
Author Topic: pfsense is not making sense  (Read 1010 times)


Offline scottdam

Re: pfsense is not making sense
« Reply #30 on: November 10, 2017, 08:31:56 am »
It sounds like you have a bad Network Card, maybe not necessarily bad, but not a good supported driver.  HAVP and Squid will kill your network speeds if you have a bad or unsupported driver.

Offline Stewart

Re: pfsense is not making sense
« Reply #31 on: November 10, 2017, 01:01:13 pm »
I noticed you said that Windows shows a 1Gb connection but what does the speed show as connected in pfSense?  Also, anything in the logs?  I've seen where it flaps so that every couple of seconds the link goes down for a couple of milliseconds and comes back causing issues like this.  Doubtful since it is a VM but just an idea.  Since it is a VM, how about just building a second VM and swapping over for a few minutes to test?

Offline raffi30

Re: pfsense is not making sense
« Reply #32 on: November 13, 2017, 08:26:32 am »
Thanks for the replies.

scottdam, a bad NIC/driver could also be a possible reason. I will only know for sure if I do a fresh install. I may also have to try going back to a fresh install of 2.3.x if it is a driver issue with 2.4.0. I did disable all the packages such as squid, snort and pfblocker. That didn't help.

Stewart, both the interfaces are 1 Gb. pfSense only shows the WAN as "Media 1000baseT <full-duplex,master>" under Status > Interfaces. It doesn't show that same line for the LAN, but I do know it's gigabit. Plus, if they weren't I wouldn't have gotten 120 Mbps when connecting a non-native PC to the network on the same exact cabling. What should I look for in the logs specifically? I don't see anything indicating a dropped connection on the system tab. Would it be there or elsewhere? Do I have to change the verbose mode of the logging to see it maybe? Right now it's set to the default.

I'm not running a VM, I have it running on actual hardware.

Offline raffi30

Re: pfsense is not making sense
« Reply #33 on: November 14, 2017, 09:54:50 am »
Alright... so I spent several hours on this again last night while the office was quiet.

Here is what I'm 100% sure of now... it is the pfsense box. How did I come to that conclusion? In addition to everything else, my last resort was to disconnect the WAN/LAN cable from pfsense and plug it into my old Netgear which it replaced. With the same exact network topology/IP's, I was getting the full 120 Mbps down. I plugged the pfsense box back in and was getting over 100 Mbps, but still not a solid and consistent 120 Mbps I should be getting.

What did I do before plugging in the Netgear? I did a fresh install of 2.4.1. I was still not getting full down speeds. I then decided to do a fresh install of 2.3.5, but still no luck. I then swapped out the one NIC I was a little wary of, my USB 3.0 to GBE adapter. I plugged in a brand new one, but still no solution. I know... not the best NIC to be using, but I have no real choice on this box I'm running. Besides, that NIC was giving me my full download speed at one point, so I don't believe that is the issue.

During all these trials mentioned above, I was using factory default settings with no additional packages installed. The only thing I did was configure the WAN and LAN IP's. The same IP's I've been using forever.

I have one last idea which I will try hopefully tonight. I have hardware checksum offloading enabled. I'm almost certain my USB 3.0 NIC is not up to par for that feature, and according to the pfsense book that feature is broken in some NICs and will cause problems with corrupted packets and throughput. I'm suspecting I have both problems. So I'm gonna try to disable that, cross my fingers, and then reboot the box.

Offline w0w

Re: pfsense is not making sense
« Reply #34 on: November 14, 2017, 01:51:36 pm »
Generally it's a bad idea to use USB NICs; I see no one having luck with this crap. If it's impossible to install a PCIe Intel card, but you have one embedded, then use VLANs and a VLAN-capable switch; otherwise you will need a different hardware setup to make things work as desired.

Offline raffi30

Re: pfsense is not making sense
« Reply #35 on: November 14, 2017, 02:17:15 pm »
Yea, the USB NIC is not intended to be used the way I'm using it on a firewall. I was hoping I could get away with it. I thought I did for a while, but maybe I was wrong. I'm not giving up on it just yet though. Call me stubborn, but I really want to be able to make use of this tiny PC that was collecting dust, especially since it has the same footprint as my old Netgear so it fits right in. The VLAN approach might be a good solution if it does turn out to be a bad NIC. That could also be a good excuse to justify purchasing a managed switch. I do have another PC lying around with actual PCIe slots. It has a MUCH bigger desktop footprint. If this becomes a real big issue, I may end up switching over to that.

Offline pdrass

Re: pfsense is not making sense
« Reply #36 on: November 15, 2017, 12:03:57 pm »

After all this you're using USB NICS LULZ.  You can't compare a Netgear (with no USB NIC) to a PFSense with a USB NIC.  That's like tying one hand behind the back of the PFSense.

The USB NIC is your problem.  Even IF it worked well on a prior version there's no way I'd put my life in the hands of a USB anything (besides a keyboard and mouse or my phone chargers LOL).

You're getting 100 Mb/s so who cares about the 20 Mb/s...?  Sure it's annoying BUT are you ever hitting all 100 Mb/s being consumed on your network?  Is Internet "slow" because you're missing 20 Mb/s...?  It seems like you're missing 20% of your bandwidth but if you're only consuming say... 50 Mb/s you actually have 50% utilization you're not even using so you're not even missing the 20 Mb/s / 20%.

I'd stop the madness and do something more productive like drink beer :P

Offline raffi30

Re: pfsense is not making sense
« Reply #37 on: November 15, 2017, 02:07:54 pm »
The 20 Mbps is what raised the red flag. I'm not losing sleep over the 20 Mbps because like you said, I'm not even using close to full bandwidth. At this point I want to understand why I'm losing it, not because I actually need it. This issue has helped me learn a lot about pfsense (I'm a newbie). The education is well worth the cost of 20 (unused) Mbps and a few forum posts.

By the way, disabling the hardware checksum offloading didn't help either. I know everyone on these forums hates the USB NICs, but hatred alone wouldn't hold up in court. I'm still trying to understand how to definitively diagnose if it is a NIC issue. There must be dropped/corrupted packets if that's the case. The attached packet graphs are not clear to me. Is the WAN inpass supposed to be close to LAN outpass? The WAN to LAN would be my downstream. It looks like some packets are not making it out onto the LAN. For example, in the average, I have 983.73 pps coming into the WAN but only 915.54 pps making it out of the LAN. That's roughly 7% loss? Are there other factors such as packets not allowed due to filtering? Or would those go under the in/out block category and have nothing to do with it?

Thanks all for the help.
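
One way to look for the dropped or corrupted packets asked about above is to read the per-interface error counters the driver reports, rather than comparing pass rates on the graphs. This is an added example, not part of the original thread; it assumes the FreeBSD `netstat -i -n` column layout (`Ipkts Ierrs Idrop Opkts Oerrs Coll`), and the interface names and counter values in the sample are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): summarise NIC error/drop counters
# from `netstat -i -n` text read on stdin.
# Assumption: FreeBSD column layout ending in Ipkts Ierrs Idrop Opkts Oerrs Coll.

nic_error_report() {
    # Only <Link#N> rows carry hardware counters; address rows show "-".
    # Counters are read from the right-hand side because the Address column
    # can be empty (e.g. lo0), which shifts the left-hand field positions.
    awk '
    $3 ~ /^<Link#/ && NF >= 9 {
        ipkts = $(NF-5); ierrs = $(NF-4); idrop = $(NF-3)
        opkts = $(NF-2); oerrs = $(NF-1)
        in_bad  = ierrs + idrop
        in_pct  = (ipkts > 0) ? 100 * in_bad / ipkts : 0
        out_pct = (opkts > 0) ? 100 * oerrs  / opkts : 0
        verdict = (in_bad + oerrs > 0) ? "CHECK" : "clean"
        # iface, input errors+drops as % of Ipkts, output errors as % of Opkts
        printf "%s %.2f %.2f %s\n", $1, in_pct, out_pct, verdict
    }'
}

# Constructed sample: re0 as an onboard NIC, ue0 as a USB NIC with errors.
sample_netstat() {
    cat <<'EOF'
Name    Mtu Network       Address              Ipkts Ierrs Idrop    Opkts Oerrs  Coll
re0    1500 <Link#1>      00:00:5e:00:53:01  8500000     0     0  4100000     0     0
re0       - 192.0.2.0/24  192.0.2.10         8400000     -     -  4000000     -     -
ue0    1500 <Link#2>      00:00:5e:00:53:02  4000000 12000  8000  7900000   150     0
lo0   16384 <Link#3>                            1200     0     0     1200     0     0
EOF
}

sample_netstat | nic_error_report
```

On the firewall itself the same function can be fed live data with `netstat -i -n | nic_error_report`, run before and after a speed test so the counters can be compared.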


Offline tim.mcmanus

Re: pfsense is not making sense
« Reply #38 on: November 15, 2017, 03:00:55 pm »
During all these trials mentioned above, I was using factory default settings with no additional packages installed. The only thing I did was configure the WAN and LAN IP's. The same IP's I've been using forever.


Did you restore your settings as part of the factory default?  Or did you go into the UI and manually create default settings for this test?

I am very paranoid because of issues I've had in the past doing pfSense upgrades (since 1.2.3).  I input my settings from scratch after each upgrade.  Why?  Paranoia, and I don't have issues after upgrades.

So I'd be keen to understand if you did minimal settings manually to run the tests or uploaded your previous settings prior to testing.
Intel Core i3-2100 Sandy Bridge dual core - Intel BOXDQ77MK LGA 1155 Intel Q77 - 4GB RAM - 320 GB 7200RM HD - 2 x Intel EXPI9301CTBLK 10/ 100/ 1000Mbps PCI-Express Network Adapter

Offline raffi30

Re: pfsense is not making sense
« Reply #39 on: November 15, 2017, 03:15:57 pm »
Hi tim.mcmanus,
Sorry for not being clear on my post. The settings were factory default because I did a fresh install of 2.4.1. All I did after the fresh install was configure WAN and LAN IP's. I then ran my test again and found no difference. So I then repeated the same process of fresh install with 2.3.5, configured IP's, and ran the test. Neither made any difference.

After all the tests not making any difference, I decided I might as well upgrade to 2.4.1 again and restore all my settings. I haven't had any new issues with it. I did have to reconfigure my WPAD file (as expected) and also my snort disable.conf SID management file (unexpected).

Raffi