Slowed Packet Handling



  • I have a quick question about the firewall and packet handling. I have an interface that feeds a switch connected to all wireless APs to keep LAN machines separate from wireless access. The issue I am having is that adding a single firewall rule to that interface slows the load time of pages significantly. Is there a common cause of this I should be looking to address with my system?

    Intel(R) Pentium(R) Dual CPU E2180 @ 2.00GHz
    NICs are crappy for the moment; would this be causing the issue?

    Thanks!



  • What does the firewall rule in question do?

    Also, are you using vlans on that interface?

    Does the slowdown apply to all machines or only those on the wireless?



  • The firewall rule prevents the subnet from accessing another subnet, so essentially allow traffic to all but the listed subnet.

    No VLANs on the interface, and the slowdown appears to only affect the wireless devices.

    It's a bit difficult to gauge, as the other subnet has exclusively wired devices and moves fairly quickly, but it appears to only affect the devices on the subnet with the rule.

    What I've ended up doing is essentially creating a floating rule that does the same job and does it without the noticeable slowdown on any particular subnet. I think that may indicate an issue with that particular NIC specifically, am I right in my assumption?



  • @Streat:

    The firewall rule prevents the subnet from accessing another subnet, so essentially allow traffic to all but the listed subnet.

    No VLANs on the interface, and the slowdown appears to only affect the wireless devices.

    It's a bit difficult to gauge, as the other subnet has exclusively wired devices and moves fairly quickly, but it appears to only affect the devices on the subnet with the rule.

    What I've ended up doing is essentially creating a floating rule that does the same job and does it without the noticeable slowdown on any particular subnet. I think that may indicate an issue with that particular NIC specifically, am I right in my assumption?

    No, it doesn't indicate a hardware problem if a floating rule resolves the problem.
    Instead of adding a new rule, what you can actually do is simply edit the default rule so that:

    Destination subnet is 'Not' 'LAN Subnet'.

    That is, the devices on wifi can access any IP address that isn't the main wired LAN subnet.



  • Wow, I could have sworn I had already tried that, but I just gave that a shot and it works perfectly! If I needed to prevent it from accessing other subnets as well (it's a guest network), should I be using Destination 'Not' and an alias for the other subnets?



  • @Streat:

    Wow, I could have sworn I had already tried that, but I just gave that a shot and it works perfectly! If I needed to prevent it from accessing other subnets as well (it's a guest network), should I be using Destination 'Not' and an alias for the other subnets?

    You can. Just create an alias for all the subnets (networks) including the LAN and substitute the network in the rule with the alias instead.
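    The two rule shapes discussed in this thread (a block rule above the default pass, versus a single pass rule whose destination is "not" the LAN subnet or an alias of subnets) are easy to get subtly wrong, so here is an added example, not code from the thread or from pfSense, that models pfSense interface-tab rule evaluation (top-down, first match wins, implicit default deny) and checks the variants against constructed flows. All addresses, the `LAN_NET`/`GUEST_NET`/`PRIVATE_ALIAS` names and the guest gateway address are assumptions made up for the example. It also shows the one caveat an alias of every private range introduces for a guest network: the firewall's own interface address falls inside that alias, so DNS or DHCP to pfSense itself is blocked unless a pass rule for it sits above the negated rule.

```python
"""Model of pfSense interface-rule evaluation for the guest-network policy
discussed above.  Added example; not pfSense code.  Every address here is
constructed for illustration."""
import ipaddress
from dataclasses import dataclass

# Constructed sample networks (assumptions, not taken from the thread).
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
GUEST_NET = ipaddress.ip_network("192.168.50.0/24")
GUEST_GATEWAY = ipaddress.ip_network("192.168.50.1/32")   # pfSense's own IP on the guest interface
# An alias covering every RFC 1918 range, as the reply suggests for a guest network.
PRIVATE_ALIAS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Rule:
    action: str          # "pass" or "block"
    src: list            # list of ip_network; [] means "any"
    dst: list            # list of ip_network (an alias); [] means "any"
    negate_dst: bool = False   # the "not" checkbox on the destination field

    def matches(self, src_ip, dst_ip):
        src_hit = not self.src or any(src_ip in n for n in self.src)
        dst_hit = not self.dst or any(dst_ip in n for n in self.dst)
        if self.negate_dst:
            dst_hit = not dst_hit
        return src_hit and dst_hit


def decide(rules, src, dst):
    """Interface rules are evaluated top-down and the first match wins.
    A packet matching no rule is dropped by the implicit default deny."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(src_ip, dst_ip):
            return rule.action
    return "block"


def original_two_rules():
    # What the poster described: a block for the LAN subnet above the pass-any rule.
    return [Rule("block", [GUEST_NET], [LAN_NET]),
            Rule("pass", [GUEST_NET], [])]


def single_not_lan_rule():
    # The suggested edit: one pass rule with destination "not LAN subnet".
    return [Rule("pass", [GUEST_NET], [LAN_NET], negate_dst=True)]


def single_not_private_rule():
    # Same shape, but the destination is an alias of all private networks.
    return [Rule("pass", [GUEST_NET], PRIVATE_ALIAS, negate_dst=True)]


def guest_policy():
    # The alias version with the caveat handled: let guests reach the
    # firewall's own interface address (DNS/DHCP) before the negated rule.
    return [Rule("pass", [GUEST_NET], [GUEST_GATEWAY]),
            Rule("pass", [GUEST_NET], PRIVATE_ALIAS, negate_dst=True)]


# Constructed (source, destination) flows from a guest client.
SAMPLE_FLOWS = [
    ("192.168.50.10", "192.168.1.5"),      # guest -> wired LAN host
    ("192.168.50.10", "93.184.216.34"),    # guest -> a public address
    ("192.168.50.10", "10.20.0.7"),        # guest -> another private subnet
    ("192.168.50.10", "192.168.50.1"),     # guest -> the firewall itself
]


def policies_agree(rules_a, rules_b, flows=SAMPLE_FLOWS):
    """True when both rule sets reach the same verdict for every sample flow."""
    return all(decide(rules_a, s, d) == decide(rules_b, s, d) for s, d in flows)


if __name__ == "__main__":
    for name, rules in [("two rules", original_two_rules()),
                        ("not LAN", single_not_lan_rule()),
                        ("not private alias", single_not_private_rule()),
                        ("guest policy", guest_policy())]:
        print(name, [decide(rules, s, d) for s, d in SAMPLE_FLOWS])
```

    Running it shows the block-then-pass pair and the single "not LAN subnet" rule give identical verdicts, while the bare "not private alias" rule also blocks the guest's own gateway address; the `guest_policy` ordering restores that without reopening the LAN.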



  • I actually just gave that a shot and encountered the same issue; it crunches the speed. I've only got a gig of RAM in this box; could this be an issue? The system info says I'm only using about 75% of the available memory, which is why I didn't initially suspect it.


  • Netgate Administrator

    1G of RAM should be fine for most situations. Are you running Squid or Snort? What's your WAN bandwidth?
    Which install type are you running? If you're running from a HD and your extra rule is somehow using just enough RAM to push the system into using swap, that would slow things down significantly. That seems unlikely, though.

    Steve



  • I am running Squid and SquidGuard, but Squid is not activated on the interface I am referring to; it is on a separate subnet.
    I pay for 50 Mbps, but the fastest I've seen yet is about 35 Mbps on the hardwired subnet and about 25 Mbps on the wireless subnet (the one with the slowed firewall rule handling).
    This is running from a HD in a dedicated box, and it wouldn't surprise me if that is the issue. This was my first router build and it is mostly older hardware cobbled together; the HD is a WD Green 500 GB from a few years back.
    Thanks everyone for your continued help!


  • Netgate Administrator

    It would surprise me. Squid uses ram but not that much. Any indication in the RRD graphs of memory exhaustion?

    Steve



  • No :/
    The hardware seems to be right inside of the working values I would expect
    Memory Usage 35%
    CPU Usage 32%
    Swap Usage 1%
    Disk Usage 1%
    All statistics seem to be about where they should be, but the second I add a rule dictating a bit of specificity on that interface, speed drops through the floor; this issue doesn't seem to affect any other interfaces. That being said, I am still at maximum on my hardwired subnet getting about 32 Mbps when Cox says I'm paying for 50 Mbps, but I suspect there are other issues at work with that particular problem.



  • Can you confirm that this only affects the 'wifi' subnet and not the main subnet?

    If so, you might have to screenshot the floating rules, outbound NAT and interface rules for us to look at.

    Seems like something isn't going right somewhere.