Emerging Member
Posts: 65
Registered: ‎09-11-2011
Solutions: 3
Accepted Solution

Slight Performance Issues with ERL

[ Edited ]

I just put in my first ERL at a client this past week and everything has been going fairly well, though I got a call from them today saying that their IVR software is having issues. I logged in through LogMeIn and noticed that I kept getting disconnected, which has not happened with their old pfSense firewall. As I was running some ping tests, I noticed that every so often I'd get a response that was around 143ms rather than the normal 18-19ms.

 

I'm not exactly sure how to troubleshoot this one, does anyone have any ideas?

 

Thanks.

 

Config:

 

firewall {
    all-ping enable
    broadcast-ping disable
    conntrack-expect-table-size 4096
    conntrack-hash-size 4096
    conntrack-table-size 32768
    conntrack-tcp-loose enable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description ""
        rule 1 {
            action accept
            description "Allow Established"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 2 {
            action drop
            description "Drop Invalid"
            log enable
            protocol all
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
        rule 3 {
            action accept
            description "Allow SIP"
            destination {
                address 192.168.2.5
            }
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new enable
                related enable
            }
        }
        rule 4 {
            action accept
            description "Allow IVR"
            destination {
                address 192.168.2.18
            }
            log disable
            protocol all
            source {
                address 1.1.1.1
            }
            state {
                established enable
                invalid disable
                new enable
                related enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description ""
        enable-default-log
        rule 1 {
            action accept
            description "Allow Established "
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 2 {
            action drop
            description "Drop Invalid"
            log enable
            protocol all
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
        rule 3 {
            action accept
            description SIP
            destination {
                address 192.168.2.6
            }
            log disable
            protocol all
            source {
            }
            state {
                established enable
                invalid disable
                new enable
                related enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address 10.0.0.1/30
        description WAN
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
            }
        }
        speed auto
    }
    ethernet eth1 {
        address 192.168.2.1/24
        description LAN
        duplex auto
        speed auto
    }
    ethernet eth2 {
        duplex auto
        speed auto
    }
    loopback lo {
    }
}
protocols {
    static {
    }
}
service {
    dhcp-server {
        disabled false
        shared-network-name Phones {
            authoritative disable
            subnet 192.168.2.0/24 {
                default-router 192.168.2.1
                dns-server 192.168.2.1
                lease 86400
                start 192.168.2.10 {
                    stop 192.168.2.60
                }
                static-mapping NAS {
                    ip-address 192.168.2.106
                    mac-address 00:11:32:0D:3B:CB
                }
                static-mapping Lexmark {
                    ip-address 192.168.2.139
                    mac-address 00:21:B7:80:83:F1
                }
                static-mapping Office {
                    ip-address 192.168.2.204
                    mac-address 00:23:AE:6C:74:B0
                }
                static-mapping POS {
                    ip-address 192.168.2.206
                    mac-address 64:70:02:C6:E6:75
                }
                static-mapping Savin {
                    ip-address 192.168.2.210
                    mac-address 00:00:74:F2:86:79
                }
                static-mapping TalkSwitch {
                    ip-address 192.168.2.6
                    mac-address 00:0F:4D:00:3C:CC
                }
            }
        }
    }
    dns {
        forwarding {
            cache-size 150
            listen-on eth1
            listen-on eth1.1
            listen-on eth1.2
        }
    }
    gui {
        https-port 443
    }
    nat {
        rule 1 {
            description SIP
            destination {
                address 10.0.0.1
            }
            inbound-interface eth0
            inside-address {
                address 192.168.2.6
            }
            log disable
            protocol tcp_udp
            source {
                address SIP
            }
            type destination
        }
        rule 2 {
            description Telemanager
            destination {
                address 192.168.2.18
            }
            inbound-interface eth0
            inside-address {
                address 1.1.1.2
            }
            log disable
            protocol all
            type destination
        }
        rule 5000 {
            description "NAT for WAN"
            log disable
            outbound-interface eth0
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    gateway-address 10.0.0.254
    host-name ubnt
    login {
        user admin {
            authentication {
                encrypted-password removed
                plaintext-password ""
            }
            full-name "Administrator"
            level admin
        }
        user ubnt {
            authentication {
                encrypted-password removed.
            }
            level admin
        }
    }
    name-server 8.8.8.8
    name-server 8.8.4.4
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:dhcp-relay@1:dhcp-server@4:firewall@4:ipsec@3:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.1.0.4543695.130312.1019 */


All Replies
Previous Employee
Posts: 13,551
Registered: ‎06-10-2011
Kudos: 5474
Solutions: 1656
Contributions: 2

Re: Slight Performance Issues with ERL

Getting disconnected sounds like some kind of timeout issue? In the current alpha release there are some timeout-related improvements in the offload module, and you can sign up for the beta program if you want to give it a try.

Emerging Member
Posts: 65
Registered: ‎09-11-2011
Solutions: 3

Re: Slight Performance Issues with ERL

Thanks ancheng, email sent to the beta group. 

Ubiquiti Employee
Posts: 2,991
Registered: ‎02-04-2013
Kudos: 354
Solutions: 289

Re: Slight Performance Issues with ERL


@mygeeknc wrote:

I just put in my first ERL at a client this past week and everything has been going fairly well, though I got a call from them today saying that their IVR software is having issues. I logged in through LogMeIn and noticed that I kept getting disconnected, which has not happened with their old pfSense firewall. As I was running some ping tests, I noticed that every so often I'd get a response that was around 143ms rather than the normal 18-19ms.

 

I'm not exactly sure how to troubleshoot this one, does anyone have any ideas?

 

Thanks.

 

Config:

 

......
    nat {
......
        rule 2 {
            description Telemanager
            destination {
                address 192.168.2.18
            }
            inbound-interface eth0
            inside-address {
                address 1.1.1.2
            }
            log disable
            protocol all
            type destination
        }
Shouldn't the inbound-interface be 'eth1' for this rule 2 of NAT? Who has 1.1.1.2 and 1.1.1.1? How do they connect to the ERL? It looks like this rule 2 of NAT isn't necessary.

 

And do rules 3 and 4 of firewall 'WAN_IN' get hit? The "show firewall statistics" results should tell.

Emerging Member
Posts: 65
Registered: ‎09-11-2011
Solutions: 3

Re: Slight Performance Issues with ERL

I put that rule in just for testing purposes and forgot to take it out. 1.1.1.1 and 1.1.1.2 are outside IPs thus eth0 should have them.

 

No, it doesn't look like rules 3 and 4 are getting hit at all. 

Ubiquiti Employee
Posts: 2,991
Registered: ‎02-04-2013
Kudos: 354
Solutions: 289

Re: Slight Performance Issues with ERL


@mygeeknc wrote:

I put that rule in just for testing purposes and forgot to take it out. 1.1.1.1 and 1.1.1.2 are outside IPs thus eth0 should have them.

 


Outside? Do you own them? If so, it's better to use some private addresses instead.

 


No, it doesn't look like rules 3 and 4 are getting hit at all. 


I think that's because rules 3 and 4 are more specific than rules 1 and 2, so packets that are supposed to hit rule 3 or 4 hit rule 1 first, and then it's not possible for them to hit rule 3 or 4. Please try the steps below, then test:

arthur@ubnt# edit firewall name WAN_IN
[edit firewall name WAN_IN]
arthur@ubnt# move rule 1 to rule 5
[edit firewall name WAN_IN]
arthur@ubnt# move rule 2 to rule 6
[edit firewall name WAN_IN]
arthur@ubnt# exit
[edit]
arthur@ubnt# commit
[edit]
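To check which rule each expected flow lands on before and after the two moves above, here is an added example (not from the thread or from Ubiquiti): a small Python first-match evaluator loaded with the WAN_IN rules from the posted config, with the packet source addresses constructed. It also shows that a new flow DNATed to 192.168.2.6 by NAT rule 1 matches no WAN_IN rule, since rule 3 only accepts destination 192.168.2.5, and so falls through to default-action drop.

```python
# Added example (not from the thread): first-match simulator for the posted WAN_IN rules.
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Rule:
    number: int
    action: str
    states: frozenset          # connection states the rule matches
    dst: Optional[str] = None  # destination address, None means any
    src: Optional[str] = None  # source address, None means any

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    state: str                 # new / established / related / invalid

# WAN_IN in the order it appears in the original post.
WAN_IN = [
    Rule(1, "accept", frozenset({"established", "related"})),
    Rule(2, "drop", frozenset({"invalid"})),
    Rule(3, "accept", frozenset({"new", "established", "related"}),
         dst="192.168.2.5"),
    Rule(4, "accept", frozenset({"new", "established", "related"}),
         dst="192.168.2.18", src="1.1.1.1"),
]

def matches(rule: Rule, pkt: Packet) -> bool:
    return (pkt.state in rule.states
            and rule.dst in (None, pkt.dst)
            and rule.src in (None, pkt.src))

def evaluate(rules, pkt: Packet, default="drop") -> Tuple[Optional[int], str]:
    """Walk rules in numeric order; first match wins, otherwise default-action."""
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, pkt):
            return rule.number, rule.action
    return None, default

def move(rules, renumber: dict):
    """Mimic EdgeOS 'move rule X to rule Y': same rules, new numbers."""
    return [Rule(renumber.get(r.number, r.number), r.action, r.states, r.dst, r.src)
            for r in rules]

if __name__ == "__main__":
    moved = move(WAN_IN, {1: 5, 2: 6})   # the two moves suggested above
    for pkt in (Packet("203.0.113.10", "192.168.2.5", "established"),  # constructed sample flows
                Packet("203.0.113.10", "192.168.2.6", "new")):         # new SIP flow after DNAT to .6
        print(pkt, "before:", evaluate(WAN_IN, pkt), "after move:", evaluate(moved, pkt))
```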

 

Emerging Member
Posts: 65
Registered: ‎09-11-2011
Solutions: 3

Re: Slight Performance Issues with ERL

Outside as in public IPs, yes. They're the sources for two services that we have, our SIP provider and our IVR provider. Though, I do realize I need to open up the ports instead of the entire IPs; that may make some difference.

 

I will try to rearrange the rules as well. 

 

Thank you for your help.

Emerging Member
Posts: 65
Registered: ‎09-11-2011
Solutions: 3

Re: Slight Performance Issues with ERL

Strangely, when I try to make these edits via the CLI I get this error.

 

http://screencloud.net/v/bHRY

Previous Employee
Posts: 13,551
Registered: ‎06-10-2011
Kudos: 5474
Solutions: 1656
Contributions: 2

Re: Slight Performance Issues with ERL

Looks like you are not in "configuration mode". Use the "configure" command first to get into configuration mode.

Emerging Member
Posts: 65
Registered: ‎09-11-2011
Solutions: 3

Re: Slight Performance Issues with ERL

I believe the updated firmware fixed the issue. Thanks for your help!