Port forwarding website 1/6 the speed of pfSense

Hey all,

I’m working on moving from pfSense to VyOS as I want to use DMVPN between a few sites. I’m currently trying to add my port forwards to VyOS, and I’m having a problem with the performance of a couple of WordPress sites.

When I’m using pfSense, the sites each take about 3.3 seconds to load. When I switch to the VyOS router, they both take over 20 seconds to load. I did a speedtest from behind the firewall and I get over 300 Mbps (limited by the vCPU of the machine I’m doing the test from).

Any suggestions?

Here’s my configuration:

root@colo:~# cat vyos.conf 
firewall {
    all-ping enable
    broadcast-ping enable
    name OUTSIDE-IN {
        default-action drop
        rule 15 {
            action accept
            destination {
//              address <wan-ip>
                port 53
            }
            protocol tcp_udp
            state {
                new enable
            }
        }
        rule 16 {
            action accept
            destination {
//              address <wan-ip>
                port 80
            }
            protocol tcp
            state {
                new enable
            }
        }
        rule 17 { 
            action accept
            destination { 
//              address <wan-ip>
                port 443
            }
            protocol tcp
            state { 
                new enable
            }
        }

//        rule 18 {
//            action drop
//            state {
//                invalid enable
//            }
//        }
        rule 20 {
            action accept
            state {
                established enable
                related enable
            }
        }
    }
    name OUTSIDE-LOCAL {
        default-action drop
        rule 19 {
            action accept
            icmp {
                type-name echo-request
            }
            protocol icmp
            state {
                new enable
            }
        }
        rule 20 {
            action accept
            state {
                established enable
                related enable
            }
        }
    }
}
interfaces {
    ethernet eth0 {
        address <wan-ip/cidr>
        description WAN
        firewall {
            in {
                name OUTSIDE-IN
            }
            local {
                name OUTSIDE-LOCAL
            }
        }
    }
    ethernet eth1 {
        address 192.168.5.1/24
        description LAN
    }
    loopback lo {
    }
}
nat {
    destination {
        rule 10 {
            description "Public DNS"
            destination {
                port 53
            }
            inbound-interface eth0
            protocol tcp_udp
            translation {
                address 192.168.5.10
            }
        }
        rule 11 {
            description "Traefik HTTP"
            destination {
                port 80
            }
            inbound-interface eth0
            protocol tcp_udp
            translation {
                address 192.168.5.11
            }
        }
        rule 12 {
            description "Traefik HTTPS"
            destination {
                port 443
            }
            inbound-interface eth0
            protocol tcp_udp
            translation {
                address 192.168.5.11
            }
        }
    }
    source {
        rule 100 {
            outbound-interface eth0
            source {
                address 192.168.5.0/24
            }
            translation {
                address masquerade
            }
        }
    }
}
protocols {
    static {
        route 0.0.0.0/0 {
            next-hop <gateway> {
            }
        }
    }
}
service {
}
system {
    config-management {
        commit-revisions 100
    }
    conntrack {
        modules {
            ftp
            h323
            nfs
            pptp
            sip
            sqlnet
            tftp
        }
    }
    console {
        device ttyS0 {
            speed 115200
        }
    }
    host-name vyos
    login {
        user vyos {
            authentication {
                encrypted-password <password hash>
                plaintext-password ""
            }
        }
    }
    ntp {
        server time1.vyos.net {
        }
        server time2.vyos.net {
        }
        server time3.vyos.net {
        }
    }
    syslog {
        global {
            facility all {
                level info
            }
            facility protocols {
                level debug
            }
        }
    }
}


// Warning: Do not remove the following line.
// vyos-config-version: "bgp@2:broadcast-relay@1:cluster@1:config-management@1:conntrack@3:conntrack-sync@2:dhcp-relay@2:dhcp-server@6:dhcpv6-server@1:dns-forwarding@3:firewall@7:flow-accounting@1:https@3:interfaces@26:ipoe-server@1:ipsec@9:isis@1:l2tp@4:lldp@1:mdns@1:monitoring@1:nat@5:nat66@1:ntp@1:openconnect@2:ospf@1:policy@3:pppoe-server@5:pptp@2:qos@1:quagga@10:rpki@1:salt@1:snmp@2:ssh@2:sstp@4:system@25:vrf@3:vrrp@3:vyos-accel-ppp@2:wanloadbalance@3:webproxy@2"
// Release version: 1.4-rolling-202207301340
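The posted configuration forwards 53, 80 and 443 as tcp_udp, while OUTSIDE-IN only accepts new tcp flows for 80 and 443, and rule 20 admits established/related traffic only. Rather than reading that rule by rule, a port-forward can be audited by parsing the config, following the interface's `in` firewall binding and resolving the verdict for every protocol/port each DNAT rule exposes. The script below is an added example written for this thread, not code from the post or from VyOS. It reads the brace syntax of config.boot / `show configuration` (skipping `//` lines like the ones in the post), handles single-port specs only, and assumes the firewall sees the same destination port the NAT rule matched, which holds here because the translation changes only the address. The sample config inside it is constructed, trimmed from the post to one forward and the chain bound to eth0.

```python
PROTOS = {"tcp": {"tcp"}, "udp": {"udp"}, "tcp_udp": {"tcp", "udp"}, "all": {"tcp", "udp"}}

# Constructed sample in VyOS config syntax, trimmed from the post to what the audit reads.
SAMPLE_CONFIG = """\
firewall {
    name OUTSIDE-IN {
        default-action drop
        rule 16 {
            action accept
            destination {
                port 80
            }
            protocol tcp
        }
        rule 20 {
            action accept
            state {
                established enable
            }
        }
    }
}
interfaces {
    ethernet eth0 {
        firewall {
            in {
                name OUTSIDE-IN
            }
        }
    }
}
nat {
    destination {
        rule 11 {
            destination {
                port 80
            }
            inbound-interface eth0
            protocol tcp_udp
            translation {
                address 192.168.5.11
            }
        }
    }
}
"""

def parse_vyos(text):
    """VyOS brace syntax -> nested dicts: a block maps to a dict, a leaf like 'port 80' to None."""
    stack = [{}]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("//"):  # blank, or a // comment line as in the post
            continue
        if line == "}":
            stack.pop()
            if not stack:
                raise ValueError("stray '}' in config")
        elif line.endswith("{"):
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        else:
            stack[-1][line] = None
    if len(stack) != 1:
        raise ValueError("unclosed block in config")
    return stack[0]

def leaf(node, name):
    """Value of the leaf 'name <value>' directly under node, or None if absent."""
    for key, child in node.items():
        head, _, rest = key.partition(" ")
        if child is None and head == name:
            return rest
    return None

def rules(table):
    """'rule N' children of a firewall chain or NAT table, in evaluation order."""
    return sorted(((int(k.split()[1]), v) for k, v in table.items() if k.startswith("rule ")),
                  key=lambda r: r[0])

def rule_matches(rule, proto, port):
    """Would this firewall rule match a NEW flow of proto to dst port? (single-port specs only)"""
    rproto = leaf(rule, "protocol")
    rport = leaf(rule.get("destination") or {}, "port")
    state = rule.get("state")
    return ((not rproto or proto in PROTOS.get(rproto, {rproto}))
            and (not rport or int(rport) == port)
            # an established/related-only rule (rule 20) never admits a new inbound flow
            and (state is None or leaf(state, "new") == "enable"))

def audit_port_forwards(cfg):
    """Per DNAT rule: (nat rule, proto, port, target, firewall verdict, matching firewall rule)."""
    findings = []
    for nat_no, nat in rules(cfg["nat"]["destination"]):
        iface = cfg["interfaces"]["ethernet " + leaf(nat, "inbound-interface")]
        chain = cfg["firewall"]["name " + leaf(iface["firewall"]["in"], "name")]
        port = int(leaf(nat["destination"], "port"))
        target = leaf(nat["translation"], "address")
        for proto in sorted(PROTOS[leaf(nat, "protocol") or "all"]):
            verdict, fw_no = leaf(chain, "default-action"), None
            for no, rule in rules(chain):
                if rule_matches(rule, proto, port):
                    verdict, fw_no = leaf(rule, "action"), no
                    break
            findings.append((nat_no, proto, port, target, verdict, fw_no))
    return findings

if __name__ == "__main__":
    for f in audit_port_forwards(parse_vyos(SAMPLE_CONFIG)):
        print("nat rule %d: %s/%d -> %s: %s (firewall rule %s)" % f)
```

On the sample it reports tcp/80 accepted by rule 16 and udp/80 falling through to the chain's default-action drop, which is harmless for an HTTP reverse proxy but is easier to reason about if the DNAT protocol matches what the service speaks (tcp for the two Traefik rules). Run against the full posted config, the same tuple view also makes the exposure explicit: 192.168.5.10 is reachable from any source on 53/tcp and 53/udp, so that host should be an authoritative-only or ACL'd DNS server rather than a recursive resolver.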

Can you send a tracert command test?

Your WAN IP on VyOS (address <wan-ip/cidr>), from your home LAN or from behind pfSense!

From home to Colo Public IP (Using VyOS)

traceroute to 142.202.222.195 (142.202.222.195), 30 hops max, 60 byte packets
 1  _gateway (192.168.7.1)  94.764 ms  94.681 ms  94.661 ms
 2  10.15.48.1 (10.15.48.1)  100.238 ms  100.592 ms  100.570 ms
 3  gateway-T4-1-KINBlocal1.hol.ptd.net (207.44.112.181)  101.133 ms  101.398 ms  101.374 ms
 4  172.16.103.213 (172.16.103.213)  408.053 ms  408.032 ms  408.011 ms
 5  * * *
 6  ae1.3509.edge2.Dallas2.level3.net (4.69.206.165)  408.014 ms  100.907 ms  100.854 ms
 7  te0-1-0-12.cr01.dal.nexril.net (192.34.100.74)  100.830 ms  325.961 ms  325.882 ms
 8  po1.tor03.dal.nexril.net (192.34.100.9)  325.840 ms  325.810 ms  325.787 ms
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *

From home to Colo Public IP (Using pfSense)

traceroute to 142.202.222.195 (142.202.222.195), 30 hops max, 60 byte packets
 1  _gateway (192.168.7.1)  10.803 ms  10.727 ms  10.707 ms
 2  10.15.48.1 (10.15.48.1)  14.081 ms  14.209 ms  14.191 ms
 3  gateway-T4-1-KINBlocal1.hol.ptd.net (207.44.112.181)  14.628 ms  14.611 ms  19.033 ms
 4  172.16.103.209 (172.16.103.209)  50.878 ms  51.227 ms  51.955 ms
 5  * * *
 6  ae1.3509.edge2.Dallas2.level3.net (4.69.206.165)  68.404 ms  109.548 ms  109.493 ms
 7  te0-1-0-12.cr01.dal.nexril.net (192.34.100.74)  109.474 ms  203.765 ms te0-0-0-12.cr01.dal.nexril.net (192.34.100.66)  203.712 ms
 8  po1.tor03.dal.nexril.net (192.34.100.9)  203.684 ms  203.667 ms  203.647 ms
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *

From behind Colo router (VyOS) to VPS

traceroute to 97.107.140.212 (97.107.140.212), 30 hops max, 60 byte packets
 1  192.168.5.1 (192.168.5.1)  0.196 ms  0.169 ms  0.159 ms
 2  142.202.222.193 (142.202.222.193)  0.757 ms  0.823 ms  0.998 ms
 3  192.34.100.8 (192.34.100.8)  0.868 ms  1.235 ms  1.354 ms
 4  192.34.100.70 (192.34.100.70)  1.326 ms  1.356 ms 192.34.100.68 (192.34.100.68)  1.050 ms
 5  154.54.87.6 (154.54.87.6)  1.747 ms 154.54.47.106 (154.54.47.106)  1.402 ms 154.54.87.6 (154.54.87.6)  1.854 ms
 6  154.54.44.229 (154.54.44.229)  6.440 ms  6.690 ms  6.647 ms
 7  154.54.28.129 (154.54.28.129)  19.941 ms 154.54.28.69 (154.54.28.69)  20.051 ms 154.54.28.129 (154.54.28.129)  20.021 ms
 8  154.54.24.221 (154.54.24.221)  36.098 ms 154.54.7.157 (154.54.7.157)  35.907 ms  36.071 ms
 9  154.54.40.109 (154.54.40.109)  41.755 ms  41.743 ms  41.753 ms
10  154.54.47.218 (154.54.47.218)  41.982 ms  41.972 ms 154.54.80.2 (154.54.80.2)  42.028 ms
11  38.104.75.138 (38.104.75.138)  42.384 ms  42.373 ms  42.548 ms
12  173.255.239.53 (173.255.239.53)  42.746 ms 173.255.239.51 (173.255.239.51)  42.816 ms 173.255.239.7 (173.255.239.7)  42.835 ms
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *

From behind Colo router (pfSense) to VPS

traceroute to 97.107.140.212 (97.107.140.212), 30 hops max, 60 byte packets
 1  192.168.5.1 (192.168.5.1)  0.249 ms  0.263 ms  0.315 ms
 2  142.202.222.193 (142.202.222.193)  1.005 ms  1.124 ms  1.262 ms
 3  be22.cr01.dal.nexril.net (192.34.100.8)  1.298 ms  1.408 ms  1.437 ms
 4  te0-3-1-12.rcr51.b059724-0.dfw01.atlas.cogentco.com (192.34.100.68)  1.618 ms  1.634 ms  1.637 ms
 5  be2362.ccr32.dfw01.atlas.cogentco.com (154.54.87.6)  2.273 ms be2356.ccr31.dfw01.atlas.cogentco.com (154.54.47.106)  2.039 ms be2362.ccr32.dfw01.atlas.cogentco.com (154.54.87.6)  2.039 ms
 6  be2443.ccr42.iah01.atlas.cogentco.com (154.54.44.229)  6.917 ms be2441.ccr41.iah01.atlas.cogentco.com (154.54.41.65)  6.709 ms  6.668 ms
 7  be2690.ccr42.atl01.atlas.cogentco.com (154.54.28.129)  20.219 ms be2687.ccr41.atl01.atlas.cogentco.com (154.54.28.69)  20.228 ms  20.373 ms
 8  be2113.ccr42.dca01.atlas.cogentco.com (154.54.24.221)  36.652 ms  36.713 ms  36.298 ms
 9  be2806.ccr41.jfk02.atlas.cogentco.com (154.54.40.105)  41.929 ms be2807.ccr42.jfk02.atlas.cogentco.com (154.54.40.109)  41.990 ms be2806.ccr41.jfk02.atlas.cogentco.com (154.54.40.105)  42.148 ms
10  be3295.ccr31.jfk05.atlas.cogentco.com (154.54.80.2)  42.693 ms be3294.ccr31.jfk05.atlas.cogentco.com (154.54.47.218)  42.303 ms  42.314 ms
11  38.104.75.138 (38.104.75.138)  42.870 ms  42.890 ms  45.658 ms
12  if-4-24.router1-nac.linode.com (173.255.239.5)  43.184 ms if-4-11.router2-nac.linode.com (173.255.239.17)  43.049 ms  43.186 ms
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *

From behind Colo router (VyOS) to VPS seems to be OK (check the latency in ms).
From behind Colo router (pfSense) to VPS: the same.

Slow:
From home to Colo Public IP (Using VyOS)

4 172.16.103.213 (172.16.103.213) 408.053 ms 408.032 ms 408.011 ms
5 * * *
6 ae1.3509.edge2.Dallas2.level3.net (4.69.206.165) 408.014 ms 100.907 ms 100.854 ms
7 te0-1-0-12.cr01.dal.nexril.net (192.34.100.74) 100.830 ms 325.961 ms 325.882 ms
8 po1.tor03.dal.nexril.net (192.34.100.9) 325.840 ms 325.810 ms 325.787 ms

From home to Colo Public IP (Using pfSense)

7 te0-1-0-12.cr01.dal.nexril.net (192.34.100.74) 109.474 ms 203.765 ms te0-0-0-12.cr01.dal.nexril.net (192.34.100.66) 203.712 ms
8 po1.tor03.dal.nexril.net (192.34.100.9) 203.684 ms 203.667 ms 203.647 ms

Check speed auto and duplex full on the VyOS Ethernet interfaces:
set interfaces ethernet eth0 speed auto
set interfaces ethernet eth0 duplex full

set interfaces ethernet eth1 speed auto
set interfaces ethernet eth1 duplex full

And if your system can integrate this command:

https://docs.vyos.io/en/latest/configuration/system/acceleration.html

set system acceleration qat

Check Offload for WAN Interface

https://docs.vyos.io/en/latest/configuration/interfaces/ethernet.html#offloading

Obviously:

set interfaces ethernet eth0 offload gro
set interfaces ethernet eth0 offload gso
set interfaces ethernet eth0 offload lro
set interfaces ethernet eth0 offload tso
set interfaces ethernet eth0 offload sg

Don’t forget to configure the time zone:

set system time-zone […]
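The two home-to-colo traceroutes above, and the reply that singles out hops 4, 7 and 8, are easier to compare hop by hop than by eye. The script below is an added example written for this thread, not from the post or from VyOS; it parses Linux traceroute output, takes the minimum of the three probes per hop (the maximum is dominated by how slowly each router generates ICMP time-exceeded replies), and flags a hop as "inflated" when its minimum is more than a 5 ms tolerance I chose above a later hop's minimum, because packets cannot reach a later hop faster than an earlier one and such a reading reflects the router's reply path, not the forwarding path. It also reports whether each hop answered from the same router in both runs. The embedded traces are hops 1-9 of the two runs posted in this thread. On that data it reports the first hop (the home gateway) already about 84 ms slower in the VyOS run, before the packets leave the home network, and hop 4's 408 ms as an inflated reply from a different router.

```python
import re

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")              # "<hop>  <probes...>"
RTT_RE = re.compile(r"(\d+\.\d+) ms")                  # every "<float> ms" on the line
HOST_RE = re.compile(r"(\S+) \((\d+(?:\.\d+){3})\)")   # "name (a.b.c.d)"
INFLATE_TOL_MS = 5.0  # my choice: sub-5 ms differences between hops are probe noise

# Hops 1-9 of the two home -> colo traceroutes posted in this thread.
TRACE_PFSENSE = """\
traceroute to 142.202.222.195 (142.202.222.195), 30 hops max, 60 byte packets
 1  _gateway (192.168.7.1)  10.803 ms  10.727 ms  10.707 ms
 2  10.15.48.1 (10.15.48.1)  14.081 ms  14.209 ms  14.191 ms
 3  gateway-T4-1-KINBlocal1.hol.ptd.net (207.44.112.181)  14.628 ms  14.611 ms  19.033 ms
 4  172.16.103.209 (172.16.103.209)  50.878 ms  51.227 ms  51.955 ms
 5  * * *
 6  ae1.3509.edge2.Dallas2.level3.net (4.69.206.165)  68.404 ms  109.548 ms  109.493 ms
 7  te0-1-0-12.cr01.dal.nexril.net (192.34.100.74)  109.474 ms  203.765 ms te0-0-0-12.cr01.dal.nexril.net (192.34.100.66)  203.712 ms
 8  po1.tor03.dal.nexril.net (192.34.100.9)  203.684 ms  203.667 ms  203.647 ms
 9  * * *
"""
TRACE_VYOS = """\
traceroute to 142.202.222.195 (142.202.222.195), 30 hops max, 60 byte packets
 1  _gateway (192.168.7.1)  94.764 ms  94.681 ms  94.661 ms
 2  10.15.48.1 (10.15.48.1)  100.238 ms  100.592 ms  100.570 ms
 3  gateway-T4-1-KINBlocal1.hol.ptd.net (207.44.112.181)  101.133 ms  101.398 ms  101.374 ms
 4  172.16.103.213 (172.16.103.213)  408.053 ms  408.032 ms  408.011 ms
 5  * * *
 6  ae1.3509.edge2.Dallas2.level3.net (4.69.206.165)  408.014 ms  100.907 ms  100.854 ms
 7  te0-1-0-12.cr01.dal.nexril.net (192.34.100.74)  100.830 ms  325.961 ms  325.882 ms
 8  po1.tor03.dal.nexril.net (192.34.100.9)  325.840 ms  325.810 ms  325.787 ms
 9  * * *
"""

def parse_traceroute(text):
    """-> {hop: {"rtts": [floats], "hosts": [ip, ...]}}; a '* * *' hop has empty lists."""
    hops = {}
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hop, rest = int(m.group(1)), m.group(2)
            hops[hop] = {"rtts": [float(x) for x in RTT_RE.findall(rest)],
                         "hosts": [ip for _, ip in HOST_RE.findall(rest)]}
    return hops

def hop_summary(hops):
    """Min RTT per responding hop, plus whether that minimum is 'inflated': above a later
    hop's minimum, which means this router answered slowly (ICMP generation is deprioritised
    or rate-limited), not that packets took that long to reach it."""
    responding = [(h, min(d["rtts"])) for h, d in sorted(hops.items()) if d["rtts"]]
    summary = {}
    for i, (hop, m) in enumerate(responding):
        later = [m2 for _, m2 in responding[i + 1:]]
        summary[hop] = {"min_ms": m, "inflated": bool(later) and m - min(later) > INFLATE_TOL_MS}
    return summary

def compare_traces(baseline, candidate):
    """Per hop that responded in both runs: min-RTT delta (candidate - baseline), whether the
    same router(s) answered (a different host means the path changed, or ECMP split the
    probes), and whether the candidate reading is an inflated reply."""
    sa, sb = hop_summary(baseline), hop_summary(candidate)
    return {h: {"delta_ms": round(sb[h]["min_ms"] - sa[h]["min_ms"], 3),
                "same_hosts": set(baseline[h]["hosts"]) == set(candidate[h]["hosts"]),
                "inflated": sb[h]["inflated"]}
            for h in sa if h in sb}

if __name__ == "__main__":
    a, b = parse_traceroute(TRACE_PFSENSE), parse_traceroute(TRACE_VYOS)
    for hop, r in compare_traces(a, b).items():
        print("hop %2d: %+9.3f ms  same router: %-5s  inflated reply: %s"
              % (hop, r["delta_ms"], r["same_hosts"], r["inflated"]))
```

Paste any two runs into the two strings (or read them from files) and use the pfSense-era run as the baseline; a delta that is already present at hop 1 belongs to the measuring side, and a hop flagged as inflated should be ignored rather than blamed on either router.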

I forgot to mention in the initial post that VyOS and pfSense are running in VMs on a Proxmox server. I tried the speed and duplex commands, and VyOS doesn’t like them together.

Proxmox reports the physical interface is running at 1 Gbps full duplex. The VyOS VM is using VirtIO NIC drivers; pfSense is using an emulated Intel E1000.

Did you try vmxnet3

and the other commands?

Strange that speed auto & duplex auto can’t be committed!

Proxmox: is it a VM on your workstation, or a host server hypervisor?

I’m working through the different adapters now, but my home internet connection is having some latency issues itself, so my numbers aren’t accurate. My testing methodology is to change a setting, ping the WAN IP of VyOS 100 times, then average the latency in localc. I’m checking to see if my girlfriend can do the tests from her internet connection.

Proxmox is running on a Dell R330. I think I’m using the integrated NIC, but I honestly don’t remember. The server has been on the other side of the country for a few years now, so it’s been a while since I’ve seen it.

I think the actual problem has been solved: it was an issue involving the webhost VM not being able to reach DNS, as the VyOS VM didn’t have the site-to-site VPN set up yet. Bottom line: the issue was not related to VyOS, and I need to do some research as to why WordPress needs DNS to generate pages.

I still have a little bit of latency weirdness, but I’m working on trying each virtual NIC driver and seeing which is best.

Thanks all!
