PFsense https connections unusably slow

Tags: https, kvm-virtualization, networking, pfsense

I have a very strange issue with PFsense as router running in KVM with CentOS 7. https connections are incredibly slow (10KB/s or less), and uploads over https simply don't work; for example using https://imgur.com over https loads, but uploading an image will take minutes, after which it says it failed.

I have a dual-wan setup with a 192.168.178.x/24 subnet between the PFsense VM and the 2 ADSL router/modems. The router/modem's NAT functionality cannot be turned off, so I've simply put them in the same subnet and connected them to each other with only 1 DHCP server active, the first router sitting on .1 and the second on .2. The PFsense box sits on .5. The private network behind pfsense is 172.16.x.x/16.
The PFsense virtual machine runs on a CentOS 7 KVM hypervisor with 2 Intel GbE NICs, bridged using a Linux bridge with the VM network cards, using virtIO drivers, if it makes any difference.

I do have a Squid proxy, however it is not enabled for https connections, and https accesses do not appear in Squid's logs, and turning off or removing Squid does not make a difference. Moving myself into the 192.168.178.x/24 subnet before PFsense DOES make a difference however, as suddenly everything runs smoothly again, and any https content loads instantly.

Does anyone have a clue what could be going on? Anything I could try to diagnose? I've tried Wireshark and aside from the slowness I don't see anything unusual. Any suggestions are welcome!

edit:
I'm currently running memtest86+ inside a VM (those shouldn't give errors either, right?), and I have 1 error so far, although it seems to be outside the range of memory I've granted the VM, so I'm a bit confused. I will update once I have more info. Might run a full memtest on the host later if I can clear users off the host for a moment.

Best Answer

It's entirely possible that if you're using pfSense 2.2 or later, you're being affected by this. Symptoms would include:

  1. Slowness for other VMs hosted on the KVM platform if they need to access a network resource which is on the other side of one of the router interfaces on the pfSense router
  2. Physical machines which need to access something across the router are perfectly fast

I am no expert, but my current understanding is that checksums are not correctly calculated for packets that move from one VM to another VM, so either the pfSense router discards them, or the recipient on the other end of the connection discards them, because they believe the packets were mangled in transport (which, I guess, they technically were). There's lots of discussion about it in the thread I linked above, and also in this thread.

To resolve, you'll need to probably disable at least TX checksum offloading on the virtual NICs of the pfSense VM. I'm not sure of the procedure to do that in KVM, since I'm a Xen man, myself. Happy hunting!
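
The receiver-side check that the answer says is failing, as an added example that is not part of the original answer: it verifies a TCP checksum the way a receiving stack does and shows a finished segment passing while an unfinished one is rejected. The addresses, ports and payload are constructed, and the unfinished value (pseudo-header sum only) is an assumption about what a sender relying on TX offload leaves in the field.

```python
import socket
import struct

def ones_sum(data: bytes) -> int:
    """16-bit one's-complement sum (RFC 1071), folded but not inverted."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def pseudo_header(src: str, dst: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header covered by the TCP checksum (protocol 6)."""
    return (socket.inet_aton(src) + socket.inet_aton(dst)
            + struct.pack("!BBH", 0, 6, tcp_len))

def tcp_checksum(src: str, dst: str, segment: bytes) -> int:
    """Checksum the sender should store in bytes 16-17 of the TCP header."""
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return ~ones_sum(pseudo_header(src, dst, len(segment)) + zeroed) & 0xFFFF

def checksum_ok(src: str, dst: str, segment: bytes) -> bool:
    """Receiver check: summing everything, checksum included, gives 0xFFFF."""
    return ones_sum(pseudo_header(src, dst, len(segment)) + segment) == 0xFFFF

def build_segment(src: str, dst: str, payload: bytes, finished: bool) -> bytes:
    """Constructed sample segment: port 49152 -> 443, PSH+ACK, no options."""
    hdr = struct.pack("!HHIIHHHH", 49152, 443, 1, 1,
                      (5 << 12) | 0x18, 65535, 0, 0)
    seg = hdr + payload
    if finished:
        csum = tcp_checksum(src, dst, seg)
    else:
        # Assumption: offload was expected to finish the job, so only the
        # pseudo-header sum is present in the checksum field.
        csum = ones_sum(pseudo_header(src, dst, len(seg)))
    return seg[:16] + struct.pack("!H", csum) + seg[18:]

# Constructed addresses taken from the subnets described in the question.
SRC, DST = "172.16.0.10", "192.168.178.1"

if __name__ == "__main__":
    for label, done in (("finished", True), ("unfinished", False)):
        seg = build_segment(SRC, DST, b"hello!", finished=done)
        verdict = "accept" if checksum_ok(SRC, DST, seg) else "drop (bad checksum)"
        print(label, "->", verdict)
```

A capture taken on the sending guest can show bad checksums even when the wire is fine, so run a check like this against packets captured on the far side of the router.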