Odd DNS Issue Causes SMB Transfer Slowness



  • I have an internal DNS server running for local servers. I just started using Unbound for a backup DNS on PFSense. When I have 127.0.0.1 in the General Setup for entry 1, SMB speeds are pretty good. If I remove or change the order in General Setup so 127.0.0.1 is not first or not in the list SMB speeds slow to a crawl. Why is this?


  • LAYER 8 Global Moderator

    Yeah that makes no sense, and smb speeds to from what?  Once you resolve the fqdn of where your trying to access dns has nothing to do with the actual smb transfer.



  • When they slowed after changing 127 to spot 2 in general speed was 137KB. After putting it back to spot 1 they were 5MB+ over wifi to the server connected via wired.

    EDIT: SMB and DNS are on the same network/LAN



  • Mucking with that is doing nothing to SMB at all. Whether or not the firewall itself uses localhost for DNS resolution has no impact on clients. DNS also has no impact on transfer speed once it's running - client does a DNS lookup, starts transfer to resulting IP, never does anything with DNS again for the duration of the transfer. There is something else going on, and it's almost certainly not related to the firewall at all given that traffic isn't touching it.



  • I am able to reproduce the slowness. I left 127 in spot 2 for an hour and transferred small files over. After an hour I switched 127 to spot 1 and waited a couple min and transferred over wifi it jumped up to 5+MB. Did that for an hour and then switched back and it dropped down to 140KB when I put 127 to another spot.  Where can I look to see why this is getting affected.



  • packet capture from the affected client machine and see what it's doing or not doing.


  • LAYER 8 Global Moderator

    Yeah some sort of information is missing here because dns just has nothing to do with this at all..  And as mentioned your not even moving packets through pfsense..  Do a sniff of your fast transfer, then do a sniff when you say its slow and we can see what is going on.



