Slow/Unusable Internet Access Through NAT

  • Hello,

    I am attempting to set up a very basic outgoing Internet access configuration.

    My Internet connection seems to work at regular speed when I download files directly to the pfSense machine using fetch.  I can also download/install packages from the repository with no issue.

    However, no matter what source machine or network I use, I get 1KB/s downloads from behind the firewall (through NAT).

    I have looked at tcpdump while downloading with fetch on pfSense as opposed to a download through NAT.  The fetch command shows normal speed (over 200KB/s), but the NAT connection receives packets very slowly (1KB/s).

    I saw someone mention MTU, but it has no effect on this issue.  I also figure that if it were MTU, then the downloads through fetch should be slow as well.

    I'd attach logs but I don't see anything out of the ordinary.  No collisions under interface statistics, nothing in the System Log… I do have all outgoing ports open during this testing phase, and I don't see any filtering issues in the log either.  No proxy server and NAT rules are set to the default (automatic).  Using different DNS servers has no effect.

    Does anyone have any clue what could be causing something like this?

    P.S. I bought the pfSense book a few weeks ago.  Nicely done.

  • Lots of people have configurations similar to what you describe but which function much more effectively than yours. So what's different about your configuration?

    What version are you running?

    What NIC is your WAN interface? LAN interface?

    The problem appears to be on the LAN side. Have you tried a different NIC as the LAN interface? What is downstream of your LAN NIC, a switch? a hub? another computer? Has your LAN NIC configured itself appropriately? (correct speed? correct duplex?)

  • Yeah, even I have a working configuration on 1.2 on our production box using a different Internet line.

    Let me give some more details on my environment.

    Version: 1.2.3 final

    Switches: I've tried two different sets of switches.  My LAN uses Dell gigabit switches, while one of my server networks uses ProCurves.

    Machines: I've tried from my personal computer on the LAN, as well as from a VM on the server network.

    NICs: The LAN interface on the system uses Broadcom gigabit (so does the WAN, it's a 4 port card), while the server network uses Intel server NICs.

    Internet: I thought this was the culprit.  I'm using a wireless connection through Covad.  It's a dish based setup, with 3 Mb/s max bi-directional throughput.  The "router" for it has a 10 Mb port.  However, pfSense detects that it is 10 Mb with no issue.  And downloading directly to pfSense is fine.

    The latency isn't an issue either.  No dropped packets, good return speed, etc, even from the LAN/server network.

    Only other thing I can think of that's maybe related?  I installed the OS on a USB stick using the full installer.  Since I'm not running a proxy I didn't think that the disk speed would be relevant, it should be passing packets directly through essentially, correct?  Also, data transfers between internal networks have no issue.

    Thanks for the help.

  • Rebel Alliance Developer Netgate

    You might try to disable checksum offloading on the network card, sometimes that can cause similar issues. It can't hurt to try. It's under System > Advanced.

  • Thanks for the suggestion.  Disabling checksum offloading seems to have no effect.

    I'm attaching two files:

    slow.txt - This is a tcpdump on the firewall when downloading a file using a machine behind the firewall (through NAT).

    fast.txt - This is the same file being downloaded from the same site, but fast (directly to the pfSense box).  It may be hard to visualize the speed, but there are timestamps on the left to give an idea of how long it takes for packets to come in.

    Two notes:

    1. I've replaced my actual external IP in both files with

    2. The F/R flags on the bottom of the slow file are just me breaking the download in the client application.
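The two attachments are compared by eye using the timestamps on the left. As an added example (this is not code from the thread, and the two captures embedded below are constructed stand-ins, not the poster's slow.txt and fast.txt), here is a small Python script that turns those timestamps into numbers: bytes per second delivered to the downloading host and the largest gap between consecutive data packets, so a "slow" and a "fast" capture can be compared directly. It assumes tcpdump's default text output (both the older FreeBSD `seq:end(len)` style and the newer `length N` style are parsed), a TCP download, and that the host address given is the one tcpdump shows as the destination of the data (the WAN address if captured on WAN, the internal address if captured on LAN).

```python
import re

# Regexes for tcpdump's default text output. Older tcpdump builds (as on
# pfSense 1.2.x) print TCP segments as "seq:end(len)"; newer ones print
# "Flags [...], ..., length N". Both forms are handled below.
LINE_RE = re.compile(
    r"^(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2})\.(?P<us>\d{6}) "
    r"IP6? (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$"
)
LEN_RE = re.compile(r"length (\d+)|\((\d+)\)")

# Constructed sample captures (hypothetical addresses; not the thread's files).
# "Fast": five 1448-byte segments 10 ms apart. "Slow": the same five segments
# one second apart, then the client's FIN and the server's RST.
FAST_CAPTURE = """\
10:00:00.000000 IP 203.0.113.10.80 > 192.0.2.20.51000: Flags [.], seq 1:1449, ack 1, win 65535, length 1448
10:00:00.010000 IP 203.0.113.10.80 > 192.0.2.20.51000: Flags [.], seq 1449:2897, ack 1, win 65535, length 1448
10:00:00.010500 IP 192.0.2.20.51000 > 203.0.113.10.80: Flags [.], ack 2897, win 65535, length 0
10:00:00.020000 IP 203.0.113.10.80 > 192.0.2.20.51000: Flags [.], seq 2897:4345, ack 1, win 65535, length 1448
10:00:00.030000 IP 203.0.113.10.80 > 192.0.2.20.51000: Flags [.], seq 4345:5793, ack 1, win 65535, length 1448
10:00:00.040000 IP 203.0.113.10.80 > 192.0.2.20.51000: Flags [P.], seq 5793:7241, ack 1, win 65535, length 1448
"""

SLOW_CAPTURE = """\
10:05:00.000000 IP 203.0.113.10.80 > 192.0.2.20.52000: . 1:1449(1448) ack 1 win 8326
10:05:01.000000 IP 203.0.113.10.80 > 192.0.2.20.52000: . 1449:2897(1448) ack 1 win 8326
10:05:01.000300 IP 192.0.2.20.52000 > 203.0.113.10.80: . ack 2897 win 65535
10:05:02.000000 IP 203.0.113.10.80 > 192.0.2.20.52000: . 2897:4345(1448) ack 1 win 8326
10:05:03.000000 IP 203.0.113.10.80 > 192.0.2.20.52000: . 4345:5793(1448) ack 1 win 8326
10:05:04.000000 IP 203.0.113.10.80 > 192.0.2.20.52000: P 5793:7241(1448) ack 1 win 8326
10:05:04.500000 IP 192.0.2.20.52000 > 203.0.113.10.80: F 1:1(0) ack 7241 win 65535
10:05:04.501000 IP 203.0.113.10.80 > 192.0.2.20.52000: R 7241:7241(0) ack 2 win 0
"""


def parse_packets(text):
    """Return (timestamp_us, src, dst, payload_len) for each parsable line.

    Timestamps are microseconds since midnight. Lines that do not look like
    tcpdump IP output are skipped; segments without a payload (pure ACKs,
    FIN/RST) get length 0.
    """
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = (int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])) * 1_000_000
        ts += int(m["us"])
        lm = LEN_RE.search(m["rest"])
        length = int(lm.group(1) or lm.group(2)) if lm else 0
        pkts.append((ts, m["src"], m["dst"], length))
    return pkts


def download_stats(text, client_ip):
    """Throughput of payload-carrying segments delivered to client_ip.

    Only packets addressed to client_ip (any port) that carry data count, so
    the client's ACKs and the teardown FIN/RST do not distort the figures.
    Returns bytes/s measured from the first to the last data packet, plus the
    largest gap between two consecutive data packets (a stall detector).
    """
    data = [(ts, ln) for ts, _src, dst, ln in parse_packets(text)
            if dst.startswith(client_ip + ".") and ln > 0]
    if len(data) < 2:
        raise ValueError("need at least two data packets toward %s" % client_ip)
    seconds = (data[-1][0] - data[0][0]) / 1e6
    if seconds <= 0:
        raise ValueError("data packets do not span a positive interval")
    total = sum(ln for _, ln in data)
    gaps = [b - a for (a, _), (b, _) in zip(data, data[1:])]
    return {
        "packets": len(data),
        "bytes": total,
        "seconds": seconds,
        "bytes_per_sec": total / seconds,
        "max_gap_s": max(gaps) / 1e6,
    }


def slowdown_factor(fast_text, slow_text, client_ip):
    """How many times slower the second capture is than the first."""
    fast = download_stats(fast_text, client_ip)
    slow = download_stats(slow_text, client_ip)
    return fast["bytes_per_sec"] / slow["bytes_per_sec"]


if __name__ == "__main__":
    for name, cap in (("fast", FAST_CAPTURE), ("slow", SLOW_CAPTURE)):
        st = download_stats(cap, "192.0.2.20")
        print("%s: %d data pkts, %.0f B/s, max gap %.3f s"
              % (name, st["packets"], st["bytes_per_sec"], st["max_gap_s"]))
    print("slowdown factor: %.1f" % slowdown_factor(FAST_CAPTURE, SLOW_CAPTURE, "192.0.2.20"))
```

Run it against real captures by reading the two files into the two strings. Two caveats: the timestamps are seconds since midnight, so a capture that crosses midnight needs tcpdump's `-tt` (raw epoch timestamps) and a matching change to the parser; and a large `max_gap_s` together with a normal per-burst rate points at stalls (retransmission timeouts, for example) rather than a uniformly slow link, which is the distinction the two attachments were meant to show.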

  • In case anyone comes along later with a similar issue, I fixed this.

    I switched the WAN interface from the onboard Broadcom to one of the PCI Intel slots.

    I don't know why:

    1. I was able to get good speeds directly to the pfSense box.

    2. Otherwise good Ethernet cards had a problem with my WAN router's interface.

    Regardless, it works, so I don't care.  If anyone has an issue like this: Try another brand of NIC.
