Performance issue, Throughput
-
FYI, this is my first post as I am new to firewalls in general. I decided to build a pfSense firewall to get more control and visibility into my home network as I can see that I have many scan attempts of my network after looking at my Orbi logs. I also did some Wireshark monitoring of my network and could see my devices reaching out when unprompted. For example, I have two Roku Ultra devices. One seems to constantly reach out to an outside IP address while the other is quiet. This is when the devices are not in use. Hence the need for visibility.
To build my configuration, I ordered an HP T730 thin client with 16GB of RAM. Overkill but I wanted to make sure my HW was not a bottleneck and that I could run a VP at a reasonable speed. I installed a 500GB SSD and a quad port 1GbE Intel card.
The rest of my network is as follows:
Cable Modem with 400Mb/s down speed purchased. I get 480Mb/s in reality.
Wireless device is Orbi RBR20 with many devices attached. Initially I had Orbi doing routing. I even had Orbi as a router under the FW in initial configurations. Not sure if I will go back to that or not.
18" Cat 6 cable to connect Orbi to Intel quad port card on LAN port.
18" Cat 6 cable to connect WAN port on FW Intel quad port to Spectrum modem. More on this below.
When I finished my initial buildout with very few rules in place, my throughput was 90Mb/s as tested with Orbi's speed test functionality. This seemed odd to have 1/5th speed. My TV was interrupted on a periodic basis. After digging in, I saw that my WAN link was only 100Mb Full Duplex. This was what the Cable modem and Intel card negotiated. I tried to hard code 1000Mb Full Duplex on that WAN link but I could not get a link to establish. Seems odd since I got a 1000Mb fd connection between the FW and Orbi. After trying multiple configurations, I started to notice that this was more of an RF interference issue. I then tried a 6" Cat 5e cable between the Modem and FW. That allowed a 1000Mb fd link to be established. In order to keep my installation clean, I swapped out the 6' Cat 5e for a 3' Cat 5e. With no other configuration change, I could not get a link to establish.
With that said, I went back to the 6' Cat 5e cable. I did a speed test with Orbi and got 240Mb/s. Better than the 90Mb/s. Next, I moved the power brick for the HP T730 away from all the other equipment. Then the speed test resulted in 480Mb/s. Pretty much the full speed I had before putting the FW in place.
I am not sure why the shorter cables would not work but if you have throughput problems like I had, consider looking at the link speeds between your various devices.
Now I am off to put rules in place for my new configuration.
-
@learning_firewalls said in Performance issue, Throughput:
I am not sure why the shorter cables would not work
Because they are bad would be the only reason ;)
Cat 5e is more than capable of plus gig speeds. If you have a problem with a cable - there is something wrong with it.. If you swap out another cable and all is good - this shows that nothing is wrong with the ports you're plugging into. Throw the bad cables out - so you don't use them again.
I tried to hard code 1000Mb Full Duplex
This is never a good idea.. Gig should always be auto - if it doesn't come up gig, something wrong.. Forcing it to gig isn't going to fix what was wrong that it didn't come up auto.
-
@johnpoz Regarding the recommendation on allowing the OS to determine the WAN speed link, what are the implications of manually selecting it?
I just did a retry of three WAN Speed and Duplex configurations. First, I tried Autoselect, then Default, then back to the 1000M Full duplex setting. Autoselect failed to establish a link.
Default did but it was at 100Mb. And the manual entry worked as well so long as I have the proper cables in use and the HP T730 power supply moved away.
Below are the results.
Non working WAN configuration:
igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=6400bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
ether 90:e2:ba:XX:XX:XX
hwaddr 90:e2:ba:XX:XX:XX
inet6 fe80::92e2:baff:fe78:88c0%igb0 prefixlen 64 scopeid 0x1
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
media: Ethernet autoselect
status: no carrier
Slow but works:
igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=6400bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
ether 90:e2:ba:XX:XX:XX
hwaddr 90:e2:ba:XX:XX:XX
inet6 fe80::92e2:baff:fe78:88c0%igb0 prefixlen 64 scopeid 0x1
inet 24.88.26.115 netmask 0xfffff800 broadcast 255.255.255.255
inet 24.88.25.136 netmask 0xffff0000 broadcast 24.88.255.255
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
And back to manually selecting 1000M/s
igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=6400bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
ether 90:e2:ba:XX:XX:XX
hwaddr 90:e2:ba:XX:XX:XX
inet6 fe80::92e2:baff:fe78:88c0%igb0 prefixlen 64 scopeid 0x1
inet 24.88.26.115 netmask 0xfffff800 broadcast 255.255.255.255
inet 24.88.25.136 netmask 0xffff0000 broadcast 24.88.255.255
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
media: Ethernet 1000baseT <full-duplex>
status: active
-
@learning_firewalls said in Performance issue, Throughput:
on allowing the OS to determine the WAN speed link, what are the implications of manually selecting it?
Not wan speed - any gig interface.. You shouldn't be manually hard coding gig.. I suggest you read the IEEE standard..
But the biggest one is the master slave relationship on the 2 ends of the gig connection.. Hard coding does not allow for this to be determined..
From the standard
To determine the MASTER-SLAVE relationship between the PHYs at each end of the link. 1000BASE-T MASTER PHY is from a local source. The SLAVE PHY uses loop timing where the clock is recovered from the received data stream.
As I stated - if you're hard coding, you're doing it wrong.. And doing so is not going to fix the problem you are having on why it doesn't auto come up..
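An added example, not part of any post in this thread: a small shell function that reads `ifconfig` output like the three dumps above and reports, per interface, whether the link is down, was forced with a manual media setting, or autonegotiated below gigabit. The sample text, the interface names igb1 to igb3 and the verdict labels are constructed for illustration and assume gigabit-capable ports on both ends.

```sh
#!/bin/sh
# Added example (not from the thread): classify links from FreeBSD/pfSense
# `ifconfig` text on stdin. Verdict labels are this example's own.
link_report() {
    awk '
    /^[a-z0-9_.]+: flags=/ { ifc = $1; sub(/:$/, "", ifc); mode = ""; speed = "" }
    $1 == "media:" {
        # "Ethernet autoselect (100baseTX <full-duplex>)" = autonegotiated
        # "Ethernet 1000baseT <full-duplex>"              = manually forced
        mode  = ($3 == "autoselect") ? "auto" : "forced"
        speed = (mode == "auto") ? $4 : $3
        gsub(/[()]/, "", speed)
        if (speed == "") speed = "none"   # autoselect with nothing negotiated
    }
    $1 == "status:" && mode != "" {
        state = $2
        for (i = 3; i <= NF; i++) state = state "-" $i   # "no carrier" -> no-carrier
        if (state != "active")             verdict = "DOWN"
        else if (mode == "forced")         verdict = "FORCED"
        else if (speed ~ /^(10|100)base/)  verdict = "BELOW-GIG"
        else                               verdict = "OK"
        print ifc, verdict, mode, speed, state
    }'
}

# Constructed sample: media/status pairs modelled on the three dumps in the
# thread, plus a healthy autonegotiated gigabit port for comparison.
sample_ifconfig() {
    cat <<'EOF'
igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    media: Ethernet autoselect
    status: no carrier
igb1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    media: Ethernet autoselect (100baseTX <full-duplex>)
    status: active
igb2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    media: Ethernet 1000baseT <full-duplex>
    status: active
igb3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
EOF
}

sample_ifconfig | link_report
```

On the firewall itself, `ifconfig | link_report` produces the same report for the live interfaces.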
-
Yeah, something wacky there. Try putting a switch in between the modem and pfSense WAN port to test that. Each end then negotiates with the switch so if it's some low level problem it will probably go away.
Steve
-
@stephenw10 I do not have a switch at this time. Do you have a recommendation of one with 5-8 ports, gigabit or better and possibly vlan support?
I just got two new cables today. Both Cat6. One shielded and one not. Neither would work at gigabit speeds. I am back to my old yellow cable in the meantime with 1gb forced. I have no idea what is so special about that cable.
Thx
-
Any switch you might be able to borrow for a test.
It's failing to negotiate between those devices. Sometimes you hit some low level issue where one side (or both sides) are not 100% compliant with the spec and it causes a problem like you're seeing. By adding the switch each side is now negotiating with a different device and that can often remove the problem.
If it does then I would suggest swapping out the NIC or changing the modem.
Steve
-
@stephenw10 I think I can get access to a switch to test this out over the weekend.
I did look at the driver version for my card (Intel i340 T4) and my driver is at version 2.5.3. After referencing the Intel site, that seems quite old. I see that there is a version 2.5.9 which has an updated IGB driver. I wonder if I should upgrade the driver, as a best practice but also to see if this might resolve the speed negotiation problem. Are there any dangers of upgrading the driver that I should be aware of?
I see there is also a 2.5.16 version but it seems that the readme file does not directly reference the version of controller that is on my card. I wish there was a file for these cards to indicate exactly what was changed in each new driver. If such a file exists, I could not find it.
Thank you for your input.
-
Nope, do not try to update the driver. That's the current FreeBSD driver version for that kernel.
You could upgrade to 2.5 if you want newer drivers.
It shouldn't matter though.
Steve