{"id":14181,"date":"2018-01-26T16:04:57","date_gmt":"2018-01-26T16:04:57","guid":{"rendered":"https:\/\/www.firewallhardware.it\/pfsenseproblemi-di-throughput-hardware-e-troubleshooting-del-sistema\/"},"modified":"2023-06-05T17:32:46","modified_gmt":"2023-06-05T15:32:46","slug":"pfsense-hardware-throughput-problems-and-system-troubleshooting","status":"publish","type":"post","link":"https:\/\/blog.miniserver.it\/en\/pfsense\/pfsense-hardware-throughput-problems-and-system-troubleshooting\/","title":{"rendered":"pfSense: Hardware Throughput Problems and System Troubleshooting"},"content":{"rendered":"<div class=\"fusion-fullwidth fullwidth-box fusion-builder-row-1 fusion-flex-container nonhundred-percent-fullwidth non-hundred-percent-height-scrolling\" style=\"--awb-border-radius-top-left:0px;--awb-border-radius-top-right:0px;--awb-border-radius-bottom-right:0px;--awb-border-radius-bottom-left:0px;--awb-flex-wrap:wrap;\" ><div class=\"fusion-builder-row fusion-row fusion-flex-align-items-flex-start fusion-flex-content-wrap\" style=\"max-width:1123.2px;margin-left: calc(-4% \/ 2 );margin-right: calc(-4% \/ 2 );\"><div class=\"fusion-layout-column fusion_builder_column fusion-builder-column-0 fusion_builder_column_1_1 1_1 fusion-flex-column\" style=\"--awb-bg-size:cover;--awb-width-large:100%;--awb-margin-top-large:0px;--awb-spacing-right-large:1.92%;--awb-margin-bottom-large:0px;--awb-spacing-left-large:1.92%;--awb-width-medium:100%;--awb-spacing-right-medium:1.92%;--awb-spacing-left-medium:1.92%;--awb-width-small:100%;--awb-spacing-right-small:1.92%;--awb-spacing-left-small:1.92%;\"><div class=\"fusion-column-wrapper fusion-flex-justify-content-flex-start fusion-content-layout-column\"><div class=\"fusion-text fusion-text-1\"><p>There are some situations where the system performances are not the desired ones.<br \/>\nIf you think you have performance problems, we recommend that you follow one of the guides<br \/>\nlisted below.<br \/>\nPossible causes of low performance:<\/p>\n<ul>\n<li>Insufficient hardware<\/li>\n<li>Hardware \/ Driver Thuning Required (NIC driver optimization)<\/li>\n<li>Duplex Mismatch<\/li>\n<li>Traffic Shaping<\/li>\n<li>MTU problems<\/li>\n<li>WAN connection<\/li>\n<li>Client\/Test methods<\/li>\n<li>ISP problems<\/li>\n<\/ul>\n<h3 style=\"color: #00a0df; font-size: 20px; text-align: left;\">Insufficient hardware<\/h3>\n<p>This is the most frequent cause of perfermances problems. It is essential to understand if the hardware we have available is able to withstand the workload for which it was installed.<br \/>\nFirst <a href=\"https:\/\/blog.miniserver.it\/en\/firewall\/how-to-size-a-firewall\/\">check this link<\/a> if the sizing was done correctly or the ardware is obviously undersized.<br \/>\nIf the sizing is adequate, it will be necessary to switch to more refined verification tools to identify the problem.<\/p>\n<p>The most obvious thing to do is to check the vital parameters of the machine, such as: CPU load, RAM load and any swapping during the traffic peaks.<br \/>\nTo do this you can proceed in 3 ways:<\/p>\n<ol>\n<li>Check on the Dashboard &#8211; System Information: check the CPU usage, Memory usage, SWAP usage parameters<\/li>\n<li>We can then check the details of the CPU load during load peaks to see which process the CPU is saturating. The path to follow is: Diagnostics&gt; System Activity<\/li>\n<li>Enter the console (also via ssh) and execute the command: top -aSH<\/li>\n<\/ol>\n<p>If you observe an IRQ (<strong>interrupts<\/strong>) process for the network card, then the hardware you are using may be almost or completely saturated, or the NIC driver may need to be optimized. If the system is not under stress during data transfer, the problem probably lies elsewhere.<br \/>\nIf the CPU load is high and the amount of interrupt is low, the problem may be in the amount of processing of the packages processed by pf or used for cryptography.<br \/>\nIf one of the CPUs is saturated, then the bottleneck will be the processing of the pf packets. We recommend using a CPU with a higher clocked core, as one of the pfSense\u00ae CE 2.1 files is just that some demons like pf use only one CPU.<br \/>\nIn version 2.2 and later, pf is able to use multiple cores.<br \/>\nIf the limits on the CPU are found due to encryption you can always choose a system with cryptographic processor.<\/p>\n<h3 style=\"color: #00a0df; font-size: 20px; text-align: left;\">Hardware\/Driver Thuning Required (NIC driver optimization)<\/h3>\n<p>If, when viewing the job list with the TOP command, you notice that one of the CPUs is entirely occupied by interupt (<strong>IRQ<\/strong>) then it may be necessary to optimize the driver.<br \/>\nTo do this follow the guide: <a href=\"https:\/\/blog.miniserver.it\/en\/firewall\/tuning-and-troubleshooting-network-cards\/\">Optimizing and troubleshooting network cards<\/a>.