DNS on DHCP slow first page loading
Good evening everyone,
I'm facing a strange issue.
I have my pfSense running the latest stable version, 2.7.2.
I'm managing 3 LANs:
2 of them use DHCP (2 different LAN classes),
1 of them has no DHCP and goes to a Ubiquiti Dream Machine for the wifi.
The DNS resolver is active, following the manual and several tutorials.
Everything is working, but all the IPs assigned by DHCP are facing a slow first page load (browser, Skype, etc.). Just the first page: after the first page has loaded, everything works super fast.
The LAN that serves the wifi, not on DHCP, works fine and fast instead.
I tried forcing an IP outside the DHCP range on the other 2 LANs, and in that case everything works fine and fast.
It seems to be a problem related to DHCP and DNS.
Any advice?
Thanks
@Davide-gdl said in DNS on DHCP slow first page loading:
2 of them in dhcp (2 different lan class)
Like:
LAN = default = 192.168.1.1 (pfSense LAN NIC) and a DHCP pool for this LAN from 192.168.1.2 to 192.168.1.254
OPT2 (second LAN) = 192.168.2.1 (pfSense OPT2 NIC) and a DHCP pool for this OPT2 interface from 192.168.2.2 to 192.168.2.254

@Davide-gdl said in DNS on DHCP slow first page loading:
1 of them no dhcp going to Ubiquiti dream machine for the wifi.
That's less common. And it breaks the KISS rule.
A DHCP server must be present on that LAN interface; I call it OPT3.
My advice: even if your "Ubiquiti dream machine" offers a DHCP server service, disable it. Let pfSense handle it, and then everything is nicely administered from one place.

@Davide-gdl said in DNS on DHCP slow first page loading:
DNS resolver active following the manual and several tutorial.
The default DNS (unbound, the resolver) settings are perfect.
Following "several tutorials" has one guaranteed result: people will find this forum because they have DNS issues.

@Davide-gdl said in DNS on DHCP slow first page loading:
but all the IPs assigned by the dhcp are facing a slow ....
Then you tell us your DHCP is slow?
We will ask you: how slow? This is where the console mode (or better: SSH) comes in handy, because that access mode has all the answers. The GUI is way too slow for real measurements.
Log in, use option 8, and type in this command:
    tail -f /var/log/dhcpd.log
Now, get your phone, or the device you test with.
Remove / disable the connection = shut down the wifi or remove the cable.
Count to 5.
Be ready to connect again, and while doing so, keep an eye on the output of the command you've typed in.
Ready?
Connect now!
What did you see on the screen where you typed the command?
How long did it take to show up? 10 milliseconds? Less? (can you even tell?)
Now you know that the issue isn't DHCP ..... can you confirm here?
Or did it really take seconds before your device had a DHCP lease assigned?
This is possible. If wifi is in play: did you see the quality of the radio waves? Is the ethernet cable ok? Bad LAN interface? Bad ethernet cable plug? Some APs are really .. well .. they are not all built equal.
Anyway: the delays are explained mostly by the most famous issue: "DNS was f#ck#d up". So, "def#ck it". I propose the DNS settings chosen as the default by Netgate - the ones who build the firewall, they know what they do - you should/can, imho, trust them, and DNS will scream for you.
Promised.
I'll brainstorm a bit now.
Your third network doesn't use the pfSense DHCP.
So, clients that use the Dream Machine network, where did they get a lease from? From the dream guy?
Ok ... and that lease contains what?
It does contain at least an IP, but also the very important gateway, and a network, and a ... DNS ( ! ).
What is this gateway IP?
And even more important: what was the DNS IP???
It's even possible that the issue isn't pfSense related at all, as pfSense isn't the DNS for the dream guy - and the devices attached to the Dream Machine.
@Gertjan thanks so much for your prompt reply.
I'll try to explain a bit better what I wanted to say and answer your questions at the same time. I will complete the answer tomorrow from the office where the pfSense is. For now, these:
What you guessed for the 2 LANs, yes, that's it, except the DHCP range is smaller:
lan default 192.168.20.1 - range 192.168.20.2 to 192.168.20.150
opt2 192.168.11.200 - range 192.168.11.2 to 192.168.11.150
opt3 192.168.44.200 - no DHCP active (DHCP managed by the dream boy..).
Except for what you asked me to do with the console (I will do it tomorrow morning), I want to clarify one thing.
The network works fine; pfSense's DHCP delivers all the IPs to all the connected machines on both of the first 2 LANs in a moment. All the machines are wired to the network and working fine.
What is slow is:
From the machines connected to either of the 2 LANs, when I open for example the home page of the Edge browser, Skype for desktop, or the online page of the Rentman online software, it takes long to connect and open the page. How much? 20 seconds. Just the first page and (except for Google) just the first time, until I turn off that machine.
We are in the UAE; we have a WAN connection with a static dedicated IP, 900 Mbps speed.
Forgetting the dream boy for a while, what do I find strange? If I manually set, on both LANs, machines with an IP (let's say one with 192.168.20.160 and one on opt2 with 192.168.11.180) outside the DHCP range given by pfSense, using the same DNS given by the service provider, this problem disappears and the page loads in a snap.
Going back to the Dream Machine, yes, you are right, I should let pfSense manage the DHCP, but in the actual configuration it is as you said, and DHCP has been given by the wifi router.
The same machines of the 2 LANs, disconnected from the wire and connected to the wifi coming from the Dream Machine, load the first page correctly and in a moment. No delay.
I will answer with more details tomorrow from the office. But I wanted to tell you that DHCP works and IPs are assigned on the 2 LANs quickly. What is strange is: when the connection to the internet happens through a machine where DHCP has been assigned by pfSense, I face this slow first page load; outside the pfSense DHCP range, or on the LAN of the wifi where DHCP is not active, the connection works fine.
On top of this, because I found this strange, I already tried activating the pfSense DHCP server on opt3 (I switched off the Dream Machine...) and connected another laptop to this opt3 LAN. Result: the DHCP server worked in a moment and an IP was assigned, but I faced the same problem again: the first page of the above mentioned internet pages took 20 seconds to load.
I hope I explained myself correctly.
Thanks again for your reply; tomorrow morning I will follow the instructions with the console and I will update the post.
Ok, thanks for the details.
On any device on your LAN and OPT2, if it's a Windows PC, open 'cmd' and launch:
    ipconfig /all
You should see:
    Carte Ethernet Ethernet :
       Suffixe DNS propre à la connexion. . . : bhf.net
       Description. . . . . . . . . . . . . . : Intel(R) Ethernet Connection (11) I219-LM
       Adresse physique . . . . . . . . . . . : A4-BD-6D-AB-16-A1
       DHCP activé. . . . . . . . . . . . . . : Oui
       Configuration automatique activée. . . : Oui
       Adresse IPv6. . . . . . . . . . . . . .: 2a01:cb19:dead:beef::c7(préféré)
       Bail obtenu. . . . . . . . . . . . . . : mercredi 3 juillet 2024 11:58:08
       Bail expirant. . . . . . . . . . . . . : vendredi 5 juillet 2024 18:50:39
       Adresse IPv6 de liaison locale. . . . .: fe80::daa9:bcf8:99cd:717e%11(préféré)
       Adresse IPv4. . . . . . . . . . . . . .: 192.168.1.6(préféré)
       Masque de sous-réseau. . . . . . . . . : 255.255.255.0
       Bail obtenu. . . . . . . . . . . . . . : mercredi 3 juillet 2024 11:58:06
       Bail expirant. . . . . . . . . . . . . : samedi 6 juillet 2024 07:20:02
       Passerelle par défaut. . . . . . . . . : fe80::92ec:77ff:fe29:392c%11
                                                192.168.1.1
       Serveur DHCP . . . . . . . . . . . . . : 192.168.1.1
       IAID DHCPv6 . . . . . . . . . . . : 346340205
       DUID de client DHCPv6. . . . . . . . : 00-01-00-01-26-59-DF-8D-A4-BB-6D-BA-16-A1
       Serveurs DNS. . . . . . . . . . . . . : 2a01:cb19:907:dead:beef:77ff:fe29:392c
                                                192.168.1.1
       NetBIOS sur Tcpip. . . . . . . . . . . : Activé
       Liste de recherche de suffixes DNS propres à la connexion : bhf.net
The important info here is:
The DNS: mine points to 192.168.1.1: that's pfSense, not some Google or ISP DNS.
pfSense has a DNS resolver and is doing the DNS for all my interfaces: LAN, OPT etc. etc.
The resolver should listen on all internal or LAN interfaces.
You can check this by checking your Resolver settings, or ask your pfSense:
    [24.03-RELEASE][root@pfSense.bhf.tld]/root: sockstat | grep 'unbound'
    unbound  unbound    48609 3   udp6   *:53                  *:*
    unbound  unbound    48609 4   tcp6   *:53                  *:*
    unbound  unbound    48609 5   udp4   *:53                  *:*
    unbound  unbound    48609 6   tcp4   *:53                  *:*
    unbound  unbound    48609 7   tcp4   127.0.0.1:953         *:*
    .....
This shows me that unbound listens on all interfaces, using UDP and TCP ( !! ) on port 53, over IPv4 and IPv6.
On one of your devices, run:
    C:\Users\Gauche>nslookup www.google.com
    Serveur :   pfSense.bhf.tld
    Address:  2a01:cb19:907:dead:beef:77ff:fe29:392c

    Réponse ne faisant pas autorité :
    Nom :    www.google.com
    Addresses:  2a00:1450:4007:81a::2004
              142.250.179.100
This means that my PC uses the DNS offered by pfSense, which has the LAN IPv6 address 2a01:cb19:907:dead:beef:77ff:fe29:392c - if the PC was using IPv4, it would be 192.168.1.1.
And there was an answer, probably from the local pfSense Resolver (unbound) cache, both for IPv4 and IPv6.
Can you show us what this shows you?
    grep 'start' /var/log/resolver.log
I use the good old IPv4 and IPv6 on my LAN networks, as my ISP is somewhat IPv6 compatible.
And here it comes: all your devices, except for the really old ones, use IPv6 by default, and if that utterly fails (after ... a delay) they will fall back to IPv4.
A failure might be: IPv6 is available on the LANs, but not on the WAN side. pfSense cannot 'translate' IPv6 to IPv4, or the other way around.
@Gertjan good morning, I just noticed you already replied to me, and thanks again, I will proceed with your instructions now.
In the meantime I made a flow to better explain what I wrote yesterday.
I attach it now, and later I will answer again with the results of the actions you are asking me to do.
Thanks for the moment.
@Davide-gdl good morning again, here is all the procedure you requested to see.
Thanks again
Ok, all that looks fine.
Unbound listens on all interfaces.
For some reason, your pfSense LAN IP is 192.168.11.200, somewhere in the middle. Why not 192.168.11.1? Or 192.168.11.254?
I presume your WAN, your ISP, doesn't support IPv6?
Do you have this option selected:
DHCP Registration?
If so, be aware: on every incoming DHCP lease, or renewal, unbound gets restarted.
Example: if you use a wifi device, and it is at the border of what is reachable by wifi, it will lose and regain the wifi connection very often. Not a big deal, but now you know how to interpret this information: a DHCP request is sent by the device and handled by pfSense ...
.... and unbound gets restarted on every DHCP transaction, for every interface.
Some more info: an unbound restart can take some seconds, or way more if you use a DNSBL like pfBlockerNG; then it can take tens of seconds (are we getting close now?). During this time, DNS is out. Not a big deal either, but for some reason this gets interpreted as "the Internet is slow or doesn't work", when in reality it's just DNS (unbound on pfSense) that doesn't work for a moment.
So: uncheck that option. Save, reload, and solved.
If you want to register devices in your DNS, you can still do so.
Give your printers, TV, NAS etc. etc. a "static MAC DHCP lease". Do this once, and you'll be good.
Normally, I add a "static MAC DHCP lease" for every device I own, and every device that I know of (family etc.).
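One way to check the restart theory above from the two logs the thread points at (dhcpd.log and the 'start' lines in resolver.log), as an added example that is not from the thread or from pfSense: it pairs each DHCPACK with an unbound "start of service" line logged shortly after it, and counts restarts per hour. The sample log lines are constructed; their exact wording and the missing year are assumptions.

```python
import re
from datetime import datetime
# Constructed sample lines in syslog layout (not from the poster's firewall);
# the exact dhcpd/unbound message wording is an assumption. No year in the
# stamps, so parse_ts() assumes one.
DHCPD_LOG = """\
Jul  3 11:58:06 pfSense dhcpd[1234]: DHCPACK on 192.168.20.25 to aa:bb:cc:dd:ee:01 via igb1
Jul  3 12:10:40 pfSense dhcpd[1234]: DHCPACK on 192.168.11.37 to aa:bb:cc:dd:ee:02 via igb2
"""
RESOLVER_LOG = """\
Jul  3 11:58:07 pfSense unbound[48609]: [48609:0] info: start of service (unbound 1.19.1).
Jul  3 11:58:21 pfSense unbound[48609]: [48609:0] info: start of service (unbound 1.19.1).
Jul  3 12:30:00 pfSense unbound[48610]: [48610:0] info: start of service (unbound 1.19.1).
"""
# syslog prefix: "Mon dd HH:MM:SS host program[pid]: message"
SYSLOG_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ \w+\[\d+\]: (.*)$")

def parse_ts(stamp, year=2024):
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def parse_events(text, wanted):
    """(timestamp, message) for each line whose message contains `wanted`."""
    out = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if m and wanted in m.group(2):
            out.append((parse_ts(m.group(1)), m.group(2)))
    return out

def restarts_after_leases(dhcp_text, resolver_text, window_s=5):
    """Pair each DHCPACK with an unbound 'start of service' logged within
    window_s seconds after it: the signature of DHCP Registration restarts."""
    acks = parse_events(dhcp_text, "DHCPACK")
    starts = parse_events(resolver_text, "start of service")
    pairs = []
    for ack_ts, ack_msg in acks:
        for st_ts, _ in starts:
            delta = (st_ts - ack_ts).total_seconds()
            if 0 <= delta <= window_s:
                pairs.append((ack_msg.split(" via ")[0], delta))
                break
    return pairs

def restart_rate(resolver_text):
    """Unbound restarts per hour across the log; each one is a short DNS outage."""
    starts = parse_events(resolver_text, "start of service")
    if len(starts) < 2:
        return 0.0
    span_h = (starts[-1][0] - starts[0][0]).total_seconds() / 3600
    return (len(starts) - 1) / span_h
```

Run it against the real files by reading them into the two string arguments; a non-empty pairing list, or a restart rate far above the lease churn you expect, is the symptom being described.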
@Gertjan hello,
No, this option is not selected.
And also, the option disappears once you switch to the suggested Kea DHCP instead of ISC DHCP.
I actually tried both options in the past days, with no result. I mean, no change in the behaviour, whichever server backend I put pfSense on.
I just went back to ISC DHCP (mentioned as deprecated) but nothing changed.
About adding a MAC for every user, it will be a bit difficult due to the number of users.
I will try to play again to see if I can sort it out.
Thanks
@Davide-gdl said in DNS on DHCP slow first page loading:
no this option is not selected.
Then there is a problem.
Who or what is restarting unbound/the resolver that much?
Another reason might be: one of your interfaces gets a repeating link down and up event. That will restart many of the pfSense processes, unbound included.
A solution for this is: every pfSense interface (except WAN) connects to a switch. Your LAN devices connect to these switches, not to pfSense directly.
And just now I saw something else, something quite uncommon and probably very wrong:
Are you that expert that uses dnsmasq and unbound at the same time?
This:
tells me that unbound grabs port number 53 on all the interfaces.
Now, a server - one server - can bind to 'a port', like only one person can pick up a phone. There can't be another server binding to the same interface, same port, same protocol.
Why is your dnsmasq (DNS Forwarder) active? You can use the resolver, or the forwarder (dnsmasq), not both.
@Gertjan good morning again,
Who or what is restarting unbound/the resolver that much?
Who..... here I am. In the services, I restarted it several times (the manual says it clears the DNS cache) to understand if something was changing.. nothing.
I did swap several times from DNS resolver to DNS forwarder, but I NEVER left them working at the same time.
At this moment I went back to the origin: DNS resolver on and DNS forwarder off.
Are yo that expert that uses dnsmasq and unbound at the same time ?
No I'm not, and I didn't understand this question. Can you explain it to me better? Or tell me which actions I need to take to verify or fix it?
Thanks again.
@Davide-gdl said in DNS on DHCP slow first page loading:
Are yo that expert that uses dnsmasq and unbound at the same time ?
Noop.
It is possible though. It's important to choose, for example, LAN and OPT2 as the interfaces to be served by unbound, and OPT2 and OPT3 by dnsmasq.
But I never found a use case where this was needed (for me).