PfSense pretty slow GUI opening FW rule
-
I don't have to be in PfSense (2.6.0) very often, but I forgot since the last time that my PfSense is very slow.
From what I have read, this is often a DNS issue.. right?
But where should I look for this problem? For example opening a FW rule will take about 30 seconds. PfSense is running on an ESX machine, with 6GB and 2 vCPUs. Host machine runs on a Xeon E31260L. CPU usage is at around 2% and memory at 8%.
I use a PPPoE Fiber 1000/1000 connection. I use 1.1.1.1 and 9.9.9.9 under General Setup.
Under DNS resolver:
Network interfaces: I picked LAN and my vLANs and localhost
Outgoing network interfaces: ALL
Any ideas? I have played around with TLS over DNS (port 853), it works but maybe that is the problem. Just trying to give you guys the whole picture :)
-
@operations Are you saying opening a specific firewall rule to edit is what is slow, or just logging into the main gui site with your widgets on it?
-
@johnpoz well everything is slow, I thought I would mention the editing and saving a rule as an example.
-
@operations the main gui can take a couple of seconds.. But once you're in - opening a rule or saving a rule should be pretty instant..
The main page with all the widgets - it can take a bit to do all it's doing for the widgets and which ones you have on the page, etc. But editing rules on an interface, or bouncing between fw interfaces should be pretty quick..
-
@johnpoz I can tell you 100% sure it is not :p
Switching from Aliases/Ports to Rules takes me 42 seconds.
Just another example.
-
@operations there shouldn't be any delay there..
switching between interfaces and or types of alias should really be instant..
-
@johnpoz said in PfSense pretty slow GUI opening FW rule:
@operations there shouldn't be any delay there..
switching between interfaces and or types of alias should really be instant..
Yes, I sort of figured that. I have one more PfSense at a different location and that one is way faster.
So where do I find / troubleshoot this problem?
-
@operations well if me I would prob use the say like the web dev tools in firefox or whatever browser you're using to see where the delay is exactly
Have you tried different browsers - browser in safe mode. Are you accessing these 2 different pfsense via the same browser and machine? Both local, one remote, both remote?
Are you running any say major different package in one vs the other? like IPS or ntop or proxy on one vs the other?
-
@operations said in PfSense pretty slow GUI opening FW rule:
Switching from Aliases/Ports to Rules takes me 42 seconds.
I’ve seen this if
- It’s a relatively slow CPU (2100)
- the rules use some very large aliases (all US IPs)
- multiple rules use the large alias
pfSense has to generate the HTML for every row. A slow connection doesn’t help.
Sometimes it can be worked around, for instance unlink the NAT rules from their firewall rule and create one firewall rule using aliases for the NAT target. Or similar for firewall rules.
-
@steveits said in PfSense pretty slow GUI opening FW rule:
the rules use some very large aliases (all US IPs)
haha - ok.. But I have this, even more than this actually.. And it's only a 4860.. My pfblocker allow alias has 97,917 records. Which is currently US, Morocco and Ireland IPs and some specific ones from statuscake and uptime robot and plex remotecheck lists, etc..
Maybe IPv6 aliases - which I don't have?
Not seeing any slowdown in loading that rule or any rules or moving between alias types or pages..
Now the main gui page has a bit of hesitation in it, a few seconds. But if you remove the firewall widget it does load faster, etc.
But yeah this is something to look at, especially is the one pfsense you have that is not slow using such large aliases in your rules?
-
@johnpoz said in PfSense pretty slow GUI opening FW rule:
its only a 4860
I humbly suggest a 4860 is faster than a 2100. :) If one uses a slower CPU and creates say 20 NAT rules using Geo_US as the source it needs to load them all in 20 times in order to display the hover hint on the page HTML (so, the page code is huge). We have a couple specific cases at clients, and removing the linked NAT rule, setting the NAT source to Any, and creating our own firewall rule to allow only from source Geo_US to the target IPs made a huge difference on both the NAT and Rules pages.
-
@steveits said in PfSense pretty slow GUI opening FW rule:
as the source it needs to load them all in 20 times in order to display the hover hint on the page HTML
So for example..
I have this alias in 5 different rules... You're saying that when I load up this interface that table of 97k records has to be loaded 5 times.. Loaded where - in the browser? What is actually loading what when I just look at the interface page?
I am not a web developer or developer of any kind but I can tell you for sure that loading that alias 5 different times to "maybe" display the popup listing of what's in doesn't seem any way efficient.. I could see if they were different.. But why wouldn't the popup list not need to be populated until I actually hover over it?
-
@johnpoz said in PfSense pretty slow GUI opening FW rule:
doesn't seem any way efficient
Exactly. :) Presumably they were assuming aliases would be a short list. It uses jQuery to show the popup but the data is on the page:
<a href="/firewall_aliases_edit.php?id=3" data-toggle="popover" data-trigger="hover focus" title="Alias details" data-content="<h5>https://127.0.0.1:443/pfblockerng/pfblockerng.php?pfb=pfB_GeoIPUSv4_v4 <br />[ US_v4, US_rep_v4 ]</h5><ul><li> 2.16.33.76</li><li> 2.19.128.0/20</li><li> 2.20.32.0/22</li><li> 2.56.6.0/24</li><li> 2.56.8.0/24</li><li> 2.56.9.0/25</li><li> 2.56.9.128/26</li><li> 2.56.9.192/27</li><li> 2.56.9.224/28</li><li> 2.56.9.240/29</li><li> 2.56.9.248/30</li><li> 2.56.9.252/30</li><li> 2.56.11.0/24</li><li> 2.56.20.0/22</li><li> 2.56.32.0/22</li><li> 2.56.114.0/23</li><li> 2.56.116.0/22</li><li> 2.56.120.0/21</li><li> 2.56.137.0/24</li><li> 2.56.139.0/24</li><li> ...
That also means it is worse if one "blocks the world" rather than "allows my country."
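To check whether this is what makes a given Rules or NAT page slow, the saved page source can be measured for popover payload per alias. This is an added example, not part of the original post and not pfSense code: `PopoverAudit`, `audit` and `sample_page` are hypothetical names, and the sample page is constructed, modelled on the `data-toggle="popover"` / `data-content` markup quoted above with the attribute entity-escaped (an assumption about the raw source).

```python
import html
from collections import defaultdict
from html.parser import HTMLParser


class PopoverAudit(HTMLParser):
    """Collect every hover-popover anchor and the size of its embedded alias list."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stats = defaultdict(lambda: {"copies": 0, "bytes": 0, "entries": 0})

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag != "a" or a.get("data-toggle") != "popover":
            return
        content = a.get("data-content") or ""      # already entity-decoded by the parser
        row = self.stats[a.get("href", "?")]       # alias edit link identifies the alias
        row["copies"] += 1                         # one copy per rule row that uses it
        row["bytes"] += len(content.encode("utf-8"))
        row["entries"] = content.count("<li>")     # addresses/networks listed in the popup


def audit(page_html):
    """Return per-alias popover cost, largest first. 'share' is a lower bound
    because the payload is measured after entity decoding."""
    parser = PopoverAudit()
    parser.feed(page_html)
    total = len(page_html.encode("utf-8"))
    report = [{"alias": href, **s, "share": round(s["bytes"] / total, 3)}
              for href, s in parser.stats.items()]
    return sorted(report, key=lambda r: r["bytes"], reverse=True)


def sample_page(rules=5, entries=2000):
    """Constructed stand-in for a saved rules page: one large alias used by
    `rules` rows plus one small alias used once."""
    items = "".join(f"<li> 10.{i // 256}.{i % 256}.0/24</li>" for i in range(entries))
    popover = html.escape(f"<h5>Geo_US (constructed)</h5><ul>{items}</ul>", quote=True)
    big = ('<tr><td><a href="/firewall_aliases_edit.php?id=3" data-toggle="popover" '
           'data-trigger="hover focus" title="Alias details" '
           f'data-content="{popover}">Geo_US</a></td></tr>')
    small = ('<tr><td><a href="/firewall_aliases_edit.php?id=1" data-toggle="popover" '
             'data-content="&lt;ul&gt;&lt;li&gt; 192.0.2.10&lt;/li&gt;&lt;/ul&gt;">mgmt</a></td></tr>')
    return "<table>" + big * rules + small + "</table>"


if __name__ == "__main__":
    for line in audit(sample_page()):
        print(line)
```

Against a real page, pass the text saved from the browser's "view source" to `audit()`; an alias with many copies and a large share is the one to consolidate into a single rule, as described above.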
-
@johnpoz said in PfSense pretty slow GUI opening FW rule:
@operations well if me I would prob use the say like the web dev tools in firefox or whatever browser you're using to see where the delay is exactly
Have you tried different browsers - browser in safe mode. Are you accessing these 2 different pfsense via the same browser and machine? Both local, one remote, both remote?
Are you running any say major different package in one vs the other? like IPS or ntop or proxy on one vs the other?
I don't even use PfBlocker (no added package except speedtest). I use Adguard. I have tried Chrome and Firefox on different machines. I will try to use the dev tools idea.
My machines are Windows 11 with an AMD 3900x with 64GB on a 1TB WD 850x. Other one is an 8th gen i7 32GB on a 1TB 980 Samsung Pro.
-
@operations said in PfSense pretty slow GUI opening FW rule:
I don't even use PfBlocker
So you don't have any large aliases setup like with all of the internet IP ranges in them?
-
@johnpoz said in PfSense pretty slow GUI opening FW rule:
@operations said in PfSense pretty slow GUI opening FW rule:
I don't even use PfBlocker
So you don't have any large aliases setup like with all of the internet IP ranges in them?
Nope, couple of aliases with one to max 6 or 7 IPs.