Firewall states vs NAT port mappings?



  • I work for a small school district, and we're having a problem of the Internet occasionally being really slow, but the bandwidth is not maxed out. This mainly started since moving to Google Apps but there may be other causes. I moved from a NetGear VPN router to pfSense to try to resolve this but we are still getting the slowness.

    Does the firewall state table also count NAT port mappings, or are they two separate tables of data?

    If they are separate, how do I know when NAT mappings are exhausted? Is there a way to monitor the number of NAT port mappings in use?

    The state table graphs in RRD don't exceed more than about 5000



  • Few things to ask…. what hardware you using for pfsense? And do you have anything in front of it?



  • I don't think it's a server hardware problem.

    Dell PowerEdge 2900, Xeon 5335 @ 2 ghz (1 socket, 4 cores, Core 2), 8 gig RAM

    • It never exceeds 50% for any core on the Windows Task Manager

    Windows Server 2008 R2

    • domain controller
    • VMWare Server 2.02
      • VM, 256 meg RAM, pfSense 2.02 Release, AMD64
      • VM, 2 gig RAM, Ubuntu, CMSMS
      • VM, 512 meg RAM, Ubuntu, Cacti SNMP grapher
      • VM, 1.5 gig RAM, Windows Server 2003 64-bit
        • Scholastic Achievement Manager

    Most of these host VM's don't use much CPU, mostly idle, so the system is not taxed for processing power. It used to run Exchange under the root 2008 R2 OS, but that has been removed.

    There's a 1 gig LAN port on the Dell server that is a dedicated uplink to the ISP demarcation box. They monitor their side of the link, and are telling me they are finding nothing wrong.

    This summer I plan to move the domain controller to another machine, and make this one a straight VMWare vSphere 5.



  • States include NAT mappings.

    My guess, given you've changed firewalls and have one fast enough now to handle orders of magnitude more load than a Netgear, is you have a general problem with your Internet connection. Though it could be something on the internal network or potentially many other causes. Some general network troubleshooting is the next step, even just running pings from somewhere internally to your LAN IP of the firewall, WAN IP of the firewall, WAN gateway of the firewall, and something out on the Internet, could be telling. In many cases similar to what you describe you'll have packet loss somewhere, and narrowing down where that's happening is critical to narrowing down and fixing the problem.



  • Yesterday while the Internet was running really slow for everyone…

    I was watching the realtime traffic log, seeing huge intermittent spikes for individual student machines. These spikes last only a few seconds but each spike nails the connection to the wall at or near 100% bandwidth (23 megabit).

    None of this is picked up by my Cacti SNMP even with it set to 1 minute polling, or the ISP SNMP logger with 5 minute polling.

    Turns out nearly all of these student machines were running some music service I've never heard of called Spotify, plus also the Apple Mobile Device service running at full tilt.

    So, as a test, today I have enabled the Packet Shaper in pfSense. Any p2p and unclassified traffic will be throttled to 5% of our total bandwidth. That is still rather generous I think… 5% of 23 meg is 1.15 meg.

    Oh, and we also declared that no student may use headphones in class that does not require them, or listen to streaming music or watch streaming music videos in any class. Doing so will result in disciplinary action.

    Today's bandwidth has been... a bit less... though this needs more time to see what happens.

    (Night of April 2nd I was downloading a service pack on 20 machines at once. I had no problems maxing it out, and the Internet still worked, but slow..)


Locked