[SOLVED] pfSense in VM extremly slow

[astrakid]

hi,
in my home-setup i was trying to set up pfSense in a virtual machine with two virtual network interfaces. on the proxmox host itself is only one network available.
all in all the routing is working, local network is working and wan as well, everything is routed well.
but: the performance is absolutely low. from another virtual machine i get less than 100kb/s.

the proxmos host is a intel g4560 on an msi board, nothing really fast, but it is absolutely sufficient for 3 VMs (freepbx (vm), nextcloud (lxc), pfsense(vm)) and soe docker container. the load is always below 10%.
16gb of ram are installed. everything runs really fine, my wan-connection is 25mbit/s (down, up 5mbit/s) and i can use the whole bandwidth from pcs, server, vms.

the network structure is:
router1 (dsl modem) <-1-> router2 <-2-> lan

i was trying to remove router2, because i don't need it anymore (was used for time conditions for children and wlan access). the substitue should be pfsense (some kind of security, nat and time based access profiles).

all components are connected through a switch, router1 and pfsense communicating with ip subnet 192.168.1.0/24 and pfsense communicating with lan with ip subnet 10.0.0.0/24.

that works as mentioned before, the pfsense load is always below 10%.
i tested all virtual nic driver proxmox is offering, but all behave bad.

in my local network is very low traffic, most wlan devices might do the usual internet traffic, but nothing really using much bandwidth.

any idea, why this scenario is so slow?

i know that this kind of architecture is not really secure, that is not part of this question. I am just curious why it is not working as expected.

kind regards,
andre

edit: i already disabled hardware checksum offloading as well as tso ald lro. webgui of pfsense is quite fast, so i guess it has to do with wan connection.

edit2: pfsense version 2.4.3-RELEASE-p1 (amd64), proxmox 5.2-1

 

[Dark26]

i was thinking hardware checksum offloading, but you did that already...

maybe test with an iperf if it 's possible to check .

 

[astrakid]

host -> iperf-server, pfsense iperf-client:

host:
root@server:~# iperf -s
------------------------------------------------------------
Server listening on TCP port 5001
TCP window size: 85.3 KByte (default)
------------------------------------------------------------
[  4] local 10.0.0.2 port 5001 connected with 10.0.0.4 port 23099
[ ID] Interval       Transfer     Bandwidth
[  4]  0.0- 5.5 sec  9.16 GBytes  14.2 Gbits/sec
[  5] local 10.0.0.2 port 5001 connected with 10.0.0.4 port 44851
[  5]  0.0- 8.8 sec  14.4 GBytes  14.1 Gbits/sec

pfsense:

# iperf -c 10.0.0.2
------------------------------------------------------------
Client connecting to 10.0.0.2, TCP port 5001
TCP window size: 64.2 KByte (default)
------------------------------------------------------------
[  3] local 10.0.0.4 port 23099 connected with 10.0.0.2 port 5001
^C[ ID] Interval       Transfer     Bandwidth
[  3]  0.0- 5.5 sec  9.16 GBytes  14.2 Gbits/sec
# iperf -c 10.0.0.2
------------------------------------------------------------
Client connecting to 10.0.0.2, TCP port 5001
TCP window size: 64.2 KByte (default)
------------------------------------------------------------
[  3] local 10.0.0.4 port 44851 connected with 10.0.0.2 port 5001
^C[ ID] Interval       Transfer     Bandwidth
[  3]  0.0- 8.8 sec  14.4 GBytes  14.1 Gbits/sec

other direction:

# iperf -s
------------------------------------------------------------
Server listening on TCP port 5001
TCP window size: 63.7 KByte (default)
------------------------------------------------------------
[  4] local 10.0.0.4 port 5001 connected with 10.0.0.2 port 33908
[ ID] Interval       Transfer     Bandwidth
[  4]  0.0- 8.4 sec   765 MBytes   765 Mbits/sec
[  5] local 10.0.0.4 port 5001 connected with 10.0.0.2 port 33914
[  5]  0.0- 6.9 sec   646 MBytes   785 Mbits/sec

=> quite slowlier, but nevertheless more than fast enough for me.

 

[micro]

Try to play with the following options: "Disable Firewall Scrub" and probably "IP Do-Not-Fragment compatibility"

 

[Dark26]

Do you have some QOS somewhere?

 

[astrakid]

Try to play with the following options: "Disable Firewall Scrub" and probably "IP Do-Not-Fragment compatibility"

on host or vm?
thanks for the hint
regards.

edit: i see, it is a pfsense option. i am sure i changed tht already without any effect.

 

[astrakid]

Do you have some QOS somewhere?

no. i am going to use traffic shaping on pfsense in the future, but currently nothing is limited.

 

[micro]

on host or vm?
thanks for the hint
regards.

edit: i see, it is a pfsense option. i am sure i changed tht already without any effect.

In pfsense. I've seen this option "Disable Firewall Scrub" enabled OR disabled to mess with the network speed (100KB/s). After enabling or disabling it you have to reboot.

 

[killmasta93]

go to advance----networking and at the bottom Hardware Checksum Offloading check that to disable it

 

[astrakid]

just to close this thread: After a nearly complete new configuration and handling some further configs on my routers in front of the chain the issue is solved. I have the feeling that not pfsense or proxmox was root cause of this issue, but a router beforehead.

thanks a lot for all the hints that i followed that might have optimised my configuration before i encounter any further performance gaps. ;-)

kind regards!

 

[hoggle]

I also had performance trouble with pfsense as a proxmox guest.
But my solution to this was neither related to proxmox nor to pfsense.

I needed to put my cable modem in BRIDGE-MODE to get full throttle
(even though Vodafone recommends on the settings page not to do so - they have no clue...)

 

[gdmax]

go to advance----networking and at the bottom Hardware Checksum Offloading check that to disable it

Thanks for the tip, it helped on my Dell T320 server, now speed at Max

 

[Vantage]

Same problem here, Thanks killmasta93 it worked ...

 

[killmasta93]

im glad this helped took me many hours to find that issue