Massive performance issues on some websites



  • I'm in the process of migrating away from our current UTM (Endian) to pfSense but am having a number of issues in the process, the biggest one being extremely slow page loads, but only on some websites.  When I switch back to Endian from pfSense the websites load quickly as expected.  I've tried disabling snort on the WAN interface to no avail.
    Both UTMs are running on ESXi 5.5, Endian with 1gb RAM and 2vCPU and pfSense with 2gb/2vCPU.  Both UTMs use the same DNS, physical NICs, and 10mb WAN connection.  Endian is running VMXNET3 NICs and pfSense running E1000 as per the virtualisation guidelines.
    During the page loads for these sites I have esxtop open monitoring the network and vSphere performance monitor open showing realtime overview.
    During the page loads the CPU usage remains low (About 150mHz) and memory remains mostly consumed (I'm guessing like SQL boxes it just uses the maximum amount of memory available to it?).

    As a comparison Youtube over HTTPs takes about 2 seconds to fully load the page on Endian compared to about 15 seconds on pfSense.
    Some sites fail to load at all (Firewall shows no blocks relating to these sites) or sometimes after multiple refreshes may load but can take 30 seconds or more to load a page that would normally load in <5.

    Also not sure if it is related but the auto update in pfSense fails, but if I copy the URL to my browser it loads quite fine.

    Downloading new version information…done
    Unable to check for updates.
    Could not contact pfSense update server https://updates.pfsense.org/_updaters/amd64

    If anyone could give some pointers on why these issues might be occurring it would be greatly appreciated as being unable to migrate to pfSense means we're unable to complete some other planned projects as well (Due to Endian's 4 interface limits).



  • Seems you have DNS issues.
    I will recommend you edit your /etc/resolv.conf and add your DNS server in the first line:

    nameserver 10.0.0.1
    

    Do not use unbound for DNS.
    If you don't have a local DNS server, use one that's near you, or google's 8.8.4.4



  • @jfranco:

    Seems you have DNS issues.
    I will recommend you edit your /etc/resolv.conf and add your DNS server in the first line:

    nameserver 10.0.0.1
    

    Do not use unbound for DNS.
    If you don't have a local DNS server, use one that's near you, or google's 8.8.4.4

    Definitely not a DNS issue.  Our internal network references an internal DNS which is setup with forwarders to our ISP and OpenDNS so that wouldn’t stop machines internally from connecting.  Because of the auto update issue I double checked the DNS settings in pfSense and they are configured correctly (To OpenDNS via WAN gateway), just in case pfSense didn’t update its host OS I checked the resolv.conf and it’s applied correctly there too (127.0.0.1 followed by the 2 OpenDNS servers).


  • LAYER 8 Netgate

    I'm out of my lane but those who know will want to know what packages you're running (snort, squid, squidguard, havp, etc.)



  • @Derelict:

    I'm out of my lane but those who know will want to know what packages you're running (snort, squid, squidguard, havp, etc.)

    Only Snort and Open VM Tools



  • Only snort huh?


  • Banned

    Disable Snort and report back



  • @kejianshi:

    Only snort huh?

    And Open VM tools.



  • Banned

    Leave it on one at a time….



  • @Supermule:

    Disable Snort and report back

    That was one of the first things I tried.  Mentioned that in my OP

    @Supermule:

    Leave it on one at a time….

    I'm not sure what you mean by that?



  • I agree with super mule - Turning of snort has occasionally been known to help performance - From time to time.
    The same way not being DDOSed helps with performance….

    You said you are running two packages.
    I think supermule meant try disabling one, and then the other separately to see which is causing the problem.



  • @kejianshi:

    I agree with super mule - Turning of snort has occasionally been known to help performance - From time to time.
    The same way not being DDOSed helps with performance….

    I've tried with Snort enabled (When I first tried to switch over to pfSense) and then with it disabled to try and narrow down the cause of the issues I'm having.
    Considering it's a fresh install with minimal packages added I'm a bit stumped as to why these issues are occurring, and even more stumped that I can't see anything being blocked or high use in any resources >:(



  • Pfsense works well and works fast.  Its either a package, a misconfiguration, your DNS or something like that that is causing your problems.

    What are you using for DNS?  Can we see the list that appears on the main page to the left?



  • @kejianshi:

    Pfsense works well and works fast.  Its either a package, a misconfiguration, your DNS or something like that that is causing your problems.

    What are you using for DNS?  Can we see the list that appears on the main page to the left?

    As mentioned previously, it is 127.0.0.1 followed by the two OpenDNS servers.
    Here is a screenshot that shows details I have already given.




  • Try changing DNS to 8.8.8.8 and 8.8.4.4 just for a little while and reboot.

    See if it helps.

    If thats not the issue, can we see your lan and wan firewall rules?

    "unable to check for updates" seems like something very basic is broken.


  • Banned

    Why are you unable to check for updates??



  • @kejianshi:

    Try changing DNS to 8.8.8.8 and 8.8.4.4 just for a little while and reboot.

    See if it helps.

    If thats not the issue, can we see your lan and wan firewall rules?

    "unable to check for updates" seems like something very basic is broken.

    100% sure that won't help.  We've used OpenDNS for years without an issue and it works fine in Endian.
    Not to mention that internally the DNS saved in the firewall isn't even used as we use our own internal DNS server.



  • @Supermule:

    Why are you unable to check for updates??

    I'm not sure.  If I copy and paste the update link from the failure message it loads on my PC fine and the package list updates on pfSense fine so I'm still really dumbfounded.

    Offtopic:  Slightly jealous of your speed there  :-\  Management won't spend more on a faster link (Currently 10mb) and home internet is worse :(



  • Please just try google DNS just to placate my silly whims.


  • Banned

    Pls. try Google DNS to see if the issue persits…

    @justin.j:

    @Supermule:

    Why are you unable to check for updates??

    I'm not sure.  If I copy and paste the update link from the failure message it loads on my PC fine and the package list updates on pfSense fine so I'm still really dumbfounded.

    Offtopic:  Slightly jealous of your speed there  :-\  Management won't spend more on a faster link (Currently 10mb) and home internet is worse :(



  • Same issue with Google DNS.




  • What is your wan IP? Is it public or private?


  • Banned

    We need access to that box because something is wrong.

    And I bet thats why its slow. Are you using any specified GW's on any other interface than WAN??



  • Yep - But I hate to ask.  People are paranoid you know…



  • @kejianshi:

    What is your wan IP? Is it public or private?

    WAN IPs are public (Only 1 IP currently in use in our IP range).

    @Supermule:

    We need access to that box because something is wrong.

    And I bet thats why its slow. Are you using any specified GW's on any other interface than WAN??

    Only 1 gateway specified and that's the WAN IF.  Remote access won't be possible, IT manager would lose his &#@&.

    I'm in the process of setting up a 2nd pfSense VM (With only Open VM Tools installed) from the 2.1.5 install image and I'll manually setup rules and config again so no bad config comes across.  If I can get it working like that then I'll add snort back in and hope that it all works.



  • That sounds like a reasonable action.


  • Netgate Administrator

    Ipv4/v6 issue can cause update check failure.

    https://doc.pfsense.org/index.php/Controlling_IPv6_or_IPv4_Preference

    Could it be ipv6 enabled sites that are loading slowly?

    Steve


Log in to reply