
We have a SonicWall as our business router for around 50-ish people. Recently it was getting super slow, and it turns out the fans in it died and it was overheating. I've replaced it with a Ubiquiti EdgeRouter 4, and everything sped right up, so we now get the speed we're paying for from our ISP.

Except for a few sites... Our old router didn't have any complicated settings on it except for the static IP and one port forward to one of our servers. Browsing the internet normally everything seems super fast, except on this one site at least, where random requests just never seem to go through and hang indefinitely.

I set the DNS to 1.1.1.1 at first, and I thought that could be the issue, so I've since changed it to 8.8.8.8 and 8.8.4.4, but the problem is still happening, to every computer in the building. The site it's having trouble connecting to is our own, hosted on AWS (not locally), which is useful because I was able to check for the traffic coming from our building to see why the requests were hanging, except it looks like the requests that hang never actually even came through to our server (apache2 doesn't see the connections).

Another odd thing is that if I switch to Firefox from Chrome, after Chrome hangs, then Firefox will likely load the page just fine for a bit, and after a while will have the same random hanging that Chrome was experiencing, which of course I can temporarily solve by switching to another browser. If I reboot a computer, the problems go away for maybe 30 minutes and then come back, same with rebooting our router and switches.

I even pulled our website from GitHub to a whole new AWS server with a new IP to see if it was the server we were using that was the issue, but no dice.

Is there something in the EdgeRouter settings that I can check to see what's going on here? Any other ideas that might not even be router related that I can try?


EdgeRouter config

firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    options {
        mss-clamp {
            interface-type all
            mss 1412
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address xx.xx.xx.xx/29
        description Internet
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth1 {
        address 192.168.80.1/24
        description Local
        duplex auto
        speed auto
    }
    ethernet eth2 {
        address 192.168.2.1/24
        description "Local 2"
        duplex auto
        speed auto
    }
    ethernet eth3 {
        duplex auto
        speed auto
    }
    loopback lo {
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat disable
    lan-interface eth1
    rule 1 {
        description "Storage WebDAV"
        forward-to {
            address 192.168.80.65
            port 8443
        }
        original-port 8443
        protocol tcp
    }
    wan-interface eth0
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN1 {
            authoritative enable
            subnet 192.168.80.0/24 {
                default-router 192.168.80.1
                dns-server 8.8.8.8
                dns-server 8.8.4.4
                lease 86400
                start 192.168.80.38 {
                    stop 192.168.80.243
                }
            }
        }
        shared-network-name LAN2 {
            authoritative enable
            subnet 192.168.2.0/24 {
                default-router 192.168.2.1
                dns-server 192.168.2.1
                lease 86400
                start 192.168.2.38 {
                    stop 192.168.2.243
                }
            }
        }
        static-arp disable
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 150
            listen-on eth1
            listen-on eth2
            name-server 8.8.8.8
            name-server 8.8.4.4
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
    unms {
        disable
    }
}
system {
    gateway-address xx.xx.xx.xx
    host-name ubnt
    login {
        user brian {
            authentication {
                encrypted-password xxxx
            }
            level admin
        }
    }
    name-server 8.8.8.8
    name-server 8.8.4.4
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}
Brian Leishman
  • Sounds like your ER may be filtering TCP-based DNS traffic. Can you post your ER config? – Mark Wagner Mar 26 '19 at 21:08
  • @MarkWagner I added the config file to the bottom. I updated the firmware (it's brand new but there was an update available), but it doesn't look like that helped – Brian Leishman Mar 26 '19 at 21:16
  • @MarkWagner whoop! My first config was incomplete, the correct one is up now (I'm fairly certain) – Brian Leishman Mar 26 '19 at 21:31
  • The config looks good to me. You can try the packet capture feature to see what traffic is reaching your router or egressing on eth0. Is it stuck at DNS or stuck at opening a socket to the server? https://help.ubnt.com/hc/en-us/articles/204962304-EdgeRouter-Capturing-Packets – Andy Mar 26 '19 at 23:14
  • It looks like you're not allowing any incoming ICMP packets, e.g. "fragmentation needed". If there are MTU issues then that could cause connections with large packets to fail. I guess it depends on what is covered by "related" traffic. – wurtel Mar 27 '19 at 10:47
  • @Andy just noticed that stamps.com is doing something similar, Chrome tells me it's "waiting for socket" (and it was a first visit, so there weren't like >6 ajax calls happening or anything like that) – Brian Leishman Mar 27 '19 at 13:40
  • @wurtel I've followed this guide (https://community.ubnt.com/t5/EdgeRouter/EdgeRouter-GUI-Tutorial-Allow-ICMP-ping/td-p/1495130) on allowing all ICMP, so we'll see if anyone reports any new slowness – Brian Leishman Mar 27 '19 at 14:20
  • As long as you haven't limited the ICMP type to 8 (ping), then it should be OK. Lots of people misunderstand ICMP (thinking it's only for ping), but a lot of functionality of IPv4 depends on ICMP. – wurtel Mar 27 '19 at 15:02
  • @wurtel yeah I skipped that suggestion intentionally, just to let everything of that type come through – Brian Leishman Mar 27 '19 at 15:18
  • So I personally have not had any problems, and I haven't heard anything from anyone else in our building (stark difference from the hanging every 30 minutes), so I guess I'd consider this solved, even though I'm not sure exactly which things fixed it – Brian Leishman Mar 28 '19 at 13:01
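As an added example (not code from the question or from Ubiquiti), here is a small Python checker that parses an EdgeOS configuration dump like the one above and flags WAN rulesets that would drop the ICMP "fragmentation needed" messages path-MTU discovery depends on, the problem wurtel's comments point at. The config excerpts are constructed, and the `icmp type` / `icmp type-name` / `code` match keys are assumed from EdgeOS rule syntax.

```python
def parse_edgeos(text):
    """Parse an EdgeOS 'show configuration' dump into nested dicts (keys like 'rule 10')."""
    root = node = {}
    stack = []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line == "}":
            node = stack.pop()                       # back up to the parent block
        elif line.endswith("{"):
            stack.append(node)                       # descend into a child block
            node = node.setdefault(line[:-1].strip(), {})
        else:
            key, _, val = line.partition(" ")        # leaf: 'default-action drop'
            node[key] = val.strip('"')
    return root

def admits_frag_needed(rule):
    """True if an accept rule lets ICMP type 3 code 4 (fragmentation needed) through."""
    if rule.get("action") != "accept" or rule.get("protocol") not in ("icmp", "all"):
        return False
    icmp = rule.get("icmp")                          # assumed EdgeOS match block
    if not isinstance(icmp, dict):
        return True   # no type filter on the rule: every ICMP type is accepted
    if icmp.get("type-name") == "destination-unreachable" or icmp.get("type") == "3":
        return icmp.get("code") in (None, "4")
    return False      # e.g. 'icmp type 8' (echo-request only) still drops frag-needed

def pmtud_findings(config):
    """One finding per WAN ruleset that drops by default and has no rule admitting frag-needed."""
    findings = []
    fw = config.get("firewall", {})
    for name in ("WAN_IN", "WAN_LOCAL"):
        rs = fw.get(f"name {name}", {})
        rules = [v for k, v in rs.items() if k.startswith("rule ") and isinstance(v, dict)]
        if rs.get("default-action") == "drop" and not any(map(admits_frag_needed, rules)):
            findings.append(f"{name}: no rule accepts ICMP 'fragmentation needed' (PMTUD black hole)")
    return findings
# Constructed excerpt mirroring the question's WAN_IN (only established/related accepted).
BEFORE = """firewall {
    name WAN_IN {
        default-action drop
        rule 10 {
            action accept
            state {
                related enable
            }
        }
    }
}
"""
# Same ruleset with an explicit ICMP accept rule added (EdgeOS 'protocol icmp').
AFTER = BEFORE.replace("    }\n}", "        rule 30 {\n            action accept\n"
                                   "            protocol icmp\n        }\n    }\n}")
```

Running `pmtud_findings(parse_edgeos(BEFORE))` reports WAN_IN, while the AFTER ruleset returns no findings; the same parser can be pointed at the full dump above.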