  • 14:26:41.306997 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 49)
        192.168.1.30.42027 > 192.168.1.255.32412: UDP, length 21
    14:26:41.307097 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 49)
        192.168.1.30.56755 > 192.168.1.255.32414: UDP, length 21
    14:26:46.307053 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 49)
        192.168.1.30.42027 > 192.168.1.255.32412: UDP, length 21
    14:26:46.307060 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 49)
        192.168.1.30.56755 > 192.168.1.255.32414: UDP, length 21
    14:26:51.307012 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 49)
        192.168.1.30.42027 > 192.168.1.255.32412: UDP, length 21
    14:26:51.307030 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 49)
        192.168.1.30.56755 > 192.168.1.255.32414: UDP, length 21
    14:26:56.307065 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 49)
        192.168.1.30.42027 > 192.168.1.255.32412: UDP, length 21
    14:26:56.307082 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 49)
        192.168.1.30.56755 > 192.168.1.255.32414: UDP, length 21
    14:27:01.307023 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 49)
        192.168.1.30.42027 > 192.168.1.255.32412: UDP, length 21
    14:27:01.307037 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 49)
        192.168.1.30.56755 > 192.168.1.255.32414: UDP, length 21
    14:27:06.306978 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 49)
        192.168.1.30.42027 > 192.168.1.255.32412: UDP, length 21
    14:27:06.307077 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 49)
        192.168.1.30.56755 > 192.168.1.255.32414: UDP, length 21
    14:27:11.307035 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 49)
        192.168.1.30.42027 > 192.168.1.255.32412: UDP, length 21
    14:27:11.307051 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 49)
        192.168.1.30.56755 > 192.168.1.255.32414: UDP, length 21
    14:27:16.306990 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 49)
        192.168.1.30.42027 > 192.168.1.255.32412: UDP, length 21
    14:27:16.307089 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 49)
        192.168.1.30.56755 > 192.168.1.255.32414: UDP, length 21
    14:27:21.307047 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 49)
        192.168.1.30.42027 > 192.168.1.255.32412: UDP, length 21
    14:27:21.307063 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 49)
        192.168.1.30.56755 > 192.168.1.255.32414: UDP, length 21
    14:27:26.307002 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 49)
        192.168.1.30.42027 > 192.168.1.255.32412: UDP, length 21
    14:27:26.307018 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 49)
        192.168.1.30.56755 > 192.168.1.255.32414: UDP, length 21
    14:27:28.812373 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 245)
        192.168.1.30.138 > 192.168.1.255.138: NBT UDP PACKET(138)
    14:27:28.812409 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 238)
        192.168.1.30.138 > 192.168.1.255.138: NBT UDP PACKET(138)
    14:27:31.307059 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 49)
        192.168.1.30.42027 > 192.168.1.255.32412: UDP, length 21
    14:27:31.307073 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 49)
        192.168.1.30.56755 > 192.168.1.255.32414: UDP, length 21
    14:27:36.307015 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 49)
        192.168.1.30.42027 > 192.168.1.255.32412: UDP, length 21
    14:27:36.307032 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 49)
        192.168.1.30.56755 > 192.168.1.255.32414: UDP, length 21
    14:27:41.307071 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 49)
        192.168.1.30.42027 > 192.168.1.255.32412: UDP, length 21
    14:27:41.307086 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 49)
        192.168.1.30.56755 > 192.168.1.255.32414: UDP, length 21
    14:27:46.307026 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 49)
        192.168.1.30.42027 > 192.168.1.255.32412: UDP, length 21
    14:27:46.307041 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 49)
        192.168.1.30.56755 > 192.168.1.255.32414: UDP, length 21
    14:27:51.307082 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 49)
        192.168.1.30.42027 > 192.168.1.255.32412: UDP, length 21
    14:27:51.307097 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 49)
        192.168.1.30.56755 > 192.168.1.255.32414: UDP, length 21
    14:27:56.307038 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 49)
        192.168.1.30.42027 > 192.168.1.255.32412: UDP, length 21
    14:27:56.307055 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 49)
        192.168.1.30.56755 > 192.168.1.255.32414: UDP, length 21
    14:28:01.307094 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 49)
        192.168.1.30.42027 > 192.168.1.255.32412: UDP, length 21
    14:28:01.307108 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 49)
        192.168.1.30.56755 > 192.168.1.255.32414: UDP, length 21
    14:28:06.307055 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 49)
        192.168.1.30.42027 > 192.168.1.255.32412: UDP, length 21
    14:28:06.307079 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 49)
        192.168.1.30.56755 > 192.168.1.255.32414: UDP, length 21
    14:28:11.307006 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 49)
        192.168.1.30.42027 > 192.168.1.255.32412: UDP, length 21
    14:28:11.307024 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 49)
        192.168.1.30.56755 > 192.168.1.255.32414: UDP, length 21
    14:28:16.307062 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 49)
        192.168.1.30.42027 > 192.168.1.255.32412: UDP, length 21
    14:28:16.307074 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 49)
        192.168.1.30.56755 > 192.168.1.255.32414: UDP, length 21
    14:28:21.307019 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 49)
        192.168.1.30.42027 > 192.168.1.255.32412: UDP, length 21
    14:28:21.307037 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 49)
        192.168.1.30.56755 > 192.168.1.255.32414: UDP, length 21
    14:28:26.306974 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 49)
        192.168.1.30.42027 > 192.168.1.255.32412: UDP, length 21
    14:28:26.307074 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 49)
        192.168.1.30.56755 > 192.168.1.255.32414: UDP, length 21
    14:28:31.307031 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 49)
        192.168.1.30.42027 > 192.168.1.255.32412: UDP, length 21
    14:28:31.307046 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 49)
        192.168.1.30.56755 > 192.168.1.255.32414: UDP, length 21
    14:28:36.306989 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 49)
        192.168.1.30.42027 > 192.168.1.255.32412: UDP, length 21
    14:28:36.307087 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 49)
        192.168.1.30.56755 > 192.168.1.255.32414: UDP, length 21
    14:28:41.307046 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 49)
        192.168.1.30.42027 > 192.168.1.255.32412: UDP, length 21
    14:28:41.307062 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 49)
        192.168.1.30.56755 > 192.168.1.255.32414: UDP, length 21
    14:28:46.307004 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 49)
