Few days after install, it's getting sloooow
when I installed it was great, but after a few days it became slow …
I have noticed these issues in various topics and today It happened to me.
Mailscanner testing was really nice until the first day in production, 100.000 valid emails later, I got very slow I/O on servers with two 15k SAS drives, 32GB of RAM and 16 CPUs. :o Unbelievable
After some time checking many configurations I noticed that pfSense's default installation does not separate / from / var or / usr and consequently no disk access performance because soft-updates are not enabled on root filesystem.
I tried to enable soft-updates in / many times without success. To resolve the situation, I had to reinstall pfSense in custom/Advanced mode and create /var and /usr with soft-updates enabled and apart of root filesystem.
So if you use disk cache ( squid ), antivirus ( havp ) on any other package that really makes disk access ( mailscanner ) you might need to reinstall your pfSense. ;)
Another solution would be to put more memory on the machine and move the cache to RAM, using package native options or mfs.
If someone can enable soft-updates in / , please post here.
To see if your filesystem has soft-update or not, use mount cmd, the output should look like this:
/dev/da0s1a on / (ufs, local)
devfs on / dev (devfs, local)
/dev/da0s1d on /usr (ufs, local, soft-updates)
/dev/da0s1a on /var (ufs, local, soft-updates)
read about soft-updates before any changes to your pfsense, there are good and bad points.
What about using SSD for high IO packages? Do you think that would help?
ssd is not ideal for a 24/7 servers.
You really don't want to enable softupdates on /
[…]Soft-updates drastically improves meta-data performance, mainly file creation and deletion. We recommend enabling softupdates on most file systems; however, there are two limitations to softupdates that you should be aware of when determining whether to use it on a file system. First, softupdates guarantees file system consistency in the case of a crash but could very easily be several seconds (even a minute!) behind on pending write to the physical disk. If you crash you may lose more work than otherwise. Secondly, softupdates delays the freeing of file system blocks. If you have a file system (such as the root file system) which is close to full, doing a major update of it, e.g. ``make installworld'', can run it out of space and cause the update to fail. For this reason, softupdates will not be enabled on the root file system during a typical install. There is no loss of performance since the root file system is rarely written to.
Making a separate /usr and such, as you did, is the proper thing to do there if you really want to use softupdates.
That said, if you insist on doing it, you can turn it on by booting to single user mode and running:
/sbin/tunefs -n enable /
If that fails, boot from cd/memstick and run:
/sbin/tunefs -n enable /dev/ad0s1a
(or whatever your hdd actually is)
Using tunefs isn't possible on an active filesystem and it requires a reboot to be fully active, so it must be done from single user mode or an unmounted drive.
marcelloc, have you considered running those components not related to the firewall (like squid and havp) in a separate VM, both for security and for performance reasons ?
Your hardware "with two 15k SAS drives, 32GB of RAM and 16 CPUs" seems more than enough …
Indeed, at some point you have to realize you are treating the firewall like a server, which takes a lot more thought in terms of filesystem layout, security, and so on. Isolating those functions in a separate VM would be ideal, especially on a box like that.
Let the firewall be a firewall and split off the things that are better suited for a dedicated box elsewhere. (or even use a pfSense install for those, but in appliance mode, where you wouldn't have to worry quite so much about compromising on security)
I'm doing this, I have two pfsense as firewall with carp as firewall and also load balancing smtp connections to both smt servers.
I really like pfsense gui, sync and backup. That's why I'm porting these packages to it.
On large systems like this I have each service on it's own server.
But when a client has only one machine(not so good for virtualization) to use as firewall, proxy, etc it's good to have package options to build UTM with pfSense.