pfSense & concurrent users
-
Hello All,
I'm newbie here & new with pfSense firewall,
I have a pfSense with 8GB of memory, which is, in the normal stat shows 50-60% memory reserved.
However, with 8GB, how much the pfSense firewall can serve a number of concurrent users to browse a website\https?In fact, I have a problem at our school, when a 95 students logged into a cloud website (Moodle), and start their quiz, the pfSense firewall blocks browsing this website.
note, we can browse any other website, also we can ping the the same Moodle website normally...!!I searched & did not find any issue related to concurrent users web-browsing settings\conf that limit or block tens or hundreds of concurrent users from browsing a site at the same time...!!
I hope to find some advice and solutions here
Thnx in advanced
-
@AMSUIT
i'm not aware of any limits ...
why do you think it's pfsense blocking? and not moodle?
do you have any packages installed?
any kernel log perhaps under status / system logs ?
maybe it's Firewall Maximum States
you can check with
pfctl -vvsi -
@kiokoman
@kiokoman
thank u for ur reply,-
i had done a test with the same Moodle platform locally in our LAN (with no pfSense in the middle) and it works fine with concurrent 109 students. also, i have redirect the local website through pfSense, and the same error showed up (this website cant be reached).
Thus, I confirmed that the problem lies in the pfSense firewall. -
i have tried to find any log related to this problem under "system logs" and couldn't find anything...!!
-
-
@AMSUIT Technically it is possible to limit connections if explicitly set up in a firewall rule, such as options on page
https://docs.netgate.com/pfsense/en/latest/firewall/configure.html#maximum-state-entries-this-rule-can-createOtherwise https://docs.netgate.com/pfsense/en/latest/config/advanced-firewall-nat.html#firewall-maximum-states as mentioned is something to check. ISP routers can also have state limits, for instance some AT&T fiber connections have limits in the provided router as I recall.
Are you sure it's a block and not something else like a DNS failure? For instance, if DHCP is set to register leases in DNS, then DNS is restarted at each lease renewal...perhaps every (1 hour)/(109 PCs) in your example.
https://docs.netgate.com/pfsense/en/latest/troubleshooting/website-access-issues.html -
@SteveITS Thnx for the valuable response.
it seems like a DNS failure, becoz the ping is working on the website....i got lost & i'm not sure..!
regarding to the ISP & modem, i don't think it cause the problem. becoz i had tested the same Moodle platform internally with no need to internet access, as shown in the graph (at time 10:53).
and here is the error that showed up for all students today at 10:53:
regarding to the Max Number of states, it is the default value from the firewall based on my 8GB memory, as show in next graph:
"For instance, if DHCP is set to register leases in DNS, then DNS is restarted at each lease renewal...perhaps every (1 hour)/(109 PCs) in your example."
my problem with troubleshooting is the time & timing, as students log into the website at that time to take their online exam(s)... -
@AMSUIT Well your graph shows 6k states which is less than 800k.
“Didn’t send any data” doesn’t sound like DNS. Did you go through the troubleshooting link I posted?
-
@AMSUIT If you think it’s DNS, and everything is DHCP, assign for example 8.8.8.8 as the primary DNS, leaving pfsense out. It happened to me, in the end I better use an external DNS and a public one.
-
@SteveITS
@SteveITS said in pfSense & concurrent users:@AMSUIT Well your graph shows 6k states which is less than 800k.
at that moment the website stopped!!
@SteveITS said in pfSense & concurrent users:
“Didn’t send any data” doesn’t sound like DNS.
Okay, i will@SteveITS said in pfSense & concurrent users:
Did you go through the troubleshooting link I posted?
yes, i just finished. seems all set fine.
we can smoothly browse the website with 60 students\users, more than that, it stopped (as shown in the preious second graph), sometime with 90 user, and sometimes with 70 user....!
while, browsing a test-website locally, it works fine with 109 students!i will increase the memory size to 16GB in the coming days, and will test the website again.
hope to solve this problem in out school online exams. -
@esaenz thank u for ur reply.
as i relied to @SteveITS :
we can smoothly browse the website with 60 students\users, more than that, it stopped (as shown in the preious second graph), sometime with 90 user, and sometimes with 70 user....!
we had no prblem\error when browsing the website with one user up to 60+ , the browsing problem happens with 70-90 students and more...! -
@AMSUIT Are you using captive portal or any other packages? Open states are not normally a memory issue.
per https://docs.netgate.com/pfsense/en/latest/hardware/size.html#large-state-tables:
States - Connections - RAM Required
100,000 - 50,000 - ~97 MBHonestly I've never seen one of our or our clients' pfSense routers use more than about 3 GB of RAM and that's while using RAM disks. Most are under 1 GB.