        192.168.1.30.42027 > 192.168.1.255.32412: UDP, length 21
    14:28:46.307021 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 49)
        192.168.1.30.56755 > 192.168.1.255.32414: UDP, length 21
    14:28:51.307062 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 49)
        192.168.1.30.42027 > 192.168.1.255.32412: UDP, length 21
    14:28:51.307078 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 49)
        192.168.1.30.56755 > 192.168.1.255.32414: UDP, length 21
    14:28:56.307019 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 49)
        192.168.1.30.42027 > 192.168.1.255.32412: UDP, length 21
    14:28:56.307034 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 49)
        192.168.1.30.56755 > 192.168.1.255.32414: UDP, length 21
    14:28:58.148079 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 245)
        192.168.1.30.138 > 192.168.1.255.138: NBT UDP PACKET(138)
    14:28:58.148103 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 245)
        192.168.1.30.138 > 192.168.1.255.138: NBT UDP PACKET(138)
    14:29:01.168783 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 96)
        192.168.1.30.137 > 192.168.1.255.137: NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
    14:29:01.168799 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 96)
        192.168.1.30.137 > 192.168.1.255.137: NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
    14:29:01.168805 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 96)
        192.168.1.30.137 > 192.168.1.255.137: NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
    14:29:01.168810 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 96)
        192.168.1.30.137 > 192.168.1.255.137: NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
    14:29:01.168813 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 96)
        192.168.1.30.137 > 192.168.1.255.137: NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
    14:29:01.168982 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 245)
        192.168.1.30.138 > 192.168.1.255.138: NBT UDP PACKET(138)
    14:29:01.168987 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 78)
        192.168.1.30.137 > 192.168.1.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
    14:29:01.307077 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 49)
        192.168.1.30.42027 > 192.168.1.255.32412: UDP, length 21
    14:29:01.307083 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 49)
        192.168.1.30.56755 > 192.168.1.255.32414: UDP, length 21
    14:29:03.510897 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 96)
        192.168.1.30.137 > 192.168.1.255.137: NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
    14:29:03.510903 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 96)
        192.168.1.30.137 > 192.168.1.255.137: NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
    14:29:03.510907 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 96)
        192.168.1.30.137 > 192.168.1.255.137: NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
    14:29:03.510911 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 96)
        192.168.1.30.137 > 192.168.1.255.137: NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
    14:29:03.510997 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 96)
        192.168.1.30.137 > 192.168.1.255.137: NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
    14:29:03.511001 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 78)
        192.168.1.30.137 > 192.168.1.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
    14:29:03.511005 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 96)
        192.168.1.30.137 > 192.168.1.255.137: NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
    14:29:03.511009 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 96)
        192.168.1.30.137 > 192.168.1.255.137: NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
    14:29:03.511012 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 96)
        192.168.1.30.137 > 192.168.1.255.137: NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
    14:29:03.511016 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 96)
        192.168.1.30.137 > 192.168.1.255.137: NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
    14:29:03.511019 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 96)
        192.168.1.30.137 > 192.168.1.255.137: NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
    14:29:03.511023 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 78)
        192.168.1.30.137 > 192.168.1.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
    14:29:05.275271 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 96)
        192.168.1.30.137 > 192.168.1.255.137: NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
    14:29:05.275281 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 96)
        192.168.1.30.137 > 192.168.1.255.137: NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
    14:29:05.275286 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 96)
        192.168.1.30.137 > 192.168.1.255.137: NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
    14:29:05.275290 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 96)
        192.168.1.30.137 > 192.168.1.255.137: NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
    14:29:05.275293 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 96)
        192.168.1.30.137 > 192.168.1.255.137: NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
    14:29:05.275297 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 78)
        192.168.1.30.137 > 192.168.1.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
    14:29:06.307035 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 49)
        192.168.1.30.42027 > 192.168.1.255.32412: UDP, length 21
    14:29:06.307134 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 49)
        192.168.1.30.56755 > 192.168.1.255.32414: UDP, length 21
    14:29:08.279010 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 220)
        192.168.1.30.138 > 192.168.1.255.138: NBT UDP PACKET(138)
    14:29:10.281121 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 220)
        192.168.1.30.138 > 192.168.1.255.138: NBT UDP PACKET(138)
    14:29:11.306993 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 49)
        192.168.1.30.42027 > 192.168.1.255.32412: UDP, length 21
    14:29:11.307093 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 49)
        192.168.1.30.56755 > 192.168.1.255.32414: UDP, length 21
    14:29:12.283245 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 220)
        192.168.1.30.138 > 192.168.1.255.138: NBT UDP PACKET(138)
    14:29:14.285360 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 220)
        192.168.1.30.138 > 192.168.1.255.138: NBT UDP PACKET(138)
    14:29:16.287579 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 220)
        192.168.1.30.138 > 192.168.1.255.138: NBT UDP PACKET(138)
    14:29:16.287592 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 96)
        192.168.1.30.137 > 192.168.1.255.137: NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
    14:29:16.307050 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 49)
        192.168.1.30.42027 > 192.168.1.255.32412: UDP, length 21
    14:29:16.307056 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 49)
        192.168.1.30.56755 > 192.168.1.255.32414: UDP, length 21



