Webgui access from WAN is too slow

sbyoon · Jul 22, 2008, 6:11 AM

I tested it again in public ip envirenment. Wan interface has been connected to public IP. But there is no diffrent from private network. The Webgui from Wan is too slow and I cannot open any configuration pages.
I think it is depending on the network card. This problem is more serious in Intel gigabit NIC than realtek NIC.

Is there really no one who has experienced this same problem???

I tested with 1.2.1 0721 version.
I just added the firewall rule for allowing tcp 443 and 80 accessing to Wan address and turn off "block private network". There is no any other changes from the default setting, no traffic shaper.

Thank you.

sbyoon · Jul 23, 2008, 3:23 PM

I don't know why. But I can connect to Webgui from Wan after omitting "TSO" option from em0 interface.

ifconfig em0 -tso

sbyoon · Jul 24, 2008, 2:20 PM

After omitting tso from em interface I can access to Webgui from Wan but it is still too slow. Some pages like firewall rule page cannot be opened completely.
I tested with pfSense-Full-Update-1.2.1-TESTING-SNAPSHOT-20080724-0426.tgz.

Thank you.

sullrich · Jul 24, 2008, 4:30 PM

Try disable checksums in System -> Advanced

sbyoon · Jul 25, 2008, 3:11 AM

1. First, I found that the "disable hardware checksum offloading" in system -> advanced deos not work. I did it and rebooted the box but rxcsum, txcsum and tso have not been disappeared from em interface option. I think some code change is needed in pfsense-utils.inc. I can disable hardware checksum offloading with some changes in this file like as```
function enable_hardware_offloading($interface) {
global $g, $config;

if(stristr($interface,"lnc"))
return;
if(isset($config['system']['do_not_use_nic_microcode']))
return;

if($g['booting']) {
/* translate wan, lan, opt -> real interface if needed */
$int = filter_translate_type_to_real_interface($interface);
if($int <> "") $interface = $int;
$int_family = preg_split("/[0-9]+/", $int);
$options = strtolower(/sbin/ifconfig {$interface} | grep options);
$supported_ints = array('fxp');
if (in_array($int_family, $supported_ints))
mwexec("/sbin/ifconfig {$interface} link0");

if($config['system']['disablechecksumoffloading']) {
if(stristr($options, "rxcsum") == true)
mwexec("/sbin/ifconfig {$interface} -rxcsum 2>/dev/null");
if(stristr($options, "tso") == true)
mwexec("/sbin/ifconfig {$interface} -tso 2>/dev/null");
} else {
if(stristr($options, "txcsum") == true)
mwexec("/sbin/ifconfig {$interface} txcsum 2>/dev/null");
if(stristr($options, "rxcsum") == true)
mwexec("/sbin/ifconfig {$interface} rxcsum 2>/dev/null");
if(stristr($options, "polling") == true) {
mwexec("/sbin/ifconfig {$interface} polling 2>/dev/null");
} else {
mwexec("sysctl kern.polling.enable=0");
}
}
}
}


2\. After disable hardware checksum offloading, there is no change. The opening webgui pages from Wan is still slower than from Lan. For testing, you can open any firewall rule edit page from Wan and Lan. Then you can see the difference of opening speed. I tested it with em, re and dc NIC.

I used pfSense-Full-Update-1.2.1-TESTING-SNAPSHOT-20080724-2313.tgz.

Thank you.

eri-- · Jul 25, 2008, 8:04 AM

Are you in the same subnet as WAN?

sbyoon · Jul 25, 2008, 9:58 AM

Yes, my pc is in the same subnet as Wan.

eri-- · Jul 25, 2008, 12:00 PM

Well with a fix that went in 1.2.1 you will not be able to do that.
Place a router in-between and you can go full speed.

cmb · Jul 25, 2008, 8:31 PM

Ooh, fallout from the reply-to changes. we'll need to accommodate same-subnet traffic differently on each WAN.

ipv2 · Sep 7, 2008, 5:08 PM

Same problem here with the snapshot of 31-08-2008 via the LAN all is working fine. But via the WAN it's very slow (almost not working) no traffic shaper issue the traffic shaper is off. Also working with Intel Gigabit Ethernet (onboard on a super micro server). When I connect via a ssh tunnel from a directly attached machine through the WAN it's working just as good as the LAN. Have done some test to make shore that this is not a resolving issue. Know that almost for shore now. Looks like this problem has something to do with MTU of MSS (know my mtu is 1500 from client to the WAN even with the don't fragment bit) somebody knows a solution for this?

Thanks in Advance.

steveh · Sep 26, 2008, 12:32 AM

yep confirmed its tso thats causing the issue on 1.2.1-RC1 built on Thu Sep 25 11:47:42 EDT 2008
Whats really odd is even though there are pass rules for the packets some are still hitting the default deny when tso is enabled so theres something really quite low level breaking badly.

eri-- · Sep 26, 2008, 9:58 AM

The issue reported was not a tso problem but it i fixed it and should not be a problem anymore.

The tso/rxsum/txsum or later offloadings that will come in later 10Gbps drivers even work or don't so there is no middle way with them.
I guess FreeBSD-release 7.1 has some more corrections on this side but for now recommended is that:
if you face problems disable it.

ipv2 · Sep 26, 2008, 1:17 PM

When is issue is fixed? I've tested last week with the daily snapshot but still have the same problems.

Thanks

TheT · Sep 28, 2008, 8:11 AM

Hello,

I have the same problem with slowness in accessing webgui @ WAN. I created proxy connection into a server on the same switch as pfsense in order to be able to manage pfsense remotely.

Can we have this issue fixed soon? I applied snapshot on 092708 and still the same problem.

Regards,

TheT

eri-- · Sep 28, 2008, 10:23 AM

Can you please describe the problems you have more throughly.

What type of WAN connection do you have, etc…?

TheT · Sep 29, 2008, 8:27 AM

Here is my setup:

All ports are Intel Nic: 1gig

ISP <-> Switch / Foundry <-> WAN PFsense (Dell server with 2 intel nics) (LAN) <-> Switch <-> Servers1…N
|
ServerA

From ServerA I can access Pfsense webgui w/o any problem. The connection at ISP is 1Gig

From a computer at home using comcast and/or att - (DSL) - Connection to web gui at pfsense is very slow and not usable.

Regards,

TheT

eri-- · Sep 29, 2008, 9:01 AM

This seems like a tcp mss problem probably it is at your end unless you have some kind of pppoe/pptp connection on the pfSense at work.
Another test would be to move the gui of pfSense to another port and try.

ipv2 · Sep 29, 2008, 9:27 AM

Hi, My config is the same as the one of THeT, ISP -> pfsense wan, switch, server. from our office to the wan it's just to slow (more than a minute just to load one page) when I connect to the LAN (via a ssh tunnel from a server on the LAN it's fast as normal.
I've already tried another port for the WAN (from the onboard Intel to a port on the quad GE Intel card. problem just moves to the new port.

I was also thinking of some mss issue (see my earlier posts) but not able to figure out what the problem is exactly.

If you like to login to our system for some testing this is fine, it's not in production just in test (because of the slow WAN).

Juve · Oct 28, 2008, 1:14 PM

I did a ifconfig em0 -tso and everything is working as it should now.

TheT · Dec 9, 2008, 5:07 PM

Is the WAN interface slowness fixed in the lastest build?