SG-2440 Upload Speed Limited After a Few Minutes
-
@steve1515 : I just did a pcap on the WAN interface while trying to access the modem IP x.x.x.186 from the LAN. I can see that the packets go out from x.x.x.185 (pfSense WAN) to x.x.x.186 (modem IP), but no packets ever come back!
It's almost like the modem is somehow ignoring the pfSense but talks when I use the laptop.
I am surprised that the modem responds to packets containing its WAN address (x.x.x.186) that it receives on its LAN port (when sent via the laptop). Most modems have a LAN-side (private) address for administration. BTW, having a WAN-side address might open the modem to hacking via the WAN.
I wonder whether the modem is routing the packets to x.x.x.186 from pfSense out via its default gateway (that is, onto the WAN), which, if so, is why nothing ever comes back to pfSense.
Does traceroute from pfSense to the speed-test site return different values when your connection is fast and when it's slow?
Also, do you happen to have RIP (https://docs.netgate.com/pfsense/en/latest/packages/routed.html) enabled on pfSense? Or on the modem?
-
Try running a port test to it from pfSense directly (Diag > Test Port); that should duplicate what the laptop does exactly.
About the only difference here would be the TTL value of incoming traffic. Packets coming through pfSense have already been routed so would have a lower value. Usually that makes no difference because the TTL is high enough it never gets close to 0.
It's been a while since I looked at it, but cell phone providers used to use that as a way of enforcing only a single client when tethering; you could not connect a router to it.
Steve
-
@bPsdTZpW I think the modem implementation is a little more like this diagram I drew.
You can see that the modem has both my routed x.x.x.184/30 network with its interface assigned the x.x.x.186 IP and also the 10.1.10.1 IP for its NATing. In this diagram the laptops on the 10.1.10.1 network can get to the modem's web page by going to 10.1.10.1, and if I were to configure a laptop with the x.x.x.185/30 IP and plug it in place of the pfSense then it could get to the modem web page via the x.x.x.186 IP. The weird thing is when I'm using either the pfSense Port Test or a PC on the pfSense LAN, the modem doesn't ever return any packets back to a connection attempt to x.x.x.186 port 80.
Are you saying there's a way to setup static routes to make this work?
I also checked the traceroutes to the test server and there appears to be no change between fast and slow upload times. I also do not have RIP installed on the pfSense. The modem doesn't give me any RIP options in its config. I also didn't see any RIP-related packets when doing pcaps.
@stephenw10 I tried the Port Test and did a pcap while it was happening. I get the same thing... zero packets back from the modem. I took a look at the TTL of the traffic coming out of the pfSense WAN in the captures and it's well above zero. It seems pretty strange that the Port Test would not get any packets back, doesn't it?
This is really starting to look like the modem knows it's a pfSense box and is doing something strange.
-
It's still surprising (to me at least!) that it can do both those things at once.
Did you test it without anything connected locally to the 10.1.10.X subnet?
Or conversely did you test a laptop at the x.x.x.185 IP with another client on the 10.1.10.X subnet?
Steve
-
Are the router and 4port switch all part of the Comcast modem?
Kind of going off of @stephenw10, does the IP follow the port on the switch?
-
@steve1515 stephenw10 earlier suggested:
I guess maybe run a pcap on the WAN at exactly the time is starts clamping and see if it's sending something that pfSense doesn't respond to.
I'd suggest a pcap of the entire sequence from plugging (freshly-rebooted) pfSense into the (freshly-rebooted) modem until the speed test begins slowing down. I'm particularly interested in the initial negotiation (e.g. BOOTP/DHCP) sequence between pfSense and the modem. BTW, what gateway does pfSense get from the modem? Is it the same as the gateway that the laptop gets when it's directly connected to the modem?
Are you saying there's a way to setup static routes to make this [connecting from a LAN device to a modem on pfSense's WAN port] work?
The typical way is to have the modem respond to a private (e.g., 192.168.m.n) address, then to set a static route on pfSense to reach that address using pfSense's WAN gateway. Your modem is weird in responding to a WAN address (x.x.x.186) instead. [1] When you try to reach that address, pfSense sends it out its default gateway. I suspect that the modem gives pfSense a different default gateway (say g1) than it gives the laptop (say g2), and that packets sent out via g1 go directly onto the internet, and nothing ever responds to them, hence you're not seeing anything come back on the pcap. Whereas I suspect g2 is multiplexed internally to the modem, which realizes that x.x.x.186 is its own GUI's address, and routes it accordingly.
[1] This probably means that the modem's GUI can be reached from the internet at large. That would be a security risk.
-
@steve1515 said in SG-2440 Upload Speed Limited After a Few Minutes:
You can see that the modem has
Why do you not have pfsense immediately after your modem/router with all of your network on pfsense?
-
@stephenw10 Yeah, it's a pretty unique setup that Comcast has. I have tested without anything connected to the 10.1.10.x subnet as that's how I usually operate. I really only connect a laptop for troubleshooting, etc. I have not tested the laptop on x.x.x.185 with another laptop also on 10.1.10.x. I should be able to try this out though. (Probably tomorrow.) This is a good idea that I didn't think of.
@mer Yes, the router and switch are part of the modem. Basically anything in the gray box is part of the modem. I just drew out the router and switch to show what I think is logically inside the modem box. The modem basically has 4 Ethernet ports on the back that are all equivalent. I can use my static IP or the 10.1.10.x network from any of them. (Note: I have tried using different ports as I wanted to rule out a bad port on the modem.)
@bPsdTZpW I can do this but there is no DHCP setup on the WAN of the pfSense. It's statically configured as the x.x.x.185 IP with a gateway of x.x.x.186. If I were to change the pfSense WAN to DHCP, then it would get the same IP range as the laptops do... 10.1.10.x with a gateway of 10.1.10.1. (Note: If you browse the internet from a host with a 10.1.10.x IP, an external server will see the source as coming from the x.x.x.186 IP.)
With the pfSense WAN being setup statically, the default gateway is actually different than the laptops that are DHCP. But, it is not different when I set up the laptop statically with the same IP and gateway as the pfSense. (Note: when I do this I do NOT also connect the pfSense.) The really weird thing to me is that in this case (the laptop having the static IP of x.x.x.185 with gateway of x.x.x.186) it works and I can get to the web page of the modem.
Good call on the possibility of my modem config being accessed remotely. I didn't think about that before, but good thing... I just checked and it is also not accessible remotely. If it's not the TTL, I'm not sure how the modem knows the difference and ignores the pfSense but not the laptop.
@Patch I do have all of my network behind the pfSense and the pfSense is directly connected to the modem. The image is just showing what the logical implementation of the modem is and what the IPs are. The modem is everything contained in the gray box including the built in 4-port switch. Hopefully that clears up what I was trying to show.
-
@steve1515 said in SG-2440 Upload Speed Limited After a Few Minutes:
If it's not the TTL, I'm not sure how the modem knows the difference and ignores the pfSense but not the laptop.
A pcap started just before connecting pfSense to the modem might give us clues on that. I wonder whether the modem is juggling MAC addresses in some weird way, such that it presents x.x.x.186 on MAC m0:m1:m2:m3:m4:m5 to the laptop, but MAC m6:m7:m8:m9:m10:m11 to pfSense; pfSense probably responds to some ARP packets to which the laptop does not.
-
@steve1515 said in SG-2440 Upload Speed Limited After a Few Minutes:
I do have all of my network behind the pfSense and the pfSense is directly connected to the modem. The image is just showing what the logical implementation of the modem is and what the IPs are. The modem is everything contained in the gray box including the built in 4-port switch.
-
I'm recommending you only connect pfsense to the internal switch in the Comcast modem/router (i.e. approximate as well as you can putting the Comcast modem/router in bridge mode).
- Laptops currently with IP address 10.1.10.50 & 10.1.10.51 should be on the LAN, not WAN, side of pfsense.
- Doing so simplifies network management.
-
@bPsdTZpW This is a great idea. I currently have a gigabit tap on order that I'd like to put inline to do some extended pcaps. (Why not use this as an excuse to buy a new tool... ) I'll post results when it comes in.
@patch said in SG-2440 Upload Speed Limited After a Few Minutes:
I'm recommending you only connect pfsense to the internal switch in the Comcast modem/router (i.e. approximate as well as you can putting the Comcast modem/router in bridge mode).
This is what I'm already doing and have always been set up with.
Laptops currently with IP address 10.1.10.50 & 10.1.10.51 should be on the LAN, not WAN, side of pfsense.
The laptops in my diagram are only there to show what the IPs are when plugged into the modem. I do not have laptops normally plugged in. I would only plug them in for testing or to get to the modem web config (which for some reason doesn't work from the pfSense LAN... see above.)
-
@steve1515 said in SG-2440 Upload Speed Limited After a Few Minutes:
@bPsdTZpW This is a great idea. I currently have a gigabit tap on order that I'd like to put inline to do some extended pcaps. (Why not use this as an excuse to buy a new tool... ) I'll post results when it comes in.
I'm looking forward to this data.
-
@steve1515 I skimmed through the thread. At any point did you power off the Comcast router/modem? Apologies if I missed that. Another long shot is to ask Comcast if they have any security features on their device they can disable. I ask because a few years back we had a small flurry of issues over several months with specific inbound connections being blocked and (usually) restarting or (once) powering off the Comcast router let the IP connect again. I seem to recall being told the mysterious not-documented (as I recall?) security could be turned off, in lieu of rebooting the router.
Does it also happen if you give the pfSense a 10.1.10.x IP?
And yes for everyone else Comcast does also provide 10.1.10.x NAT when "bridged"...they have for at least the 10-15 years we've worked with them. Not necessary of course but is actually useful if you plug a PC into it to test, which is presumably for them to test "around" your router.
-
Just providing a quick update.
It seems that my inline tap has been lost in shipping. I'm hoping this is temporary and it will get here soon.
I did notice something strange though... It seems that the last couple of times that I've unplugged the pfSense WAN cable and plugged it back in, the upload speed no longer gets reset to the full 20 Mbps. I now seem to have to reboot the pfSense to get the speed back. I haven't made any changes since the previous messages, so I'm not sure why this could be. I guess this might be another clue in this puzzle.
-
I just did another test which showed an interesting result.
I had the SG-1100 plugged in with my usual pfSense config (static IP and all as above), but this time I only connected one device on the LAN side. Everything else was not connected. At 58 past the hour, the upload remained.
This is now looking more like I have some kind of device on my LAN that triggers something in pfSense to limit upload speed. Seems strange...
Any tips on finding this device other than unhooking things each hour?
-
@steve1515 said in SG-2440 Upload Speed Limited After a Few Minutes:
Any tips on finding this device other than unhooking things each hour?
Bisecting search.
- Unhook half of your devices & test
- Then unhook half the devices in the error half & test
- etc
-
Wanted to share an update on this...
I've continued troubleshooting and I think I've narrowed down the cause, although I'm not sure of the fix. It seems to be caused by a Raspberry Pi that I use to upload an audio stream. It's a continuous police/fire scanner that ranges anywhere from 25 kbps to 500 kbps. If I unplug the box and reboot pfSense, my upload stays at 20 Mbps.
In trying to prove that it wasn't pfSense, I added an alias IP to the WAN port in the 10.1.10.x network and set up outbound NAT for that network range to use that IP. This was so I could connect a laptop to the "Comcast NAT LAN" (see my image in the posts above) and run an iperf speed test to a host on my pfSense LAN (by connecting to my WAN's static IP). Doing this shows 600-900 Mbps depending on direction of data flow. This had me thinking that it wasn't the pfSense that was limiting the speed.
Next, I had Comcast take a look and see what they saw... The issue is they don't see anything on their end. The biggest reason is that when my pfSense LAN is limited to 10 Mbps upload, you can always plug a laptop in to the 10.1.10.x network on the modem and get 20 Mbps upload. This, to them, proves it's not Comcast.
I'm not really sure now what the fix would be or if there's anything I can do. Would a continuous audio upload stream break pfSense in some way at :58 past every hour? I'm still leaning towards this being a Comcast issue, but I don't really have a way to prove it.
-
Audio stream data like that can be unusual. For example, it's not uncommon to see a lot of VoIP traffic swamp a firewall when the total bandwidth doesn't appear to be that high. That's because that sort of traffic is often very small packets and you end up hitting the PPS limits of the firewall at relatively low total bandwidth. Check the traffic graphs for PPS throughput.
Steve
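The packets-per-second point above can also be checked from a capture on the pfSense WAN without the GUI. The following is an added example, not code from this thread or from Netgate: a POSIX shell/awk filter that buckets `tcpdump -tt -n` output per second and per source IP, counting packets and estimating the wire rate. It assumes 42 bytes of Ethernet/IPv4/UDP overhead per packet, uses `igb0` as a placeholder interface name, and the capture lines it runs on are constructed.

```shell
#!/bin/sh
# Constructed sample of `tcpdump -tt -n -i igb0 udp` output (not a real capture):
# an audio stream of 50 small packets/s and a bulk flow of 10 large packets/s,
# both inside the same one-second window.
sample_capture() {
  awk 'BEGIN {
    for (i = 0; i < 50; i++)   # 160-byte payloads every 20 ms (RTP-style)
      printf "%.6f IP 192.168.1.50.5004 > 203.0.113.10.8000: UDP, length 160\n", 1700000000 + i * 0.02
    for (i = 0; i < 10; i++)   # 1400-byte payloads every 100 ms
      printf "%.6f IP 192.168.1.60.40000 > 203.0.113.20.443: UDP, length 1400\n", 1700000000 + i * 0.1
  }'
}

# tcpdump_pps: read `tcpdump -tt -n` lines on stdin; print one line per
# (second, source IP) with packets/s and an estimated wire rate in kbit/s.
# tcpdump's "length" is the UDP payload, so 42 bytes of Ethernet+IPv4+UDP
# headers are added per packet (assumption: untagged Ethernet, no IP options).
tcpdump_pps() {
  awk '
    $2 == "IP" && $(NF-1) == "length" && $NF ~ /^[0-9]+$/ {
      sec = int($1)
      src = $3
      sub(/\.[0-9]+$/, "", src)          # strip the port from a.b.c.d.port
      key = sec " " src
      pkts[key]++
      bytes[key] += $NF + 42
    }
    END {
      for (k in pkts)
        printf "%s pps=%d kbps=%.1f\n", k, pkts[k], bytes[k] * 8 / 1000
    }' | sort
}

# On pfSense the live form would be: tcpdump -tt -n -i igb0 udp | tcpdump_pps
# On the constructed sample the ~81 kbit/s audio flow generates five times the
# packets of the ~115 kbit/s bulk flow, which is the PPS-versus-bandwidth effect.
sample_capture | tcpdump_pps
```

Sources whose pps is high while kbps stays low are the candidates worth comparing against the Status > Traffic Graphs view.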
-
@stephenw10 Where would I check on PPS throughput? Under Status->Traffic Graphs it only shows bandwidth in bits/sec.
-
Here: