Pfsense get "slow" my retail system



  • Hello pfsense admins:
    I've just configurated my pfsesne 2.2.4 as proxy server using squid3 + squidguard + WPAD configuration perfectly.

    Now is moment to take a real test: I've selected an PC group to test on it. so, the real problem is when the clients use a Retail system, It turns very slow. when i click on the invoice, quote button or send a query of database inventory the system delays so much (aprox 10 sec to open a window).In sales is a hell work with this inconvenient. Here is my network map:

    i think the system get slow because he query has to pass first on pfsense ,pass to the ISP router and finally pass to the server, but i applied the next firewall rules:
    WAN:
    3. Let pass the traffic from WAN Net to 192.168.0.0/24, 192.168.1.0/24… (my Company's network)
    4. Let pass the traffic from  Company's network to WAN Net

    Floating:
    3. It's a redundant rule (i'll quite)

    LAN Network:

    1. Let pass the traffic from LAN Net to 192.168.0.0/24, 192.168.1.0/24… (my Company's network)
    2. Let pass the traffic from  Company's network to LAN Net
    5. Let pass the traffic from the port 5432 (System port)

    Also i want to know if i can consolidate this two LANs on one Workgroup? Because in one Network test i can only see in my workgroup the pc with her interface, but i can communicate with the others computer.

    I'll really like to see your answers, if i'm doing something wrong or some to make it better.

    Thanks for sharing your knowledge.
    Hope you understandme



  • How does your Point of Sale system work?  HTTP/S or some custom protocol"



  • It's a system based on .NET + postgreSQL. Talking with the programmer, He says that system use the TCP protocol. But if you see my WAN Rules (3 and 4) and LAN rules (1 and 2) I've been allowing the TCP and UDP protocol, Even I created a rule on WAN and LAN that let pass from any to any destination in any port and nothing changed.

    I don't know if this is relevant but the dns suffix name aren't the same:


  • LAYER 8 Netgate

    Rules 1 and 2 on LAN make no sense.  Either one is required or the other.  Not both.

    https://doc.pfsense.org/index.php/Firewall_Rule_Basics

    https://doc.pfsense.org/index.php/Firewall_Rule_Processing_Order

    https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting

    What is the Microtik doing if it's 192.168.0.0/24 on both sides of it?

    You are forwarding both 80 and 443 to 3128.  3128 is either expecting SSL or it's not.  You should only forward the appropriate port.  I can see that as being very problematic.



  • Rules 1 and 2 on LAN make no sense.  Either one is required or the other.  Not both.

    You are forwarding both 80 and 443 to 3128.  3128 is either expecting SSL or it's not.  You should only forward the appropriate port.  I can see that as being very problematic.

    After read the links, attached is my new firewall configuration.

    What is the Microtik doing if it's 192.168.0.0/24 on both sides of it?

    Mikrotik is the ISP router, He gives us the internet access, He is connected to the fiber converter.



  • LAYER 8 Netgate

    After read the links, attached is my new firewall configuration.

    And what are you seeing?  Please be as exact as possible.



  • @Derelict:

    And what are you seeing?  Please be as exact as possible.

    Any change:

    • My internet is well, There's no reason to create a rule to redirect the 443 port. Wpad works well too; When i quite the proxy on the clients configuration, the internet doesn't run. It's enough with the 80 port redirector.
    • With my retail system the same too. I tried with a freshly-installed pfsense (any package or rule installed/configurated) with no change, even opening all my interfaces on firewall rules letting all access (my disable rules).

    If is this relevant. here is a piece of my firewall logs:

    192.168.10.95 -> My PC
    192.168.10.10 -> PFSENSE
    192.168.0.0/24 -> Company network (mikrotik)




  • Perhaps you should also be using the pfSense or the MikroTik router and both together building a router cascade
    why double SPI/NAT and firewall rules!

    If the MirkoTik router comes with WiFi you could also use him as a WiFi AP
    and you could also working with VLANs instead of two networks.




  • @BlueKobold:

    Perhaps you should also be using the pfSense or the MikroTik router and both together building a router cascade
    why double SPI/NAT and firewall rules!

