PfSense - slow on boot up



  • Hello there,
    Ever since I started testing pfSense I have had the feeling that it is much slower booting up than m0n0wall.
    I know it is not fair to compare m0n0wall with pfSense since there are so many differences in both projects.
    But at the end of the day, both use BSD and both boot from a php config file.
    That means that under the same type of configuration, there shouldn't be a major difference in boot up times.
    Since my box has very limited resources I have always restrained myself and I have always set up very light configs on both m0n0wall and pfSense.
    Basically my setup is firewall, WoL and SNMP (for m0n0mon with 5 secs delay) on both m0n0wall and pfSense.
    Now the booting times are really different.
    m0n0 takes less than 1m15s booting up whereas pfSense takes around 3m00s booting up.
    And what really makes me compare both projects is that it takes so long booting up pfSense that M$ XP dhcp client loses hope of getting an IP from pfSense.
    If I want to get an IP from pfS after I reboot it I have to manually run "ipconfig /renew" after those 3 minutes.
    This is bad because if I was remotely trying to access a PC on my network after having to reboot pfS I'd be stuck.
    One other thing that caught my attention: when rebooting m0n0 winxp will alert me that there's a network connection failure twice; pfsense alerts me of network connection failure three times.
    Anything I could be doing wrong here?
    If that's the way it's supposed to work I'll rest my case ASAP but I keep getting the feeling that it isn't.
    Cheers



  • Yes, it is slower than m0n0wall on bootup.  This has many factors that add to this.

    We have designed pfSense from the start for processors over 500MHz.  I.e., today's computers, not yesterday's.

    For example, you could set up a second pfSense for failover and when you reboot the firewall, nothing goes down.  This is what I do in all of my work locations in addition to my house.  For example, I have a nexcom 1040 for my primary firewall and a soekris net 4501 as the backup device.  When a failover occurs, I don't even notice.  Sometimes I reboot the firewall and forget to check if it came back up when debugging multiple things at once, etc.  It just works.

    So there is a price for many new features.  For one, FreeBSD 6 is quite a bit slower than 4.  This is widely known as 4 is just a really hard act to beat.  It is an incredible uni-processor OS.  Yes I know it has SMP support but FreeBSD 6's SMP support is miles ahead being reworked from the ground up.  In addition FreeBSD 6 has many new optimizations to bcopy() and friends which help speed up operations on modern processors.

    pfSense was designed for today's and tomorrow's computing platforms.  Dual Core technology, etc.

    Sorry for the rant but I really need to set the stage for why pfSense is more "bloated" than m0n0wall.  It has completely different goals and on modern hardware, I hardly notice any bloat at all.



  • @sullrich:

    Yes, it is slower than m0n0wall on bootup.  This has many factors that add to this.

    We have designed pfSense from the start for processors over 500MHz.  I.e., today's computers, not yesterday's.

    pfSense was designed for today's and tomorrow's computing platforms.  Dual Core technology, etc.

    Sorry for the rant but I really need to set the stage for why pfSense is more "bloated" than m0n0wall.  It has completely different goals and on modern hardware, I hardly notice any bloat at all.

    Hi Scott
    For starters, I just wanted to make sure that what is happening to me is indeed supposed to happen.
    For instance my computer running XP dhcp client giving up on pfS dhcp server since it takes so long to boot up.
    On the other hand I acknowledge that pfS was made to run on more muscles than m0n0.
    I also acknowledge that you guys state >=500MHz CPU.
    But I also acknowledge that many people are still running pfS on slow 133MHz such as net4501's, such as yourself.
    And I also acknowledge the recent talking about the future hardware requisites on the m0n0wall mailing list where Chris stated that FreeBSD 6 could be the way to go in order to maintain compliancy with old/slow hardware such as Soekris SBCs.
    At the end of the day what you're (trying?) telling me is that pfS will run on a net4501 but with some hiccups such as the one I've mentioned above, right?
    If that's the case, fine.
    But then I think we should try to find hardware that fits pfS requisites other than WRAP/Soekris.
    For instance someone here has told me to go into http://www.nexcom.com.tw/ to find appropriate hardware.
    But I can't.
    I want to find something similar to WRAP/Soekris SBCs, with:

