What to expect with a 2100 Max?

fabnavigator

Hi,

I've been using the gateway for only about a month, so I likely don't know what I'm doing. Lol. Maybe even worse, I've gotten some AI help to get things setup.

I have about 40 devices, main LAN plus four VLANS, pfBLockerNG, Wireguard,.25 DNS resolver hosts, NAT port forwarding to route all DNS and NTP queries, and 48 firewall rules.

From a traffic standpoint, I think everything is fine, but screen changes in the GUI can take from 3 to 4 seconds, and updating a rule and applying it up to 13 seconds. Is this normal for this hardware, or did I maybe configure something that is slowing the GUI doan?

Mission-Ghost

@fabnavigator I used to use an 1100 and a friend had a 2100 and we both found them to be underpowered with respect to cpu, interactive gui and network throughout.

Even with my starlink, which is typically 2-400 mbps on a good day, and his cable at twice that, performance noticeably improved in all respects when we put 4200s into service.

tinfoilmatt

but screen changes in the GUI can take from 3 to 4 seconds, and updating a rule and applying it up to 13 seconds.

Nothing to do with routing performance.

SteveITS

@fabnavigator Do you have any large aliases?

One thing people often miss is that leaving the dashboard open uses CPU as each widget updates.

Mission-Ghost

@tinfoilmatt said in What to expect with a 2100 Max?:

but screen changes in the GUI can take from 3 to 4 seconds, and updating a rule and applying it up to 13 seconds.

Nothing to do with routing performance.

…And everything to do with cpu, memory and (emmc) storage performance, assuming you have the base model.

keyser

@fabnavigator That is generally the interactive UI performance level to expect from the 1100/2100. They have very little CPU to make that “fly”, but it routes/firewalls just fine up to between 300-500 Mbps depending on traffic patterns.

fabnavigator

@Mission-Ghost Thanks for that input. I based my choice on my network size and Internet speed. I never thought that the GUI would be so slow. I came from running Omada on a Rpi5 where everything was split-second response time.. I've tinkered with the thought that I don't have a backup for this device. If my wife ever drops a chunk of change on a new chair or something, maybe I'll pick up a 4200 and make the 2100 my spare. That is unless people recommend some other less expensive way to go that runs the GUI faster (i.e., some other hardware to run pfSense).

fabnavigator

@SteveITS I have a alias with 7 hosts and one with 6 networks. And a few others with one or two items. I don't leave the dashboard open.

Mission-Ghost

@fabnavigator said in What to expect with a 2100 Max?:

@Mission-Ghost Thanks for that input. I based my choice… That is unless people recommend some other less expensive way to go that runs the GUI faster (i.e., some other hardware to run pfSense).

I’ve been window shopping the Protectli boxes for maybe someday. They might be a pretty good value.

SteveITS

@fabnavigator You can always check diag > system activity or top and see if something's using CPU. As noted it's not a particularly fast CPU. Your times seem a little long to me but I didn't go back and time any of those. We typically enable RAM disk for tmp/var but that shouldn't have much impact on page loads, if any.

What version of pfSense are you on, 25.11.1?

fabnavigator

@SteveITS Thank you for your response. I'm running 25.11.1.

I keep thinking that something I configured is causing this, but I can't recall how fast it was out of the box. I certainly wouldn't have bought the 2100 knowing that every screen change was 3-4 seconds, and an update 10-15 seconds. Evey YouTube video I've seen for pfSense has sub-second screen changes. I will look into using the RAM disk. I attached the CPU activity but I'm not sure what it all means. I have received some responses indicating this is normal for a 2100. As a long time programmer, I find it hard to believe that folks thought that this sort of response time is acceptable.

SteveITS

@fabnavigator If I let one sit on system activity for 30-45s or so I see:

  PID USERNAME    PRI NICE   SIZE    RES STATE    C   TIME    WCPU COMMAND
   11 root        199 ki31     0B    32K CPU0     0  39.0H  79.30% [idle{idle: cpu0}]
   11 root        199 ki31     0B    32K RUN      1  38.6H  78.52% [idle{idle: cpu1}]
29905 root         59    0   154M    59M accept   1   0:40   6.25% php-fpm: pool nginx (php-fpm)
28542 root         11    0   124M    54M piperd   1   0:32   3.12% php-fpm: pool nginx (php-fpm)
 1427 root         59    0   158M    61M accept   1   0:40   1.71% php-fpm: pool nginx (php-fpm){php-fpm}
   12 root        -55    -     0B   336K WAIT     1  58:09   1.46% [intr{gic0,s42: mvneta0}]
   12 root        -55    -     0B   336K WAIT     1  31:36   1.42% [intr{gic0,s45: mvneta1}]
   12 root        -54    -     0B   336K WAIT     1  39:56   0.63% [intr{swi1: netisr 1}]
  672 root         59    0   158M    62M accept   0   0:45   0.59% php-fpm: pool nginx (php-fpm)

nginx is the web server. Yours seems busier for some reason.

Another where I run top -aSH at the command line doesn't have the web activity of course, as I'm not even logged in to the web GUI:

  PID USERNAME    PRI NICE   SIZE    RES STATE    C   TIME    WCPU COMMAND
   11 root        199 ki31     0B    32K RUN      0 376.2H  96.44% [idle{idle: cpu0}]
   11 root        199 ki31     0B    32K CPU1     1 381.1H  95.49% [idle{idle: cpu1}]
   12 root        -54    -     0B   336K WAIT     1  64:56   3.46% [intr{swi1: netisr 1}]
    2 root        -54    -     0B    32K WAIT     0 341:50   1.38% [clock{clock (0)}]
   12 root        -55    -     0B   336K WAIT     0 108:14   1.13% [intr{gic0,s42: mvneta0}]
19591 root          0    0    14M  4608K CPU0     0   0:00   0.46% top -aSH
   12 root        -54    -     0B   336K WAIT     0  44:45   0.39% [intr{swi1: netisr 0}]
    7 root        -15    -     0B    16K pftm     0  37:46   0.37% [pf purge]
   12 root        -55    -     0B   336K WAIT     1  49:24   0.27% [intr{gic0,s45: mvneta1}]

I pulled up a rule to save it on the latter...~10s to log in, 2-3s to open the LAN rules page, 3-4s or so to apply. Just via counting.

I missed that it was a max in the subject line, that should eliminate any eMMC storage speed issues.

fabnavigator

I ran top -aSH from the command line and watched it for a while. Sometimes it looked like the top screenshot and sometimes like the bottom one. In the bottom one, the percentages don't seem to add up. Asusming it's sorted by WCPU. I wasn't logged in at all when I did this.

SteveITS

@fabnavigator
https://forum.netgate.com/topic/200216/1100-and-2100-webgui-performance-related-to-password-hash-strength-trick-to-improve-webgui-speed

fabnavigator

@SteveITS Thank you!