Vlans behind PFSense Slow
-
Hello,
We recently installed 2 PFSense firewalls and everything is up and running.
Now customers complain that everything is very slow in their networks (every customer has its own VLAN). VLANs are configured on our Layer 3 switches (HP).
Let's say we have a hosted Exchange on VLAN 100 and Customer A on VLAN 200. In our previous setup (with GTA firewalls) everything was running fast. Now browsing through mail is 10 times slower.
Does anyone have any idea based on this? I can give more details...
Thanks already
-
If you are routing between VLAN 100 and VLAN 200 on a layer 3 switch, pfSense isn't involved at all.
-
There is no routing between VLANs. ACLs are configured so that no VLAN can access another VLAN.
If a customer opens Outlook, then Outlook does a lookup through the internet (DNS).
-
> There is no routing between VLANs. ACLs are configured so that no VLAN can access another VLAN.
> If a customer opens Outlook, then Outlook does a lookup through the internet (DNS).

So you are going vlan200 --> pfsense --> internet --> pfsense --> vlan 100??? Why would you want to do that???
-
Then don't call it a layer 3 switch. I'm trying to get my head around you configuring a layer 3 switch with ACLs preventing vlans from accessing each other. Need more info. This makes no sense.
-
Every VLAN is a customer's domain (DC - RDS - SQL).
Our hosted Exchange infra is also a VLAN.
No customer needs to be aware of other customers on our IaaS.
-
Huh?? You have no need of a layer 3 switch in this setup. VLANs cannot talk to each other without going through a layer 3 device to route the traffic. In your case this would be pfSense.
Where exactly are your customers? This sounds like a hosted setup somewhere in a DC, and your customers are not really in the DC. So where exactly are the customers, are they coming from the internet to their VLAN via ?? Just to then go back out to pfSense to get to Exchange?
You say 2 pfSense, so you have them in a CARP setup? A bit more detail is going to be required to help you figure out where any sort of bottleneck might be.
-
I've added my layer 2 and 3 design as pictures.
Indeed, this is a hosted setup in a datacenter. All customers make connections over the internet to their network (VLAN).
Take a look at the pictures. The layer 2 picture is not correct... eth 2 on A to eth 3 on B is PFSYNC in the PFSense setup... forgot to correct that.
Our problem is that with our GTA firewalls we had no complaining customers, but with the PFSense firewalls customers have 10 times slower internet browsing, browsing their mail is slow, and even apps in their VLANs are very slow.
For now I put back the GTA and everything is fine again.
![Infrastructuur design v1 0 laag 2.png](/public/imported_attachments/1/Infrastructuur design v1 0 laag 2.png)
![Infrastructuur design v1 0.png](/public/imported_attachments/1/Infrastructuur design v1 0.png)