Webgui access from WAN is too slow



  • Webgui access from WAN is too slow so that sometimes I failed to open the web pages. There is no problem in access from Lan.  I tested it with 1.2 as well at the same hardware but 1.2 has no problem.

    I think it may be another issue on 1.2.1 snapshot. I tested with 20080716 and 20080717 version.

    Thank you!!



  • You have the traffic shaper enabled, right?



  • No, the traffic shaper has not been enabled. I tested it right after fresh install from CD. The changes from the default setting is adding firewall rules for webgui access from WAN, TCP 443 and 80 for WAN address.



  • The wan interface is connected to private network and I turn off “Block private network” on Wan configuration.
    If you don’t have experienced this problem pls check it with private network on Wan again.

    Thank you.



  • I tested it again in public ip envirenment. Wan interface has been connected to public IP. But there is no diffrent from private network. The Webgui from Wan is too slow and I cannot open any configuration pages.
    I think it is depending on the network card. This problem is more serious in Intel gigabit NIC than realtek NIC.

    Is there really no one who has experienced this same problem???

    I tested with 1.2.1 0721 version.
    I just added the firewall rule for allowing tcp 443 and 80 accessing to Wan address and turn off “block private network”. There is no any other changes from the default setting, no traffic shaper.

    Thank you.



  • I don’t know why. But I can connect to Webgui from Wan after omitting “TSO” option from em0 interface.

    ifconfig em0 -tso



  • After omitting tso from em interface I can access to Webgui from Wan but it is still too slow. Some pages like firewall rule page cannot be opened completely.
    I tested with pfSense-Full-Update-1.2.1-TESTING-SNAPSHOT-20080724-0426.tgz.

    Thank you.



  • Try disable checksums in System -> Advanced



  • 1. First, I found that the “disable hardware checksum offloading” in system -> advanced deos not work. I did it and rebooted the box but rxcsum, txcsum and tso have not been disappeared from em interface option. I think some code change is needed in pfsense-utils.inc. I can disable hardware checksum offloading with some changes in this file like as```
    function enable_hardware_offloading($interface) {
            global $g, $config;

    if(stristr($interface,“lnc”))
                    return;
            if(isset($config[‘system’][‘do_not_use_nic_microcode’]))
                    return;

    if($g[‘booting’]) {
            /* translate wan, lan, opt -> real interface if needed */
            $int = filter_translate_type_to_real_interface($interface);
            if($int <> “”) $interface = $int;
            $int_family = preg_split("/[0-9]+/", $int);
            $options = strtolower(/sbin/ifconfig {$interface} | grep options);
            $supported_ints = array(‘fxp’);
            if (in_array($int_family, $supported_ints))
                    mwexec("/sbin/ifconfig {$interface} link0");

    if($config[‘system’][‘disablechecksumoffloading’]) {
            if(stristr($options, “rxcsum”) == true)
                mwexec("/sbin/ifconfig {$interface} -rxcsum 2>/dev/null");
            if(stristr($options, “tso”) == true)
                mwexec("/sbin/ifconfig {$interface} -tso 2>/dev/null");
    } else {
            if(stristr($options, “txcsum”) == true)
                mwexec("/sbin/ifconfig {$interface} txcsum 2>/dev/null");
            if(stristr($options, “rxcsum”) == true)
                mwexec("/sbin/ifconfig {$interface} rxcsum 2>/dev/null");
            if(stristr($options, “polling”) == true) {
                mwexec("/sbin/ifconfig {$interface} polling 2>/dev/null");
            } else {
                    mwexec(“sysctl kern.polling.enable=0”);
            }
    }
    }
    }

    
    2\. After disable hardware checksum offloading, there is no change. The opening webgui pages from Wan is still slower than from Lan. For testing, you can open any firewall rule edit page from Wan and Lan. Then you can see the difference of opening speed. I tested it with em, re and dc NIC.
    
    I used pfSense-Full-Update-1.2.1-TESTING-SNAPSHOT-20080724-2313.tgz.
    
    Thank you.


  • Are you in the same subnet as WAN?



  • Yes, my pc is in the same subnet as Wan.



  • Well with a fix that went in 1.2.1 you will not be able to do that.
    Place a router in-between and you can go full speed.



  • Ooh, fallout from the reply-to changes. we’ll need to accommodate same-subnet traffic differently on each WAN.



  • Same problem here with the snapshot of 31-08-2008 via the LAN all is working fine. But via the WAN it’s very slow (almost not working) no traffic shaper issue the traffic shaper is off. Also working with Intel Gigabit Ethernet (onboard on a super micro server). When I connect via a ssh tunnel from a directly attached machine through the WAN it’s working just as good as the LAN. Have done some test to make shore that this is not a resolving issue. Know that almost for shore now. Looks like this problem has something to do with MTU of MSS (know my mtu is 1500 from client to the WAN even with the don’t fragment bit) somebody knows a solution for this?

    Thanks in Advance.



  • yep confirmed its tso thats causing the issue on 1.2.1-RC1 built on Thu Sep 25 11:47:42 EDT 2008
    Whats really odd is even though there are pass rules for the packets some are still hitting the default deny when tso is enabled so theres something really quite low level breaking badly.



  • The issue reported was not a tso problem but it i fixed it and should not be a problem anymore.

    The tso/rxsum/txsum or later offloadings that will come in later 10Gbps drivers even work or don’t so there is no middle way with them.
    I guess FreeBSD-release 7.1 has some more corrections on this side but for now recommended is that:
    if you face problems disable it.



  • When is issue is fixed? I’ve tested last week with the daily snapshot but still have the same problems.

    Thanks



  • Hello,

    I have the same problem with slowness in accessing webgui @ WAN.  I created proxy connection into a server on the same switch as pfsense in order to be able to manage pfsense remotely.

    Can we have this issue fixed soon? I applied snapshot on 092708 and still the same problem.

    Regards,

    TheT



  • Can you please describe the problems you have more throughly.

    What type of WAN connection do you have, etc…?



  • Here is my setup:

    All ports are Intel Nic:  1gig

    ISP <-> Switch  / Foundry <-> WAN PFsense (Dell server with 2 intel nics) (LAN) <-> Switch <-> Servers1…N
                    |
                ServerA

    From ServerA I can access Pfsense webgui w/o any problem.  The connection at ISP is 1Gig

    From a computer at home using comcast and/or att - (DSL)  - Connection to web gui at pfsense is very slow and not usable.

    Regards,

    TheT



  • This seems like a tcp mss problem probably it is at your end unless you have some kind of pppoe/pptp connection on the pfSense at work.
    Another test would be to move the gui of pfSense to another port and try.



  • Hi, My config is the same as the one of THeT, ISP -> pfsense wan, switch, server. from our office to the wan it’s just to slow (more than a minute just to load one page) when I connect to the LAN (via a ssh tunnel from a server on the LAN it’s fast as normal.
    I’ve already tried another port for the WAN (from the onboard Intel to a port on the quad GE Intel card. problem just moves to the new port.

    I was also thinking of some mss issue (see my earlier posts) but not able to figure out what the problem is exactly.

    If you like to login to our system for some testing this is fine, it’s not in production just in test (because of the slow WAN).



  • I did a ifconfig em0 -tso and everything is working as it should now.



  • Is the WAN interface slowness fixed in the lastest build?


Locked
 

© Copyright 2002 - 2018 Rubicon Communications, LLC | Privacy Policy