Netgate Discussion Forum
    Pfsense and Videoconference is not a perfect match!?

    General pfSense Questions | 17 Posts, 7 Posters, 1.7k Views
    madah999

      So I'm new to pfSense and have been running the firewall for some months now. I come from a Cisco ASA 5506-X with Firepower and have been scanning for better-priced alternatives. Someone at work recommended pfSense and I thought I'd give it a try.

      A very advanced firewall that can do a lot; I am very impressed!!

      I work a lot from my home office and have several video meetings every day via MS Teams, Webex, Skype and Zoom.

      I have done several tests with my Cisco ASA connected in parallel with my pfSense. Both firewalls are connected to the same ISP via their WAN interface and both have the LAN interface connected to the same Ethernet network and IP network. DNS is also available on the LAN network. So from my laptop I can pick either the ASA or the pfSense as gateway by changing the gateway in the IPv4 settings.

      If I use the Cisco ASA as Internet gateway everything works as intended, no problems with surfing the web or having video meetings via Teams, Webex, S4B or Zoom!

      If I switch to the pfSense gateway to the Internet, Teams meetings are interrupted minutes after joining a meeting: my Teams client connects to the meeting, drops out, reconnects, drops out continuously. Skype for Business does not work at all. Webex has similar behavior to MS Teams.

      When attending video meetings, the pfSense hardware is using approx. CPU 19%, memory usage 17%, swap 0%, disk 4%. The Internet cap is asymmetrical, 250 Mb down / 100 Mb up.

      If I change back to my Cisco ASA I don't have any problems at all: MS Teams, Webex or any other real-time traffic client; traffic just flows through the Cisco firewall.

      What is going on, please assist???

      KR
      Madah

      johnpoz LAYER 8 Global Moderator @madah999

        @madah999 All I can say is I also work from home multiple times a week, and before that I was working from home full time, and I have had zero issues with any video calls on any of the platforms; we use Teams and Webex all the time. Zoom as well is very common. I don't recall a lot of Skype.

        Are you running any packages? That could cause problems, any IPS for example? You're not using a proxy, are you? How exactly are you set up where you can use either? Do you have 2 public IPs, or do you have a NATing device in front of both your pfSense and ASA?

        Could you have some sort of asymmetrical flow?

        Recently my wife was doing zoom calls every week with lots of video with lots of people setting up a wedding shower with friends and family from all over in the planning of it - she was on multiple calls a week for a few weeks with zoom, these were normally long calls of an hour or more - and she never complained..

        I have been on 2 Teams calls so far today, very smooth on both of them.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        keyser Rebel Alliance @madah999

          @madah999 It's definitely not base pfSense that has any issues in this regard. So I'm guessing you have one of the following issues:

          1: Autonegotiation issue between your pfSense WAN NIC and the gateway NIC
          2: Autonegotiation issue between your pfSense LAN NIC and your switch

          Otherwise it's likely some issue on your WAN side, as I assume you have multiple public IPs to be able to do that parallel setup (one IP for pfSense and one for the ASA).
          Do you perhaps have the pfSense public IP loaded as a VIP on the ASA as well? That constitutes an IP address conflict causing erratic ARP behaviour; the symptoms would very much be like what you are experiencing.

          Try setting up a running ping for the pfSense LAN IP, the pfSense WAN IP, the ISP gateway IP and Google's 8.8.8.8 IP (all using pfSense as default gateway).
          Are they all equally stable, or which ones are seeing fallout/erratic behaviour?

          Love the no fuss of using the official appliances :-)

          SteveITS Galactic Empire @madah999
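An added example (not code from the thread) that automates the ping test suggested above: it pings each hop inside-out, parses the ping(8) summary on both FreeBSD (pfSense) and Linux, and reports the first hop where loss appears. The four addresses in HOPS are placeholders; replace them with your pfSense LAN IP, pfSense WAN IP, ISP gateway and a public address.

```python
"""Locate where a flapping path breaks by pinging each hop in order.

Added example for the ping test suggested in the thread; not code from the
thread. Hop addresses are assumptions (placeholders); replace them with your
pfSense LAN IP, pfSense WAN IP, ISP gateway and a public address.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed hop list, inside-out. All four addresses are assumptions.
HOPS: List[Tuple[str, str]] = [
    ("pfSense LAN", "192.168.1.1"),
    ("pfSense WAN", "203.0.113.10"),
    ("ISP gateway", "203.0.113.1"),
    ("public", "8.8.8.8"),
]


@dataclass
class PingResult:
    name: str
    target: str
    sent: int
    received: int
    avg_rtt_ms: Optional[float]

    @property
    def loss_pct(self) -> float:
        if self.sent == 0:  # no summary parsed: treat as total loss
            return 100.0
        return 100.0 * (self.sent - self.received) / self.sent


# Summary lines as printed by FreeBSD (pfSense) and Linux ping(8):
#   "10 packets transmitted, 8 packets received, 20.0% packet loss"
#   "10 packets transmitted, 8 received, 20% packet loss, time 9012ms"
_SUMMARY = re.compile(r"(\d+) packets transmitted, (\d+)(?: packets)? received")
# "round-trip min/avg/max/stddev = 0.2/0.3/0.5/0.1 ms" or "rtt min/avg/max/mdev = ..."
_RTT = re.compile(r"min/avg/max/\w+ = ([\d.]+)/([\d.]+)/([\d.]+)")


def parse_ping_summary(name: str, target: str, output: str) -> PingResult:
    """Turn raw ping output into a PingResult; unparsable output counts as 100% loss."""
    m = _SUMMARY.search(output)
    if not m:
        return PingResult(name, target, 0, 0, None)
    r = _RTT.search(output)
    avg = float(r.group(2)) if r else None
    return PingResult(name, target, int(m.group(1)), int(m.group(2)), avg)


def ping(name: str, target: str, count: int = 20, interval: float = 0.5) -> PingResult:
    """Run the system ping once; count/interval chosen so a brief flap shows up as loss."""
    proc = subprocess.run(
        ["ping", "-c", str(count), "-i", str(interval), target],
        capture_output=True, text=True, check=False,
    )
    return parse_ping_summary(name, target, proc.stdout)


def first_lossy_hop(results: List[PingResult], threshold_pct: float = 1.0) -> Optional[PingResult]:
    """First hop (inside-out) whose loss exceeds the threshold, or None if all are clean.

    Loss already at the pfSense LAN IP points at layer 2 (NIC, duplex, trunk);
    loss that starts at the WAN IP or the ISP gateway points upstream of the box.
    """
    for res in results:
        if res.loss_pct > threshold_pct:
            return res
    return None


if __name__ == "__main__":
    results = [ping(name, target) for name, target in HOPS]
    for res in results:
        rtt = f"{res.avg_rtt_ms:.1f} ms" if res.avg_rtt_ms is not None else "n/a"
        print(f"{res.name:12} {res.target:15} loss {res.loss_pct:5.1f}%  avg {rtt}")
    culprit = first_lossy_hop(results)
    print("first lossy hop:", culprit.name if culprit else "none")
```

Run it from a LAN client with pfSense set as the default gateway while a Teams call is flapping; loss that is already visible at the LAN IP is a local layer 2 problem, loss that only starts at the WAN IP or beyond is upstream.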

            @madah999 What is the hardware being used? pfSense can do traffic shaping but that’s usually only helpful if a connection is relatively busy.

            19% seems a tad high at idle for a PC, but if you're looking at the dashboard, pfSense is also busy updating all the widgets.

            Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
            When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
            Upvote 👍 helpful posts!

            JKnott @madah999

              @madah999

              I often use video conferencing with Teams, Skype, Zoom, Jitsi, etc.. Works fine. In fact, last week I was on a Teams call for about 1.5 hours. No problem.

              pfSense running on a Qotom mini PC
              i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
              UniFi AC-Lite access point

              I haven't lost my mind. It's around here...somewhere...

              stephenw10 Netgate Administrator

                My guess would also be some sort of link asymmetry with two gateways on the LAN subnet. Like perhaps local DNS using a different WAN IP.

                coxhaus

                  My videoconferencing is working. I am using a Cisco small business layer 3 switch with pfSense. A couple of things I did that seemed to help me: I used all upper case for my L3-defined switch gateway in pfSense, and I defined the pfSense WAN interface as default. I have the pfSense LAN IP set up with a static IPv4 address that exists in VLAN 1 on the L3 switch. VLAN 1 is defined on the L3 switch with the same network as what I used on the pfSense LAN IP. No VLANs are defined on pfSense. And I set up a gateway on pfSense with the VLAN IP I used for the L3 switch. And default routing for 0.0.0.0 0.0.0.0 on the L3 switch points to the pfSense LAN IP. The pfSense LAN port plugs into an access port defined in VLAN 1 or whatever VLAN you are using. I have used VLAN 10 in the past. I am not sure how you have yours set up, but this helped me using a Cisco L3 switch.

                  I think with this setup you could just change your routing statement and route to a different firewall. You would have to decide how you would handle DNS. DNS could be as simple as assigning something like QUAD9 in DHCP in the L3 switch. You could run a local DNS server like Microsoft DNS server forwarding to QUAD9. I guess you could change your DNS local IP when you change your routing statement. And tell everybody to reboot client devices.

                  madah999

                    Thanks for all responses.
                    The setup is straightforward. I have a managed Netgear switch in which port 8, untagged on VL666, is connected to the ISP via a fiber converter.
                    pfSense is connected to port 1 via dot1Q in the same Netgear switch. pfSense is configured with two VLANs, VL1 and VL666, on a single NIC.

                    [images: Pfsense1.png, Pfsense2.png]

                    When I do Teams meetings it feels that traffic does not flow as freely as when connected via the Cisco ASA.

                    I have DNSBL + Snort running + DHCP. I have 15 rules on the LAN interface.

                      johnpoz LAYER 8 Global Moderator @madah999

                      @madah999 said in Pfsense and Videoconference is not a perfect match!?:

                      Snort running

                      And if you turn that off?


                        coxhaus

                        Are you using router on a stick with untagged traffic? How do you know how to process the untagged traffic? Maybe I am looking at this wrong. You said 2 VLANs. I guess VL666 and VL1 on 1 interface. On your gateway WAN is default, which is VL666. I guess you are using a trunk with 2 VLANs. It took me a while to think about it.
                        Router on a stick is weird with a firewall. Why don't you use 2 interfaces defined with VLANs? I guess the WAN, since it is untagged, does not need to be defined as a VLAN. The LAN side needs to be a VLAN to be able to talk with DNS and the workstation.
                        PS: I have never used Netgear, only Cisco.

                          johnpoz LAYER 8 Global Moderator @coxhaus

                          @coxhaus said in Pfsense and Videoconference is not a perfect match!?:

                          Maybe I am looking at this wrong

                          Maybe not, might be a good catch. He lists it as tagged with 802.1Q, but then his drawing shows untagged for VL666 and untagged for VLAN 1 into pfSense. If that is one physical interface, one of those has to be tagged.

                          So I'm a bit confused as well by the L3 diagram.


                            coxhaus

                            I would not want a Netgear switch software standing between my workstation and my DNS server. It seems very unsafe to me. I would rather be behind the firewall. But everybody gets to choose.
                            You are only logically behind the firewall not physically behind a firewall. There is a big difference in my mind.
                            His terminology may be Netgear.

                              stephenw10 Netgate Administrator

                              I would prefer to use two tagged VLANs on the trunk rather than tagged (666) and untagged just because it's much easier to make mistakes with tagged and untagged. I'm assuming here that VLAN1 only exists inside the switch. You shouldn't ever use VLAN1 on a trunk directly if you can possibly avoid it.

                              I wouldn't have any real concerns with a setup like this. It should work fine.

                              However if there were some layer 2 issue here it would affect far more than just streaming video.

                              Steve

                                johnpoz LAYER 8 Global Moderator @stephenw10

                                @stephenw10 said in Pfsense and Videoconference is not a perfect match!?:

                                ather than tagged (666) and untagged just because

                                But his L3 drawing shows 666 and 1 both untagged..

                                [image: untagged.jpg]

                                Which wouldn't be a good setup, that is for sure, if there is only 1 physical interface on pfSense.

                                What I assumed from his L2 drawing is that 666 was tagged into pfSense and 1 was untagged. He labeled it 802.1Q, so I assume VLAN 1 is the default native and would be untagged across a trunk. But then on his L3 drawing he shows both untagged.

                                edit: but yeah, if he was running both untagged into pfSense you would assume he would be seeing much more than just issues with video calls. Not even sure how you could really set that up in pfSense? On the switch, sure, you could send both untagged, but then there would be no WAN connectivity at all, since how would pfSense see the WAN if it was looking for tag 666 and it was untagged?


                                  stephenw10 Netgate Administrator

                                  Yeah I assumed the tagging was on the L3 diagram just for clarity (though I'm not sure it helps!) since the switch isn't marked on there.

                                  What is not clear is whether the internal subnet is tagged between the switch and pfSense as VLAN1 or untagged. Either could work but I hate seeing VLAN1 tagged anywhere except inside a switch.

                                  https://docs.netgate.com/pfsense/en/latest/vlan/security.html#using-the-default-vlan-1

                                  I also don't like seeing tagged and untagged traffic on the same link though if I can avoid it. I'd rather see two tagged VLANs (other than 1!) on the trunk to pfSense.

                                  Steve

                                    coxhaus

                                    Yes, untagged traffic ends up on the default vlan which can be any vlan.

                                      madah999
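An added example (not code from the thread or from Netgate) that models the trunk johnpoz and stephenw10 are arguing about above, and coxhaus's point that untagged frames land on whatever the native VLAN is: each end of the link declares which VLAN IDs it sends or expects tagged and which untagged, and the checker reports the mistakes the thread calls out (two untagged VLANs on one NIC, VLAN 1 on the trunk, tagged on one side but untagged on the other, tagged and untagged mixed on one link). The interface name "em0" and VLAN 10 in the examples are assumptions.

```python
"""Sanity-check a router-on-a-stick trunk between a switch port and a pfSense NIC.

Added example, not code from the thread or from Netgate. Each end of the link
declares which VLAN IDs it sends/expects with an 802.1Q tag and which it
sends/expects untagged; the checker reports the mistakes discussed in the
thread. Interface name "em0" and VLAN 10 are assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Set, Tuple

Finding = Tuple[str, str]  # (severity, message); severity is "error" or "warning"


@dataclass
class TrunkSide:
    name: str
    tagged: Set[int] = field(default_factory=set)    # VLANs carried with a tag
    untagged: Set[int] = field(default_factory=set)  # native VLAN(s); a sane link has 0 or 1


def _mode(side: TrunkSide, vid: int) -> str:
    if vid in side.tagged:
        return "tagged"
    if vid in side.untagged:
        return "untagged"
    return "absent"


def check_trunk(a: TrunkSide, b: TrunkSide) -> List[Finding]:
    findings: List[Finding] = []
    for side in (a, b):
        carried = side.tagged | side.untagged
        if len(side.untagged) > 1:
            # Untagged frames all land on the one native VLAN; a second
            # untagged VLAN cannot be told apart from the first on the wire.
            findings.append(("error", f"{side.name}: {sorted(side.untagged)} all untagged; only one native VLAN is possible"))
        for vid in sorted(side.tagged & side.untagged):
            findings.append(("error", f"{side.name}: VLAN {vid} listed as both tagged and untagged"))
        for vid in sorted(carried):
            if not 1 <= vid <= 4094:
                findings.append(("error", f"{side.name}: VLAN ID {vid} is outside 1-4094"))
        if 1 in carried:
            # The default VLAN belongs inside the switch, not on a trunk.
            findings.append(("warning", f"{side.name}: VLAN 1 is carried on the trunk; keep the default VLAN inside the switch"))
        if side.tagged and side.untagged:
            findings.append(("warning", f"{side.name}: link mixes tagged and untagged frames; two tagged VLANs are harder to get wrong"))
    # Per-VLAN agreement: a VLAN tagged on one end and untagged (or absent) on
    # the other is silently dropped or lands on the wrong interface.
    for vid in sorted((a.tagged | a.untagged) | (b.tagged | b.untagged)):
        ma, mb = _mode(a, vid), _mode(b, vid)
        if ma != mb:
            findings.append(("error", f"VLAN {vid}: {a.name} has it {ma}, {b.name} has it {mb}"))
    return findings


def errors(findings: List[Finding]) -> List[str]:
    return [msg for sev, msg in findings if sev == "error"]


def warning_messages(findings: List[Finding]) -> List[str]:
    return [msg for sev, msg in findings if sev == "warning"]


if __name__ == "__main__":
    # The thread's setup as read from the L2 drawing: 666 tagged, 1 untagged, both ends.
    switch = TrunkSide("Netgear port 1", tagged={666}, untagged={1})
    pfsense = TrunkSide("pfSense em0", tagged={666}, untagged={1})
    for sev, msg in check_trunk(switch, pfsense):
        print(sev, msg)
    # What the L3 drawing literally shows: both VLANs untagged into a single NIC.
    for sev, msg in check_trunk(switch, TrunkSide("pfSense em0", untagged={1, 666})):
        print(sev, msg)
    # The recommended form: two tagged VLANs, neither of them 1.
    clean = check_trunk(TrunkSide("Netgear port 1", tagged={10, 666}),
                        TrunkSide("pfSense em0", tagged={10, 666}))
    print("two tagged VLANs:", clean or "no findings")
```

The first configuration produces only warnings (VLAN 1 on the trunk, mixed tagged/untagged on both ends), which matches the thread's view that it works but is easy to get wrong; the "both untagged" reading of the L3 drawing produces hard errors, which is why johnpoz expects it would break far more than video calls.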

                                      Hi

                                      I have been traveling so I have not been able to respond.

                                      I have made some changes to my pfSense which have fixed many issues. Yes, this is a simple setup with a single-NIC computer running pfSense.
                                      Yes, it is a router on a stick, which I find is good for a small home office. You need to trust VLAN technology to be able to use router on a stick designs.
                                      I trust VLANs and VLANs are very practical in many ways. I will later on change from VL1 to something else, as it is not recommended for security reasons
                                      to use VL1. pfSense, Netgear and Cisco talk VLAN via the dot1Q protocol; Cisco used to also do VLANs via their proprietary protocol ISL, but they dropped that one
                                      many years ago.

                                      I have been using my own DNS for many years because of security and the low latency in DNS resolution. I like to keep my data in my own log files
                                      rather than having them at Google data centers :)

                                      So I was running version 2.6 when I had "my" issues. I noticed in the system log that when I was loading the NIC with "more" traffic, the NIC often
                                      "decided" to restart, which of course caused issues. I use a built-in Realtek Gigabit card in my pfSense server and have found out that more people
                                      than me have had issues with Realtek.

                                      I have now upgraded pfSense to version 2.7. I have not started services like Snort or DNSBL for now.
                                      I only run ntopng 5.7.2, and the setup seems to work much better with my hardware compared to when I was using the 2.6 version of pfSense.
                                      No more odd NIC restarts when I load traffic on the network.

                                      I am really happy right now and I love Pfsense. :)

                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.