Found a bug/undocumented Feature with CP Mac-Passthrough & IP-Passthrough



  • Found a bug/undocumented Feature with CP Mac-Passthrough & IP-Passthrough

    OK - I found an issue which may affect everybody using Captive-Portal MAC-Passthrough & IP-Passthrough.
    And I have a fix also.

    When configuring CP MAC-Passthrough, I have often used something like 9999999 (9,999,999) or greater for the speed down or up.  What I discovered is that if I use a number greater than 9999999 (999,999), the measured throughput speed actually drops way down to less than 100 meg.

    Using www.speedtest.net with a passthrough rate value greater than 999999 (999,999) I was only getting about 60 meg.  When I set it from 9,999,999 down to 999,999 then I instantly ran much faster and I can now run a www.speedtest.net speedtest and get to almost 900 meg both up and down to/from the Internet.  FYI - I have a 10-gig connection to the Internet.

    I am assuming (not tested yet) that the IP-passthrough section of CP may also have the same issue.

    Would somebody please check and verify my findings?  Thank you.

    I hope this information helps anybody who may be experiencing the same.

    My environment is this:
        VMware ESXi hosting PfSense
        32 Gig ram
        VMXNET 3 network interfaces
        8 CPUs
        2.2.5-RELEASE  (amd64)
    My Physical VMware server had a 10-Gig network card talking 10-gig to/from the Internet.

    EDIT - Note - I will also check to see if this is an issue with Radius Authentication - I have been having some strange problems there also…
    And I suppose I will also check my bandwidth Limiters also...



  • The dummynet pipes end up rolling to a negative number > 999999. Adding validation to prevent that.
    https://redmine.pfsense.org/issues/5655

    There is an underlying issue in dummynet there somewhere too; I believe it would have to use different units instead. 999999 is enough for the time being though.
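    As an added illustration (my own code, not pfSense's or dummynet's), the snippet below models one plausible way a large Kbit/s figure can "roll over" as the developer describes, and the kind of bounded validation the fix adds. The conversion it assumes (Kbit/s scaled to bit/s and kept in a signed 32-bit integer) is an assumption for the demonstration, not a statement about dummynet's actual internals; the 999999 cap is the one the fix uses.

```python
# Added example, not pfSense/dummynet code. It models one plausible mechanism
# for the thread's bug (ASSUMED: a Kbit/s value scaled to bit/s and stored in a
# signed 32-bit integer, which silently wraps) and the bounded validation the
# fix adds at input time.

INT32_MAX = 2**31 - 1
MAX_PIPE_KBPS = 999999  # cap chosen by the fix (pfSense 2.2.6 / 2.3)


def wrap_int32(value: int) -> int:
    """Reduce an unbounded Python int to what a C int32 holds after wrap-around."""
    value &= 0xFFFFFFFF
    return value - 2**32 if value > INT32_MAX else value


def kbps_to_bps_int32(kbps: int) -> int:
    """Assumed conversion: Kbit/s * 1000 kept in a 32-bit signed field.

    Above INT32_MAX // 1000 Kbit/s the product no longer fits, and the stored
    rate becomes a much smaller or even negative number, which is consistent
    with a pipe that suddenly enforces far less bandwidth than configured.
    """
    return wrap_int32(kbps * 1000)


def max_safe_kbps() -> int:
    """Largest Kbit/s value that survives the assumed conversion unchanged."""
    return INT32_MAX // 1000


def validate_pipe_bandwidth(raw) -> int:
    """Accept only a positive whole number of Kbit/s up to MAX_PIPE_KBPS.

    Mirrors the intent of the fix: reject the form field before an
    out-of-range number reaches the pipe configuration.
    """
    text = str(raw).strip()
    if not text.isdigit():
        raise ValueError(f"bandwidth must be a whole number of Kbit/s, got {raw!r}")
    kbps = int(text)
    if kbps < 1 or kbps > MAX_PIPE_KBPS:
        raise ValueError(
            f"bandwidth must be between 1 and {MAX_PIPE_KBPS} Kbit/s, got {kbps}"
        )
    return kbps


def is_accepted(raw) -> bool:
    """True if the value passes validation, False if it would be rejected."""
    try:
        validate_pipe_bandwidth(raw)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs: the fix's cap, the assumed overflow boundary,
    # just past it, a 3 Gbit/s request, and the poster's 9,999,999 Kbit/s.
    for kbps in (999999, 2147483, 2147484, 3000000, 9999999):
        print(f"{kbps:>9} Kbit/s -> stored {kbps_to_bps_int32(kbps):>12} bit/s, "
              f"form accepts: {is_accepted(kbps)}")
```

    Running it shows that 999999 Kbit/s round-trips cleanly, that under the assumed conversion anything from about 2,147,484 Kbit/s upward wraps negative, and that the validator turns away every such value (as well as zero, negatives and non-numeric input) before it can reach the pipe.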



  • Fixed in 2.2.6 and 2.3. That limits the max bandwidth to 999999 Kbps (just shy of 1 Gbps), but ensures only sane values are used at least.



  • CMB

    Thank you for your fast reply

    I was a little worried that I was posting something totally stupid.

    Question - what about PfSense servers with 10-Gig interfaces?  Is it a future option for PfSense to support an additional 9 so that we can work with speeds greater than a 1 gig interface?

    All of my PfSense servers run on VMware ESXi with multiple 10-gig network cards.  Using other tools, I have been able to have throughput as high as 18 gig between virtual machines running on the same VMware ESXi server.



  • Yeah we'll look at fixing whatever the underlying issue is there at some point in the future. Nearly everyone that wants to use limits there at this point is fine with 1 Gb or less per-IP/MAC.



  • FYI - In my case, the MACs are not servers or workstations.  They are WAN addresses to customer networks, where the customer client device is a NATing router providing DHCP/NAT services to remote customer LANs with one or many devices behind the customer NAT/router at their remote locations.

    FYI - I am trying to get almost 4000 customer networks turned up by next summer over fiber and microwave.  Our slowest account will be 24 meg, but we also offer accounts at 1 gig.  I estimate we may have up to 20,000+ devices behind all the customer NAT/firewalls, where all the customer WANs go through a PfSense CP prior to actually going out to the Internet.  Thus some heavily loaded PfSense servers will easily sustain over 1 gig and may average up to 6 gig during peak hours of the day.



  • The limit's 1 Gb per pipe, which would be per-customer in that kind of scenario, so that shouldn't pose any issues for you unless/until you want to offer >1Gb per customer.

