PFSense with Squid Proxy = Slow Download on Comcast Only

  • We have four offices that each have a pfSense firewall set up (version 2.1.3 amd64).
    Two offices have Comcast for internet connectivity, the other two have Windstream and CenturyLink DSL.
    What is strange is that I have every office set up with identical configurations for the basic (stable release) squid package. At the offices with Comcast, when bypassing the proxy I can get about 18Mb down and 2.5Mb up (full speed); using the Squid proxy I only get 2.8Mb down and 2.5Mb up.
    Now, at the sites using non-Comcast connections, there is only a small hit to upload speed when using the squid proxy.

    For squid, we are using default configurations; the only alteration I have made was from this guide:

    'Change kern.ipc.nmbclusters="0" to kern.ipc.nmbclusters="32768"'

    That's it. I did try with the default setting 'kern.ipc.nmbclusters="0"' and can see no difference.

    I/O errors are 0/0

    Perhaps something needs to be tweaked for Comcast? If so, I have no idea what would need to change, and that's why I am here.

    Every office is running pfSense in a VM on ESXi 5.1. Hardware is the same across the board too: Dell 2950 w/3.0GHz, 32GB RAM, 6 x 146GB 15k in RAID 10.

    Any help would be much appreciated. Thanks!

  • OK, well now I'm getting speed tests that are 90% of the time capped at 3Mb, then sometimes jump to 18Mb or so. Same thing at both locations. Can't make any sense of it all. Only happening on Comcast internet connections.

  • Hello.
    I wonder if both our issues could be somehow connected…
    We're not on the same ISP, though.
    Do you feel slowness on VLAN to VLAN too?

  • Possibly. There seems to be a hard cap at 3Mb and about 2-2.5 on upload. I don't have VLANs set up though, but I too cannot find anything in the logs that would give a clue as to where the restriction is. It's very odd… I am not running the proxy in transparent mode as I have a .pac file that points systems to the proxy. I have tried running in transparent mode by manually setting a client PC to pfSense as the gateway, and the problem goes away. Since I will eventually replace my original firewalls with the pfSense ones, this will be a non-issue soon.

