Does pfSense do any kind of resets every hour?

hansolo77

I have been trying to diagnose my slow internet connection for the past 3 weeks. I have an Unraid home server that runs a docker to check speeds (MySpeed). For a long time, I had it checking every hour, and the speed was consistent. Then I started noticing my connection was getting slow when using apps, streaming, gaming, etc. I checked my logs and sure enough, it showed my speed was constantly running at around 150mbps instead of the 1000mbps I'm supposed to be getting. I did the common troubleshooting tasks, reboot the modem, router, server, computers, devices, etc. It seemed ok for the first day then started being slow again. There didn't seem to be any reason for it. So I adjusted the frequency of the tests in MySpeed to 30 minutes then 15, now it's checking every 10 minutes. That's when I discovered that my connection speed is generally around 940mbps until the top of the hour. When that time comes, my speed drops down to like 200mpbs, then 10 minutes later it's back up in the 900+ range.

It's got me wondering now. Does pfSense do any kind of scheduled maintenance every hour that could be causing the slow down? It could be something else, like a task that runs in one of my other dockers or something. But I wanted to try to eliminate the the problem from the first connection from the modem, which is the router.

If it's not the router, I will go to the next step and troubleshoot the other connections. But if it's pfSense causing it, I'd like to fix it from here.

Thanks in advance. If you need more information, I can provide them.

SteveITS

@hansolo77 In general no but do you have say pfBlocker updating? There is a cron package you can install to view cron jobs.

hansolo77

@SteveITS I don't believe so. If pfBlocker is what I think it is (an addon similar to Pi-Hole), I never set it up. I actually installed a different addon called AdGuard. It raises an interesting point though. I might have to check AdGuard's logs and see if it's doing something.

You mentioned something about check cron jobs... How would I go about doing that?

SteveITS

@hansolo77 System > Packages and install the "cron" package. It then shows up under one of the menus...System, I think, but not sure.

If it was pfSense task related I'd think it would need to be maxing out CPU during that time so you could just watch "top" as well.

hansolo77

@SteveITS Installed and checked... I do see this:

*/60 * * * * root /usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 virusprot

So I think it's running a virus check, but I don't even remember installing a virus client..I'll keep looking.

Looked "virusprot" up and I see what it's used for. Interesting thing is, when I go to diagnostics->tables and look up the virusprot table, it's empty. So I wonder why it's lagging me..

SteveITS

@hansolo77 That's the only thing running? Is there a process using CPU at that time? maybe it's just not a cron job.

hansolo77

@SteveITS I'm sure there's other things running.. that's just what shows up in CRON. I'm looking through the logs again to see if I missed something but I don't think so. Maybe it's my ISP.. I'll keep digging.

stephenw10

That cronjob for the virusprot table is default and normally would never have anything in it anyway. It should use any measurable CPU.

Check the system logs.

Check the Status > Monitoring graphs. Do you see traffic spikes at that time or CPU usage spikes?

hansolo77

@stephenw10 I've looked through all the graphs but nothing is being thrown out as obvious to me. I even looked through AdGuard's logs. Maybe it's just my ISP.

stephenw10

It could be. Does the WAN monitoring graphs show any change in latency? What is it monitoring? Consider setting that to something external if it's still using the ISP gateway directly.

hansolo77

@stephenw10 I actually have it monitoring 1.1.1.1. I never saw anything spike on the WAN or any of the LAN connections either. I suppose it could be my modem too. It's an Arris and not an ISP supplied one. So, of course, it's not going to be accessible from the ISP to run tests, or update the firmware, etc. Kinda lame actually because even though they SAY you get a free modem with the service, if you read the fine print they start charging rent for it after the first year and I've already had it 2 years now.

stephenw10

Mmm, seems like it could be a real upstream issue then. What hardware are you running pfSense on?

Gertjan

@hansolo77

Checking what pfSense does every hours sharp - or some other regular moment, is a good start.
But don't stop there !
Check also : all devices connected to your pfSense LANs ! as these can all do something at that very moment.

ISP love to sell you numbers. Like 'a 1 Gbit/sec connection just for you'. If the country where you live has some enforced consumer rights movements, these ISPs add now at the bottom of the contract "... or whatever we have avaible for you".
After all, ISP tend to hookup up entire roads, cities, etc to one main equipment with, guess what, a limited, up front determined throughput. For example : you all share the same 100 Gbits very expensive router/switch.
If more then 100 clients are hookup up to this expense router, then ... you get it : what happens when every all these clients, all their devices, do 'something' at xx sharp ? So you have to check all of them (which you probably can't do) - or disconnect them all while you are testing.
You can even go one level higher, and check all the POP of your ISP ....

Inspecting the cron list is one thing.
You still have to use the console or better, the SSH access, and use menu option 8, and type 'top'.
Make sure the list is sorted at 'CPU usage'.

Use also this command :

ps aux

and look for the process that mention minicron, these are also timed processes.

On my pfSense :

[25.07-RC][root@pfSense.bhf.tld]/root: ps aux | grep 'minicron'
root    89370   0.0  0.1  13980   2484  -  Is   18Jul25     0:00.00 /usr/local/bin/minicron 240 /var/run/ping_hosts.pid /usr/local/bin/ping_hosts.sh
root    89826   0.0  0.1  13980   2480  -  Is   18Jul25     0:00.00 /usr/local/bin/minicron 300 /var/run/ipsec_keepalive.pid /usr/local/bin/ipsec_keepalive.php
root    90216   0.0  0.1  13980   2500  -  I    18Jul25     0:00.17 minicron: helper /usr/local/bin/ipsec_keepalive.php  (minicron)
root    90313   0.0  0.1  13980   2476  -  Is   18Jul25     0:00.00 /usr/local/bin/minicron 3600 /var/run/expire_accounts.pid /usr/local/sbin/fcgicli -f /etc/rc.expireaccounts
root    90699   0.0  0.1  13980   2500  -  I    18Jul25     0:00.01 minicron: helper /usr/local/sbin/fcgicli -f /etc/rc.expireaccounts  (minicron)
root    90868   0.0  0.1  13980   2504  -  I    18Jul25     0:00.20 minicron: helper /usr/local/bin/ping_hosts.sh  (minicron)
root    91166   0.0  0.1  13980   2480  -  Is   18Jul25     0:00.00 /usr/local/bin/minicron 86400 /var/run/update_alias_url_data.pid /usr/local/sbin/fcgicli -f /etc/rc.update_alias_url_data
root    91830   0.0  0.1  13980   2504  -  I    18Jul25     0:00.00 minicron: helper /usr/local/sbin/fcgicli -f /etc/rc.update_alias_url_data  (minicron)
root    84792   0.0  0.1  14076   2688  0  S+   08:49       0:00.00 grep minicron

The "/etc/rc.expireaccounts" is an hourly process, and afaik it doesn't communicate, and takes a split second to execute.

Normally, with a vanilla pfSense (no addons, no pfSense packages) there is no 'download every hours xx Mbytes' process.
pfSense will update some small files ones a month, will check up with the Netgate update servers to see if there are pfSense or package updates avaible, but this will not create big loads of traffic, and last probably for a second or two.