pfSense & concurrent users
-
@esaenz thank u for ur reply.
as i replied to @SteveITS :
we can smoothly browse the website with 60 students\users, more than that, it stopped (as shown in the previous second graph), sometimes with 90 users, and sometimes with 70 users....!
we had no problem\error when browsing the website with one user up to 60+ , the browsing problem happens with 70-90 students and more...!
-
@AMSUIT Are you using captive portal or any other packages? Open states are not normally a memory issue.
per https://docs.netgate.com/pfsense/en/latest/hardware/size.html#large-state-tables:
States - Connections - RAM Required
100,000 - 50,000 - ~97 MB
Honestly I've never seen one of our or our clients' pfSense routers use more than about 3 GB of RAM and that's while using RAM disks. Most are under 1 GB.
-
@AMSUIT said in pfSense & concurrent users:
i had done a test with the same Moodle platform locally in our LAN (with no pfSense in the middle) and it works fine with concurrent 109 students
Not really a valid test to be honest.. Running something locally wouldn't have say the hosted site out on the public internet filtering that could be in place to prevent X number of sessions from the same IP.. Your students are not all using their own public IP are they? Are you natting to 1 public IP, or are you loading the nat across multiple public IPs?
I didn't see anything in what you posted that would suggest you have reached some pfsense limit.. 6k states is not very much.. Now if you were say 60k something ok - maybe you're running into state exhaustion.. there is a limit to how many states can be created from any one IP to another IP.. The number of ports that can be used.
I would get with the company hosting and ask if they have any sort of limits to how many concurrent connections you can have from a single IP address.
edit:
And other browsing works when you run into the issue with the site right, the same student having issues with connecting to the testing site, can surf other stuff at the same time... Are other connections affected when this happens? Ie some other student surfing other stuff while some students are taking the test - they continue to function ok?
-
@johnpoz said in pfSense & concurrent users:
get with the company hosting and ask if they have any sort of limits to how many concurrent connections you can have from a single IP address
Along these lines, is every web site a problem at that point? Or just this one you're complaining about?
-
@SteveITS said in pfSense & concurrent users:
@AMSUIT Are you using captive portal or any other packages? Open states are not normally a memory issue.
not at all, i'm not using captive portal.
@SteveITS said in pfSense & concurrent users:
Open states are not normally a memory issue.
-
@johnpoz said in pfSense & concurrent users:
Not really a valid test to be honest.. Running something locally wouldn't have say the hosted site out on the public internet filtering that could be in place to prevent X number of sessions from the same IP.. Your students are not all using their own public IP are they? Are you natting to 1 public IP, or are you loading the nat across multiple public IPs?
I didn't see anything in what you posted that would suggest you have reached some pfsense limit.. 6k states is not very much.. Now if you were say 60k something ok - maybe you're running into state exhaustion.. there is a limit to how many states can be created from any one IP to another IP.. The number of ports that can be used.
I would get with the company hosting and ask if they have any sort of limits to how many concurrent connections you can have from a single IP address.
edit:
And other browsing works when you run into the issue with the site right, the same student having issues with connecting to the testing site, can surf other stuff at the same time... Are other connections affected when this happens? Ie some other student surfing other stuff while some students are taking the test - they continue to function ok?
yeah, u r right. and that's so confusing !
when the error occurs, we can browse any other website normally...! even, i can ping the website itself !! but no DNS\ no browsing till i reboot Firewall.
it's really so confusing, that's why i came here to get ur advice, guys...
-
@johnpoz said in pfSense & concurrent users:
Are you natting to 1 public IP, or are you loading the nat across multiple public IPs?
yes, with one public IP for our school.
BUT, as i mentioned previously, i did a test with the local website using the Firewall as intermediate, and faced the same problem!
-
@AMSUIT said in pfSense & concurrent users:
but no DNS\ no browsing till i reboot Firewall.
if there was no dns you wouldn't be able to go anywhere else, from any device that wasn't cached by the client or on pfsense.. You mean that site fqdn no longer resolves? Do other sites that are not in the cache resolve? Use the dns lookup tool under diagnostics.. If the answer to what you're looking up is only a couple ms then it was cached, if it's more like 30ms or something then it was looked up, etc. You're saying no dns works at all?
Vs rebooting the firewall - just restart unbound, that will clear all dns caches, etc. Also when the problem happens vs being concerned with how many total states.. How many states exist to that site you're trying to run the test on?
But in general 6k total states is nothing.. Here I just ran a scan across pfsense from my test box to another box on another network - did a full intense scan for all 65000 ports.. that could open.. My state table shot up through the roof
No issues I can still access that box I scanned web gui without any issues.. 6k states is nothing..
After the scan was over - states dropped back down to my normal sort of states.. A few hundred to like 2k..
Clearly you have something going on - but I doubt it's states or cpu or memory issues..
-
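The per-destination check asked about in the post above (how many states exist to the one site, rather than the total), as an added example that is not part of the original thread. It assumes IPv4 and the text layout of `pfctl -ss`; the sample lines are constructed, the addresses are documentation ranges, and the function names `sample_states` and `states_to_dest` are hypothetical.

```shell
#!/bin/sh
# Constructed sample modelled on `pfctl -ss` output (not captured from a real firewall).
# Each NATed connection shows up twice: a "<-" line for the LAN side and a
# "->" line carrying the NAT source port plus the original client in parentheses.
sample_states() {
cat <<'EOF'
all tcp 203.0.113.10:443 <- 192.168.1.21:50110       ESTABLISHED:ESTABLISHED
all tcp 198.51.100.7:41022 (192.168.1.21:50110) -> 203.0.113.10:443       ESTABLISHED:ESTABLISHED
all tcp 203.0.113.10:443 <- 192.168.1.21:50111       ESTABLISHED:ESTABLISHED
all tcp 198.51.100.7:17730 (192.168.1.21:50111) -> 203.0.113.10:443       ESTABLISHED:ESTABLISHED
all tcp 198.51.100.7:60412 (192.168.1.22:49800) -> 203.0.113.10:443       SYN_SENT:CLOSED
all tcp 198.51.100.7:33901 (192.168.1.23:51514) -> 203.0.113.10:443       ESTABLISHED:ESTABLISHED
all udp 198.51.100.7:5512 (192.168.1.22:61000) -> 192.0.2.53:53       MULTIPLE:SINGLE
EOF
}

# states_to_dest <dest-ip> : reads state lines on stdin and reports, for that
# destination only, the number of outbound states, how many are fully
# established, and how many distinct internal clients they belong to.
states_to_dest() {
    awk -v dst="$1" '
    {
        arrow = 0
        for (i = 3; i <= NF; i++) if ($i == "->") { arrow = i; break }
        if (!arrow) next                 # skip "<-" lines: same connection, LAN side
        split($(arrow + 1), d, ":")      # destination is the field after "->"
        if (d[1] != dst) next
        client = $(arrow - 1)            # "(ip:port)" when NATed, else plain source
        gsub(/[()]/, "", client)
        sub(/:[0-9]+$/, "", client)      # drop the port, keep the client IP
        total++
        if ($(arrow + 2) == "ESTABLISHED:ESTABLISHED") est++
        if (!(client in seen)) { seen[client] = 1; clients++ }
    }
    END { printf "total=%d established=%d clients=%d\n", total, est, clients }'
}

# Stand-alone run on the constructed sample.
sample_states | states_to_dest 203.0.113.10
```

On the firewall itself the input would be `pfctl -ss | states_to_dest <site IP>` run under `/bin/sh`, taken while the problem is occurring.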
@AMSUIT said in pfSense & concurrent users:
i did a test with the local website using the Firewall as intermediate, and faced the same problem!
How did you arrange that test? Was it also NATing traffic to one IP?
-
@AMSUIT said in pfSense & concurrent users:
i did a test with the local website using the Firewall as intermediate, and faced the same problem!
Where did you state that? You stated this
i had done a test with the same Moodle platform locally in our LAN (with no pfSense in the middle) and it works fine with concurrent 109 students
Ok I see now where you redirected it through pfsense.. How exactly did you do that? Locally pfsense would be involved in talking to some website on your own local network and if just routed to a different segment it wouldn't nat. You set up nat reflection?