<br \/>\nSome network adapters such as IGBs (<strong>Intel Chipset<\/strong>) are able to use multiple queues and distribute traffic across multiple cores, thus achieving greater throughput.<br \/>\nAnother element to check is in System&gt; Advanced and finally Networking tab. Make sure the boxes to disable TSO and LRO are fleggate. If they are already flegged, try turning on the checksum offloading option. If no differences are observed, set everything as before.<\/p>\n<h3 style=\"color: #00a0df; font-size: 20px; text-align: left;\">Duplex Mismatch<\/h3>\n<p>On 100Mbit \/ s networks or less, a duplex mismatch is possible. Some producers are stuck in the stone age and still insist on hard-coding ports on CPE, such as full-duplex 100Mbit \/ s fiber converters.<br \/>\nIf the CPE is hard-coded, but the firewall is not, you will need to check the duplex on Status&gt; Interfaces. The duplex mismatch will lead to interface errors, collisions, and low speed. The NIC speed and duplex setting is described in this guide: <a href=\"https:\/\/blog.miniserver.it\/en\/firewall\/forcing-interface-speed-or-duplex-settings\/\">Force Interface Speed or DupleX Settings<\/a>.<\/p>\n<h3 style=\"color: #00a0df; font-size: 20px; text-align: left;\">Traffic Shaping<\/h3>\n<p>If the traffic shaping wizard was performed before an increase in bandwidth, the bandwidth limits set previously may still be in effect. Visit: Firewall&gt; Traffic Shaper and check the rules set are still valid.<br \/>\nAlso check the Limiters tab under the traffic shaper settings, check that any limiters are set for the appropriate speeds.<\/p>\n<h3 style=\"color: #00a0df; font-size: 20px; text-align: left;\">MTU problems<\/h3>\n<p>Problems relating to upload speed often end up being MTU-related problems. If the MTU on the pfSense\u00ae CE device (<strong>default 1500<\/strong>), is higher than the MTU of the uplink, it can result in packets that are fragmented or lost. Setting MSS clamping on WANs or changing the MTU of the interface can help.<\/p>\n<h3 style=\"color: #00a0df; font-size: 20px; text-align: left;\">WAN connection<\/h3>\n<p>There may also be problems between the WAN and the modem\/CPE. It could be a cable, or &#8220;an anomaly&#8221; in the way the two interfaces talk to each other. Put a small switch between the firewall and the modem\/CPE as a test.<\/p>\n<h3 style=\"color: #00a0df; font-size: 20px; text-align: left;\">Client\/Test methods<\/h3>\n<p>Slowness can not always depend on the device hosting pfSense. It could be the client himself or the way he connects.<br \/>\nAlways make sure that the devices with which and from which you carry out the tests are not the cause of the problem.<br \/>\nEnsure that the client is connected to the firewall via a fast connection, at least like the WAN.<\/p>\n<h3 style=\"color: #00a0df; font-size: 20px; text-align: left;\">ISP problems<\/h3>\n<p>If any other factor has been deleted, try the modem without the firewall. If the speed is still low, the provider may be the cause of slowness, or the modem \/ CPE.<\/p>\n<p>The original document is <a href=\"https:\/\/docs.netgate.com\/pfsense\/en\/latest\/\" target=\"_blank\" rel=\"noopener\">here.<\/a><\/p>\n<\/div><\/div><\/div><\/div><\/div>\n","protected":false},"excerpt":{"rendered":"<p>There are some situations where the system performances are not the desired ones. There are some situations where the system performances <\/p>\n","protected":false},"author":11,"featured_media":25400,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"content-type":"","footnotes":""},"categories":[124],"tags":[138],"class_list":["post-14181","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-pfsense","tag-pfsense-en"],"_links":{"self":[{"href":"https:\/\/blog.miniserver.it\/en\/wp-json\/wp\/v2\/posts\/14181","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.miniserver.it\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.miniserver.it\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.miniserver.it\/en\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.miniserver.it\/en\/wp-json\/wp\/v2\/comments?post=14181"}],"version-history":[{"count":8,"href":"https:\/\/blog.miniserver.it\/en\/wp-json\/wp\/v2\/posts\/14181\/revisions"}],"predecessor-version":[{"id":28702,"href":"https:\/\/blog.miniserver.it\/en\/wp-json\/wp\/v2\/posts\/14181\/revisions\/28702"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.miniserver.it\/en\/wp-json\/wp\/v2\/media\/25400"}],"wp:attachment":[{"href":"https:\/\/blog.miniserver.it\/en\/wp-json\/wp\/v2\/media?parent=14181"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.miniserver.it\/en\/wp-json\/wp\/v2\/categories?post=14181"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.miniserver.it\/en\/wp-json\/wp\/v2\/tags?post=14181"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}