
Author Topic: Bribing pfSense  (Read 3941 times)


Offline Mr. Jingles

  • Hero Member
  • Posts: 1136
  • Karma: +92/-724
Bribing pfSense
« on: July 20, 2015, 10:45:10 am »
(marketing  ;D ).

Are there any plans to make the GUI faster? Bribe?

GUI was never fast to begin with, but with every version it gets slower. Waiting up to 10 seconds to move to the next screen is quite, well, sorry, absurd and ridiculous.

I'm not alone in this matter, as others, like for example Supermule I think, also confirmed this (edit: this thread https://forum.pfsense.org/index.php?topic=95769.0;topicseen).

This is running on a full install, in a SOHO environment (6 people on the box, doing nothing but the usual accounting stuff).

Btw: pic1: CPU doesn't update in 10 seconds; it never updates.

This was once again a fresh install, please don't tell me I have to again waste a full day reinstalling from scratch and customizing everything by hand (config restore has never worked for me in the first place, so that is no option).

For those wondering: Snort runs on WAN2, Suricata on WAN1 (testing). Bill said this is no problem.

Thank you.
« Last Edit: July 22, 2015, 02:30:38 am by Mr. Jingles »
6 and a half billion people know that they are stupid, aggressive, lower life forms.

Offline mhab12

  • Hero Member
  • Posts: 694
  • Karma: +7/-0
Re: Bribing pfSense
« Reply #1 on: July 20, 2015, 10:58:03 am »
I had similar problems (horrid GUI lag) and the issue turned out to be related to DNS lookups from the firewall itself. I had disabled the DNS Forwarder/DNS Resolver but failed to tick the box 'Do not use the DNS Forwarder as a DNS server for the firewall' in the General setup. The GUI was waiting for DNS time out on every single page load, no matter if the page needed outside content or not.

Perhaps the underlying issue is that DNS queries are being run when every GUI page loads?
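The check a practitioner would want after reading mhab12's reply is to measure, resolver by resolver, whether name resolution from the firewall itself answers quickly or hangs until the timeout. The following is an added example, not code from the thread or from pfSense: it parses a resolv.conf-style list, sends a raw DNS A query to each resolver with a timeout, and reports the elapsed time. Because it has to run offline, two fake UDP resolvers on 127.0.0.1 stand in for a healthy upstream and a dead one; the hostnames, the 192.0.2.10 answer, the 192.0.2.53 resolver address and the 0.3 s timeout are all constructed.

```python
"""Probe each configured resolver with a raw DNS A query and time it.

Added example (not pfSense code). The resolvers and the answer returned by
the fake server are constructed for the demonstration.
"""
import socket
import struct
import threading
import time

TXID = 0x1234  # fixed transaction id for the demo; use a random one in production


def parse_resolv_conf(text):
    """Return nameserver addresses in resolv.conf order (the order libc tries
    them; a dead entry at the top costs a full timeout on every lookup)."""
    return [ln.split()[1] for ln in text.splitlines()
            if ln.strip().startswith("nameserver") and len(ln.split()) > 1]


def build_query(name, txid=TXID):
    """Minimal DNS query: header with RD set, one A/IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def parse_first_a(resp, query):
    """Return the first A record in the answer section, or None."""
    if len(resp) < 12 or resp[:2] != query[:2]:
        return None  # transaction id mismatch: discard, as a resolver would
    flags, _qdcount, ancount = struct.unpack("!HHH", resp[2:8])
    if flags & 0x000F != 0 or ancount == 0:
        return None  # non-zero RCODE or empty answer section
    off = len(query)  # the question section is echoed back verbatim
    if resp[off] & 0xC0 == 0xC0:
        off += 2  # compression pointer to the question name
    else:
        while resp[off]:
            off += resp[off] + 1
        off += 1
    rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
    off += 10
    if rtype == 1 and rdlen == 4:
        return socket.inet_ntoa(resp[off:off + 4])
    return None


def probe(resolver, name, timeout):
    """Send one A query to (host, port); report status, answer and elapsed time."""
    query = build_query(name)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    start = time.monotonic()
    try:
        sock.sendto(query, resolver)
        data, _ = sock.recvfrom(512)
        return {"status": "ok", "answer": parse_first_a(data, query),
                "elapsed": time.monotonic() - start}
    except socket.timeout:
        return {"status": "timeout", "answer": None,
                "elapsed": time.monotonic() - start}
    finally:
        sock.close()


def start_fake_resolver(respond):
    """Fake UDP resolver on 127.0.0.1: answers 192.0.2.10, or drops silently."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))

    def serve():
        while True:
            q, addr = srv.recvfrom(512)
            if not respond:
                continue  # black hole: the client will sit out its timeout
            hdr = q[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)
            ans = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + socket.inet_aton("192.0.2.10")
            srv.sendto(hdr + q[12:] + ans, addr)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()


def demo(timeout=0.3):
    """Probe a dead and a healthy resolver; returns both results."""
    dead = start_fake_resolver(respond=False)
    good = start_fake_resolver(respond=True)
    return {"dead": probe(dead, "www.example.test", timeout),
            "good": probe(good, "www.example.test", timeout)}


if __name__ == "__main__":
    # On the firewall itself you would instead build the list with
    # [(ip, 53) for ip in parse_resolv_conf(open("/etc/resolv.conf").read())]
    for label, result in demo().items():
        print(f"{label}: {result['status']} in {result['elapsed']:.3f}s answer={result['answer']}")
```

The dead resolver produces exactly the symptom described above: every lookup waits the full timeout before the next resolver is tried, so a page that triggers even one lookup stalls by that much. Run the real list from /etc/resolv.conf in the order it is written, since that is the order the firewall's own lookups follow.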

Offline Mr. Jingles

  • Hero Member
  • Posts: 1136
  • Karma: +92/-724
Re: Bribing pfSense
« Reply #2 on: July 20, 2015, 11:01:26 am »
Quote
I had similar problems (horrid GUI lag) and the issue turned out to be related to DNS lookups from the firewall itself. I had disabled the DNS Forwarder/DNS Resolver but failed to tick the box 'Do not use the DNS Forwarder as a DNS server for the firewall' in the General setup. The GUI was waiting for DNS time out on every single page load, no matter if the page needed outside content or not.

Perhaps the underlying issue is that DNS queries are being run when every GUI page loads?

Thanks  :-*

I, however, did tick that box 'Do not use DNS-forwarder' because my OpenVPN-client otherwise is leaking DNS (appears a feature, not a bug, so I've read).

Could I ask, what do you mean with this:

Quote
I had disabled the DNS Forwarder/DNS Resolver

You need the DNS server to service your LAN, no (?). Why did you disable that? LAN doesn't work without a DNS service(?)
6 and a half billion people know that they are stupid, aggressive, lower life forms.

Offline KOM

  • Hero Member
  • Posts: 5602
  • Karma: +688/-23
Re: Bribing pfSense
« Reply #3 on: July 20, 2015, 11:58:27 am »
Quote
You need the DNS server to service your LAN, no (?).

If they're in an AD environment, for instance, then they would be using MS DNS on some other server.

Offline Mr. Jingles

  • Hero Member
  • Posts: 1136
  • Karma: +92/-724
Re: Bribing pfSense
« Reply #4 on: July 20, 2015, 12:09:11 pm »
Quote
You need the DNS server to service your LAN, no (?).

If they're in an AD environment, for instance, then they would be using MS DNS on some other server.

This is why you know these things; I didn't think about other servers doing these things. But, of course, in corporate environments it makes sense to not bother the firewall with these other tasks.

My setting basically is SOHO Ltd. GmbH AG NV Sarl SPRL Inc.( ;D ).

So I don't have different servers for different roles (whereas I completely understand the need for them in big companies). I have a box with 6 users, me and 5 women doing accounting stuff.
6 and a half billion people know that they are stupid, aggressive, lower life forms.

Offline doktornotor

  • Hero Member
  • Posts: 8553
  • Karma: +962/-278
  • Not a pfSense employee, they cannot fire me...
Re: Bribing pfSense
« Reply #5 on: July 20, 2015, 12:19:45 pm »
Quote
Btw: pic1: CPU doesn't update in 10 seconds; it never updates.

Well this is normally fixed by wiping your browser cache. (And no, no idea why, don't ask me...)
Do NOT PM for help!

Offline KOM

  • Hero Member
  • Posts: 5602
  • Karma: +688/-23
Re: Bribing pfSense
« Reply #6 on: July 20, 2015, 01:38:22 pm »
Quote
I have a box with 6 users, me and 5 women doing accounting stuff.

Heh, "accounting stuff"...

I would like to see this box you keep your women in.

Offline johnpoz

  • Hero Member
  • Posts: 15168
  • Karma: +1413/-206
  • Not a pfSense employee, they cannot fire me...
Re: Bribing pfSense
« Reply #7 on: July 21, 2015, 03:46:15 pm »
Can you run any more services on this box?

You need both snort and suricata -- really?

Pages on my webgui don't even take 1001; going to the main dashboard page with lots of widgets on it from, say, the service status page takes 1001, 1002.
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or https://www.freebsdfoundation.org/donate/
1x SG-2440 2.4.2-RELEASE-p1 (work)
1x SG-4860 2.4.2-RELEASE-p1 (home)

Offline Mr. Jingles

  • Hero Member
  • Posts: 1136
  • Karma: +92/-724
Re: Bribing pfSense
« Reply #8 on: July 22, 2015, 12:01:41 am »
Quote
Btw: pic1: CPU doesn't update in 10 seconds; it never updates.

Well this is normally fixed by wiping your browser cache. (And no, no idea why, don't ask me...)

It once again proves I'm not normal (tell me something new): doesn't solve it (cache gets deleted automatically on browser close). I did notice it is a little bit faster in Firefox, but not that much faster.
6 and a half billion people know that they are stupid, aggressive, lower life forms.

Offline Mr. Jingles

  • Hero Member
  • Posts: 1136
  • Karma: +92/-724
Re: Bribing pfSense
« Reply #9 on: July 22, 2015, 12:02:59 am »
Quote
I have a box with 6 users, me and 5 women doing accounting stuff.

Heh, "accounting stuff"...

I would like to see this box you keep your women in.

Pic1: only when the IRS comes.
Pic2: the empire I'm secretly building.
6 and a half billion people know that they are stupid, aggressive, lower life forms.

Offline Mr. Jingles

  • Hero Member
  • Posts: 1136
  • Karma: +92/-724
Re: Bribing pfSense
« Reply #10 on: July 22, 2015, 12:04:54 am »
Quote
Can you run any more services on this box?

Yes, look in system/packages/available -> there's many more there (don't tell me you didn't know this, John :o ).


Quote
You need both snort and suricata -- really?

Quote
For those wondering: Snort runs on WAN2, Suricata on WAN1 (testing). Bill said this is no problem.
6 and a half billion people know that they are stupid, aggressive, lower life forms.

BlueKobold

  • Guest
Re: Bribing pfSense
« Reply #11 on: July 22, 2015, 12:05:36 am »
Quote
For those wondering: Snort runs on WAN2, Suricata on WAN1 (testing).
Not really,

Quote
Bill said this is no problem.
Hmm, from my point of view: what I was seeing on an Alix board was slow, on an Alix APU board it
was faster but not fast, and on a C2758 it is really wicked fast. But it mostly depends on what you
have installed, running services, installed widgets and so on.

Double IDS/IPS should also be narrowing this down a bit, I think.

Quote
I did notice it is a little bit faster in Firefox, but not that much faster.
What kind of services are you running?
Squid, SquidGuard, HAVP, DNS, DPI, VLANs, heavy QoS,...........

Offline Mr. Jingles

  • Hero Member
  • Posts: 1136
  • Karma: +92/-724
Re: Bribing pfSense
« Reply #12 on: July 22, 2015, 02:22:12 am »
Quote
For those wondering: Snort runs on WAN2, Suricata on WAN1 (testing).
Not really,

Yes, really ( ;D ) (Meaning: what did you mean?)

Quote
Bill said this is no problem.
Hmm, from my point of view: what I was seeing on an Alix board was slow, on an Alix APU board it
was faster but not fast, and on a C2758 it is really wicked fast. But it mostly depends on what you
have installed, running services, installed widgets and so on.

Isn't my CPU and my 16GB RAM slightly more powerful than Alix?

Quote
Double IDS/IPS should also be narrowing this down a bit, I think.

What do you mean? CPU = 28%, RAM = 1,8GB (13%). That's not shocking I think, and nothing that would prevent the GUI-subsystem from responding.
Quote
I did notice it is a little bit faster in Firefox, but not that much faster.
What kind of services are you running?
Squid, SquidGuard, HAVP, DNS, DPI, VLANs, heavy QoS,...........

Those in the screenshot + traffic shaping  ;D
6 and a half billion people know that they are stupid, aggressive, lower life forms.

Offline Gertjan

  • Hero Member
  • Posts: 2432
  • Karma: +191/-9
Re: Bribing pfSense
« Reply #13 on: July 24, 2015, 06:08:09 am »
Quote
For those wondering: Snort runs on WAN2, Suricata on WAN1 (testing).
Not really,

Yes, really ( ;D ) (Meaning: what did you mean?)


He means that even when each one deserves ONE NIC, not two, they are still running both at the same time on the box.
These two are cycle eaters.
Slow GUI could mean: you are running out of these cycles.

[ Or, other broken stuff like a brainless DNS would do even better ]

Btw: the "updating in 10 seconds" could be the result of a slow GUI problem - OR: you have a browser cache problem, some old Java scripts are still present: nuke browser cache to be sure.

Access your pfSense box using the medic entrance: put on your gloves, and SSH in.
When you see the menu, go for option 8, don't worry, it's dark in there, that's ok.
Type this command
top

Show us a screen (text !!) copy using the "Code" bbcode.
Something like this
Code:
last pid: 19531;  load averages:  0.16,  0.17,  0.13                                up 9+00:53:58  13:05:15
71 processes:  1 running, 70 sleeping
CPU:  0.4% user,  0.0% nice,  0.2% system,  0.4% interrupt, 99.0% idle
Mem: 14M Active, 295M Inact, 153M Wired, 192K Cache, 204M Buf, 1489M Free
Swap: 4096M Total, 4096M Free

  PID USERNAME  THR PRI NICE   SIZE    RES STATE   C   TIME    WCPU COMMAND
81667 root        1  20    0   223M 33072K nanslp  0   0:00   0.29% php-fpm
 5528 root        1  20    0 65132K 17360K kqread  1  28:15   0.00% lighttpd
20764 root        1  20    0 12456K  2168K select  1   5:18   0.00% apinger
 4879 root        1  20    0 52844K  6960K kqread  1   1:54   0.00% lighttpd
94541 nobody      1  20    0 30264K  4960K select  1   1:43   0.00% dnsmasq
57214 root        1  28    0 49820K 12296K select  1   0:52   0.00% perl
32771 root        1  52   20 17136K  2700K wait    1   0:34   0.00% sh
71546 root        1  20    0 18984K  2768K select  1   0:32   0.00% usbhid-ups
87976 root        1  20    0 50800K 10828K kqread  0   0:23   0.00% lighttpd
31143 root        1  20    0 14656K  2340K select  0   0:23   0.00% syslogd
29813 dhcpd       1  20    0 24844K 13708K select  0   0:23   0.00% dhcpd
  243 root        1  25    0   219M 21308K kqread  0   0:22   0.00% php-fpm
30581 dhcpd       1  20    0 24972K 11736K select  1   0:20   0.00% dhcpd
20996 root        1  20    0 28344K  3008K piperd  0   0:19   0.00% rrdtool
16790 root        1  20    0 16804K  2308K bpf     0   0:13   0.00% filterlog
 6307 root        1  20    0 43608K  6344K select  0   0:12   0.00% mpd5
80158 root        1  20    0 28168K 18052K select  1   0:09   0.00% ntpd
98277 root        1  20    0 14532K  2224K select  0   0:08   0.00% radvd
35631 root        1  23    0   227M 41308K accept  1   0:07   0.00% php
74158 root        1  20    0 18844K  2572K select  0   0:07   0.00% upsd
 3844 root        5  52    0 27568K  3128K uwait   0   0:06   0.00% filterdns
56128 root        1  20    0   223M 34980K accept  1   0:06   0.00% php
76711 uucp        1  20    0 18832K  2592K nanslp  1   0:05   0.00% upsmon
56214 root        1  21    0   223M 34976K accept  1   0:05   0.00% php
26234 root        1  20    0   223M 34980K accept  1   0:04   0.00% php
10743 root        1  21    0   223M 34976K accept  1   0:03   0.00% php
10397 root        1  20    0   227M 41796K accept  1   0:02   0.00% php
 6188 root        1  25    0 12404K  1916K nanslp  1   0:01   0.00% minicron
 8910 root        1  21    0   227M 41500K accept  0   0:01   0.00% php
34702 root        1  20    0 16664K  2296K nanslp  0   0:01   0.00% cron
 8161 root        1  20    0   227M 41788K accept  0   0:01   0.00% php
17633 root        1  20    0 18780K  2376K select  0   0:01   0.00% inetd
 7340 root        1  20    0   227M 41904K accept  1   0:01   0.00% php
 8855 root        1  20    0   219M 22360K wait    0   0:00   0.00% php
 9200 root        1  20    0   223M 34972K accept  1   0:00   0.00% php
42716 root        1  40    0 12404K  1916K nanslp  1   0:00   0.00% minicron
  272 root        1  20    0 13160K  4476K select  1   0:00   0.00% devd
  259 root        1  40   20 19024K  2588K kqread  1   0:00   0.00% check_reload_status
 6702 root        1  52    0   219M 22360K wait    1   0:00   0.00% php
 8598 root        1  26    0   219M 22360K wait    0   0:00   0.00% php
 7146 root        1  52    0   219M 22360K wait    0   0:00   0.00% php
 5022 root        1  52    0   219M 22360K wait    1   0:00   0.00% php

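Once you have a `top` snapshot like the one above, the question Gertjan is really asking is whether the box is out of CPU cycles or whether the GUI is slow for some other reason. The following added example (not from the thread, not pfSense code) parses a FreeBSD `top` snapshot into load averages, idle percentage and per-command CPU and resident-memory totals, then applies a rule of thumb. SAMPLE_TOP is a trimmed copy of the snapshot Gertjan posted; the 80% idle floor, the core count passed to `verdict()` and the wording of the verdicts are assumptions, not anything the thread states.

```python
"""Summarise a FreeBSD `top` snapshot: is the box actually CPU-starved?

Added example, not from the thread. SAMPLE_TOP is a trimmed copy of the
snapshot posted above; the thresholds in verdict() are assumptions.
"""
import re

SAMPLE_TOP = """\
last pid: 19531;  load averages:  0.16,  0.17,  0.13    up 9+00:53:58  13:05:15
71 processes:  1 running, 70 sleeping
CPU:  0.4% user,  0.0% nice,  0.2% system,  0.4% interrupt, 99.0% idle
Mem: 14M Active, 295M Inact, 153M Wired, 192K Cache, 204M Buf, 1489M Free
Swap: 4096M Total, 4096M Free

  PID USERNAME  THR PRI NICE   SIZE    RES STATE   C   TIME    WCPU COMMAND
81667 root        1  20    0   223M 33072K nanslp  0   0:00   0.29% php-fpm
 5528 root        1  20    0 65132K 17360K kqread  1  28:15   0.00% lighttpd
20764 root        1  20    0 12456K  2168K select  1   5:18   0.00% apinger
 4879 root        1  20    0 52844K  6960K kqread  1   1:54   0.00% lighttpd
94541 nobody      1  20    0 30264K  4960K select  1   1:43   0.00% dnsmasq
  243 root        1  25    0   219M 21308K kqread  0   0:22   0.00% php-fpm
35631 root        1  23    0   227M 41308K accept  1   0:07   0.00% php
56128 root        1  20    0   223M 34980K accept  1   0:06   0.00% php
"""

UNITS = {"K": 1, "M": 1024, "G": 1024 * 1024}


def to_kib(size):
    """Convert top's size strings (33072K, 223M) to KiB."""
    m = re.fullmatch(r"(\d+)([KMG])", size)
    if not m:
        raise ValueError(f"unexpected size field: {size}")
    return int(m.group(1)) * UNITS[m.group(2)]


def parse_top(text):
    """Extract load averages, CPU idle and per-command CPU/RES totals."""
    load_match = re.search(r"load averages:\s*([\d.]+),\s*([\d.]+),\s*([\d.]+)", text)
    load = [float(x) for x in load_match.groups()]
    idle = float(re.search(r"([\d.]+)% idle", text).group(1))
    per_cmd = {}
    in_table = False
    for line in text.splitlines():
        cols = line.split()
        if cols[:1] == ["PID"]:
            in_table = True  # header row: process rows follow
            continue
        if not in_table or len(cols) < 12:
            continue
        # columns: PID USERNAME THR PRI NICE SIZE RES STATE C TIME WCPU COMMAND
        wcpu = float(cols[10].rstrip("%"))
        res_kib = to_kib(cols[6])
        entry = per_cmd.setdefault(cols[11], {"count": 0, "wcpu": 0.0, "res_kib": 0})
        entry["count"] += 1
        entry["wcpu"] += wcpu
        entry["res_kib"] += res_kib
    return {"load": load, "idle": idle, "per_command": per_cmd}


def verdict(summary, ncpu, idle_floor=80.0):
    """Assumed rule of thumb: idle above the floor and 1-minute load below
    the core count means the GUI lag is not a CPU shortage."""
    cpu_bound = summary["idle"] < idle_floor or summary["load"][0] >= ncpu
    if cpu_bound:
        return "cpu-bound: trim IDS/IPS and packages first"
    return "not cpu-bound: look at DNS, browser cache and widgets"


if __name__ == "__main__":
    s = parse_top(SAMPLE_TOP)
    print(f"load {s['load']} idle {s['idle']}% -> {verdict(s, ncpu=2)}")
    for cmd, e in sorted(s["per_command"].items(), key=lambda kv: -kv[1]["wcpu"]):
        print(f"{cmd:12} x{e['count']}  {e['wcpu']:.2f}% CPU  {e['res_kib'] // 1024} MiB RES")
```

Feed it the output of `top -b` from the shell reached via menu option 8 (redirect it to a file, or pipe it into `python3 - ` on a machine with Python). The point of grouping by command is that the GUI is served by lighttpd plus a pool of php-fpm workers, so those rows are the ones to watch; in the snapshot above they are idle, which is consistent with the box not being short of cycles.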

Offline jimp

  • Administrator
  • Hero Member
  • Posts: 21566
  • Karma: +1471/-26
Re: Bribing pfSense
« Reply #14 on: July 24, 2015, 08:28:24 am »
2.3 will have a shiny new Bootstrap-based GUI, so that should at least be different, if not faster. :-)
Need help fast? Commercial Support!

Co-Author of pfSense: The Definitive Guide. - Check the Doc Wiki for FAQs.

Do not PM for help!