Thanks Michael, that is some great advice. The machines are setup for AutoUpdate for critical patches only, so in this case it was just the optional ones. But the total download sizes were in the ~200MB per machine. So sizable. In this case, we ran updates on 4 of the roughly 20 workstations. It was the middle of the night, so no users/traffic.
The new T1 is an AllStream connection, so I'm not certain I want to push it back to them to say it's their fault. I'm not even sure what I should say to them without sounding stupid. I'm wondering if I screwed up the config maybe. The config info they gave me was as followed (altered of course): Assigned Block: 10.10.193.248/29 Gateway: 10.10.193.249 Subnet Mask: 255.255.255.248 Usable IP's are 10.10.193.250 to .254 So I assume the .249 is the router they installed. I set the firewall's IP to be .250, with the gateway as .249. Used the Factory Default rules. Internet seems to work fine, just this saturation problem. I used cheapo DLink 10/100 Network cards to build the server. But I'm doubting that would be the cause. The only other oddity is that I threw a little DLink 8 Port Gigabit Switch between the router and firewall, simply because I didn't have a crossover cable available at the time. Iperf seems super complicated (over my head), but I will give it a read/attempt. As always, I'm still listening for ideas. ChuckM -----Original Message----- From: Michael Riglin [mailto:[email protected]] Sent: Wednesday, May 13, 2009 11:32 AM To: [email protected] Subject: RE: [pfSense Support] RE: T1 Saturating - Windows update kills the connection... ?? Normally, the packages sent out from the Windows Update service are quite small in size and the BITS service helps to stream these at a reasonable rate to your local system. However, there have been a couple of recently released security patches that are quite large (one was +300 MB) which could cause quite a strain on your connection if there were a large number of patches (including the larger packages) needed on each respective workstation and all were getting these large downloads simultaneously. The point is, that normally Windows Update packages shouldn't be an issue for your network connection especially when your systems are fully up-to-date with patches. However, with only four computers in this scenario it sounds like it may be worthwhile to some bandwidth and connection health testing to confirm your providers connection is actually performing as advertised. If you wanted to do some additional internal testing of throughput on your pipe or internal switched connections you can use IPERF, or other application to accomplish this and I'm sure this list can provide plenty of suggestions in this area as it relates to tools and methods to validate throughput, latency, packet loss or other network performance validation items. (I wouldn't solely rely on SpeetTest.net here.) Additionally, as mentioned previously in this thread, in the end traffic shaping may be required in order to properly prioritize traffic deemed as important to the business needs in critical network communication areas. This is especially true if you are stuck with a limitation in bandwidth. Regardless, at face value I find it difficult to believe that four computers downloading a few patches from Windows Update can bring a T1 to its knees. It sounds like there may be other issues here, and only testing and verification will the root cause to light. -----Original Message----- From: Chuck Mariotti [mailto:[email protected]] Sent: May-13-09 8:20 AM To: [email protected] Subject: RE: [pfSense Support] RE: T1 Saturating - Windows update kills the connection... ?? Thanks everyone... I should clarify a little more of what my worry is. Specifically the 4 machines downloading updates at the exact same time and taking the internet connection to its knees probably isn't too realistic a scenario. We did do it in the middle of the night, so it can happen, but WSUS is probably not a solution to the overall problem I'm worried about (it's specific to the windows update problem). I am still blown away that this happened so easily though. Maybe I expected too much intelligence on the firewall to handle overloading? It just doesn't feel right. I a more worried about the realistic scenarios where publishing could be downloading a few large files via web (say some artwork that's 200MB). Another user is streaming a video, another is ftping some files, etc... so the overall usage pegs the 1.5Mbit to it's max download (like the Microsoft Update did), and the whole thing stalls the internet again. This is what I am worried about. Or some similar combination of traffic and the firewall just sits there letting it saturate/stall everything. I'm sorry if it sounds like I'm blaming the firewall... but I never thought a T1 would saturate and become useless with 4 computers downloading some large files. There must be a LOT of people having this problem then. ChuckM -----Original Message----- From: Paul Mansfield [mailto:[email protected]] Sent: Wednesday, May 13, 2009 6:09 AM To: [email protected] Subject: Re: [pfSense Support] RE: T1 Saturating - Windows update kills the connection... ?? put in a big squid proxy with a large disk cache, and or set up windows clients to auto-download updates during the night so at least congestion happens outside critical times if you're using managed switches, can you throttle back individual ports? otherwise, traffic shaping may be your friend --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected] Commercial support available - https://portal.pfsense.org --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected] Commercial support available - https://portal.pfsense.org --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected] Commercial support available - https://portal.pfsense.org --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected] Commercial support available - https://portal.pfsense.org