    • low power consumption with external PSU
    • fanless
    • ~800MHz
    • ~256MB
    • CFcard reader
    • >= 1 x miniPCI slot for wifi or hardware encryptor
    • >=3 x LAN ports (preferably INTEL or non-rtl based) with at least 1x 802.3af
    • 1 x RS232
    • 1 x USB
    • front led indicators
    • no ps/2 port or parallel port or vga port (useless for pfS)
    • small metallic case with antenna holes

    If you know such a device, please let me know because I'm buying as long as all the above specs match up.
    Also C3 embedded encryption would be nice (I think that's the correct name for it).
    And my advice would be for the pfS devs to inform the users of the existence of such hardware and where it is sold.
    And then we can finally start saying goodbye to Geode CPUs and start saying hello to VIA CPUs.
    I didn't take your post as a rant.
    We (users) can't expect to make omelettes without eggs with pfS and your task is to alert us of that.
    Cheers


  • How often do you reboot?

    If often, why?  CARP would completely get rid of all the problems that you are experiencing.



  • In fact I reboot once or twice a week as my box seems to lose Internet connection.
    I reboot the cable modem and still no Internet.
    Then I reboot pfS and Internet comes back.
    BTW, the same happens with m0n0 but more like once in 2 or 3 weeks ;).
    And I'm not the only one suffering from these issues.
    Our user "kwag" has also seen this kind of problems with both m0n0 and pfS.
    On the other hand I'm afraid that CARP will not solve my problem, at least in the near future because I'm not buying another net4501/4801.
    And especially after what you just said about hw requisites.
    I would rather prefer finding the proper EPIA board and build a new box!
    And if you guys could help me find it I would very much appreciate it.
    If only Mikrotik's RouterBoard hardware http://www.routerboard.com/rb500.html was built with more RAM and would be able to boot from CF reader…
    Their hardware seems fantastic and prices also look good.
    If there are no other alternatives I'd go with EPIA but I don't want to buy a board with needless vga, audio, parallel port and ps/2 ports.
    So help is needed and would be very much appreciated.
    Cheers



  • If I were you I would focus my energies on getting your internet access stable.

    My connection pretty much NEVER goes down.



  • No way, Scott.
    My Internet access is working properly because when my pfS box freezes, I remove the cable from the back of my net4521 and connect it straight to the back of my PC (1st activating sygate soft fw) and my Internet is working fine.
    And if I connect it back again to my net4521 I still don't have internet connection.
    Fortunately it hasn't been happening very often but that might be because I have been upgrading pfS a lot thus rebooting it also a lot.
    I'll upgrade to BETA1 and leave it like that for ~ a week.
    Then I'll let you know.
    BTW I'm currently running 0.97 and my WoL still shows up as stopped under Status > Services.
    Cheers



  • If you say it stops working with m0n0wall AND pfSense, doesn't that tell you something?



  • Well, on one hand yes but on the other hand it doesn't when connected directly to my PC running a software firewall…
    So, what would it tell me this way?
    Cheers



  • Well for starters I would start to check the hardware in question.  I've got many many m0n0walls in production and they never exhibit this behavior, and when they do we check the hardware over with a fine tooth comb and then check the internet connection.

    We also have some ISPs in this area that don't play well for devices that don't have their software loaded.  They do evil tricks like switching between PPPoE and DHCP and the software handles this on the fly.



  • I see, but on my end I don't need PPPoE.
    I'm running a plain cable connection.
    One thing I'd like to test is my CF card.
    I'm really starting to have 2nd thoughts on it  :-[.
    Any good M$ software to check for CF read/write errors out there?
    Cheers



  • @rds_correia:

    Any good M$ software to check for CF read/write errors out there?

    That's a good question.  I've never run across anything such as this.



  • Cause you see the only thing I have is a 16MB CF.
    Not enough for pfS but enough for m0n0.
    And running m0n0 on the 16MB CF I really can't recall having those big lockups…
    Or maybe it's my mind playing tricks on me ;D.
    If anyone else knows a nice piece of software to test CF cards just let me know.
    Otherwise I'll see how much a new 256MB Sandisk will cost me  :(.
    Cheers



  • @sullrich:

    @rds_correia:

    Any good M$ software to check for CF read/write errors out there?

    That's a good question.  I've never run across anything such as this.

    Simply create a dump file the size of the CF, with a value of hex 0xAA ( 10101010 ), and write it to the flash card. Then verify that there are no errors when comparing against the dump file.
    Now write another dump file of hex 0x55 (01010101), and do the same.
    This will verify that all bits on each byte of memory are set/unset and written/verified correctly.

    -Karl

