Need help with throughput on new setup
-
Hello once again,
I created a new setup involving a filtered bridge. It has 4 NICs: one to manage the firewall, LAN and WAN interfaces are bridged, and another which is connected via crossover to another firewall (a sort fake-failover setup). Anyways, I seem to be having issues with regards to getting good throughput. For example, when trying to download a big file from a machine on the LAN portion, the download always stalls right away. Wget seems to start the dl, get to 66,608 bytes and then just stop.
Has anyone ever experienced this? Traffic shaping is off (and even when on, doesn't help) and putting in a blanket 'allow all' rule on the WAN doesn't seem to help. Any ideas on how i can further debug this?
I'm using the newest beta release.
Thanks,
–james -
I wasn't really sure where to put this, but it's not traffic shaping related, so it ended up here. :)
What you're describing is generally caused by MTU issues on one or more of your systems. Does the transfer ever complete?
Your description of your setup isn't very clear, can you provide a diagram?
-
Sure! This is pretty bad but a better one can be provided if need be
[ client 1 ] –--|
... |--- LAN --- [ pfsense ] –-- WAN --- [ switch] –-> interweb
[ client x ] –-The 'pfsync' interface is not diagrammed as it is out of the picture (just a crossover to another box); same for the management port. So yea, the transfer sometimes dies out, some people tell me that the transfer will happen just fine. It almost seems intermittent, but doing a tcpdump on LAN, WAN and the local machine showed me (atleast i think so) that sometimes packets don't seem to get traversed from LAN to the WAN interface (which are bridged).
There is a possibility something is setup incorrectly, I just can't seem to pinpoint where to look next.
Couple of quick questions: 1) researching the forums, I remember reading that the bridge needs ip addresses on both ends, but they need to be on different subnets in order for FreeBSD not to get confused. Is there any way to have only one end of the bridge have an ip? What is considered that 'standard' way in pfSense?
- How do I check for MTU consistency on the interfaces and switches?
Thanks as always!
james -
Well it turns out it was something silly on the switch end of things. Sorry for the forum noise :-(
But I would still like the above questions figured out as I play with pfsense and getting optimal performance on it (device polling really helped shrink the interrupt % of the cpu :-) ).
A third question, if I may: 3) If one wanted to make custom config changes to the ruleset that wasn't possible via the GUI, is there a standard way of doing that?
Thanks once again!
james -
Couple of quick questions: 1) researching the forums, I remember reading that the bridge needs ip addresses on both ends, but they need to be on different subnets in order for FreeBSD not to get confused. Is there any way to have only one end of the bridge have an ip? What is considered that 'standard' way in pfSense?
What I recommend is only bridging OPT interfaces, as then the bridged interface doesn't need an IP.
- How do I check for MTU consistency on the interfaces and switches?
Unless you manually changed things, everything should be at 1500 by default and should be left that way. There's no sure-fire easy way to check everything in one fell swoop. If you think things have been messed with, what I would do is either manually check things if it's a small network, or write a script to automatically check things if it isn't (I'd probably use Perl for switches and routers, maybe a shell script for *nix boxes, and PowerShell or VBS for Windows).
But I would still like the above questions figured out as I play with pfsense and getting optimal performance on it (device polling really helped shrink the interrupt % of the cpu :-) ).
That's deceiving, it's actually broken in FreeBSD 6.x and greatly reduces throughput.
http://pfsense.blogspot.com/2007/06/polling-and-freebsd.html- If one wanted to make custom config changes to the ruleset that wasn't possible via the GUI, is there a standard way of doing that?
That should never be necessary for any purpose, hence there is no supported facility for making manual ruleset changes.
-
@cmb:
What I recommend is only bridging OPT interfaces, as then the bridged interface doesn't need an IP.
I was thinking about that, but then LAN and WAN would be my manage / pfsync interfaces, which would be confusing name wise.
@cmb:
That's deceiving, it's actually broken in FreeBSD 6.x and greatly reduces throughput. http://pfsense.blogspot.com/2007/06/polling-and-freebsd.html
I read this link before I enabled it and the idea seemed sound: http://taosecurity.blogspot.com/2006/09/freebsd-device-polling.html .
@cmb:
That should never be necessary for any purpose, hence there is no supported facility for making manual ruleset changes.
True, it shouldnt be needed, just thinking that it would be nice to have just in case