Pfsense get "slow" my retail system

chavarriaa

Hello pfsense admins:
I've just configurated my pfsesne 2.2.4 as proxy server using squid3 + squidguard + WPAD configuration perfectly.

Now is moment to take a real test: I've selected an PC group to test on it. so, the real problem is when the clients use a Retail system, It turns very slow. when i click on the invoice, quote button or send a query of database inventory the system delays so much (aprox 10 sec to open a window).In sales is a hell work with this inconvenient. Here is my network map:

i think the system get slow because he query has to pass first on pfsense ,pass to the ISP router and finally pass to the server, but i applied the next firewall rules:
WAN:
3. Let pass the traffic from WAN Net to 192.168.0.0/24, 192.168.1.0/24… (my Company's network)
4. Let pass the traffic from Company's network to WAN Net

Floating:
3. It's a redundant rule (i'll quite)

LAN Network:

1. Let pass the traffic from LAN Net to 192.168.0.0/24, 192.168.1.0/24… (my Company's network)
2. Let pass the traffic from Company's network to LAN Net
5. Let pass the traffic from the port 5432 (System port)

Also i want to know if i can consolidate this two LANs on one Workgroup? Because in one Network test i can only see in my workgroup the pc with her interface, but i can communicate with the others computer.

I'll really like to see your answers, if i'm doing something wrong or some to make it better.

Thanks for sharing your knowledge.
Hope you understandme

KOM

How does your Point of Sale system work? HTTP/S or some custom protocol"

chavarriaa

It's a system based on .NET + postgreSQL. Talking with the programmer, He says that system use the TCP protocol. But if you see my WAN Rules (3 and 4) and LAN rules (1 and 2) I've been allowing the TCP and UDP protocol, Even I created a rule on WAN and LAN that let pass from any to any destination in any port and nothing changed.

I don't know if this is relevant but the dns suffix name aren't the same:

Derelict

Rules 1 and 2 on LAN make no sense. Either one is required or the other. Not both.

https://doc.pfsense.org/index.php/Firewall_Rule_Basics

https://doc.pfsense.org/index.php/Firewall_Rule_Processing_Order

https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting

What is the Microtik doing if it's 192.168.0.0/24 on both sides of it?

You are forwarding both 80 and 443 to 3128. 3128 is either expecting SSL or it's not. You should only forward the appropriate port. I can see that as being very problematic.

chavarriaa

Rules 1 and 2 on LAN make no sense. Either one is required or the other. Not both.
…
You are forwarding both 80 and 443 to 3128. 3128 is either expecting SSL or it's not. You should only forward the appropriate port. I can see that as being very problematic.

After read the links, attached is my new firewall configuration.

What is the Microtik doing if it's 192.168.0.0/24 on both sides of it?

Mikrotik is the ISP router, He gives us the internet access, He is connected to the fiber converter.

firewallrules.png_thumb

Derelict

After read the links, attached is my new firewall configuration.

And what are you seeing? Please be as exact as possible.

chavarriaa

@Derelict:

And what are you seeing? Please be as exact as possible.

Any change:

My internet is well, There's no reason to create a rule to redirect the 443 port. Wpad works well too; When i quite the proxy on the clients configuration, the internet doesn't run. It's enough with the 80 port redirector.
With my retail system the same too. I tried with a freshly-installed pfsense (any package or rule installed/configurated) with no change, even opening all my interfaces on firewall rules letting all access (my disable rules).

If is this relevant. here is a piece of my firewall logs:

192.168.10.95 -> My PC
192.168.10.10 -> PFSENSE
192.168.0.0/24 -> Company network (mikrotik)

firewall.png_thumb

Guest

Perhaps you should also be using the pfSense or the MikroTik router and both together building a router cascade
why double SPI/NAT and firewall rules!

If the MirkoTik router comes with WiFi you could also use him as a WiFi AP
and you could also working with VLANs instead of two networks.

chavarriaa.jpg_thumb

chavarriaa

@BlueKobold:

Perhaps you should also be using the pfSense or the MikroTik router and both together building a router cascade
why double SPI/NAT and firewall rules!

