2.6.0 & 23.01 netgate and custom HW. Web UI extremely slow when no WAN present.
@phlmike This is common - all pages are trying to load DNS information and update time...
@rcoleman-netgate said in 2.6.0 & 23.01 netgate and custom HW. Web UI extremely slow when no WAN present.:
This is common - all pages are trying to load DNS information and update time...
It being common isn't an excuse, it is either because you specifically want it to be unusable without WAN or it is a bug. Having it update the time and load DNS info can be done in the background, given low priority. Allowing users to go through the web-interface and configure the unit to be put into service. You either allow CLI configuration or you make the Web UI usable.
For a home lab firewall, that's fine behavior. However, I had to tell the owner of a company why we had to take them down during business hours. If I get a no confidence vote from my clients about Netgate, then I have to go back to something else and you guys lose that money and I lose all the money I spent on netgates (when they are in-stock). I know you guys dislike MSPs, but I have 700 firewalls.
Please, I need a workaround.
@phlmike said in 2.6.0 & 23.01 netgate and custom HW. Web UI extremely slow when no WAN present.:
Please, I need a workaround.
The issue at hand is not that it is calling home but it cannot look up the DNS information.
Give the devices a path to a DNS server and a (simple) route to the internet and the UI will become more responsive.
@rcoleman-netgate said in 2.6.0 & 23.01 netgate and custom HW. Web UI extremely slow when no WAN present.:
Give the devices a path to a DNS server and a (simple) route to the internet and the UI will become more responsive.
Then the tech can't set the WAN interface properly until it goes into place. What about shipping a firewall with a static WAN IP?
If you can't set the WAN properly, what about Virtual IPs and 1:1 NAT. All the sudden, 2 minutes of config becomes 20. And most of my techs aren't as fast as I am, so you can see outages of 40 minutes. When a tech is sitting onsite, sometimes where the Internet is from Verizon FIOS which ONLY gives you a single ethernet port. So to add a second firewall you need a dirty switch. If you have enough IPs. Or they double nat it, oh wait that depends if their switch isn't completely full. Oh yeah, we can unplug the CEO's PC right? These aren't perfect scenarios.
Saying, just give it DNS is arrogant and uninformed at best. It's a bug. Just give us CLI config or the ability to turn off the dashboard and have a blank front page. It would take an hour to program that in to the web interface.
Have you been sitting in a mezzanine of a warehouse at 100F trying to replace a firewall because the company needs to have it replaced right now but they also don't want ANY downtime. You don't have a lot of options and sometimes, NO you can't just give it DNS. It can be patient and wait for its darn DNS until I am ready. We don't have the luxury of ideal conditions.
What if I am in my DC, and I need to replace a hardware firewall. I only have wifi where I can sit without a 120db noise floor. With 70 vlans I need pre-built. I want to replace the config and verify it is all there, so then I can venture back into the screaming tundra, climb a ladder to get to the top of a 50U rack and install the new unit. And not have to do it at 2:30am on July 4th holiday.
I have used sonicwall, watchguard, barracuda, checkpoint, all of them. Every other one has a web-ui that has 0 issues when no wan is connected.
Here's another example. In my home, I want to change firewalls to get 2.5GbE since I got 1.6Gbps fiber but I want to do a clean config as I copied this config from 4 consecutive firewalls. I only have single DHCP IP for my internet. It's literally a single port ONT no modem. So I plug it into my network, it gets a local WAN ip in the range except that what I want to set the LAN.
In that case I would need to make a secondary vlan with an unused range like and have the firewall connect to that, then make all my lans and vlans.
Or I need to make the LAN like and then make another change yet again when I put it in place.
Give me more time and I'm sure I can come up with 100 more legitimate scenarios where you would want to config a firewall and not be able to have wan. That and the fact that literally every other comparable "firewall" on planet earth can be configured without internet access. No I am purposely not including Unifi's. They are glorified home routers.
$50 says that fancy new web UI for TNSR doesn't have any issue if the WAN is down.
@phlmike In the event your techs don't have a suitable spare port at the location why don't they plug in their laptops and feed a DNS that way, using a 3/4/5G signal if required?
I've yet to be at a site where a port cannot be freed and the company preferring a total WAN outage instead.
I've not used pfSense much but they seemed to install ok without WAN, from a clean reset condition.
Being seriously hot and uncomfortable, yeah that happens way too much!
You should be able to configure a clean install without WAN; however, it already had WAN, unplugging it to do configuration will make it slow to respond.
@nollipfsense said in 2.6.0 & 23.01 netgate and custom HW. Web UI extremely slow when no WAN present.:
You should be able to configure a clean install without WAN; however, it already had WAN, unplugging it to do configuration will make it slow to respond.
That is exactly the problem. Clean install, no WAN access. I can verify on VM's and hardware. Even switching direct from one menu to the next is 8-9 seconds. Going to the dashboard is like 90 seconds.
@robbiett said in 2.6.0 & 23.01 netgate and custom HW. Web UI extremely slow when no WAN present.:
@phlmike In the event your techs don't have a suitable spare port at the location why don't they plug in their laptops and feed a DNS that way, using a 3/4/5G signal if required?
I've yet to be at a site where a port cannot be freed and the company preferring a total WAN outage instead.
Being seriously hot and uncomfortable, yeah that happens way too much!