    If the MirkoTik router comes with WiFi you could also use him as a WiFi AP
    and you could also working with VLANs instead of two networks.

    The only problem if I change my mikrotik by pfsense the ISP will not bring us support. Want to take the risk, but I wanna know if this will be work. Can i have access to the other stores (connected by fiber) Attached is my complete network

    This is my connection with my server (in the other LAN). When i send large query to the server, The system overloads the server. I've been doing some operations that the seller does to imitate the daily work

    
    C:\Users\usuario>ping 192.168.0.100 -t
    
    Haciendo ping a 192.168.0.100 con 32 bytes de datos:
    Respuesta desde 192.168.0.100: bytes=32 tiempo=3ms TTL=127
    Respuesta desde 192.168.0.100: bytes=32 tiempo=1ms TTL=127
    Respuesta desde 192.168.0.100: bytes=32 tiempo=1ms TTL=127
    Respuesta desde 192.168.0.100: bytes=32 tiempo=1ms TTL=127
    Respuesta desde 192.168.0.100: bytes=32 tiempo=29ms TTL=127
    Respuesta desde 192.168.0.100: bytes=32 tiempo=1ms TTL=127
    Respuesta desde 192.168.0.100: bytes=32 tiempo=2ms TTL=127
    Respuesta desde 192.168.0.100: bytes=32 tiempo=43ms TTL=127
    Respuesta desde 192.168.0.100: bytes=32 tiempo=1ms TTL=127
    Respuesta desde 192.168.0.100: bytes=32 tiempo=2ms TTL=127
    Tiempo de espera agotado para esta solicitud.
    Respuesta desde 192.168.0.100: bytes=32 tiempo=2ms TTL=127
    Respuesta desde 192.168.0.100: bytes=32 tiempo=2ms TTL=127
    Respuesta desde 192.168.0.100: bytes=32 tiempo=1ms TTL=127
    Respuesta desde 192.168.0.100: bytes=32 tiempo=1ms TTL=127
    Respuesta desde 192.168.0.100: bytes=32 tiempo=1ms TTL=127
    Respuesta desde 192.168.0.100: bytes=32 tiempo=25ms TTL=127
    Respuesta desde 192.168.0.100: bytes=32 tiempo=28ms TTL=127
    Respuesta desde 192.168.0.100: bytes=32 tiempo=38ms TTL=127
    Respuesta desde 192.168.0.100: bytes=32 tiempo=2ms TTL=127
    Tiempo de espera agotado para esta solicitud.
    Respuesta desde 192.168.0.100: bytes=32 tiempo=4ms TTL=127
    Respuesta desde 192.168.0.100: bytes=32 tiempo=1ms TTL=127
    Respuesta desde 192.168.0.100: bytes=32 tiempo=1ms TTL=127
    Respuesta desde 192.168.0.100: bytes=32 tiempo=41ms TTL=127
    Respuesta desde 192.168.0.100: bytes=32 tiempo=1ms TTL=127
    Respuesta desde 192.168.0.100: bytes=32 tiempo=61ms TTL=127
    Tiempo de espera agotado para esta solicitud.
    Respuesta desde 192.168.0.100: bytes=32 tiempo=1ms TTL=127
    Respuesta desde 192.168.0.100: bytes=32 tiempo=1ms TTL=127
    Respuesta desde 192.168.0.100: bytes=32 tiempo=1ms TTL=127
    Respuesta desde 192.168.0.100: bytes=32 tiempo=1ms TTL=127
    Respuesta desde 192.168.0.100: bytes=32 tiempo=1ms TTL=127
    Tiempo de espera agotado para esta solicitud.
    Respuesta desde 192.168.0.100: bytes=32 tiempo=1ms TTL=127
    Respuesta desde 192.168.0.100: bytes=32 tiempo=104ms TTL=12
    Respuesta desde 192.168.0.100: bytes=32 tiempo=27ms TTL=127
    Respuesta desde 192.168.0.100: bytes=32 tiempo=2ms TTL=127
    Tiempo de espera agotado para esta solicitud.
    Respuesta desde 192.168.0.100: bytes=32 tiempo=1ms TTL=127
    Respuesta desde 192.168.0.100: bytes=32 tiempo=1ms TTL=127
    Respuesta desde 192.168.0.100: bytes=32 tiempo=6ms TTL=127
    Respuesta desde 192.168.0.100: bytes=32 tiempo=1ms TTL=127
    Respuesta desde 192.168.0.100: bytes=32 tiempo=1ms TTL=127
    Respuesta desde 192.168.0.100: bytes=32 tiempo=7ms TTL=127
    Respuesta desde 192.168.0.100: bytes=32 tiempo=1ms TTL=127
    Respuesta desde 192.168.0.100: bytes=32 tiempo=1ms TTL=127
    Respuesta desde 192.168.0.100: bytes=32 tiempo=47ms TTL=127
    Respuesta desde 192.168.0.100: bytes=32 tiempo=4ms TTL=127
    Tiempo de espera agotado para esta solicitud.
    Respuesta desde 192.168.0.100: bytes=32 tiempo=174ms TTL=12
    Tiempo de espera agotado para esta solicitud.
    Tiempo de espera agotado para esta solicitud.
    Respuesta desde 192.168.0.100: bytes=32 tiempo=2ms TTL=127
    Respuesta desde 192.168.0.100: bytes=32 tiempo=2ms TTL=127
    Respuesta desde 192.168.0.100: bytes=32 tiempo=2ms TTL=127
    Respuesta desde 192.168.0.100: bytes=32 tiempo=1ms TTL=127
    Respuesta desde 192.168.0.100: bytes=32 tiempo=2ms TTL=127
    
