Netgate Discussion Forum

    Strange internet slowness Alix pfsense router

    General pfSense Questions
    27 Posts 3 Posters 5.3k Views

      dolomite792

      Hello all, I just started using pfSense with an alix2d2 board, and I must say that with absolutely no packages or any other tools running, my home internet experience is much slower vs. my wrt54gl running ddwrt.  I have everything running on the default settings with basic rules to let traffic out to the internet.  My internet speed is basically 3.5mbps, and now, since using the pfSense alix board, more than two people aren't able to surf at the same time.  I've plugged in the old router to test and it is the new pfSense router.  Is there anything that I might be missing?  Does anyone have any ideas as to things that might be running at the default settings that I probably wouldn't need?  I find it very strange that a higher powered router would slow down the internet experience.

      Here's the lan rules

      IPv4 *    LAN net    *    *    *    *    none        Default allow LAN to any rule
      IPv6 *    LAN net    *    *    *    *    none        Default allow LAN IPv6 to any rule
      IPv4+6 TCP/UDP    LAN net    53 (DNS)    *    *    *    none
      IPv4+6 TCP    LAN net    80 (HTTP)    *    *    *    none
      IPv4+6 TCP    LAN net    443 (HTTPS)    *    *    *    none
      IPv4+6 TCP/UDP    LAN net    53 (DNS)    LAN address    53 (DNS)    *

      Here's the wan rules:

      *  RFC 1918 networks  *  *  *  *  *      Block private networks
      block      *  Reserved/not assigned by IANA  *  *

      Here is the Wireless lan interface rules:

      IPv4+6 TCP    LAN address    80 (HTTP)    *    *    *    none
      IPv4+6 TCP/UDP    LAN net    *    *    53 (DNS)    *    none
      IPv4+6 TCP/UDP    LAN net    *    LAN address    53 (DNS)    *    none
      IPv4+6 TCP    LAN net    443 (HTTPS)    *    *    *    none
      IPv4 *    WIRELESS1 net    *    *    *    *    none

        stephenw10 Netgate Administrator

        Almost all of those firewall rules are doing nothing.

        On the LAN interface the first two rules allow all IPv4 and IPv6 traffic from the LAN subnet. The rules below that are doing nothing because the traffic is already allowed.

        On the wireless interface all except the last rule have the LAN subnet as the source address. Since that is the wireless interface there will be no outgoing traffic from the LAN subnet.

        That doesn't explain why you are seeing limited throughput. The Alix can pass ~85Mbps without any packages.

        Check for a duplex mismatch. Look at the Status: Interfaces: page in the webgui at the error count for each interface. They should all be 0.

        Steve

          dolomite792

          On my wireless interface I am getting 1 error out.  That is rather strange...  Also, what would you recommend for some basic rule sets for the firewall?  I only used what was given on a tutorial in the pfSense tutorial page.  I would love any suggestions, or possibly to be pointed in the right direction to a tutorial that shows a better setup.  Also, how do I figure out where the error is coming from?

          WIRELESS1 interface (ath0)

          RSSI 33.5
          In/out packets 110/102 (9 KB/9 KB)
          In/out packets (pass) 110/102 (9 KB/9 KB)
          In/out packets (block) 0/0 (0 bytes/0 bytes)
          In/out errors 0/1
          Collisions 0

            stephenw10 Netgate Administrator

            1 bad packet on an interface is no problem, especially on a wifi interface where interference/signal strength etc. can affect things. If you had had a duplex mismatch you would see thousands of errors, though not from only a few hundred packets through.

            The rules you have put in place on LAN are designed to be a tight restriction on outgoing traffic, only allowing DNS, HTTP and HTTPS. However, for those to have any effect you have to disable or remove the rules above them that allow out any traffic. The rules are implemented from the top of the table first, working downwards.

            I can't really recommend a rule set without knowing what you're trying to achieve in terms of filtering or isolating. The default 'allow any' rule on LAN is fine for most situations where you're not worried about traffic from inside your network going out. You may want a tighter rule set on the wifi interface. For example perhaps you don't want wireless clients to be able to access machines on the LAN interface?

            That still doesn't explain why you're seeing a big reduction in speed.
            What do you have connected to the WAN? DSL modem? Cable modem?
            If you could copy and paste the entire Status: Interfaces: page that might show something. Feel free to obscure your public IP if you have that on WAN.

            Steve
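
The two points made about these tables in this thread (rules below an allow-all never fire because evaluation is top-down, and a LAN-sourced rule on the wireless interface never sees matching traffic) can be checked mechanically. The following is an added example, not part of any post: the `Rule` fields are transcribed from the tables in the first post, and treating an interface's own subnet as the only source that arrives on it is a simplifying assumption for a flat home network.

```python
from dataclasses import dataclass

ANY = "*"
SHADOWED = "never reached: earlier rules already match all of its traffic"
NO_SOURCE = "never matches: this source does not arrive on the interface"


@dataclass(frozen=True)
class Rule:
    ipver: str   # "4", "6" or "46" (the GUI's IPv4, IPv6, IPv4+6)
    proto: str   # "*", "TCP" or "TCP/UDP"
    src: str
    sport: str
    dst: str
    dport: str


# Transcribed from the first post, in table order (all are pass rules).
LAN = [
    Rule("4", ANY, "LAN net", ANY, ANY, ANY),
    Rule("6", ANY, "LAN net", ANY, ANY, ANY),
    Rule("46", "TCP/UDP", "LAN net", "53", ANY, ANY),
    Rule("46", "TCP", "LAN net", "80", ANY, ANY),
    Rule("46", "TCP", "LAN net", "443", ANY, ANY),
    Rule("46", "TCP/UDP", "LAN net", "53", "LAN address", "53"),
]
WIRELESS = [
    Rule("46", "TCP", "LAN address", "80", ANY, ANY),
    Rule("46", "TCP/UDP", "LAN net", ANY, ANY, "53"),
    Rule("46", "TCP/UDP", "LAN net", ANY, "LAN address", "53"),
    Rule("46", "TCP", "LAN net", "443", ANY, ANY),
    Rule("4", ANY, "WIRELESS1 net", ANY, ANY, ANY),
]


def _addr_covers(a, b):
    # "X net" also contains the firewall's own "X address".
    return a in (ANY, b) or (a.endswith(" net") and b == a[:-4] + " address")


def _port_covers(a, b):
    return a in (ANY, b)


def _proto_covers(a, b):
    if a == ANY:
        return True
    return b != ANY and set(b.split("/")) <= set(a.split("/"))


def covers(early, late, ver):
    """True if `early` matches every IPv<ver> packet that `late` matches."""
    return (ver in early.ipver
            and _proto_covers(early.proto, late.proto)
            and _addr_covers(early.src, late.src)
            and _port_covers(early.sport, late.sport)
            and _addr_covers(early.dst, late.dst)
            and _port_covers(early.dport, late.dport))


def audit(iface, rules):
    """Return (position, reason) for each rule that can never take effect."""
    findings = []
    for i, r in enumerate(rules):
        if r.src not in (ANY, f"{iface} net"):
            # Assumption: only the interface's own subnet shows up as a source.
            findings.append((i + 1, NO_SOURCE))
        elif all(any(covers(e, r, v) for e in rules[:i]) for v in r.ipver):
            # An IPv4+6 rule is dead only if both halves are covered, possibly
            # by two different earlier rules (here: the IPv4 and IPv6 allow-all).
            findings.append((i + 1, SHADOWED))
    return findings


if __name__ == "__main__":
    for name, table in (("LAN", LAN), ("WIRELESS1", WIRELESS)):
        for pos, reason in audit(name, table):
            print(f"{name} rule {pos}: {reason}")
    # With the two allow-all rules removed, the restrictive LAN rules go live.
    print("LAN without allow-all:", audit("LAN", LAN[2:]))
```

Running the audit on the LAN table with the two allow-all rules removed still flags the last rule, because the earlier DNS rule with destination `*` already matches everything it would.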

              dolomite792

              I have internet from a local WISP who are attached to a fiber optic connection.  I believe it's a Motorola 5GHz wireless terminal on my roof with auto DHCP.  Here's a screenshot of the full interface page.

              As far as rulesets, probably something basic for a home connection; there's nothing specific, but probably the best security practice for the home.  Let me know if there are any other places I could look to see why it would be slowing things down so much.

              I plugged the wrt54gl in again and the speed was back to normal, with enough bandwidth that we could all surf.  I didn't inherit this alix board at all; it's just a fresh stock installation, which is why I find this so weird.  Thank you for all of your assistance so far, as it is very much appreciated.

                stephenw10 Netgate Administrator

                So the 3.5Mbps figure you gave earlier, is that your normal speed or what it's reduced to? What is your WAN connection?  DSL? Cable?

                Steve

                  dolomite792

                  My ISP is neither of those; it's wireless equipment on my roof connected via ethernet, which ultimately connects up to a fiber optic connection.  So yes, I get roughly about 3.5 constantly and it's burstable to higher speeds.  Could it be possible that it's not playing nice with the Motorola 5GHz equipment from the ISP?  I unchecked this option on the WAN:

                  Block private networks
                  When set, this option blocks traffic from IP addresses that are reserved for private networks as per RFC 1918 (10/8, 172.16/12, 192.168/16) as well as loopback addresses (127/8).  You should generally leave this option turned on, unless your WAN network lies in such a private address space, too.

                  Since it uses these addresses I think this may have solved the issue.  I will continue testing further with multiple devices running and see if it has an effect.

                    stephenw10 Netgate Administrator

                    You should also check the system logs for any alerts from the apinger service. Since your WAN is a wireless setup it may have a higher latency than apinger is tuned for by default. It may be seeing it as a bad connection.
                    What do the RRD graphs of your WAN quality look like? What's the average ping time?

                    Steve

                      dolomite792

                      I've been experiencing something strange: when I reboot, the WAN will go up and down repeatedly until it decides to finally stick and give me a local address.

                      Here's the WAN graph and as you can see the speed is terrible:

                      The apinger is having trouble just like you said it would:

                      What should I do from here?  Where should I adjust the apinger latency?  Also how would I figure out the proper latency to set it to?

                      Your assistance has been awesome so far!

                      Thank you!

                        stephenw10 Netgate Administrator

                        Ok, so apinger is seeing excessive delay as we thought it might.
                        In the webgui go to System: Routing: Gateways: edit the WAN gateway (the 'e' button). Click 'advanced'. Now you can enter new latency values. To get suitable values try looking at the RRD graphs for WAN quality, that should show your typical ping times. You can also try disabling apinger completely on that page as a test.

                        Steve

                          dolomite792

                          So which graph shows the ping?  I just cannot seem to make sense of which one that is. Disabling the apinger service still doesn't seem to have changed the crappy speed…..  It has stopped logging it in the system logs though.

                            dolomite792

                            Ok, so I'm looking at the quality graph in the RRD graphs and it's showing:

                            Delay
                            min: 7.62ms
                            avg: 55.83ms
                            max: 934.11ms

                            So then I'm looking in the advanced section of the gateway:

                            Latency thresholds      Low and high thresholds for latency in milliseconds. Default is 200/500.

                            I'm a little confused on what to do here as the default threshold looks to be within the parameters?

                              stephenw10 Netgate Administrator

                              Hmm, well you clearly have a wide variation in latency and some very high values. It's not clear whether the connection is severed by apinger at those high peaks, the latency may have increased further for instance. You would probably just have to try some values and see how it goes adjusting them until you reach something you're happy with. I've never had to deal with a wireless WAN connection though, there are probably others here who could give you a better answer on that.

                              Not sure why the speed should be low. What speed do you expect to see?

                              Steve

                                dolomite792

                                Well, it should at least be a decent and robust 3.5mb, and now I'm looking at a fragile 0.85-1.5mb, which really sucks.  Weird thing is that the connection improves right after you restart the ISP radio and then the pfSense board.  There's a small honeymoon period after the reboot before it degrades over time to a slower connection.  So in your opinion what should I put in for latency values?  70-500? or 20-500?

                                It's weird: with a standard router it will work fine and I will get 3.5mb and the internet will flow normally.  The other day the WAN connection was cycling on and off over and over as it was trying to resolve an address from the ISP radio.

                                  stephenw10 Netgate Administrator

                                  With values like that I would choose, maybe, 500-1000.
                                  It is still somewhat confusing to me what those values are, but having read various docs and looked at the source, as I understand it the first value will trigger a warning and the second value will mark the interface as down. Only after the value goes back below the first value will the interface be marked as back up. Thus with the default values the WAN interface will appear to go down if ping times go higher than 500ms for 10 seconds (the 'down' time).
                                  Hmm, I could have that wrong, it's been a while since I read that code.  ::)

                                  Try downloading something on the pfSense box directly to see if it's a problem with the WAN or LAN interface. 0.85Mbps is woefully low!  ???

                                  fetch -o /dev/null test_file_URL
                                  

                                  I use the test files at Thinkbroadband for this test but it completely depends where you are as to what you should use.

                                  [2.1.3-RELEASE][root@pfsense.fire.box]/root(1):  fetch -o /dev/null http://download.thinkbroadband.com/10MB.zip
                                  /dev/null                                     100% of   10 MB 2067 kBps
                                  
                                  

                                  Steve

                                    dolomite792

                                    Strange as I cannot even get that darn thing to download, no matter what I do.  I cannot even download those files onto my own computer from any link that I try from thinkbroadband.com

                                    So I went with another website with a Californian server and it's definitely slowness through the WAN interface

                                    /dev/null                                      33% of  11 MB  32 kBps

                                    It was averaging 32k to 45k all night and day.

                                    Any other ideas as to what we could do?  The Motorola radio that the pfSense router is connected to is using a direct WAN auto DHCP connection, I suppose to avoid issues with certain customers.  I am just wondering what the heck could be slowing things down so much; could there be DNS issues somewhere here?

                                      stephenw10 Netgate Administrator

                                      A DNS issue would not slow down a download like that, it might introduce a delay before it started downloading.

                                      My money is still on some problem between your Motorola device and the Alix NIC. Do you have a switch you could put in between them? That would change the link negotiation and flow control. It should show up any issues.

                                      Hard to say otherwise.  :-\ Is there a forum for users of your wireless service?

                                      Steve

                                        dolomite792

                                        I had to hook up my old router to post this, as the pfSense router would absolutely not give me access to the internet.  Check out the log: as it could not get an IP address from the ISP radio, it kept going up and down, up and down.  The speed was pitiful.  The log says something in regards to not being able to bind to the DHCP address and to make sure that it's not already in use, and I suppose that was in regards to my laptop being on the wifi?  My ISP is too small, there are no forums for it; I would have to contact the support people, but they would probably tell me to not even bother with the advanced security feature of a pfSense router and to go back to using my old router and be done with it.  This really sucks.

                                        May 18 12:08:02 php: rc.linkup: HOTPLUG: Configuring interface wan
                                        May 18 12:08:03 php: rc.linkup: Shutting down Router Advertisment daemon cleanly
                                        May 18 12:08:03 check_reload_status: Linkup starting vr1
                                        May 18 12:08:03 kernel: vr1: link state changed to UP
                                        May 18 12:08:03 php: rc.linkup: Clearing states to old gateway 10.XX.XX.1.
                                        May 18 12:08:05 check_reload_status: Linkup starting vr1
                                        May 18 12:08:05 kernel: vr1: link state changed to DOWN
                                        May 18 12:08:05 php: rc.linkup: The command '/sbin/dhclient -c /var/etc/dhclient_wan.conf vr1 > /tmp/vr1_output 2> /tmp/vr1_error_output' returned exit code '1', the output was ''
                                        May 18 12:08:06 check_reload_status: updating dyndns wan
                                        May 18 12:08:07 php: rc.newwanip: rc.newwanip: Informational is starting vr1.
                                        May 18 12:08:07 php: rc.newwanip: rc.newwanip: on (IP address: 0.0.0.0) (interface: WAN[wan]) (real interface: vr1).
                                        May 18 12:08:07 php: rc.newwanip: rc.newwanip: Failed to update wan IP, restarting…
                                        May 18 12:08:07 check_reload_status: Configuring interface wan
                                        May 18 12:08:08 kernel: vr1: link state changed to UP
                                        May 18 12:08:08 check_reload_status: Linkup starting vr1
                                        May 18 12:08:09 php: rc.linkup: DEVD Ethernet detached event for wan
                                        May 18 12:08:09 php: rc.interfaces_wan_configure: The command '/sbin/dhclient -c /var/etc/dhclient_wan.conf vr1 > /tmp/vr1_output 2> /tmp/vr1_error_output' returned exit code '15', the output was ''
                                        May 18 12:08:11 php: rc.linkup: DEVD Ethernet attached event for wan
                                        May 18 12:08:11 php: rc.linkup: HOTPLUG: Configuring interface wan
                                        May 18 12:08:14 check_reload_status: Linkup starting vr1
                                        May 18 12:08:14 kernel: vr1: link state changed to DOWN
                                        May 18 12:08:14 php: rc.linkup: DEVD Ethernet detached event for wan
                                        May 18 12:08:14 php: rc.linkup: Shutting down Router Advertisment daemon cleanly
                                        May 18 12:08:16 check_reload_status: updating dyndns wan
                                        May 18 12:08:16 check_reload_status: Linkup starting vr1
                                        May 18 12:08:16 kernel: vr1: link state changed to UP
                                        May 18 12:08:17 check_reload_status: Linkup starting vr1
                                        May 18 12:08:17 kernel: vr1: link state changed to DOWN
                                        May 18 12:08:17 php: rc.interfaces_wan_configure: The command '/sbin/dhclient -c /var/etc/dhclient_wan.conf vr1 > /tmp/vr1_output 2> /tmp/vr1_error_output' returned exit code '1', the output was ''
                                        May 18 12:08:18 php: rc.linkup: DEVD Ethernet attached event for wan
                                        May 18 12:08:18 php: rc.linkup: HOTPLUG: Configuring interface wan
                                        May 18 12:08:18 php: rc.linkup: Shutting down Router Advertisment daemon cleanly
                                        May 18 12:08:19 php: rc.linkup: The command '/sbin/dhclient -c /var/etc/dhclient_wan.conf vr1 > /tmp/vr1_output 2> /tmp/vr1_error_output' returned exit code '1', the output was ''
                                        May 18 12:08:21 php: rc.linkup: DEVD Ethernet detached event for wan
                                        May 18 12:08:21 php: rc.linkup: The command '/sbin/dhclient -c /var/etc/dhclient_wan.conf vr1 > /tmp/vr1_output 2> /tmp/vr1_error_output' returned exit code '15', the output was ''
                                        May 18 12:08:22 check_reload_status: Linkup starting vr1
                                        May 18 12:08:22 kernel: vr1: link state changed to UP
                                        May 18 12:08:23 php: rc.linkup: DEVD Ethernet attached event for wan
                                        May 18 12:08:23 php: rc.linkup: HOTPLUG: Configuring interface wan
                                        May 18 12:08:24 kernel: vr1: link state changed to DOWN
                                        May 18 12:08:24 check_reload_status: Linkup starting vr1
                                        May 18 12:08:25 php: rc.linkup: DEVD Ethernet detached event for wan
                                        May 18 12:08:26 php: rc.linkup: The command '/usr/local/sbin/dhcpd -user dhcpd -group _dhcp -chroot /var/dhcpd -cf /etc/dhcpd.conf -pf /var/run/dhcpd.pid vr0 ath0_wlan0' returned exit code '1', the output was 'Internet Systems Consortium DHCP Server 4.2.6 Copyright 2004-2014 Internet Systems Consortium. All rights reserved. For info, please visit https://www.isc.org/software/dhcp/ Wrote 14 leases to leases file. Listening on BPF/ath0_wlan0/00:0e:9b:99:db:f4/192.168.0.0/24 Sending on BPF/ath0_wlan0/00:0e:9b:99:db:f4/192.168.0.0/24 Listening on BPF/vr0/00:0d:b9:19:66:94/192.168.1.0/24 Sending on BPF/vr0/00:0d:b9:19:66:94/192.168.1.0/24 Can't bind to dhcp address: Address already in use Please make sure there is no other dhcp server running and that there's no entry for dhcp or bootp in /etc/inetd.conf. Also make sure you are not running HP JetAdmin software, which includes a bootp server. If you did not get this software from ftp.isc.org, please get the latest from ftp.isc.org and install that before
                                        May 18 12:08:27 check_reload_status: updating dyndns wan
                                        May 18 12:08:27 check_reload_status: Linkup starting vr1
                                        May 18 12:08:27 kernel: vr1: link state changed to UP
                                        May 18 12:08:27 check_reload_status: updating dyndns wan
                                        May 18 12:08:28 php: rc.linkup: Shutting down Router Advertisment daemon cleanly
                                        May 18 12:08:28 php: rc.linkup: DEVD Ethernet attached event for wan
                                        May 18 12:08:28 php: rc.linkup: HOTPLUG: Configuring interface wan

                                          stephenw10 Netgate Administrator

                                          It's actually seeing the ethernet link go down. I strongly suggest adding a switch in between the wireless device and the pfSense WAN port.
                                          What exactly is the Motorola equipment it's connected to?

                                          Steve
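
The link-state changes that this reply reads out of the log can be counted mechanically. This is an added example, not part of the thread: the log lines are excerpted from the post above, while the 60-second window and the four-change threshold are assumptions chosen for illustration.

```python
import re
from datetime import datetime

# Excerpt of the system log posted above (kernel link events plus a few
# dhclient failures and one unrelated line).
LOG = """\
May 18 12:08:03 kernel: vr1: link state changed to UP
May 18 12:08:05 kernel: vr1: link state changed to DOWN
May 18 12:08:05 php: rc.linkup: The command '/sbin/dhclient -c /var/etc/dhclient_wan.conf vr1 > /tmp/vr1_output 2> /tmp/vr1_error_output' returned exit code '1', the output was ''
May 18 12:08:06 check_reload_status: updating dyndns wan
May 18 12:08:08 kernel: vr1: link state changed to UP
May 18 12:08:09 php: rc.interfaces_wan_configure: The command '/sbin/dhclient -c /var/etc/dhclient_wan.conf vr1 > /tmp/vr1_output 2> /tmp/vr1_error_output' returned exit code '15', the output was ''
May 18 12:08:14 kernel: vr1: link state changed to DOWN
May 18 12:08:16 kernel: vr1: link state changed to UP
May 18 12:08:17 kernel: vr1: link state changed to DOWN
May 18 12:08:17 php: rc.interfaces_wan_configure: The command '/sbin/dhclient -c /var/etc/dhclient_wan.conf vr1 > /tmp/vr1_output 2> /tmp/vr1_error_output' returned exit code '1', the output was ''
May 18 12:08:22 kernel: vr1: link state changed to UP
May 18 12:08:24 kernel: vr1: link state changed to DOWN
May 18 12:08:27 kernel: vr1: link state changed to UP
""".splitlines()

LINK_RE = re.compile(
    r"^(\w{3} +\d+ [\d:]{8}) kernel: (\w+): link state changed to (UP|DOWN)$")
DHCLIENT_RE = re.compile(
    r"/sbin/dhclient -c \S+ (\w+) .*returned exit code '(\d+)'")


def _ts(stamp):
    # Syslog stamps carry no year; 2000 is a placeholder so parsing is complete.
    return datetime.strptime("2000 " + stamp, "%Y %b %d %H:%M:%S")


def link_events(lines, iface):
    """Ordered (time, state) pairs for one interface."""
    events = []
    for line in lines:
        m = LINK_RE.match(line.strip())
        if m and m.group(2) == iface:
            events.append((_ts(m.group(1)), m.group(3)))
    return events


def summarize(lines, iface, window_s=60, max_changes=4):
    """Flag an interface whose link changes state too often to hold a lease."""
    events = link_events(lines, iface)
    # How long the link stayed up each time before dropping again.
    up_spans = [(b[0] - a[0]).total_seconds()
                for a, b in zip(events, events[1:])
                if a[1] == "UP" and b[1] == "DOWN"]
    # Largest number of state changes inside any window_s-second span.
    worst = 0
    for i, (start, _) in enumerate(events):
        in_window = sum(1 for t, _ in events[i:]
                        if (t - start).total_seconds() <= window_s)
        worst = max(worst, in_window)
    dhclient_failures = sum(
        1 for line in lines
        if (m := DHCLIENT_RE.search(line))
        and m.group(1) == iface and m.group(2) != "0")
    return {
        "changes": len(events),
        "max_changes_in_window": worst,
        "shortest_up_s": min(up_spans) if up_spans else None,
        "dhclient_failures": dhclient_failures,
        "flapping": worst > max_changes,
    }


if __name__ == "__main__":
    print(summarize(LOG, "vr1"))
```

On this excerpt the link never stays up for more than six seconds, so the DHCP client has little chance of finishing before the next drop.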

                                            dolomite792

                                            What kind of switch should I use?  I have this simple one, a TP-LINK TL-SF1008D; would this suffice?  I'm thinking that you mean a managed switch?  I have my ddwrt wrt54gl that I could set up to be a switch.  So I'm looking for link negotiation and flow control.  So now I've been reading some things about negotiation and flow control; I should be able to find evidence of one device receiving too much information and causing a major pause in the traffic?  Even though they are both set to auto negotiate.  I believe this to be the issue, as if I watch the main pfSense splash page the WAN link will go up and down, up and down, constantly trying to negotiate the connection.  Then when it does, it's slow as molasses.  I suppose if I tell my ISP to set the link speed manually on the radio to a certain speed and I also do the same on the pfSense box, that might be interesting to see.  Although I'm kind of doubtful that anything would happen.

                                            *** I just realized that the ethernet errors that you are seeing were probably caused when I unplugged the power to the Motorola unit to reboot it.***  I did that frequently or else it takes forever to negotiate a connection with the pfsense box.

                                            There is a simple ethernet cable connected to the Motorola radio that comes down from the roof to my router.  So it is a direct connection.

                                            Also, I did a search on pfSense and link negotiation issues and this topic in these forums came up; do you think this is useful?

                                            https://forum.pfsense.org/index.php?topic=8440.0
