WAN RTT degraded over time
-
Hello!
The WAN RTT is continually degrading like clockwork without limit. The only solution is to reset the ISP router.
I have configured the router in bridge mode, and configured the WAN interface as DHCP (in the icg0 adapter, configuring VLAN 20), and everything works correctly. I tried configuring the WAN interface statically and it worked fine too.
I've been having problems like this for a while:
routing logs
warning: AdvDNSSLLifetime <= 2*MaxRtrAdvInterval would allow stale DNS suffixes to be deleted faster
resuming normal operation
exiting, 1 sigterm(s) received
sending stop adverts
removing /var/run/radvd.pid
gateway logs
send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 1 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr 10.77.0.1 bind_addr 10.77.114.255 identifier "WAN_DHCP "
WAN_DHCP 10.77.0.1: Alarm latency 3353us stddev 12us loss 33%
WAN_DHCP 10.77.0.1: Clear latency 2939us stddev 347us loss 0%
WAN_DHCP 10.77.0.1: sendto error: 50
WAN_DHCP 10.77.0.1: sendto error: 65
But they stopped appearing after configuring the WAN interface firewall in a more permissive way.
I tried to release WAN with Relinquish Lease, and I tried restarting dpinger, but the only way to restart the count is by restarting the ISP router.
When I asked the ISP about the bridge mode, they told me that it uses PPPoE encapsulation, a user, a password, the VLAN ID, the VPI and the VCI, along with DNS servers. But I have not managed to configure PPPoE on the WAN interface of pfsense.
Any help is appreciated
More info:
Pfsense: 2.6.0-RELEASE (amd64)
Hardware: P09B Celeron N5105-4L
ISP: MasMovil
ISP Router: Sagemcom 5657
-
@rubensan112 said in WAN RTT degraded over time:
The WAN RTT is continually degrading like clockwork without limit.
Where are you seeing that? 4.2ms seems pretty good for a PPPoE link.
What does it degrade to?
Steve
-
@stephenw10 This is the beginning. It is always growing, causing latency problems. The upload speed degrades too.
-
What does it grow to?
Check the WAN Quality graph in Status > Monitoring. Is it rising linearly?
-
A solution might be : Access the WAN interface setting :
Activate the setting that makes the issue go away :
Save and done.
Make a small post-it that says :
Only activate IPv6 on WAN when all the needed IPv6 info from the ISP has been received.
Beware that ISPs can have their "own" interpretation of what IPv6 is. Things are less well defined than with the 40+ year old IPv4. Your ISP might have a working IPv6, but only the 'official' ISP router can use it. Your ISP doesn't care that you use something else, like pfSense.
"IPv6 and router" : you have to deal with delegations or prefixes, like a "/64" for every LAN, and an IPv6 /128 for the pfSense WAN. Placing pfSense behind an ISP (your) router : this router should be able to hand over an entire prefix, not just 'one' DHCPv6 lease.
Etc.
Because you have no more IPv6 on WAN, remember to deactivate any IPv6 on your LANs and stop DHCPD6 on your LANs.
IPv4 still has some good years to go.
Why your RTT goes up over time ?
If this looks 'all quiet' :
so I know pfSense doesn't do the heavy lifting, and my ICMP packet return time starts to rise, it's a 99,9 % case of : 'what's happening on the uplink' ?
Btw, you and me, we're monitoring :
The huge spike was me, as I was dumping my NAS into the Office 365 OneDrive Microsoft Cloud storage (6 TB outgoing traffic).
So, instead of :
@rubensan112 said in WAN RTT degraded over time:
The WAN RTT is continually degrading like clockwork without limit.
so where is the image ?
Like :
(it was me actually, as dpinger used the upstream gateway, my ISP router, 30 cm away, so I was testing a 30 cm Ethernet cable. Now I test against an IPv4 on my web/mail server, some 600 km away from here, which gives a better indication of 'Internet is ok')
-
Re: WAN RTT degraded over time
@gertjan said in WAN RTT degraded over time:
Thanks for the responses!
I tried many options, including disabling everything related to IPv6 on the WAN and LAN, but it didn't work.
What has worked is not putting the router in bridge mode, putting pfSense behind the ISP router, and simply setting the LAN to 192.168.2.1/24.
This way I can choose to connect directly to the ISP router or pfsense.
Now the RTT is lower and constant. Now I don't see any downside to this option. My intention is to create a lot of VMs with KVM, create a Kubernetes cluster, and give access to multiple users with OpenVPN. Do you know of any issues with pfSense behind an ISP router in that environment? I will have to configure the firewall and access in the ISP router to pfSense well, to let it manage the firewall of the VMs. And maybe OpenVPN will give me some issues, but I guess I will figure it out.
I will try with another ISP provider in any case.
Thanks!
-
If you double NAT the connection you will need to forward traffic through both routers to reach the internal resources.
The WAN monitoring in that situation only pings the local router, hence it's very low. That doesn't really give you any useful information about the state of the internet connection.
You should at least set an external IP to monitor.
https://docs.netgate.com/pfsense/en/latest/routing/gateway-configure.html?highlight=monitor
-
@stephenw10 You are right. Now looks better.
The new ISP router will come soon, and I will then try again with WAN in DHCP mode, or with PPPoE.
Thanks!
-
I'm pretty sure that IP, 192.168.1.1, is very close to you.
Like 3 foot away, the cable between pfSense and your ISP router.
The idea is that you use another, public, IP, one that is further down "the road", a gateway IP of your ISP.
If that one is too hard to find, you could use some other "nearby" IP, like 8.8.8.8.
I'm using the IP of one of my servers somewhere nearby the main 'ISP gateway' :
Now I see :
Which means :
192.168.10.1 is the IP of the LAN of my ISP router, just 30 away from me and pfSense.
188.165.5x.87 is my server IP, and that one is just to 'test' my uplink.
The whole idea of all this is : If I (pfSense) can reach (receive answers to my pings) from 188.165.5x.87, I know (and pfSense) that my connection is ok.
Pinging your upstream router on your site/home makes no sense. That says nothing about the 'quality' of your uplink.
Test this yourself : remove the cable (phone/adsl/coax/satellite disk/fiber/whatever you use) from your ISP router : you will see no alerts in the pfSense GUI dashboard, as your 192.168.1.1 is still answering, so pfSense thinks the connection is ok.
Well, it's not.
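
Added example, not part of any post in this thread and not pfSense or dpinger code: a small Python check that reads dpinger log lines in the format quoted in the first post and flags gateways whose monitor IP is a private or link-local address, which is the situation described above. The sample log is constructed; the identifier "WAN_EXT" and the bind addresses are assumptions.

```python
import ipaddress
import re

# Constructed sample in the dpinger log format quoted in the first post;
# the identifier "WAN_EXT" and the bind addresses are made up.
SAMPLE_LOG = '''\
send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 1 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr 192.168.1.1 bind_addr 192.168.1.2 identifier "WAN_DHCP "
WAN_DHCP 192.168.1.1: Alarm latency 3353us stddev 12us loss 33%
WAN_DHCP 192.168.1.1: Clear latency 2939us stddev 347us loss 0%
WAN_DHCP 192.168.1.1: sendto error: 65
send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 1 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr 8.8.8.8 bind_addr 192.168.1.2 identifier "WAN_EXT "
'''

CONFIG_RE = re.compile(r'dest_addr (\S+) bind_addr \S+ identifier "([^"]*)"')
EVENT_RE = re.compile(
    r'^(\S+) (\S+): (Alarm|Clear) latency (\d+)us stddev (\d+)us loss (\d+)%$')


def parse_dpinger(text):
    """Return ({gateway: monitor_ip}, [alarm/clear events]) from dpinger lines."""
    monitors, events = {}, []
    for line in text.splitlines():
        line = line.strip()
        cfg = CONFIG_RE.search(line)
        if cfg:  # start-up line: which address this gateway pings
            monitors[cfg.group(2).strip()] = cfg.group(1)
            continue
        ev = EVENT_RE.match(line)
        if ev:  # "sendto error" and other lines are skipped
            events.append({"gateway": ev.group(1), "monitor": ev.group(2),
                           "state": ev.group(3),
                           "latency_us": int(ev.group(4)),
                           "loss_pct": int(ev.group(6))})
    return monitors, events


def local_monitors(monitors):
    """Gateways whose monitor IP is private or link-local (heuristic)."""
    flagged = []
    for name, addr in monitors.items():
        ip = ipaddress.ip_address(addr)
        if ip.is_private or ip.is_link_local:
            flagged.append(name)
    return sorted(flagged)


if __name__ == "__main__":
    mons, evs = parse_dpinger(SAMPLE_LOG)
    print("monitoring only the local hop:", local_monitors(mons))
```

The private-address test is a heuristic: an ISP-side gateway that itself sits in private address space, such as the 10.77.0.1 in the first post, is flagged as well even though it is upstream.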