    Estadísticas de ping para 192.168.0.100:
        Paquetes: enviados = 72, recibidos = 64, perdidos = 8
        (11% perdidos),
    Tiempos aproximados de ida y vuelta en milisegundos:
        Mínimo = 1ms, Máximo = 174ms, Media = 11ms
    
    

    Now, try to imagine aprox 10 sellers overloading the server. I wonder if using my network configuration i can pass directly to router mikrotik, and vice versa.



  • Banned

    Here's an idea - simplify the damned mess.



  • Here's an idea - simplify the damned mess.

    I consoder this would be an urgent goal of this network because it really lokks like an historical grown one.

    Now, try to imagine aprox 10 sellers overloading the server. I wonder if using my network configuration i can pass directly to router mikrotik, and vice versa.

    In the network schematic shown here in the last post, it would be really a big problem to work with three (3)
    NAT points! This could mostly not work well in all directions! You should over think this that the entire network
    will be more or less complicated! On both sides you can have one times a NAT doing device but please not more.
    And then please inform your self about working with VLANs this could be then a more easy to administer network
    and working likes you will expect it.



  • Buekobold:
    I know that my network isn't correct , and this is the main idea after all (I've purchased a Switch layer 3 for this). Like i said before; This is only a test network. 
    By curiosity, I just wanted to know if there is any way to solved this with my aforementioned "network". But you said: There's no way to use this.

    I will do my vlans and if i have some questions hope you help me like you did now.
    Thanks for the paitence to all.



  • @chavarriaa
    Many things can be done in various ways! If you don´t want to set up and work with VLANs
    you could either go by plain routing! As an example:

    If the switches are not capable to handle and support VLANs:
    You could connect each switch on the left side of the network diagram to one LAN Port
    of the MikroTik router and give each Port another IP address range, likes 192.168.1.0/24
    and 192.168.2.0/24 thats it, so no need of a pfSense box is there.

    If the switches are capable to handle and support VLANs

    On the left side you will be able to set up VLANs on both switches and then it is more a
    problem where these switches are staying more and what kind of switches you have then
    build a VLANs.

    This can be done with the Mikrotik router on the left side of the diagram
    and vice versa with the pfSense firewall.

    A so called double NAT will work fine but a tripple NAT solution is not the real
    thing you will be happy with.



