Bandwidth Question



  • If I have a computer on the LAN interface that connects to a computer on an OPT interface it appears that the pfSense box treats this scenario as though the computer on the OPT interface is being accessed from the WAN interface, meaning that the bandwidth is limited by my internet connection's max upload speed. Should this be the case?

    If that is supposed to be how it works, then how do I fix it so that I can make pfSense think they're on the same network and thus would only be limited by hardware?

    Thanks in advance!


  • Rebel Alliance

    Have you tried with a "Floating" rule? (just an idea ;) )



  • @broncoBrad:

    If I have a computer on the LAN interface that connects to a computer on an OPT interface it appears that the pfSense box treats this scenario as though the computer on the OPT interface is being accessed from the WAN interface, meaning that the bandwidth is limited by my internet connection's max upload speed. Should this be the case?

    No, unless there is something you haven't mentioned (e.g. you have enabled traffic shaping or the path to the computer on the OPTx interface actually goes through the WAN interface.)

    @broncoBrad:

    If that is supposed to be how it works, then how do I fix it so that I can make pfSense think they're on the same network and thus would only be limited by hardware?

    As long as the LAN computers access the OPTx computer through pfSense the access will be limited by both the hardware and how fast the pfSense software can forward the packets. Thus access speed will drop if the pfSense CPU is busy doing other things (for example, running snort or squid).

    If you really want speeds limited only by the hardware the closest you will get is to put them on the same LAN.



  • So you're saying that as long as I allow the LAN to initiate to the OPT and vice versa, then I should only be limited by hardware?

    Is there some package or command line program or something to where I can test max bandwidth between devices?

    Thanks!



  • @broncoBrad:

    So you're saying that as long as I allow the LAN to initiate to the OPT and vice versa, then I should only be limited by hardware?

    No.

    Consider two computers connected by a good quality LAN cable running a test that shows throughput just under communication channel speed. This is best case. Every piece of equipment you put between the computers will have some effect on the throughput. The effect will range from negligible to significant. Switches running at line rate will have least effect. The hardware is optimised for forwarding packets. Routers will have an effect ranging from negligible to significant depending on the I/O capacity of the router and the instruction speed of the computer in the router. Router CPUs and I/O architecture are generally not optimised for forwarding packets. An Alix (500MHz AMD x86 CPU) will have lower forwarding capacity than an Atom based system (1.xGHz CPU) which, in turn, will have lower forwarding capacity than a 3.xGHz i7 system.

    Without more specific information about the configuration under discussion it's impossible to say if throughput between two computers is limited only by the hardware.



  • I think to help me test my theory I would use traceroute and State logs.

    If I traceroute the IP of the device on the OPT network I would expect to see what given the following set up:

    LAN PC <---> Wireless LAN AP <--hardwired--> pfSense NIC <--hardwired--> Wireless OPT AP <---> OPT device

    In my estimation, wouldn't I see
    0 LAN PC
    1 LAN AP
    2 OPT AP
    3 OPT device
    ??

    Also, if I were to read the state table should I see a connection directly between the LAN PC and the OPT device?

    Thanks!



  • Here's the output of a traceroute between a system on my (wired) LAN and a system on my wired DMZ:

    $ traceroute -n 192.168.37.200
    traceroute to 192.168.37.200 (192.168.37.200), 30 hops max, 60 byte packets
    1  192.168.211.173  0.409 ms  0.366 ms  0.337 ms
    2  192.168.37.200  0.848 ms  0.762 ms  0.743 ms
    $

    1. is the IP of my pfSense LAN interface. 2. is the IP of the NIC on the computer on the DMZ.


  • Netgate Administrator

    If you have those wifi APs set up just as access points you won't see them since they are layer 2 devices (like a switch).

    Is it possible that the restriction you are seeing is due to the wifi connection and just happens to be around the same speed as your WAN? Remember that the actual throughput across a wifi link is far slower than the claimed connection speed.

    Steve

