LAN to webserver on same subnet really slow
-
Hi, I recently installed pfsense and by following loads of tutorials online I managed to get it up and running to the way I wanted it, it works wonderfully and it was a really quick set up, I am only experiencing one small issue though which I am battling with, I have 2 webservers on the same subnet, the port fowarding of pfsense is working but it is painfully slow accessing them from the internal network, when I connect to my domains from the outside they load up within a second, any suggestions how to resolve the internal issue? bearing in mind I am quite new to firewalls and routing traffic.
-
If those servers are on the same subnet as the computer trying to access them, then it has absolutely nothing to do with pfsense. Traffic entirely within a LAN does not pass through pfsense.
-
@JKnott
Thank you for the quick reply, what do you suggest I check? The URL's I own, that are in the cloud, which then have my allocated static I.P's against them, I'm not sure if I have configured this correctly, there are no onsite dns servers. -
@ajackson86 said in LAN to webserver on same subnet really slow:
there are no onsite dns servers.
So your clients are pointing to like google or quad9 for their dns vs using pfsense?
If your just resolving your website to public IP (your wan IP) and your accessing from local devices the only way that works is with nat reflection.. Which sure could have some sort of performance hit..
The correct solution to when you want to access resources that are on the same network as you - is resolve their fqdn to the local IP.. Setup a host override in pfsense for whatever fqdn your trying to access www.example.com - and point that to the IP the services are running on your local network 192.168.1.100 for example.
Make sure your clients point to pfsense for dns.
-
Sounds like you're trying to access them using the public URL and hitting a port forward. Possibly some asymmetric routing.
https://docs.netgate.com/pfsense/en/latest/recipes/port-forwards-from-local-networks.htmlDo the sites open as expected if you use the internal private IP of the webserver directly?
Steve
-
As others have mentioned, it could be the DNS sending you to your outside address. If you're behind NAT, your LAN address will be different. The way to fix this is to create a host override in your DNS resolver or forwarder that points to the local address.
-
That's correct, the domain names are being resolved to my public I.P's, which then pass through pfsense port forward to there designated web servers. Accessing them from the outside world is quick, just trying to access them from the same network is painfully slow.
Does that mean I should remove NAT reflection? and by doing so would the port forward rule still route traffic from the outside world to those servers? apologies, I am quite new to all of this.
-
No, you need either split DNS or NAT reflection.
If you use NAT reflection you will need to have 'Enable automatic outbound NAT for Reflection' set in Sys > Adv > Firewall & NAT because both client and server are on the same subnet.
Without that you get an asymmetric route which is probably what you're seeing.Steve
-
@stephenw10
Thank you for that, I will adjust my configuration shortly, do I still need to dns resolver rules? and according to the rule above, does that mean I update the rule 'NAT reflection mode for port forwards' to PureNAT as currently it is set to NAT + Proxy? -
Yeah I would use PureNAT with the auto outbound rules.
NAT+Proxy should work but puts a far higher load on the firewall.
Split DNS is usually a better solution because traffic just goes direct between the client and the server without the firewall having to do anything.
Steve
-
I've adjusted the settings as per your recommendations and unfortunately I'm not able to access the websites at all now, they can still be reached externally though.
- Sys->Adv->Firewall & NAT I have modified 'NAT Reflection mode for port forwards' to now be PureNAT
- 'Enable automatic outbound NAT for Reflection' - I have enabled this option
Should the option 'Enable NAT Reflection for 1:1 NAT' be enabled as well?
The firewall NAT Rules I have set NAT Reflection to default assuming it would read the main NAT rule as the NAT Reflection was previously set to NAT + Proxy.
I still have the DNS forwarder Host overide rules, should I remove those?
Thank you for all your help, I really have no idea what I'm doing.
Update: the webservers can't be accessed from the outside world now.
-
Yes if you have the setting in the port forward as 'use system default' is will use that.
You should not need the 1:1 NAT setting there but it doesn't hurt to enable.
If you have DNS host overrides in place then traffic will connect directly and not use NAT reflection at all.
None of those settings should effect traffic using the port forwards externally.