  • I found another way how to implement Pfsense, using a single NIC with VLANs , so I remove the double natting (i hope so).
    My idea is to apply to the four stores we have in the previous maps .
    In my sketch it looks like this:

    Now I wonder:

    • Is a correct way to implement pfsense?
    • If i have pfsense applied like the last image, should i have to move all the clients and the server to the VLAN?
    • Can I use Pfsense as DHCP server? i Have proxy non transparent with WPAD, and as you know, DHCP is required
    • Can i use Firewall Rules to manage the LANs?

    I know a bit of networks, but i need experience and I will appreciate to share your knowledge with us.



    • Is a correct way to implement pfsense?

    Please be not angry, but where in the network schematic is the pfSense?


  • LAYER 8 Netgate

    Yeah everything is on 192.168.0.0/24.  What do you need a router for?



  • BlueKobold, I'm not angry. Sorry if the question is a bit aggressive.

    Derelict and BlueKobold:
    I need pfsense mainly as proxy server, then Firewall Rules.

    As PFsense only will have one NIC, I'll put it in one of the two switches. (in the sketch; below of the switch)
    After reading a lot of websites I found a solution in Spanish, this is from a website of one of the moderators from Spanish PFsense forum.
    I'll work pfsense with only VLANs:
    WAN -> vlan_10
    LAN  -> vlan_20

    On the switch:
    Port 1: Trunk (Here is where I put the pfsense ethernet)
    port 2: Acces vlan_10 (Here is where I put the router ethernet)
    port 3: Acces vlan_20 (This port will give me an out of LAN)

    Here is the link:
    http://www.bellera.cat/josep/pfsense2/VLANs_pfSense_y_switch_Cisco.pdf


  • LAYER 8 Netgate

    But to where?  Everything is on the same network segment  There will be nothing forcing the traffic through your (presumed) transparent proxy.  If the stations' default gateway is 192.168.0.1, pfSense will not be touched.  Even if you're WPAD and sending the web traffic to pfSense, I don't know if you can put a regular proxy on bridged interfaces or even if you'd want to.  And if not, having two interfaces on pfSense on the same subnet would be problematic.  You might consider putting your network behind pfSense with a transit network to the microtik or eliminating the microtik entirely and letting pfSense do it.

    I am feeling out of my lane.  I don't do much with squid.  Apologies if I'm hosing it up.

    Exactly what is "slow" again?  You do realize that ICMP (ping) doesn't go through the proxy at all so if you're seeing packet loss on your WAN you have to address it in the microtik or with your ISP.



  • @Derelict:

    But to where?  Everything is on the same network segment  There will be nothing forcing the traffic through your (presumed) transparent proxy.  If the stations' default gateway is 192.168.0.1, pfSense will not be touched.  Even if you're WPAD and sending the web traffic to pfSense,

    The latest days I've tried pfsense with one nic. And my map is like the next:

    My switch L3 configutaion is the next:
    FE1 = access mode (access for vlan 10)
    FE2 = trunked mode (allowed vlan 10, 20)
    FE3 to FE5 = access mode (access for vlan 20)

    So, the computer connected in FE3 to FE5 ports only will allow vlan 20. The switch redirect to the trunked port (where is connected pfsense) and Pfsense do a normal work, as if i had two NICS. Wpad and proxy server are good.

    I don't know if you can put a regular proxy on bridged interfaces or even if you'd want to.  And if not, having two interfaces on pfSense on the same subnet would be problematic.

    I know that double natting is so bad. For that reason my queries to the server with my retail system is so problematic.

    You might consider putting your network behind pfSense with a transit network to the microtik or eliminating the microtik entirely and letting pfSense do it.

    If this doesn't work. My last choice is:put pfsense instead of mikrotik

    Exactly what is "slow" again?  You do realize that ICMP (ping) doesn't go through the proxy at all so if you're seeing packet loss on your WAN you have to address it in the microtik or with your ISP.

    My problem is the double natting. The data travels via pfsense then to the server.
    When I ping to the server works well. When i send a query to the database (like a inventory, quotes or invoice) the system gets overloads and loses packages.

    But whit this configuration (pfsense with one NIC) my Retail system works better.
    There's no lost package neither overload. But I don't know if this configuration is correct (don't know if this is double natting too)

    If this configuration is correct. I will proceed to implement in the other stores.

    sorry if I’m a hard headed.


Log in to reply