WebGUI slow on IPv6 on WAN

kalledk

Hi

I got an APU2D4 with pfSense my ISP gives me a single public ipv4 via dhcp, an ipv6 address via dhcp, and a /48 ipv6 net delegated, all this on vlan 101 on the wan interface.

If I connect to the gui from LAN on the ipv4 / ipv6, then all is fine. If I connect to the gui from the wan side, then the ipv4 is fine, but the ipv6 is really slow. If I connect from outside to one of the ipv6 delegated ip's that is on a server, then no problem , so routing the ipv6 is no problem. Connecting to the ipv6 adresse from inside is no problem, only from outside. Connecting to ssh via ipv6 from outside is no problem, only the webgui. And again if i tried to use the ipv4 from outside, no problem... So its only the combination of Outside + webgui + ipv6 that seems to trigger it. Problem is both on https and http.

What the problems seems to boil down to is... If you are on the outside, and connect to the webGui on any ipv6 adresses, then the webpage is slow.

I did a packetcapture on the pfsense, and what I saw was that every requests (tcp) that my browser did, would only get a response upto a second later. So the delay is not in retransmit, but simply in waiting for something internally to response to the requests

Seconds
0.0 REQ ->
1.0 RESP <-
1.1 REQ ->
1.9 RESP <-
2.0 REQ ->
3.2 RESP <-

Gertjan

Hi,

Check if the DNS works as well for IPv4 as for IPv6.
falling back from IPv6 to IPv4 because the latter isn't working will introduce delays.
Btw : I admit I'm not sure if it is a DNS issue.

Also : accessing the web GUI from WAN ? That's, normally, a non-issue as you shouldn't even do that ;)
Use a VPN if you have to access the WebGUI from the outside.

kalledk

Hi

Pretty sure it's not dns, as that problem should be the same when I try it from the inside.

From test-ipv6.com
---|----
Test with IPv4 DNS record | ok (0.130s) using ipv4
Test with IPv6 DNS record | ok (0.108s) using ipv6
Test with Dual Stack DNS record | ok (0.106s) using ipv6
Test for Dual Stack DNS and large packet | ok (0.091s) using ipv6
Test IPv6 large packet | ok (0.061s) using ipv6
Test if your ISP's DNS server uses IPv6 | ok (0.107s) using ipv6
Find IPv4 Service Provider | ok (0.017s) using ipv4 ASN 203953
Find IPv6 Service Provider | ok (0.065s) using ipv6 ASN 203953

I know that you shouldn't connect directly to WAN, but im pretty sure that https + firewall rules so only a few ipv6 adresses can reach it, is okay for a home user :)

None the less, if it's a bug it should be fixed :)

Gertjan

I tested my IPv6 access :

I introduced a firewall rule on my HENET interface :

I have a DNS record that point's to my WAN IPv4, not my WAN IPv6, so I had to use my IPv6 WAN IP to connect to the GUI.
I had a cert warning from my browser, of course.

But the access worked well :

"Well" means for me : knowing that my IPv6 is using a tunnel to tunnel.ne.net (Huricane IPv6 ISP) the speed was somewhat limited, about 10 Mbytes /sec.
I could browse the entire pfSense GUI very well, no hick-ups ....

edit : I'll leave the IPv6 access open for a while.
PM me, and I can even send you an 'access' so you can test drive yourself.
That is, if you promise not to change something, as this is a "live' environment ;)