intermittent web page latency
-
Recently installed pfsense 2.5.2 on standard ATX hardware (Intel Q9550 8GB RAM Intel 4-port NIC) and I'm getting relatively frequent web page browsing hiccups: some pages delay loading for several seconds, some time out, although timeouts are rare.
I've got a fibre 500/500 connection and my previous router, an ASUS RT-AC68U worked fine, no speed issues whatsoever. In fact, the ASUS was faster at loading pages. Everything else on the network is the same, I've just swapped out the router. Same DNS servers as well, testing from wired PC.
How do I start troubleshooting such an intermittent issue?
-
First guess would be that unbound of pfsense is restarting a lot..
What are you pointing your client to for dns, by default it would point to pfsense IP, if it got dhcp from pfsense.
-
@johnpoz It's pointed to pfsense first with fallback to remote dns. DNS servers in use are from my ISP, and they've always been the fastest.
I get a few levels of latency happening;
1 - page delays slightly in loading, but then loads ok
2 - page loads text only version of page and I need to press F5 to reload and get graphical version
3 - page times out (quite rare in comparison to the others), but pressing F5 a few times usually gets me there.
I've re-purposed an old PC for this (known working cpu/mobo/mem/gfx card), but never used a standard ATX PC before as a router. Not sure if the mechanical HDD is spinning down or not, or whether the 4-port Intel NIC I got donated to me from a server 'has issues'. Would need to buy a new NIC to test that out.
What should I look for and in which logfile, to identify issues?
-
@finite9 said in intermittent web page latency:
with fallback to remote dns
Normally a bad idea.. Since for example if you were doing any sort of filtering on pfsense (say pfblocker), or any sort of aliases resolving stuff on pfsense that you wanted to block or allow - it's possible if the client asks some different dns you're more likely to get a mismatch in what IP is returned for some fqdn.
You never know what NS is going to talk to if there is more than 1, it's not like it always checks 1st listed, and only complete failure asks 2nd..
As to log - just look in the dns resolver log, do you see it restarting? You can always just check its uptime as well..
[21.05.1-RELEASE][admin@sg4860.local.lan]/root: unbound-control -c /var/unbound/unbound.conf status
version: 1.12.0
verbosity: 2
threads: 4
modules: 2 [ validator iterator ]
uptime: 480606 seconds
options: control(ssl)
unbound (pid 58236) is running...
[21.05.1-RELEASE][admin@sg4860.local.lan]/root:
480k seconds would be about 5.5 days..
Another possibility - out of the box unbound resolves, and does not forward. If your connection is not well suited for resolving, say satellite for example, dns could be problematic.
-
@johnpoz said in intermittent web page latency:
unbound-control -c /var/unbound/unbound.conf status
Was wrong about using local with fallback... I'm using remote DNS servers, ignore local DNS.
But that status message was showing 11 mins since restart:
[2.5.2-RELEASE][admin@wiggum.localdomain]/root: unbound-control -c /var/unbound/unbound.conf status
version: 1.12.0
verbosity: 1
threads: 4
modules: 2 [ validator iterator ]
uptime: 707 seconds
options: control(ssl)
unbound (pid 27136) is running...
-
So you have pfsense set never to use itself for dns?
You have this selected?
Why exactly? If that is the case? You don't want pfsense to be able to resolve any local resources? What about your clients - where do they point for dns, do they point to anything other than pfsense? That setting only has to do with pfsense's own queries.. Not what some client will do.
But being up 11 minutes only... Did you just manually restart dns, or change a setting or reboot pfsense? Do you have it set to register dhcp clients? Are you using pfblocker?
But if unbound is restarting - you lose all your cache, and if you hit it while it's say restarting then yeah dns would fail, etc. Which could present as clients having issues loading pages, partial loads (say the css url didn't load, or other resources on the page's fqdn didn't resolve, etc). And then the browser only loads from what it has in cache, etc.
-
@johnpoz Yeah... that was probably me that changed enabled ssh setting and saved the changes... would that have cycled unbound at the same time?
This is a basic standard install of pfSense: I've not configured anything especially from what the ootb settings are configured to. I did have the DNS set to the default setting initially, but decided to change it 3-4 days ago to see if it made any difference with my issue.
All my clients are pointing to the pfsense box to get their dns, and the status page shows my 2 ISP dns servers listed.
-
@finite9 said in intermittent web page latency:
would that have cycled unbound at the same time?
No - but changing settings in unbound itself would.. But no other settings like firewall rules or the like shouldn't.. Changing say an IP of interface would I think because it would have to rebind to the new IP, etc..
Well I would set it back to default for that setting.
How long does unbound show up now? It should be up for 3 hours and 11 minutes or thereabouts.. Unless you have done other things that could have restarted it.
As you can see mine hasn't restarted since I posted mine
[21.05.1-RELEASE][admin@sg4860.local.lan]/root: unbound-control -c /var/unbound/unbound.conf status
version: 1.12.0
verbosity: 2
threads: 4
modules: 2 [ validator iterator ]
uptime: 500267 seconds
options: control(ssl)
unbound (pid 58236) is running...
[21.05.1-RELEASE][admin@sg4860.local.lan]/root:
-
@johnpoz said in intermittent web page latency:
unbound-control -c /var/unbound/unbound.conf status
[2.5.2-RELEASE][admin@wiggum.localdomain]/root: unbound-control -c /var/unbound/unbound.conf status
version: 1.12.0
verbosity: 1
threads: 4
modules: 2 [ validator iterator ]
uptime: 12037 seconds
options: control(ssl)
unbound (pid 27136) is running...
Looks ok now. I've not changed any other settings. As I've got things right now, I tested loading several random web pages from bookmark links, and it's all running smoothly, no latency that I notice.
I'll change the dns back to the default setting and re-test.
-
That setting has nothing to do with clients.. That has to do with how pfsense resolves.. It's just what you want pfsense to do when it needs to resolve - say resolve an IP in the firewall logs, or asking for alias fqdn, or checking for its own update. Clients asking unbound - that has no effect on.
But with how you have it now - pfsense would not be able to resolve any local resources.. It could have a hard time working out what client is at say 192.168.1.43 for example in your firewall logs..
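
The restart check used in this thread (same pid and a still-growing uptime across two runs of `unbound-control status`) can be scripted. The following is an added example, not code from any poster: `parse_status` and `check_restart` are hypothetical helper names, the first two snapshots are the outputs finite9 posted, and the third snapshot is constructed.

```shell
# Added example: helper names are chosen here; AFTER_RESTART is constructed data.

# Print "<pid> <uptime_seconds>" parsed from status text on stdin.
parse_status() {
    awk '
        /^uptime:/         { up = $2 }
        /^unbound \(pid /  { pid = $3; gsub(/[^0-9]/, "", pid) }
        END { if (up == "" || pid == "") exit 1; print pid, up }
    '
}

# check_restart OLD_STATUS NEW_STATUS
# Prints "restarted" if the pid changed or uptime went backwards, otherwise
# "stable +<seconds>" with how much uptime grew between the two snapshots.
# Returns 2 if either snapshot lacks a pid or uptime line.
check_restart() {
    old=$(printf '%s\n' "$1" | parse_status) || return 2
    new=$(printf '%s\n' "$2" | parse_status) || return 2
    old_pid=${old% *}; old_up=${old#* }
    new_pid=${new% *}; new_up=${new#* }
    if [ "$old_pid" != "$new_pid" ] || [ "$new_up" -lt "$old_up" ]; then
        echo "restarted"
    else
        echo "stable +$((new_up - old_up))"
    fi
}

# Status output as posted by finite9 (first and second check).
FIRST='version: 1.12.0
verbosity: 1
threads: 4
modules: 2 [ validator iterator ]
uptime: 707 seconds
options: control(ssl)
unbound (pid 27136) is running...'

SECOND='version: 1.12.0
verbosity: 1
threads: 4
modules: 2 [ validator iterator ]
uptime: 12037 seconds
options: control(ssl)
unbound (pid 27136) is running...'

# Constructed snapshot: what a restart between checks would look like.
AFTER_RESTART='uptime: 42 seconds
unbound (pid 31999) is running...'

check_restart "$FIRST" "$SECOND"          # stable +11330
check_restart "$SECOND" "$AFTER_RESTART"  # restarted
```

On the firewall, save the output of the status command at two points in time and pass both to `check_restart`; a "restarted" verdict that lines up with a page-load hiccup points at the resolver losing its cache.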