If the MirkoTik router comes with WiFi you could also use him as a WiFi AP
and you could also working with VLANs instead of two networks.

The only problem if I change my mikrotik by pfsense the ISP will not bring us support. Want to take the risk, but I wanna know if this will be work. Can i have access to the other stores (connected by fiber) Attached is my complete network

This is my connection with my server (in the other LAN). When i send large query to the server, The system overloads the server. I've been doing some operations that the seller does to imitate the daily work


C:\Users\usuario>ping 192.168.0.100 -t

Haciendo ping a 192.168.0.100 con 32 bytes de datos:
Respuesta desde 192.168.0.100: bytes=32 tiempo=3ms TTL=127
Respuesta desde 192.168.0.100: bytes=32 tiempo=1ms TTL=127
Respuesta desde 192.168.0.100: bytes=32 tiempo=1ms TTL=127
Respuesta desde 192.168.0.100: bytes=32 tiempo=1ms TTL=127
Respuesta desde 192.168.0.100: bytes=32 tiempo=29ms TTL=127
Respuesta desde 192.168.0.100: bytes=32 tiempo=1ms TTL=127
Respuesta desde 192.168.0.100: bytes=32 tiempo=2ms TTL=127
Respuesta desde 192.168.0.100: bytes=32 tiempo=43ms TTL=127
Respuesta desde 192.168.0.100: bytes=32 tiempo=1ms TTL=127
Respuesta desde 192.168.0.100: bytes=32 tiempo=2ms TTL=127
Tiempo de espera agotado para esta solicitud.
Respuesta desde 192.168.0.100: bytes=32 tiempo=2ms TTL=127
Respuesta desde 192.168.0.100: bytes=32 tiempo=2ms TTL=127
Respuesta desde 192.168.0.100: bytes=32 tiempo=1ms TTL=127
Respuesta desde 192.168.0.100: bytes=32 tiempo=1ms TTL=127
Respuesta desde 192.168.0.100: bytes=32 tiempo=1ms TTL=127
Respuesta desde 192.168.0.100: bytes=32 tiempo=25ms TTL=127
Respuesta desde 192.168.0.100: bytes=32 tiempo=28ms TTL=127
Respuesta desde 192.168.0.100: bytes=32 tiempo=38ms TTL=127
Respuesta desde 192.168.0.100: bytes=32 tiempo=2ms TTL=127
Tiempo de espera agotado para esta solicitud.
Respuesta desde 192.168.0.100: bytes=32 tiempo=4ms TTL=127
Respuesta desde 192.168.0.100: bytes=32 tiempo=1ms TTL=127
Respuesta desde 192.168.0.100: bytes=32 tiempo=1ms TTL=127
Respuesta desde 192.168.0.100: bytes=32 tiempo=41ms TTL=127
Respuesta desde 192.168.0.100: bytes=32 tiempo=1ms TTL=127
Respuesta desde 192.168.0.100: bytes=32 tiempo=61ms TTL=127
Tiempo de espera agotado para esta solicitud.
Respuesta desde 192.168.0.100: bytes=32 tiempo=1ms TTL=127
Respuesta desde 192.168.0.100: bytes=32 tiempo=1ms TTL=127
Respuesta desde 192.168.0.100: bytes=32 tiempo=1ms TTL=127
Respuesta desde 192.168.0.100: bytes=32 tiempo=1ms TTL=127
Respuesta desde 192.168.0.100: bytes=32 tiempo=1ms TTL=127
Tiempo de espera agotado para esta solicitud.
Respuesta desde 192.168.0.100: bytes=32 tiempo=1ms TTL=127
Respuesta desde 192.168.0.100: bytes=32 tiempo=104ms TTL=12
Respuesta desde 192.168.0.100: bytes=32 tiempo=27ms TTL=127
Respuesta desde 192.168.0.100: bytes=32 tiempo=2ms TTL=127
Tiempo de espera agotado para esta solicitud.
Respuesta desde 192.168.0.100: bytes=32 tiempo=1ms TTL=127
Respuesta desde 192.168.0.100: bytes=32 tiempo=1ms TTL=127
Respuesta desde 192.168.0.100: bytes=32 tiempo=6ms TTL=127
Respuesta desde 192.168.0.100: bytes=32 tiempo=1ms TTL=127
Respuesta desde 192.168.0.100: bytes=32 tiempo=1ms TTL=127
Respuesta desde 192.168.0.100: bytes=32 tiempo=7ms TTL=127
Respuesta desde 192.168.0.100: bytes=32 tiempo=1ms TTL=127
Respuesta desde 192.168.0.100: bytes=32 tiempo=1ms TTL=127
Respuesta desde 192.168.0.100: bytes=32 tiempo=47ms TTL=127
Respuesta desde 192.168.0.100: bytes=32 tiempo=4ms TTL=127
Tiempo de espera agotado para esta solicitud.
Respuesta desde 192.168.0.100: bytes=32 tiempo=174ms TTL=12
Tiempo de espera agotado para esta solicitud.
Tiempo de espera agotado para esta solicitud.
Respuesta desde 192.168.0.100: bytes=32 tiempo=2ms TTL=127
Respuesta desde 192.168.0.100: bytes=32 tiempo=2ms TTL=127
Respuesta desde 192.168.0.100: bytes=32 tiempo=2ms TTL=127
Respuesta desde 192.168.0.100: bytes=32 tiempo=1ms TTL=127
Respuesta desde 192.168.0.100: bytes=32 tiempo=2ms TTL=127

