Speed Issues (not sure if this is firewall or not)

  • Hi everyone,

    I'm not sure if this goes in the right forum.
    It appears I'm having significant speed issues and we have it narrowed down to the box running my firewall at my collo cabinet.
    Rough estimates from a verified speed testing server located on the network that is hosting my wan connection shows a rough speed of only 567kb downstream.  I've verified with the NOC at the collo center, I'm currently wide open for testing purposes.

    They did mention that I should check to see what my duplex settings were on my NIC for my wan connection.  I can't figure out how to change that in PFSENSE.  Is that an option?  Is it something available from the shell?

  • The output of "ifconfig" will tell you what the configuration is, for instance from mine:

    rl1: flags=8843 <UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            media: Ethernet autoselect (100baseTX <full-duplex>)
            status: active
    rl2: flags=8802 <BROADCAST,SIMPLEX,MULTICAST> mtu 1500
            media: Ethernet autoselect (10baseT/UTP)
            status: no carrier

    You can change the duplex settings by specifying the interface and the setting (though note that auto-detect is usually reliable and any manual configuration won't survive a reboot).  For example, to set rl0 to full-duplex you would do ifconfig rl0 full-duplex.

    It would be useful to know what version of pfSense you're running (really you should be on 1.2RC1) and what hardware you've got.

  • Well testing from a laptop direct to the uplink connection proves it is a duplexing issue.  Hard setting to 100 full on the laptop gave me a 7Mb / sec connection.  The uplink connection is a Cisco 6509 with a switch module that works best when hard set, could be why auto was giving me trouble.

    I will hard set the duplex and retry.  Is there any way to write a script on boot that hard sets this?  I find it hard to believe that settings like this won't survive reboots in a commercially supported product.  If that's the case, how do all my rules and interface configurations survive reboots?  I have it installed to the hard drive.

    Version is Release 1.0.1.  When 1.2 is in release status, I'll upgrade.  I have mail servers and corporate resources behind this firewall now that I can't just arbitrarily take down for upgrades.

    Hardware is an older VA Linux machine with dual NIC, Intel Pro 10/100's.

    EDIT:  I just tried setting it:
    ifconfig fxp0 full-duplex
    ifconfig: full-duplex: bad value

    Am I doing something wrong?

    EDIT (again :) ) :
    I figured it out. The full command is:
    ifconfig fxp0 media 100baseTX mediaopt full-duplex
    fxp0 now shows:
    media: Ethernet 100baseTX <full-duplex>

    Time to do some testing :)

  • Well, pfSense isn't (as far as I can tell) designed for you to hand-hack it - it's aimed for GUI management.  You could manually alter the config file (/cf/conf/config.xml) and put the required entry in the right section.  It might be that you'd put "full-duplex" in the mediaopt section of the WAN port.  I'm not sure how that would survive configuration changes though - it's unsupported as far as I can tell.

    Besides, strictly speaking the Cisco is broken by not correctly supporting auto-detection ;)

    As for the versions, support for 1.0 is pretty minimal and the developers are directing everybody to 1.2.  I (and many others) have been running the betas for some time now without any problems.

    Edit: I just noticed that under Status: Interfaces it lists the current media settings

  • Thanks for the heads up.
    I'll check into upgrading to 1.2.

    I just saw the status portion relating to the media of the interfaces.  That is helpful but it would be nice if the gui let you hard set and apply the settings.

    Does anyone know if setting this via ifconfig requires a restart of anything?  I don't see any difference in tests behind the firewall, however I know this seems like the issue I'm facing because I replicated the interface configuration with my laptop and then hard set it, which corrected my problem.

  • Ok,

    I just upgraded, so far so good.  Still have the interface problem BUT:

    I just discovered the PFSense PHPShell:

    pfSense shell> print_r($config['interfaces']);
        [lan] => Array
                [if] => fxp0
                [ipaddr] =>
                [subnet] => 28
                [media] => 
                [mediaopt] => 
                [bandwidth] => 100
                [bandwidthtype] => Mb
                [bridge] => 
        [wan] => Array
                [if] => fxp1
                [mtu] => 
                [blockpriv] => 
                [media] => 
                [mediaopt] => 
                [bandwidth] => 100
                [bandwidthtype] => Mb
                [spoofmac] => 
                [disableftpproxy] => 
                [ipaddr] => BLOCKED FOR PRIVACY
                [subnet] => 30
                [gateway] => BLOCKED FOR PRIVACY
                [use_rrd_gateway] => 

    Judging from other options using the help for the shell, it appears I may be able to hard set the interface.
    Does anyone know how to do this?  Should I move this to another forum?

  • Well, I think I figured it out:

     $config['interfaces']['wan']['mediaopt'] = "full-duplex";
     $config['interfaces']['wan']['media'] = "100baseTX";

    Solved my problem so far.

  • It's highly unlikely that it's Cisco related. I'm sure your provider doesn't know better and hard codes all the interfaces 100/full. It's a common misconception that it's good to do that, in reality no networking vendor including Cisco recommends doing this. I'm sure if their side was set to auto it would work fine. 100/full connecting to auto == duplex mismatch.

    With the media and mediaopt in your config, you're set. It won't ever get overwritten or anything, it's a fully supported option, it's just that since so many people don't understand autonegotiation we hide it to prevent people creating performance problems by forcing when they should leave everything to auto in virtually every circumstance.
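
The duplex check discussed in this thread, as an added example that is not part of the original posts: a shell function that reads FreeBSD-style `ifconfig` output and flags active interfaces where autoselect did not resolve to full-duplex, which is what the auto side of a forced/auto link typically shows. The function names, verdict labels and sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): classify ifconfig "media:" lines.
# Usage on the firewall shell: ifconfig | check_duplex

# check_duplex: read ifconfig output on stdin and print
# "<interface> <mode> <duplex> <verdict>" for every interface with carrier.
check_duplex() {
    awk '
    # Interface header line, e.g. "fxp0: flags=8843<UP,...> mtu 1500"
    $1 ~ /:$/ && $2 ~ /^flags=/ { ifname = $1; sub(/:$/, "", ifname); media = ""; next }
    $1 == "media:"              { media = $0; next }
    # Only judge links that are up; "status: no carrier" is skipped.
    $1 == "status:" && $2 == "active" && media != "" {
        mode   = (media ~ /autoselect/)  ? "auto" : "forced"
        duplex = (media ~ /full-duplex/) ? "full" : "half"
        if (mode == "auto" && duplex == "half")
            verdict = "suspect-mismatch"      # peer may be hard set
        else if (mode == "forced")
            verdict = "verify-peer-forced"    # peer must be forced to match
        else
            verdict = "ok"
        print ifname, mode, duplex, verdict
        media = ""
    }'
}

# Constructed sample covering the states that come up in the thread.
sample_ifconfig() {
    cat <<'EOF'
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
fxp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        media: Ethernet autoselect (100baseTX)
        status: active
rl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        media: Ethernet 100baseTX <full-duplex>
        status: active
rl2: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
        media: Ethernet autoselect (10baseT/UTP)
        status: no carrier
EOF
}
```

A `suspect-mismatch` result is a prompt to compare settings with the upstream port, not proof: a genuine half-duplex device on the other end produces the same line.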