Slow throughput on WAN through PFSense



  • I have a Dell PIII 1ghz machine w/ 384 MB RAM.  I have three NICs installed.  Two 3com NICs and one Linksys.  The Linksys will be for a VPN DSL connection, but for right now I have the opt1 interface disabled.

    My 7mbps/384kbps cable modem gets speedtests of about 6.5mbps when directly connected to a computer or through a Linksys router.  When I connect that same modem to my new PFSense install I get tests from 200k-600k.  Also, the Speedtest.net test jumps around as if there are bursts of packets coming in.  Its not just a Speedtest where the speed difference is noticeable either, the general internet is VERY slow.  My system is setup like this:

    LAN (26 comps) –--> Cisco 3500XL Switch -----> PFSense -----> WAN (7mbps Cable modem)
                                                                                ______> DSL modem for VPN

    All the NICs are on separate IRQs, and I have tried switching the WAN interface over to the Linksys NIC, but to no avail.  I have also tried bypassing the 3500 switch with a Linksys 4 port switch, but it seems to have the same results.  When I type vmstat -i in the shell, it shows an interrupt rate up over 1000, but with all the NICs having their own IRQ channel, should that affect anything?

    Thanks in advance!



  • Check for duplex issues / auto speed negotiation issues.



  • The modem is a 100mb full duplex, and that's what PFSense says it is.  Also, the LAN going to the Catalyst Switch is 100mb full duplex as it should be.



  • Do you see interface errors at status>interfaces on any of the interfaces? anything obvious in the systemlogs like links going up and down? Do you use the trafficshaper?



  • Don't use trafficshapper, and the status>interfaces shows no collisions or errors.  Nothing seems out of the ordinary in the system log.  Also, the MTU is set to 1500, but I've tried it at 1492 and auto to no avail.

    Thanks!



  • Are you running any packages on your system? Do you see high cpu load when doing the tests?



  • No packages.  I see the rdgraph for CPU run up to about 80 at some points but is generally lower.  The high CPU could be from changes I'm making in the GUI as well.

    Thank you again for your prompt replies!



  • You are welcome but I'm almost out of ideas. Did you try to change the cables already? Some pretty short cables can cause funny issues sometimes.



  • the general internet is VERY slow.

    When i looked at that i thought it "might" be the DNS resolving. (i just encoutered something like that).

    Are you sure you have ticked the "Allow DNS server list to be overridden by DHCP/PPP on WAN" box on "General Setup".

    Can you test if is faster if you enter 208.67.220.220 and 208.67.220.222 as DNS Servers on a Client statically?



  • I don't think its a DNS issue, because it seems to resolve DNS queries fairly quickly. Also, override is set to allow.  I just tried abandoning the old hardware in favor of a new machine.  The new machine has a Linksys NIC and an integrated Intel? NIC.  The same problems persist on the new machine.  Completely new hardware.  Even have tried bypassing the Cisco switch again, but no luck.  Speed tests are running 250ish if they run at all.  In Wireshark I'm getting a lot of incorrect checksum errors.  Could this be causing the speed issues due to retransmitting packets?

    The new machine is a older Dell Optiplex w/ 667mhz processor and 384 RAM.  I took out the opt1 NIC just to eliminate some variables.

    Update:  Moved it to a 933mhz machine with 384 of ram.  Fresh install of PFSense.



  • Another update:

    I disabled Hardware Checksum Offloading in the System > Advanced page.  This seemed to help out quite a bit because I can get speed tests at 6000k sometimes, but most of the time it runs around 500k.  When I run it through an elcheapo Linksys router, I can get stable 6000k.  The CPU (933mhz) shows around 20% utilization most of the time.  Seems like the only time the CPU pegs is when I change something from the GUI.  There are no firewall rules except the default pass all.

    Thanks again!



  • I would change your NICS out and use genuine Intel NICS.



  • I've tried 3Com, Linksys, and put the LAN on an old Intel NIC, but they all seem about the same.  My current config has three Linksys NICs.  Is that something that would really kill the bandwidth that much?  Also, do you think the problem persists across all three of the vendors I've tried?  If it is the NICs it won't be hard to go find a decent NIC on eBay.



  • I would use ALL intel Nics, not mixing and matching.  And yes, I would not personally trust linksys NICS under FreeBSD.



  • Are there any other ideas before I pull these NICs and order off ebay?  Also, any recommendation for specific NICs from Intel?  I'm not looking for huge throughput.  Just about 30 (not all on all the time) machines connecting to a 7mbps cable modem and a few VPN clients connecting to a DSL.



  • Intel(R) PRO/1000



  • Does the Intel Pro/100 S give significant gain for IPSec VPN encryption?  Also, would it be okay to run one Pro/100 S say for the VPN connection and a couple regular desktop NICs for the LAN and regular WAN?



  • I would use matched NICS, really.  And no, the nics will not add throughput to your VPN other than being a cleaner "nic" for FreeBSD.



  • The Server NIC has onboard IPSec encryption offloading.



  • @dhudson4god:

    The Server NIC has onboard IPSec encryption offloading.

    I don't think that is supported, sorry.



  • I appreciate all of your guy's help.  I had heard that the support forum for PFSense is one of its greatest features.  I heard right!  I'll try a few new cards and report back with the results.



  • I would still check your speed/duplex, try forcing it to 100/full or auto, or even 10/full.  It looks like your problem is just that.  If not, try and get your hand on some intel cards.  We use all netgear NICS in all our setups, with management being onboard/intel and they all work fine for us.  We use different Nortel switches with no problems.



  • Forgot about this thread.  I put in four Intel cards from ebay and haven't seen a problem since!

    Thanks for all of your help!


Log in to reply