Estadísticas de ping para 192.168.0.100:
    Paquetes: enviados = 72, recibidos = 64, perdidos = 8
    (11% perdidos),
Tiempos aproximados de ida y vuelta en milisegundos:
    Mínimo = 1ms, Máximo = 174ms, Media = 11ms

Now, try to imagine aprox 10 sellers overloading the server. I wonder if using my network configuration i can pass directly to router mikrotik, and vice versa.

MAP.png_thumb

doktornotor

Here's an idea - simplify the damned mess.

Guest

Here's an idea - simplify the damned mess.

I consoder this would be an urgent goal of this network because it really lokks like an historical grown one.

Now, try to imagine aprox 10 sellers overloading the server. I wonder if using my network configuration i can pass directly to router mikrotik, and vice versa.

In the network schematic shown here in the last post, it would be really a big problem to work with three (3)
NAT points! This could mostly not work well in all directions! You should over think this that the entire network
will be more or less complicated! On both sides you can have one times a NAT doing device but please not more.
And then please inform your self about working with VLANs this could be then a more easy to administer network
and working likes you will expect it.

chavarriaa

Buekobold:
I know that my network isn't correct , and this is the main idea after all (I've purchased a Switch layer 3 for this). Like i said before; This is only a test network.
By curiosity, I just wanted to know if there is any way to solved this with my aforementioned "network". But you said: There's no way to use this.

I will do my vlans and if i have some questions hope you help me like you did now.
Thanks for the paitence to all.

Guest

@chavarriaa
Many things can be done in various ways! If you don´t want to set up and work with VLANs
you could either go by plain routing! As an example:

If the switches are not capable to handle and support VLANs:
You could connect each switch on the left side of the network diagram to one LAN Port
of the MikroTik router and give each Port another IP address range, likes 192.168.1.0/24
and 192.168.2.0/24 thats it, so no need of a pfSense box is there.

If the switches are capable to handle and support VLANs

On the left side you will be able to set up VLANs on both switches and then it is more a
problem where these switches are staying more and what kind of switches you have then
build a VLANs.

This can be done with the Mikrotik router on the left side of the diagram
and vice versa with the pfSense firewall.

