Netgate Discussion Forum

    LAN to webserver on same subnet really slow

    General pfSense Questions
    24 Posts 4 Posters 2.3k Views
    • ajackson86

      Hi, I recently installed pfSense and, by following loads of tutorials online, I managed to get it up and running the way I wanted it. It works wonderfully and it was a really quick setup. I am only experiencing one small issue though, which I am battling with: I have 2 webservers on the same subnet, the port forwarding of pfSense is working, but it is painfully slow accessing them from the internal network. When I connect to my domains from the outside they load up within a second. Any suggestions how to resolve the internal issue? Bearing in mind I am quite new to firewalls and routing traffic.

      • JKnott @ajackson86

        @ajackson86

        If those servers are on the same subnet as the computer trying to access them, then it has absolutely nothing to do with pfsense. Traffic entirely within a LAN does not pass through pfsense.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

        • ajackson86

          @JKnott
          Thank you for the quick reply, what do you suggest I check? The URLs I own, that are in the cloud, which then have my allocated static IPs against them, I'm not sure if I have configured this correctly; there are no onsite DNS servers.

          • johnpoz (LAYER 8 Global Moderator)

            @ajackson86 said in LAN to webserver on same subnet really slow:

            there are no onsite dns servers.

            So your clients are pointing to like google or quad9 for their dns vs using pfsense?

            If you're just resolving your website to the public IP (your WAN IP) and you're accessing from local devices, the only way that works is with NAT reflection.. Which sure could have some sort of performance hit..

            The correct solution when you want to access resources that are on the same network as you is to resolve their FQDN to the local IP.. Set up a host override in pfSense for whatever FQDN you're trying to access, www.example.com, and point that to the IP the services are running on in your local network, 192.168.1.100 for example.

            Make sure your clients point to pfsense for dns.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

            • stephenw10 (Netgate Administrator)

              Sounds like you're trying to access them using the public URL and hitting a port forward. Possibly some asymmetric routing.
              https://docs.netgate.com/pfsense/en/latest/recipes/port-forwards-from-local-networks.html

              Do the sites open as expected if you use the internal private IP of the webserver directly?

              Steve

              • JKnott @ajackson86

                @ajackson86

                As others have mentioned, it could be the DNS sending you to your outside address. If you're behind NAT, your LAN address will be different. The way to fix this is to create a host override in your DNS resolver or forwarder that points to the local address.

                • ajackson86 @johnpoz

                  @johnpoz

                  That's correct, the domain names are being resolved to my public IPs, which then pass through the pfSense port forward to their designated web servers. Accessing them from the outside world is quick; it's just trying to access them from the same network that is painfully slow.

                  Does that mean I should remove NAT reflection? And by doing so, would the port forward rule still route traffic from the outside world to those servers? Apologies, I am quite new to all of this.

                  • stephenw10 (Netgate Administrator)

                    No, you need either split DNS or NAT reflection.

                    If you use NAT reflection you will need to have 'Enable automatic outbound NAT for Reflection' set in Sys > Adv > Firewall & NAT because both client and server are on the same subnet.
                    Without that you get an asymmetric route which is probably what you're seeing.

                    Steve

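An added example (not from the thread, and not pfSense code) that traces a LAN client's connection under each of the options Steve describes: split DNS, PureNAT reflection with and without automatic outbound NAT, NAT + Proxy, and reflection disabled. Every address, the port forward and the mode names are constructed for the model; the hop descriptions are what each setting does to the packets.

```python
from ipaddress import ip_address, ip_network

# Constructed topology: one LAN behind pfSense, a WAN address from the
# documentation range, and a port forward 203.0.113.10:443 -> 192.168.1.100:443.
LAN = ip_network("192.168.1.0/24")
FIREWALL_LAN_IP = ip_address("192.168.1.1")
PUBLIC_IP = ip_address("203.0.113.10")
SERVER = ip_address("192.168.1.100")
CLIENT = ip_address("192.168.1.50")
PORT_FORWARDS = {(PUBLIC_IP, 443): (SERVER, 443)}


def trace(client, resolved_ip, dport, mode="purenat", auto_outbound_nat=False):
    """Trace one SYN from client to resolved_ip:dport and the SYN/ACK back.

    mode is "disabled", "purenat" or "natproxy" (the pfSense reflection modes);
    auto_outbound_nat mirrors 'Enable automatic outbound NAT for Reflection'.
    """
    hops = []
    if resolved_ip in LAN:
        # Split DNS: the name resolved to the LAN address, so client and server
        # talk directly and pfSense never sees the flow.
        hops.append(f"{client} -> {resolved_ip}:{dport} on the LAN, firewall not involved")
        return {"ok": True, "path": "direct", "hops": hops}
    target = PORT_FORWARDS.get((resolved_ip, dport))
    if target is None or mode == "disabled":
        hops.append(f"{client} -> {resolved_ip}:{dport} arrives on LAN, no reflection rule")
        return {"ok": False, "path": "no-reflection", "hops": hops}
    server, sport = target
    if mode == "natproxy":
        # The reflection proxy terminates the client's TCP session on the
        # firewall and opens a second one from its own address to the server.
        hops.append(f"{client} -> {resolved_ip}:{dport} accepted by the reflection proxy")
        hops.append(f"{FIREWALL_LAN_IP} -> {server}:{sport} second session, every byte relayed")
        return {"ok": True, "path": "proxy", "hops": hops}
    # PureNAT: destination rewritten on the LAN interface; the source is only
    # rewritten when automatic outbound NAT for reflection is enabled.
    src_seen_by_server = FIREWALL_LAN_IP if auto_outbound_nat else client
    hops.append(f"{client} -> {resolved_ip}:{dport} arrives on LAN, DNAT to {server}:{sport}")
    hops.append(f"{src_seen_by_server} -> {server}:{sport} sent back out the LAN interface")
    if src_seen_by_server == FIREWALL_LAN_IP:
        hops.append(f"{server}:{sport} -> {FIREWALL_LAN_IP} reply comes back to the firewall")
        hops.append(f"{resolved_ip}:{dport} -> {client} both NATs reversed, matches client state")
        return {"ok": True, "path": "hairpin", "hops": hops}
    # Client and server share the subnet, so the reply goes straight across the
    # switch and never passes the firewall that holds the NAT state.
    hops.append(f"{server}:{sport} -> {client} sent directly on the LAN, bypassing the firewall")
    hops.append(f"{client} expected {resolved_ip}:{dport}, not {server}: reply dropped, stall")
    return {"ok": False, "path": "asymmetric", "hops": hops}


if __name__ == "__main__":
    cases = [("split DNS", SERVER, "purenat", False),
             ("PureNAT, no outbound NAT", PUBLIC_IP, "purenat", False),
             ("PureNAT + auto outbound NAT", PUBLIC_IP, "purenat", True),
             ("NAT + Proxy", PUBLIC_IP, "natproxy", False)]
    for label, ip, mode, aon in cases:
        r = trace(CLIENT, ip, 443, mode, aon)
        print(f"{label}: {r['path']} (ok={r['ok']})\n  " + "\n  ".join(r["hops"]))
```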
                    • ajackson86 @stephenw10

                      @stephenw10
                      Thank you for that, I will adjust my configuration shortly. Do I still need the DNS resolver rules? And according to the rule above, does that mean I update the rule 'NAT reflection mode for port forwards' to PureNAT, as currently it is set to NAT + Proxy?

                      • stephenw10 (Netgate Administrator)

                        Yeah I would use PureNAT with the auto outbound rules.

                        NAT+Proxy should work but puts a far higher load on the firewall.

                        Split DNS is usually a better solution because traffic just goes direct between the client and the server without the firewall having to do anything.

                        Steve

                        • ajackson86 @stephenw10

                          @stephenw10

                          I've adjusted the settings as per your recommendations and unfortunately I'm not able to access the websites at all now, they can still be reached externally though.

                          1. Sys->Adv->Firewall & NAT I have modified 'NAT Reflection mode for port forwards' to now be PureNAT
                          2. 'Enable automatic outbound NAT for Reflection' - I have enabled this option

                          Should the option 'Enable NAT Reflection for 1:1 NAT' be enabled as well?

                          The firewall NAT Rules I have set NAT Reflection to default assuming it would read the main NAT rule as the NAT Reflection was previously set to NAT + Proxy.

                          I still have the DNS forwarder host override rules, should I remove those?

                          Thank you for all your help, I really have no idea what I'm doing.

                          Update: the webservers can't be accessed from the outside world now.

                          • stephenw10 (Netgate Administrator)

                            Yes, if you have the setting in the port forward as 'use system default' it will use that.

                            You should not need the 1:1 NAT setting there but it doesn't hurt to enable.

                            If you have DNS host overrides in place then traffic will connect directly and not use NAT reflection at all.

                            None of those settings should affect traffic using the port forwards externally.

                            Steve

                            • ajackson86 @stephenw10

                              @stephenw10

                              Thank you Steve, I have removed the host overrides. How long does it usually take for the new config to take effect? As I'm still unable to access the websites internally and externally. It seems the only setting that did work was the NAT + Proxy, I'm not sure why. I also haven't downloaded any additional packages for pfSense either, maybe there might be something I have not configured properly. Any other suggestions?

                              • ajackson86 @stephenw10

                                @stephenw10

                                It was my mistake, I was getting confused with my URLs. It is all working now and a lot quicker than before; all your instructions helped with resolving my issue. Thank you very much Steve.

                                • johnpoz (LAYER 8 Global Moderator) @ajackson86

                                  @ajackson86 said in LAN to webserver on same subnet really slow:

                                  That's correct, the domain names are being resolved to my public I.P's,

                                  Not what I asked at all.. I asked where your client points to for DNS..

                                  From what you have posted, seems like you're using NAT reflection vs doing it the correct way and using split DNS.. But you know the wrong way is better than performance any day of the week ;)

                                  Why not bounce local traffic through my firewall via a hairpin.. Makes perfect sense to do it that way ;)

                                  Hmm, want to go to the bathroom... Let me walk through the house out onto the front porch, then back in vs just going straight to the bathroom... Way more efficient that way ;) Might make sense if you're wanting to hit your 10k step goal via your fitbit, but packets don't need steps ;)

                                  • ajackson86 @johnpoz

                                    @johnpoz

                                    I thought I answered your question :) I purchased a domain name from names.co.uk, I have static IPs assigned by my ISP and have assigned those static IPs to my domain names in names.co.uk; those domains point to the 2 webservers I have behind the pfSense box.

                                    Thinking about it now, if you're talking about the dns servers, they are provided by my ISP.

                                    Using NAT reflection is helping and it is a whole lot faster than what it was before, but I would still like to learn the proper way, I understand what you're saying completely, it really doesn't make sense for the internal traffic to go out and come back in again just so I can reach my servers, but it is working a whole lot better than what it was when I tried to set it up myself.

                                    Could you perhaps enlighten me as to what the proper way is please, then I could apply those settings instead? I'm still a newbie with regards to all of this :)

                                    • stephenw10 (Netgate Administrator)

                                      Yes, split DNS is far more efficient for traffic flow. NAT reflection is usually easier.

                                      But you can enable NAT reflection and add split DNS so that clients who use public DNS or other URLs that point to the same server fall back to NAT reflection.

                                      Of course if it's working fine for you as it is..... 😉

                                      Steve

                                      • ajackson86 @stephenw10

                                        @stephenw10

                                        Thank you Steve, how would I go about adding split DNS? I'm not familiar with that term.

                                        • stephenw10 (Netgate Administrator)

                                          Using host overrides exactly as you were trying:
                                          https://docs.netgate.com/pfsense/en/latest/recipes/port-forwards-from-local-networks.html?highlight=reflection#method-2-split-dns

                                          • johnpoz (LAYER 8 Global Moderator)

                                            Let's ask a basic question first.. Where do your clients point for DNS?? If your clients directly point to some outside DNS.. Then you can not use split DNS..

                                            So for the 3rd time going to ask the very basic question - where do your clients point.. You stated you do not use local DNS..

                                            there are no onsite dns servers.

                                            But this is not true if you have pfsense.. Unless you specifically do not point dns for your computers, laptops, devices, etc.. to it for dns.. Out of the box the dhcp server of pfsense will point clients to pfsense IP for dns, and then resolve for external fqdn.

                                            On a windows machine do a ipconfig /all - where does it show you pointing for dns?

                                            $ ipconfig /all                                                            
                                                                                                                       
                                            Windows IP Configuration                                                   
                                                                                                                       
                                               Host Name . . . . . . . . . . . . : I5-Win                              
                                               Primary Dns Suffix  . . . . . . . : local.lan                           
                                               Node Type . . . . . . . . . . . . : Broadcast                           
                                               IP Routing Enabled. . . . . . . . : No                                  
                                               WINS Proxy Enabled. . . . . . . . : No                                  
                                               DNS Suffix Search List. . . . . . : local.lan                           
                                                                                                                       
                                            Ethernet adapter Ethernet:                                                 
                                                                                                                       
                                               Connection-specific DNS Suffix  . :                                     
                                               Description . . . . . . . . . . . : Realtek PCIe GbE Family Controller  
                                               Physical Address. . . . . . . . . : 00-13-3B-2F-67-63                   
                                               DHCP Enabled. . . . . . . . . . . : No                                  
                                               Autoconfiguration Enabled . . . . : Yes                                 
                                               IPv4 Address. . . . . . . . . . . : 192.168.9.100(Preferred)            
                                               Subnet Mask . . . . . . . . . . . : 255.255.255.0                       
                                               Default Gateway . . . . . . . . . : 192.168.9.253                       
                                               DNS Servers . . . . . . . . . . . : 192.168.3.10                        
                                               NetBIOS over Tcpip. . . . . . . . : Enabled                             
                                            

                                            See where it says DNS Servers... Where do your clients point?? If they are not pointing to pfSense or some other local DNS - then you can not do split DNS.

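An added example (not johnpoz's code and not part of pfSense) that parses `ipconfig /all` output in the format shown above and classifies each configured DNS server against the client's own subnet and gateway, which is the check this post asks for. The sample is a shortened copy of the output above plus one constructed extra DNS server line (9.9.9.9) to show how ipconfig wraps a second value; the labels "gateway", "local" and "external" are this example's own.

```python
import re
from ipaddress import ip_address, ip_network

# Shortened copy of the ipconfig output above, plus a constructed second DNS
# server (9.9.9.9) on a continuation line as ipconfig prints extra values.
SAMPLE = """\
Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Realtek PCIe GbE Family Controller
   IPv4 Address. . . . . . . . . . . : 192.168.9.100(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.9.253
   DNS Servers . . . . . . . . . . . : 192.168.3.10
                                       9.9.9.9
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

# "   Label . . . : value" -> (label, value); the dot leader before ':' is dropped
FIELD = re.compile(r"^\s{3}(\S[^:]*?)[ .]*: ?(.*)$")


def parse_ipconfig(text):
    """Return {section: {field: [values]}}; wrapped values become list items."""
    sections, current, field = {}, None, None
    for line in text.splitlines():
        if line and not line[0].isspace():            # section header
            current = sections.setdefault(line.rstrip(":"), {})
            field = None
        elif current is not None and (m := FIELD.match(line)):
            field = m.group(1).strip()
            current.setdefault(field, [])
            if m.group(2).strip():
                current[field].append(m.group(2).strip())
        elif current is not None and field and line.strip():
            current[field].append(line.strip())       # continuation line
    return sections


def dns_placement(adapter):
    """Classify each DNS server as 'gateway', 'local' or 'external'."""
    addr = ip_address(adapter["IPv4 Address"][0].split("(")[0])
    subnet = ip_network(f"{addr}/{adapter['Subnet Mask'][0]}", strict=False)
    gateway = ip_address(adapter["Default Gateway"][0])
    placement = {}
    for dns in adapter.get("DNS Servers", []):
        d = ip_address(dns)
        if d == gateway:
            placement[dns] = "gateway"    # pfSense itself, the DHCP default
        elif d in subnet or d.is_private:
            placement[dns] = "local"      # another internal resolver you control
        else:
            placement[dns] = "external"   # public resolver: cannot serve your overrides
    return placement


def split_dns_possible(adapter):
    """Host overrides only help if every configured server is one you control."""
    return all(v != "external" for v in dns_placement(adapter).values())
```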
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.