chrome browser and iPhone X safari browser as well as Facebook and Instagram apps. Have spent very little time on desktop computers since getting pfSense up and running.
The issue seems to manifest as a delay in page loading while browsing the web or social media, either incomplete loading where some images either won't load or take a long time to load, or complete failure where a web page just won't load until back navigation or page refresh.
We use Roku ultimate boxes to stream Xfinity app for TV and have seen just a couple of short buffering pauses when ipv6 was enabled, but those have happened occasionally before pfSense was in the chain so hard to know if those are related or not.
-
@rhosch It's difficult to pinpoint due to the nature of this (if it is v6 related that is)
Browsers first try to connect via ipv6. This means the browser will request the AAAA address of whatever site you are visiting.
If it receives a valid dns reply, it will try connecting to this address.
If it gets nothing, it will repeat the dns request, now looking for an A record and then try to connect via ipv6.
In practice this means that there are two networks, and the browser tries to use ipv6 and then falls back to ipv4.
The thing is that if there are ipv6 routing issues, this will only manifest when trying to connect to a specific site.
Nothing would be logged on pf, obviously.
You could use a browser that can disable ipv6 (i.e. firefox) and use it in parallel with your ipv6 enabled browser. If it doesn't happen on ff but happens on the rest, then you've found the culprit, and there is nothing you can do to fix it.
-
I saw some options in pfSense about forcing ipv4 preferentially or enabling tunnels but not going to start monkeying around until I learn more.
We are moving in a couple of weeks, going from Xfinity cable to c-spire fiber. Not sure if the problem is ISP related but I will probably just sit tight and see what I have after the move. Maybe there won't be a problem to worry about there.
-
I suspect that this setting affects pfsense per se, since there is no straightforward means to do this for others, without reverting to doing tricks like denying aaaa replies or cutting access altogether. Again, this is something I only speculate.
It's impossible to draw any conclusions just by swapping isp's.
You could also checkout status monitoring, and have a look at quality graphs, that can catch previous outages for last hours with 1 minute resolution.
The thing is that if your problem is somewhere upstream, it won't show there.
But it will tell if you are experiencing local intermittent connection issues
-
@netblues said in New, noob, just up and running and a little hiccup?:
Browsers first try to connect via ipv6.
If they - the devices on a LAN - have an IPv6 that can route to the outside, and they have an IPv6 gateway.
A solution might be : set IPv6 to None on the pfSense LAN interface setting. Devices on LAN can still communicate among each other using IPv6 using auto assigned IPv6 addresses - the fe80.... ones - but will not use IPv6 to visit "the world".
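-
The IPv6-first connection attempts and IPv4 fallback discussed in this thread can be checked per site from any LAN machine. The script below is an added example, not code posted by any participant: it resolves and times a TCP connect over each address family separately, and the host name in the demo call is a placeholder.

```python
import socket
import time

def probe(host, port, family, timeout=3.0):
    """Resolve host for one address family and time a TCP connect.

    Returns (status, seconds, address); status is "ok", "no-address"
    (nothing resolved for that family) or "connect-failed".
    """
    start = time.monotonic()
    try:
        infos = socket.getaddrinfo(host, port, family, socket.SOCK_STREAM)
    except socket.gaierror:
        return ("no-address", time.monotonic() - start, None)
    addr = infos[0][4]  # first sockaddr the resolver returned
    try:
        with socket.socket(family, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            sock.connect(addr)
        status = "ok"
    except OSError:  # timeout, refused, no route, or no IPv6 on this host
        status = "connect-failed"
    return (status, time.monotonic() - start, addr[0])

def diagnose(v6, v4):
    """Turn the two probe results into a one-line verdict."""
    s6, s4 = v6[0], v4[0]
    if s6 == "ok" and s4 == "ok":
        return "dual-stack ok"
    if s4 == "ok" and s6 == "connect-failed":
        return "IPv6 path broken, client must fall back to IPv4"
    if s4 == "ok" and s6 == "no-address":
        return "site is IPv4 only"
    if s6 == "ok":
        return "IPv4 path broken"
    return "both failing (DNS or general connectivity)"

def check(host, port=443, timeout=3.0):
    """Probe one site over IPv6 and IPv4 and return a timestamped record."""
    v6 = probe(host, port, socket.AF_INET6, timeout)
    v4 = probe(host, port, socket.AF_INET, timeout)
    return {"time": time.strftime("%H:%M:%S"), "host": host,
            "v6": v6, "v4": v4, "verdict": diagnose(v6, v4)}

if __name__ == "__main__":
    # Placeholder host; replace with the sites that stall in the browser.
    for name in ["example.com"]:
        r = check(name)
        print(r["time"], r["host"], r["verdict"],
              "v6=%s %.2fs" % r["v6"][:2], "v4=%s %.2fs" % r["v4"][:2])
```

Run against the sites that stall, a slow or failed IPv6 connect next to a fast IPv4 connect is the pattern the posts above describe.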