A so called double NAT will work fine but a tripple NAT solution is not the real
thing you will be happy with.

chavarriaa

I found another way how to implement Pfsense, using a single NIC with VLANs , so I remove the double natting (i hope so).
My idea is to apply to the four stores we have in the previous maps .
In my sketch it looks like this:

Now I wonder:

Is a correct way to implement pfsense?
If i have pfsense applied like the last image, should i have to move all the clients and the server to the VLAN?
Can I use Pfsense as DHCP server? i Have proxy non transparent with WPAD, and as you know, DHCP is required
Can i use Firewall Rules to manage the LANs?

I know a bit of networks, but i need experience and I will appreciate to share your knowledge with us.

Guest

Is a correct way to implement pfsense?

Please be not angry, but where in the network schematic is the pfSense?

Derelict

Yeah everything is on 192.168.0.0/24. What do you need a router for?

chavarriaa

BlueKobold, I'm not angry. Sorry if the question is a bit aggressive.

Derelict and BlueKobold:
I need pfsense mainly as proxy server, then Firewall Rules.

As PFsense only will have one NIC, I'll put it in one of the two switches. (in the sketch; below of the switch)
After reading a lot of websites I found a solution in Spanish, this is from a website of one of the moderators from Spanish PFsense forum.
I'll work pfsense with only VLANs:
WAN -> vlan_10
LAN -> vlan_20

On the switch:
Port 1: Trunk (Here is where I put the pfsense ethernet)
port 2: Acces vlan_10 (Here is where I put the router ethernet)
port 3: Acces vlan_20 (This port will give me an out of LAN)

Here is the link:
http://www.bellera.cat/josep/pfsense2/VLANs_pfSense_y_switch_Cisco.pdf

Derelict

But to where? Everything is on the same network segment There will be nothing forcing the traffic through your (presumed) transparent proxy. If the stations' default gateway is 192.168.0.1, pfSense will not be touched. Even if you're WPAD and sending the web traffic to pfSense, I don't know if you can put a regular proxy on bridged interfaces or even if you'd want to. And if not, having two interfaces on pfSense on the same subnet would be problematic. You might consider putting your network behind pfSense with a transit network to the microtik or eliminating the microtik entirely and letting pfSense do it.

I am feeling out of my lane. I don't do much with squid. Apologies if I'm hosing it up.

Exactly what is "slow" again? You do realize that ICMP (ping) doesn't go through the proxy at all so if you're seeing packet loss on your WAN you have to address it in the microtik or with your ISP.

chavarriaa

@Derelict:

But to where? Everything is on the same network segment There will be nothing forcing the traffic through your (presumed) transparent proxy. If the stations' default gateway is 192.168.0.1, pfSense will not be touched. Even if you're WPAD and sending the web traffic to pfSense,

The latest days I've tried pfsense with one nic. And my map is like the next:

My switch L3 configutaion is the next:
FE1 = access mode (access for vlan 10)
FE2 = trunked mode (allowed vlan 10, 20)
FE3 to FE5 = access mode (access for vlan 20)

So, the computer connected in FE3 to FE5 ports only will allow vlan 20. The switch redirect to the trunked port (where is connected pfsense) and Pfsense do a normal work, as if i had two NICS. Wpad and proxy server are good.

I don't know if you can put a regular proxy on bridged interfaces or even if you'd want to. And if not, having two interfaces on pfSense on the same subnet would be problematic.

I know that double natting is so bad. For that reason my queries to the server with my retail system is so problematic.

You might consider putting your network behind pfSense with a transit network to the microtik or eliminating the microtik entirely and letting pfSense do it.

If this doesn't work. My last choice is:put pfsense instead of mikrotik

Exactly what is "slow" again? You do realize that ICMP (ping) doesn't go through the proxy at all so if you're seeing packet loss on your WAN you have to address it in the microtik or with your ISP.

My problem is the double natting. The data travels via pfsense then to the server.
When I ping to the server works well. When i send a query to the database (like a inventory, quotes or invoice) the system gets overloads and loses packages.

But whit this configuration (pfsense with one NIC) my Retail system works better.
There's no lost package neither overload. But I don't know if this configuration is correct (don't know if this is double natting too)

If this configuration is correct. I will proceed to implement in the other stores.

sorry if I’m a hard headed.