NAT appears to be splitting my bandwidth in 3….
-
I have 2 firewalls set up with CARP and 2 ISPs so we have failover and redundancy on the network. We route all web traffic over ISP1 and NAT all other traffic over ISP2. However, the ISP we are routing our web traffic over has divided our download connection by 3 when I have Manual Outbound NAT enabled, and it has also significantly increased ping times when large file transfers occur (~900ms, should be somewhere around 250ms - 300ms); upload is unaffected. As soon as I go to Automatic Outbound NAT I get the full speeds back, but I cannot go to Automatic Outbound NAT because with that configuration the firewalls will not route mail outbound properly. It seems like it is something to do with the ISP and how it interprets the packets, but I am not positive.
I made sure that ISP1 was routing our IP addresses to the respective CARP address.
Without a lot of reconfiguration I am unable to test if this same behavior would happen with ISP2.
I have tested speeds on the WAN side of the firewall and I have full down speeds.
I have double checked that all the VHIDs are unique with the CARP interfaces so there is no conflict (as noted in the pfSense book).
I have double checked that all the VIPs are set up correctly with the correct networks.
I have the correct Manual Outbound NAT rule configured.
Any help would be appreciated.
I guess my question is: has anyone seen an ISP do this with a similar setup, and if so, what direction should I try to go in?
-
This is definitely a firewall-only issue, as I have hooked up a computer on each end of the problematic firewall and transferred a file at ~10mb/s; I configured an identical setup on a fresh install of pfSense and was getting ~30mb/s. I would really appreciate any insight on something I may be doing wrong.
-
You have traffic shaping enabled? Sounds like it.
-
I thought that was the case as well, but I checked and it is not enabled. I also double checked the configuration file just to make sure the GUI wasn't telling me the whole story. Does anyone else have any other suggestions? I may have to move away from pfSense if I cannot resolve this problem, and I would hate to do that because of how nice the platform is.
-
Are you using 1:1 NAT, or port forwards?