
Speed through UTM 9

Hi,

I just upgraded my external internet connection to 300 Mbit. I am running UTM in an elderly PC with 3 Gbit nics.

I verified speed directly on the connection, I verified all cables and nics to support and run gigabit.

My issue is, that even on cable connections, as soon as I go through the UTM, I cannot reach more than 80-90 Mbits. I cannot find any logs to indicate the limitations. 

A possible explanation would be that the NICs are not running at Gbit, even though they support it (Intel 82541 Gbit adapter). Can that be verified somewhere in the UTM logs?

Any suggestions / ideas / anything? Where to look?

Best regards

Claus, DK
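One way to answer the question above (whether each NIC actually negotiated gigabit full duplex) is to parse the `ethtool` output on the firewall's own shell. This is an added example, not code from the thread or from Sophos; it assumes a Linux host with `ethtool` installed, and the two sample outputs are constructed so the check runs offline.

```shell
#!/bin/sh
# Added example: flag NICs whose negotiated link is below 1000Mb/s full duplex
# by parsing the "Speed:", "Duplex:" and "Link detected:" lines of ethtool.
# Assumption: Linux host with ethtool (UTM 9 is Linux-based); not UTM's own tooling.

# Reads one ethtool block on stdin, prints "<iface> <speed> <duplex> <verdict>".
check_link() {
    iface="$1"
    awk -v iface="$iface" '
        /Speed:/         { speed  = $2 }
        /Duplex:/        { duplex = $2 }
        /Link detected:/ { link   = $3 }
        END {
            verdict = "OK"
            if (link != "yes")
                verdict = "NO-LINK"
            else if (speed != "1000Mb/s" || duplex != "Full")
                verdict = "DEGRADED"   # e.g. 100Mb/s, Half, or "Unknown!"
            printf "%s %s %s %s\n", iface, speed, duplex, verdict
        }'
}

# Helper so a captured block can be checked without a live interface.
verdict_for() { printf '%s\n' "$2" | check_link "$1"; }

# Constructed samples: eth0 negotiated gigabit, eth1 fell back to 100Mb/s half duplex
# (the classic symptom of a bad cable or a mismatched fixed-speed setting).
SAMPLE_ETH0='Settings for eth0:
    Speed: 1000Mb/s
    Duplex: Full
    Auto-negotiation: on
    Link detected: yes'
SAMPLE_ETH1='Settings for eth1:
    Speed: 100Mb/s
    Duplex: Half
    Auto-negotiation: on
    Link detected: yes'

# Live use on the firewall shell (run as root):
#   for i in eth0 eth1 eth2; do ethtool "$i" | check_link "$i"; done
verdict_for eth0 "$SAMPLE_ETH0"
verdict_for eth1 "$SAMPLE_ETH1"
```

A NIC reported as DEGRADED or NO-LINK on the internal or external side would cap throughput well below the WAN speed regardless of what the UTM's filtering engines are doing.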



  • Hi Claus,

    Any insight after checking #7 in the Rulz by Bob?

    Cheers-

    Sachin Gurung
    Team Lead | Sophos Technical Support

  • Hi,

    thanks for the suggestion. I checked as much as possible:

    1. Does not apply – I do, however, have a Realtek 8139 onboard NIC for my DMZ. I assume that should not influence the internal→external running on Intel
    2. Confirmed
    3. Completely block communication ?!?
    4. No change
    5. No change
    6. Not possible – however testing directly there, the speed is as expected
    7. Tried, however the switch is not managed – and externally on the ISP equipment I do not have access to that tuning. Changing it on the UTM didn’t yield any difference – at least not for the better: running the UTM at fixed FD1000 was bad.
    8. My NICs for internal and external are indeed Intel, the Intel Corporation 82541PI Gigabit Ethernet Controller. Could that be influenced by the bug? Since the MB in the host only supports PCI, my options are a bit limited.
      • Could it be a limitation related to the motherboard bus?

    Does that shed light on anything?

    BR, Claus

  • Claus, you won't get much better speed than that with your old CPU.  If you temporarily disable Intrusion Prevention (Snort), you should see a substantial increase, but you probably can't get to 300Mbps unless you also disable antivirus and Application Control.  Even then, maybe not.  Since Snort is single-threaded, only one of the newest, fastest Intel processors will get you close to 300 with Intrusion Prevention active.

    At the top of the Hardware & Installation forum, you will find a thread that's an unofficial HCL.  You might want to read the last page or two of that thread.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    thank you.

    1) Yes - disabling IPS certainly helps: 190/200 Mbit

    2) Do you have Web Protection, Application Control and Endpoint Protection, Antivirus in mind?

    Thanks for the reference to the unofficial HCL, which I have browsed. However, few cases actually mention the throughput, so limited progress.

    In your opinion: Main bottleneck would be the CPU?

    Best regards

    I have tested a UTM120 vs my self-built Celeron J1900 setup. CPU power DOES make a difference, even when you're not using IPS. My WLAN throughput with the UTM120 was around 25 MBit/s; with the J1900 it went up to 35 MBit/s with the same Sophos AP15 as access point. My internet connection is 200/10 MBit.

    I don't know where my poor WLAN speed generally comes from, maybe too many WLANs in the neighborhood, as I was having bad speed even without a UTM and AP15... sender and receiver are in the same room. Sometimes it's hard to stream in 1080p from Amazon Prime or any other streaming service.

    Regards,

    Kevin
    Sophos CE/CA (XG+UTM), Gold Partner

  • BAlfson said:

    Claus, you won't get much better speed than that with your old CPU.  If you temporarily disable Intrusion Prevention (Snort), you should see a substantial increase, but you probably can't get to 300Mbps unless you also disable antivirus and Application Control.  Even then, maybe not.  Since Snort is single-threaded, only one of the newest, fastest Intel processors will get you close to 300 with Intrusion Prevention active.

    At the top of the Hardware & Installation forum, you will find a thread that's an unofficial HCL.  You might want to read the last page or two of that thread.

    Cheers - Bob

    Thanks for your help Bob!

    I read this thread with great interest as I had just upgraded my network from 45/5mbps to 100/20mbps and saw zero throughput increase through the UTM, but was getting very close to quoted wire-speed when connected directly to the Uverse box. I had already done everything in "Rulz #7" that was applicable before coming here, even swapping the on-board Realtek RTL8111DL for one of the Intel 82541GI add-in ports even though the Realtek is perfectly able to handle 100mbps, and nothing changed. I came here hoping to find some help and got the answer right away.

    I didn't worry about my CPU as it generally idled at 7% and only spiked to around 35%. Unfortunately I had no idea snort wasn't multi-threaded. WTF is the snort project thinking? They should have hopped on that bandwagon as soon as it was apparent that multi-core processors were going to be the norm. Especially no excuse now that Cisco owns them.

    Might I suggest that you add the IPS suggestion to "Rulz #7?"

    One thing though; I'm curious about your statement that one would need one of the newest, fastest Intel processors to see 300mbps IPS throughput. After my experience I was curious as to what hardware Sophos puts in their UTMs. Even the lowest-end SG105 quotes 350mbps IPS throughput. Sophos coyly doesn't provide details as to the hardware it uses, but it does state its power usage is "4.83W idle, and 9.84W fully loaded." This is either an ARM or Intel embedded/mobile processor. So perhaps you meant a modern embedded Intel processor? Obviously my D525 can't handle it, but I bet a modern Atom or Celeron could. I don't suppose you know what processor and NICs are in the SG105s?

    Again, thanks for your help Bob. You continue to be one of the most helpful participants on this board.  :-)

    On a personal note, I grew up in Stillwater, BTW. ;-)

  • It must have been rough growing up in the shadow of the second best Oklahoma football team :).

    Sorry - could not resist.

  • darrellr said:

    It must have been rough growing up in the shadow of the second best Oklahoma football team :).

    Sorry - could not resist.

    Nope, not at all. I have absolutely no interest in any sports outside of some Olympic events. Collegiate and pro sports exist to suck the money out of suckers' pockets and have zero redeeming qualities.

    Sorry, likewise couldn't resist.    ;-))

    But if you have to grow up in Oklahoma, Stillwater was a nice place to do it. When I was there the population was 36k, of which 19k were university students. Not a more intellectually stimulating place in OK, nor one with better "scenery" for an adolescent boy.   ;-p

  • KennethHolmqvist said:

    Thank you very much for this information. 

    I've currently got my UTM 9 running on a JetWay NF96FL-525-LF (from 2011) with 2GB of RAM, which uses an Intel D525 vs. the SG105's E3826. (I love JetWay's mini-ITX mobos, btw. Unfortunately they've moved away from custom mezzanine NIC add-in cards, though there are advantages to this move.)

    According to this comparison, I don't see a great deal of difference between these processors with respect to their ability to manage IPS at 100Mbps. The SG105 is rated at 350Mbps for IPS. When I've got IPS enabled I see my connection drop from ~96Mbps to ~44Mbps. I'm upgrading my UTM to an X3470-based system, so hopefully I'll be able to get wire-speed IPS.

    BTW, when Sophos shows throughput capabilities for their appliances, these aren't concurrent loads, correct? i.e., the SG105 isn't capable of simultaneously handling the loads it's listed as being capable of:

    Firewall throughput            1.5 Gbps
    VPN throughput                 325 Mbps
    IPS throughput                 350 Mbps
    Antivirus throughput (proxy)   90 Mbps

    I appreciate your input on this!

  • You can't predict real-world performance based on any manufacturer's figures.  Since there's no world-wide government regulation in place, the rule is "under ideal conditions, when this is the only thing being measured and everything else is off, how fast can we make this go?"

    Also, since Snort is single-threaded, you will want to run speed tests on two or more devices to see what the total throughput really is.

    Cheers - Bob