The techs have surface pro 7's, only a single dongle with ethernet and no cellular. They would have to connect via wifi to their phones hot spot and then turn their Windows 11 pro machines into a router on the fly. That is IF they have service. Some of these steel buildings really kill cell reception.
My only thought if you really have some big sites then DNS should be local with forwarding to maybe QUAD9 You should never run a large network without local DNS. I would probably add a DHCP server as there is no reason to have that load on your router either. I would also throw in a layer 3 switch to reduce the load on your router plus L3 switches run at line speed which is much faster than using any router. When you scale you need to spread the load.
@coxhaus You would be correct in the perfect world. However think of it this way, diagnosing a pfSense when the internet is down. I don't want to sit around for 5 minutes waiting for the dashboard to come up.
@phlmike My guess is you would not have the issue you are talking about if you did what I said above. I have not actually tested pfsense on a large network but back when I did in the old days, I used Cisco PIX back in those days when I ran a large network with all the above that I said.
Think about what I said above. All your clients would be on the other side of the L3 switch on 1 connection maybe a big lagg. Just unplug them as you upgrade the router. There can be no load just your PC you are doing the work with. I am sure you would need to unplug them but you could.
@phlmike This is marked resolved in 2.7 and 22.05.
https://redmine.pfsense.org/issues/12141 -
@coxhaus I run a MSP managing 700+ sites, ranging from 1 user to 2,000 users. DNS resolving has no bearing because the unit isn't connected to the network. The issue today wasn't a large network. It was a single Unifi 48-port switch, handling maybe 20 people with wired computers and voip phones. Their DNS server was over an IPSEC tunnel with a backup of the local pfSense firewall. The Internet was a single SMB/Consumer grade Verizon FiOS ONT. Single internet port with single static IP address. The current firewall was a Netgate unit that was just replaced three days ago, but had its config backed up and restored to the newer unit from the older unit that died. Today that unit started crashing, so a tech brought over a brand new netgate unit, but instead of restoring the old config, needed to recreate it himself while onsite. Local DNS would have done nothing for him. So he tool the company down, plugged in the new firewall, set up WAN and then I logged into his Surface and did the config because I am the pfSense SME. I can make a pfSense run a cappuccino machine from a magic packet. This is a long standing known issue with pfSense and it gathers up over the years until I lose it and publish a bug.
I refuse to use Cisco or Meraki anything. I run UBNT or Microtik switches or APs. In a pinch I'll run Aruba/HPE. Yes, I have all fancy networks with all the fancy buzzwords the kids learn in Network+ class but in those networks I have numerous firewalls and internet lines and the firewalls are usually virtual anyway. Pointless to have a hardware firewall. I have a few vmware stacks running a few hundred VMs on hundres or so vlans.
@steveits 2.7.0 isn't out yet and I can absolutely confirm it is not resolved on 23.01 as I just did today about 10 minutes before making the ticket. I can even give you the PO number when I bought the TAC Lite to get PFSense plus.
10:44am EST. I can PM you the order number if you don't believe me. That was on the Xeon Silver with 128GB of RAM.
@steveits 22.05 seems to be better, but its an empty config. You still have to get rid of the warranty tile for it to really speed up. I don't have a production 22.05 to test on. But 23.01 still takes a bit.
It's no where near as bad as it used to be but I agree it can still be frustratingly slow if no WAN is available. I may be conflating a number of bug reports in my head but I thought there was something open other than 12141.
This might be better served as a new feature request for an off-line config mode or similar.Steve
@stephenw10 Once you nick the warranty tile on the Dashboard in 22.05 and 23.01 on a "lite" config. Things smooth up. What happened today was the unit my tech had still had CE 2.6.0 on it which is BRUTAL and caused him to complain and then the business owner to explode on the phone at me. Hence my frustration. Poo rolls down hill. There have been from what I recall, dozens of tickets. I remember one from 2.4.5. Because 2.4.3 and 2.4.4 were beyond brutal, literally minutes. On a well-used firewall with mileage on it, 10's of minutes, not joking. 23.01 seems noticeably slower than when I reverted to 22.05, but that is a test machine which was an old 45-drives CEPH service delivery node that I had laying around. For a firewall with no real config, its a little overkill (yes that IS an understatement).
I like your idea of an Offline Config mode. I'll make one on redmine, but for pfSense+ as it would be more likely to be addressed sooner as a "premium" option.
I'll notate this post on the ticket.
What would probably be a relatively easy solution would be a php shell script that disables whatever is needed from the cli before you reach the login. A slightly bigger ask might be console menu option directly. The issue would probably be making sure some of those things are re-enabled again at the appropriate time. I could imagine posting an alert perhaps.
I've been there in older versions when restoring a config resulted in pkg reinstalling having to timeout for each package. It was not fun!
@stephenw10 I added that in as well to Feature #14387. I also decided to make another feature to search in the timezone list - but I set that as low priority for the CE base. The Offline Config I set for pfSense+ because I want to see that sooner.
I haven't been a programmer in over 20 years, otherwise I would contribute code. Maybe I'll just ask ChatGPT. ;-) (I am just joking, I'm not going to submit AI generated code).
@phlmike said in 2.6.0 & 23.01 netgate and custom HW. Web UI extremely slow when no WAN present.:
Maybe I'll just ask ChatGPT. ;-)
Probably better than anything I could "write".