Having trouble with a site using a pfsense…
-
i have a client who has a pfsense firewall. there are about 30-35 computers at this site. the firewall is a dell computer with a p4 2.8 and 512 ram.
*** Welcome to pfSense 1.2-RC1-pfSense on rsi-fw1 ***
CPU: Intel(R) Pentium(R) 4 CPU 2.80GHz (2793.02-MHz 686-class CPU)
real memory = 526942208 (502 MB)
avail memory = 506007552 (482 MB)
HT is on… (i know a lot of ppl love to hate HT...)
FreeBSD/SMP: Multiprocessor System Detected: 2 CPUs
cpu0 (BSP): APIC ID: 0
cpu1 (AP): APIC ID: 1
interfaces are:
xl0: <3Com 3c905C-TX Fast Etherlink XL>
xl1: <3Com 3c905C-TX Fast Etherlink XL>
(WAN is xl0)
their business DSL line is 7100k/768k, and during the day, the connection grinds to a halt with pfsense showing a mere 2.5-3 mbit in use. i've been studying their traffic during their workday, and i really don't see anything that just screams "abusive" (such as torrents, or other things that don't belong in the workplace).
i just logged in to their site this time of night, and ran a download, and hit 750K without a problem (i also was on the line with Verizon earlier today, to verify there were no problems or errors on the line). i am trying to figure out where i can start looking to determine the nature of the problem. is 30 people really too many for a 7mbit DSL line? states table says only 400-450 of 10,000 in use, and the box really doesn't look like it is choking.
any hints or ideas of where i might look to solve this problem would be greatly appreciated. i think the client says that the internet has been poor for about 3 weeks, about coinciding with when i made the upgrade to 1.2-RC1. is RC1 having any problems?
i have several pfsense firewalls in production with other clients, but all my other clients have 10 or less computers on their network, this one client i'm troubleshooting is the only one with 30+ computers. and finally, this installation has been in place for about 10 months, and has been flawless thru a release upgrade or 2, until the last couple of weeks.
stumped! :)
-
I can't advise on anything technical, but the line using nigh on an 8mb connection is perfectly fine. No more than 5 years ago i was working at companies with that many users running off a 64k ISDN2e line… 3 years ago, a 2mb leased line serving 100+ people.
Can you not either swap out the pfsense box and rely upon the router firewall (assuming it has one) as a test, or even switch in another pfsense box? At least you can then rule out either the connection or the pfsense installation.
I know that if i max out my connection on uploads (it's an 8000/800) then downloads grind to a halt, so i just limit all outbound traffic to 50k/s.
-
i'm wondering if i can use the traffic prioritizer to set priority based on IP range. then i could set the DHCP scope to be less priority, and the servers and SAP workstations to have higher priority (and well, the boss's laptop too).
i was playing with the traffic shaper, and even tho it wasn't listed, when i turn on the catch-all-p2p, ftp is limited as well. the penalty box feature is kinda cool… is there a way to add more than one computer (or, is just copying the rule and putting in another IP the way to do it)?