Steve
-
Thank you steve, I have removed the host overides, how long does it usually take for the new config to take effect? as I'm still unable to access the websites internally and externally. it seems the only setting that did work was the NAT + Proxy, I'm not sure why, I also haven't downloaded any additional packages for pfsense either, maybe there might be something I have not configured properly. any other suggestions?
-
It was my mistake, I was getting confused with my url's, it is all working now and a lot quicker than before, all your instructions helped with resolving my issue, Thank you very much Steve.
-
@ajackson86 said in LAN to webserver on same subnet really slow:
That's correct, the domain names are being resolved to my public I.P's,
Not what I asked at all.. I ask where your client points to for dns..
From what you have posted - seems like your using nat reflection vs doing in the correct way and using split dns.. But you know the wrong way is better than performance any day of the week ;)
Why not bounce local traffic through my firewall via a hairpin.. Makes perfect sesnse to do it that way ;)
Hmm want to go to the bathroom... Let me walk through the house out onto the front porch, then back in vs just going straight to the bathroom... Way more efficient that way ;) Might make sense if your wanting to hit your 10k step goal via your fitbit, but packets don't need steps ;)
-
I thought I answered your question:) I purchased a domain name from names.co.uk, I have Static I.P's assigned by my ISP and have assigned those static I.P's to my domain names in names.co.uk, those domains point to the 2 webservers I have behind the pfsense box.
Thinking about it now, if you're talking about the dns servers, they are provided by my ISP.
Using NAT reflection is helping and it is a whole lot faster than what it was before, but I would still like to learn the proper way, I understand what you're saying completely, it really doesn't make sense for the internal traffic to go out and come back in again just so I can reach my servers, but it is working a whole lot better than what it was when I tried to set it up myself.
Could you perhaps enlighten me as to what the proper way it please then I could apply those settings instead? I'm still a newbie with regards to all of this:)
-
Yes, split DNS is far more efficient for traffic flow. NAT reflection is usually easier.
But you can enable NAT reflection and add split DNS so that clients who use public DNS or other URLs that point to the same server fall back to NAT reflection.
Of course if it's working fine for you as it is.....
Steve
-
Thank you Steve, how would I go about adding split DNS? I'm not familiar with that term.
-
Using host overrides exactly as you were trying:
https://docs.netgate.com/pfsense/en/latest/recipes/port-forwards-from-local-networks.html?highlight=reflection#method-2-split-dns -
Lets asks a basic question first.. Where do your clients point for dns?? If your clients directly point to some outside dns.. Then you can not use split dns..
So for the 3rd time going to ask the very basic question - where do you your clients point.. You stated you do not use local dns..
there are no onsite dns servers.
But this is not true if you have pfsense.. Unless you specifically do not point dns for your computers, laptops, devices, etc.. to it for dns.. Out of the box the dhcp server of pfsense will point clients to pfsense IP for dns, and then resolve for external fqdn.
On a windows machine do a ipconfig /all - where does it show you pointing for dns?
$ ipconfig /all Windows IP Configuration Host Name . . . . . . . . . . . . : I5-Win Primary Dns Suffix . . . . . . . : local.lan Node Type . . . . . . . . . . . . : Broadcast IP Routing Enabled. . . . . . . . : No WINS Proxy Enabled. . . . . . . . : No DNS Suffix Search List. . . . . . : local.lan Ethernet adapter Ethernet: Connection-specific DNS Suffix . : Description . . . . . . . . . . . : Realtek PCIe GbE Family Controller Physical Address. . . . . . . . . : 00-13-3B-2F-67-63 DHCP Enabled. . . . . . . . . . . : No Autoconfiguration Enabled . . . . : Yes IPv4 Address. . . . . . . . . . . : 192.168.9.100(Preferred) Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . . : 192.168.9.253 DNS Servers . . . . . . . . . . . : 192.168.3.10 NetBIOS over Tcpip. . . . . . . . : Enabled
See where is says DNS Servers... Where do your clients point?? If they are not pointing to pfsense or some other local dns - then you can not do split dns.