-
@AMSUIT said in pfSense & concurrent users:
i had done a test with the same Moodle platform locally in our LAN (with no pfSense in the middle) and it works fine with concurrent 109 students
Not really a valid test to be honest.. Running something locally wouldn't have say the hosted site out on the public internet filtering that could be in place to prevent X number of sessions from the same IP.. Your students are not all using their own public IP are they? Are you natting to 1 public IP, or are you loading the nat across multiple public IPs?
I didn't see anything in what you posted that would suggest you have reached some pfsense limit.. 6k states is not very much.. Now if you were say 60k something ok - maybe your running into state exhaustion.. there is a limit to how many states can be created from any one IP to another IP.. The number of ports that can be used.
I would get with the company hosting and ask if they have any sort of limits to how many concurrent connections you can have from a single IP address.
edit:
And other browsing works when you run into the issue with the site right, the same student having issues with connecting to the testing site, can surf other stuff at the same time... Are other connections effected when this happens? Ie some other student surfing other stuff while some students are taking the test - they continue to function ok? -
@johnpoz said in pfSense & concurrent users:
get with the company hosting and ask if they have any sort of limits to how many concurrent connections you can have from a single IP address
Along these lines, is every web site a problem at that point? Or just this one you're complaining about?
-
@SteveITS said in pfSense & concurrent users:
@AMSUIT Are you using captive portal or any other packages? Open states are not normally a memory issue.
no at all, i'm not using captive portal.
@SteveITS said in pfSense & concurrent users:
Open states are not normally a memory issue.
-
@johnpoz said in pfSense & concurrent users:
Not really a valid test to be honest.. Running something locally wouldn't have say the hosted site out on the public internet filtering that could be in place to prevent X number of sessions from the same IP.. Your students are not all using their own public IP are they? Are you natting to 1 public IP, or are you loading the nat across multiple public IPs?
I didn't see anything in what you posted that would suggest you have reached some pfsense limit.. 6k states is not very much.. Now if you were say 60k something ok - maybe your running into state exhaustion.. there is a limit to how many states can be created from any one IP to another IP.. The number of ports that can be used.
I would get with the company hosting and ask if they have any sort of limits to how many concurrent connections you can have from a single IP address.
edit:
And other browsing works when you run into the issue with the site right, the same student having issues with connecting to the testing site, can surf other stuff at the same time... Are other connections effected when this happens? Ie some other student surfing other stuff while some students are taking the test - they continue to function ok?
yeah, u r right. and that's so confusing !
when the error occur, we can browse any other website normally...! even, i can ping the website it self !! but no DNS\ no browsing till i reboot Firewall.
its really so confusing, thats why i came here to get ur advices, guys... -
@johnpoz said in pfSense & concurrent users:
Are you natting to 1 public IP, or are you loading the nat across multiple public IPs?
yes, with one public IP for our school.
BUT, as i mention previously, i did a test with the local website using the Firewall as intermediate, and faced the same problem! -
@AMSUIT said in pfSense & concurrent users:
but no DNS\ no browsing till i reboot Firewall.
if there was no dns you wouldn't be able to go anywhere else, from any device that wasn't cached by the client or on pfsense.. You mean that site fqdn no longer resolves? Do other sites that are not in the cache resolve? Use the dns lookup tool under diagnostics.. If the answer to what your looking up is only couple ms then it was cached, if it more like 30ms or something that it was looked up, etc. Your saying no dns works at all?
Vs rebooting the firewall - just restart unbound, that will clear all dns caches, etc. Also when the problem happens vs being concerned with how many total states.. How many states exist to that site your trying to run the test on?
But in general 6k total states is nothing.. Here I just ran a scan across pfsense from my test box to another box on another network - did a full intense scan for all 65000 ports.. that could open.. My state table shot up through the roof
No issues I can still access that box I scanned web gui without any issues.. 6k states is nothing..
After the scan was over - states dropped back down to my normal sort of states.. A few hundred to like 2k..
Clearly you have something going on - but I doubt its states or cpu or memory issues..
-
@AMSUIT said in pfSense & concurrent users:
i did a test with the local website using the Firewall as intermediate, and faced the same problem!
How did you arrange that test? Was it also NATing traffic to one IP?
-
@AMSUIT said in pfSense & concurrent users:
i did a test with the local website using the Firewall as intermediate, and faced the same problem!
Where did you state that? You stated this
i had done a test with the same Moodle platform locally in our LAN (with no pfSense in the middle) and it works fine with concurrent 109 students
Ok I see now where you redirected it through pfsense.. How exactly did you do that? Locally pfsense would be involved in talking to some website on your own local network and if just routed to a different segment it wouldn't nat. You setup nat reflection?
