DMZ connections throttled
-
I am running pfSense in a split configuration (WAN:LAN/DMZ). Every device (physical and virtual) that gets put in the DMZ ends up with a B/s download speed. My ISP provides 300MB/s service, which I get on the LAN. My DMZ is configured for 100MB/s (switch limited), but does not reach that speed at all.
Does anyone have any ideas?DMZ (100baseT <full-duplex>) em0@pci0:1:0:0: class=0x020000 card=0x115e8086 chip=0x105e8086 rev=0x06 hdr=0x00 vendor = 'Intel Corporation' device = '82571EB/82571GB Gigabit Ethernet Controller D0/D1 (copper applications)' class = network subclass = ethernet LAN (1000baseT <full-duplex>) em1@pci0:1:0:1: class=0x020000 card=0x115e8086 chip=0x105e8086 rev=0x06 hdr=0x00 vendor = 'Intel Corporation' device = '82571EB/82571GB Gigabit Ethernet Controller D0/D1 (copper applications)' class = network subclass = ethernet WAN (1000baseT <full-duplex>) re0@pci0:2:0:0: class=0x020000 card=0x213d103c chip=0x816810ec rev=0x0c hdr=0x00 vendor = 'Realtek Semiconductor Co., Ltd.' device = 'RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller' class = network subclass = ethernet iperf3 (device to pfsense): [SUM] 0.00-10.00 sec 118 MBytes 0.10 Gbits/sec 1 sender [SUM] 0.00-10.03 sec 113 MBytes 0.09 Gbits/sec receiver iperf3 (device to WAN port) [ ID] Interval Transfer Bitrate Retr [ 5] 0.00-10.00 sec 109 MBytes 91.8 Mbits/sec 1 sender [ 5] 0.00-10.00 sec 109 MBytes 91.6 Mbits/sec receiver speedtest-cli Retrieving speedtest.net configuration... Testing from ISP ()... Retrieving speedtest.net server list... Selecting best server based on ping... Hosted by SOMEONE_ELSE [90.87 km]: 47.647 ms Testing download speed................................................................................ Download: 0.06 Mbit/s Testing upload speed...................................................................................................... Upload: 4.64 Mbit/s Firewall rules: States Protocol Source Port Destination Port Gateway Queue Schedule Description Actions PASS 1 /385 B IPv4 TCP/UDP DMZ net * This Firewall 53 (DNS) * none Allow internal DNS BLOCK 0 /0 B IPv4 TCP/UDP DMZ net * * 53 (DNS) * none Block all other internal/external DNS PASS 0 /0 B IPv4 * DMZ net * DMZ address * * none Allow access to DMZ network interface BLOCK 0 /0 B IPv4 TCP/UDP DMZ net * privateNetworks * * none Block all other internal/private networks PASS 0 /0 B IPv4 * DMZ net * ! privateNetworks * * none Allow access to all other traffic v2Random info:
- Firewall stuff
- privateNetworks is an alias for 10.0.0.0/16, 172.16.0.0/16, 192.168.0.0/16
- block network rules not logging any states or traffic
- disabling all rules blocks all traffic from the DMZ
- minimum set to get traffic is DNS and allow all outbound
- Allow any source to any destination does not improve speed
- Outbound NAT is automatic and has both LAN and DMZ subnets in the autorule
- Disable hardware checksum is NOT checked
- Traffic shaping not configured
- Running pfBlockerNG-devel & acme packages
- Same server internal gets full 300MB/s download (tested moving a VM in proxmox from DMZ to LAN)
- DL380P with 4 port NIC, moved the physical wire between pfSense ports to test, moved a container on virtual cards bound to different ports connected to DMZ and LAN
In summary: My DMZ blocks no outbound traffic but is slow as molasses in January
- Firewall stuff
-
@uruloki Intel is usually pretty good with drivers, however, in the distant past I did run into somebody's NIC which was super slow at I think set down to 100 vs at the default 1000, in Windows. IIRC at the time we suspected a bad/unoptimized driver. Had another more recently where a client with old wiring got a phone system from us, and putting the 1000 phone in between the PC and the 100 switch seemed fine until they ran the overnight backups and those were like 5x longer than just running at 100. We forced the PCs to 100 to speed it up. (and yes we did finally replace the wiring this year)
Does it work fast if you set that port to 1000? If so you could try setting a limiter on it instead, in pfSense. Alternately you could try a different switch.
-
@SteveITS The original configuration used em0 as the WAN with a direct connection to the modem. I saw weird behavior on it, to include a 10baseT reading with correct cabling. When I switched ports to re0, I got the full gigabit connection. This was verified at the router, em0 never synced at 1000baseT, re0 did it instantly.
Going to em0 as the DMZ, I thought it was a driver issues possibly, but the iperf results would seem to indicate otherwise. This also accounts for going from one NIC to another in the pfSense box because I explicitly bound the WAN interface from the internal box (second test results).
I will research Intel driver updates and report back.
-
@SteveITS From what I can tell, drivers are up to date.