  • There's not even an attempt to transfer a file there. Though I'd expect that if you captured from the LAN of the firewall, given that internal SMB traffic doesn't touch it. What were you doing when capturing that, and from where was the capture taken?


  • LAYER 8 Global Moderator

    Capture on the machine your wanting to transfer from, ie the pc your using.. Be it your pulling a file down from a share or putting a file on a share.  The PC your using will show us the transfer.  As already stated multiple times if your moving a file to or from a machine on the same network segment pfsense doesn't even see or touch that traffic.  So how would its dns settings slow anything down.

    Also is hard to view details in that sort of info - upload the the actual capture.  You can make it anon if you want with a tool such as https://www.tracewrangler.com/

    But if your just doing a file copy via smb, etc.  There really shouldn't be any data in there other than maybe the username and password you use to auth to the share - just create a test account before you do the sniff and use that, etc..



  • Cap Int: LAN
    Proto: UDP
    IP: storage server IP 1.30
    Action: Open Network Share and File Transfer


  • LAYER 8 Global Moderator

    that is just broadcast traffic - again as stated pfsense is not going to see transfer between 2 boxes on the same network segment..


  • LAYER 8 Netgate

    The only thing I can think of is we're really not talking about transfer rate but session start timeouts.  Maybe OP's transferring a lot of little files and each transfer is dependent on DNS for something and has to timeout every time with one specific order of nameservers.  Just guessing.


  • LAYER 8 Global Moderator

    I don't even see any dns queries in there.. What I do see is prob plex which I believe uses that 32414 and 12 ports..  And some netbios stuff to ports 137 and 138 broadcast which pfsense is never going to answer anyway since it doesn't do any sort of wins support, etc.  Even if that is what the traffic was - which I doubt since wins traffic is not broadcasted..

    OP how are you access the shares via fqdn or IP?  If your access shares like \1.2.3.4 then dns is never going to be invovled.  If your doing \hostname or \hostname.something.tld then you could do a dns query for that, hostname is not good way to expect dns to respond anyway.

    It can work with suffix search added by client, etc..

    If you post a sniff of your file transfer working how you want (fast) and then when its slow we can take a look and help you figure out what the slow down is - but it sure is not going to have anything to do with pfsense.



  • Found out res was through the FW and not through the local DNS server.



  • No plex


  • LAYER 8 Netgate

    It's on you to provide more info.  I have no idea what that means.


  • LAYER 8 Global Moderator

    @ghostshell:

    No plex

    I would beg to differ to be honest..

    14:26:41.306997 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 49)
        192.168.1.30.42027 > 192.168.1.255.32412: UDP, length 21
    14:26:41.307097 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 49)
        192.168.1.30.56755 > 192.168.1.255.32414: UDP, length 21

    Clearly 192.168.1.30 is broadcasting traffic on well known plex ports..

    https://support.plex.tv/hc/en-us/articles/201543147-What-network-ports-do-I-need-to-allow-through-my-firewall-
    The following ports are also used for different services:

    UDP: 1900 (for access to the Plex DLNA Server)
        UDP: 5353 (for older Bonjour/Avahi network discovery)
        UDP: 32410, 32412, 32413, 32414 (for current network discovery)
        TCP: 32469 (for access to the Plex DLNA Server)

    While sure it could be something else - this is the only use of those ports that I am aware of.. Without seeing the actual sniff that can open in wireshark or something - that would be my guess to what the traffic is.

    And again - this traffic has nothing to do with file transfers between 2 boxes on the 192.168.1.0/24 network - since pfsense would never even see that traffic.  This is just typical broadcast noise..


Log in to reply