Speed? Is there anything in PFSense that would rate-limit SSH NAT?
-
I have a gigabit Internet connection, regularly getting 850 Mbit/s or more up and down using speedtest.net to a nearby server, and getting 700 Mbit/s or more on servers 1000 miles away.
My modem, which is brand new from ATT, has all the wifi turned off, coax turned off and the "Allow all applications (DMZplus mode)" option selected, sending all traffic to my Netgate device running the latest PFSense, with no other devices plugged into it. Also, IPv6 is disabled.
I have a NAT Port Forward set to forward SSH from 55222 to port 22 on a machine.
I'm using my phone as a hotspot, where I should be getting 2 MBytes/sec transfers or faster.
When I test with SFTP, using a chrooted jail and sftp in read-only mode, I'm getting <5 KByte/sec and after less than 1 minute the connection stalls out and terminates. I also tested with rsync over ssh, to another account that is not chroot-jailed, and it hangs on a 250 KB file, eventually transferring at <1 KB/sec and then breaking the connection because it's reset by either the modem, the Netgate device or the server running sshd (my desktop).
Is there anything that would be rate-limiting me in PFSense? I've checked my sshd_config file and see nothing relevant. This modem, which is box-fresh, allows very fast traffic through it when I'm doing things from the inside => outside.
I spoke to ATT and they said nothing should be inhibiting my speeds, and since the modem is purely "passthrough" it shouldn't be doing much, if anything, especially since everything that I can turn off is off.
What am I missing? I had this working fine in early 2019 with the same setup, except that the PFSense version is newer now and it was another modem of the same model.
Thank you.
-
Try to sftp from/to pfSense either from Linux, or using FileZilla on a Windows PC, on 22 and record the speed.
SFTP has speed limits, being single-threaded, but it's on the megabits scale, so it's irrelevant.
Do the same to your server locally and report the speed.
-
I disabled the NAT rule and opened up SSH to the Netgate device running PFSense. The SFTP speeds are the same as before; super slow into "stalled" and then the connection drops.
The ATT modem is still in "Allow all applications (DMZplus mode)" mode and my Netgate device's WAN has my IP Address from ATT.
-
@profse More or less expected. Port forward doesn't rate limit.
And setting up rate limits takes some effort and can't be done by mistake.
How about sftp speeds inside your LAN? (e.g. between pf and your server?)
-
Inside my own LAN, I get ~60 MByte/sec.
I just removed the ATT Modem's DMZ from the Netgate device.
I plugged an old laptop with SSH Server into the ATT Modem.
The ATT modem just port forwards 22 from itself to the laptop, standard blocking on all else.
I sftp'ed to my public IP over a hotspot and I'm getting 2 MByte/sec+.
-
@profse So when adding pfSense, with its WAN on the same WAN network, are you also able to get the same 2 MByte from inside the LAN?
(I guess 2 MByte is the max the laptop can do..)
-
I'm using my cellphone as a hotspot to have a machine outside of my network; that's why I'm getting only 2 MB/sec. I don't get that many bars in the house.
I just tried forwarding only SSH to the Netgate device and I'm getting 2 MB/sec on the hotspot.
So the only combination that doesn't work is:
Setting the modem as a passthrough so all traffic goes to the Netgate device, then SFTP speeds are terrible and stall out.
This is what the modem reads for the setting to forward all the traffic:
Allow all applications (DMZplus mode) - Set the selected computer in DMZplus mode. All inbound traffic, except traffic which has been specifically assigned to another computer using the "Allow individual applications" feature, will automatically be directed to this computer. The DMZplus-enabled computer is less secure because all unassigned firewall ports are opened for that computer.
Note: On LAN devices which have a Private IP address, once DMZplus mode is selected and you click save, the system will issue a new IP address to the selected computer. The computer must be set to DHCP mode to receive the new IP address from the system, and you must reboot the computer. If you are changing DMZplus mode from one computer to another computer, you must reboot both computers.
-
I set up DMZplus mode to my laptop. If I SFTP to the laptop, the speeds are atrocious, just like to the Netgate device. It must be the modem.