HELP troubleshooting an issue
-
I am having a problem with pfSense 2.3-release.
I have 64 static IP Addresses, and recently I had a customer that I moved his 3 servers from one side of my firewall to the other and now we are experiencing a serious slow down for his servers.
Initially I had his three servers plugged into a vlan on my managed switch where his IP Addresses were 100% open and unfirewalled. Earlier today I moved his server from that VLan to a second vlan (same managed switch), but this VLan is protected by pfsense.
In PF Sense I setup Virtual IP addresses for his three assigned IPs.
Then I setup NAT rules for HTTP/FTP to be forwarded from the Virtual IPs to his various boxes.Now response times have slowed noticably (literally doubled or more) in load times from outside the firewall.
When I use Status| Traffic Graph to monitor overall bandwidth I see an occassional 4-5 Mbps spike, but 99.9% of the time my bandwidth is measured in Kbps… I am on a 300mbps fiber network w/ managed gigabit switches.
My pfSense Firewall is managing 5 static IP addresses, and behind the firewal is 4 servers and my personal workstation. Load should be minimal on the network overall.
I am fairly new to using pfSense and definately new to troubleshooting problems like this. Can someone point me to some help...
-
SERIOUSLY No offers of help?
-
No telling from that. Packet capture traffic WAN-side to the destination public IPs in question, and internally on the VLAN where those systems reside.
Couple wild guesses. Maybe DNS is no longer functioning on the servers because their config wasn't changed correctly for the network move and the lack of DNS makes it wait for a timeout. Maybe not enough ports are opened and it starts trying one port, times out, and moves on to another.
-
I wasn't too clear…
The three machines that I moved were web servers. people from the web could access them with little issue.
When those three machines were moved behind pfSense the public access speeds slowed noticably...
I have a user that works with these machines all day from his office. Within minutes of moving them behind pfSense he called telling me how much slower they were for him...
Access outbound testing to bandwidth test sites is getting 260-280mbps from each of these machines.
The DNS's should not have an impact, but with that said I am using googles public DNS 8.8.8.8 for all of my servers behind pfSense and have DNS features in pfSense turned off
-
Need to narrow it down further. If you put speedtest mini on the server, or just a good sized file of random contents (assuming a Linux server, something like 'dd if=/dev/random of=/var/www/100mb.test bs=1M count=100' to create a 100mb.test file to download), have the user try to download that file to see what the speed's like there.
I'm guessing that will probably perform just fine. If it does, then you've ruled out anything to do with performance of the firewall.
It's likely something related to the IP changing. Maybe it's trying to talk to its own hostname or public IP and you don't have NAT reflection enabled.
-
I cannot get NAT Reflection to work at all. The only way I have been able to access actual URL's that are behind the firewall with my workstation, or any other machine behind the firewall is through the HOSTS file