I live in Australia and have just had my 100/40Mbps NBN (National Broadband Network) connection provisioned. I know, most of you will probably laugh at how behind the times we are here, but this is a big step from my old ADSL2+ connection!
In any case, the NBN provides what they call an NCD (Network Connection Device), which is essentially a bridged VDSL2 modem to which you then connect a router and configure a PPPoE connection to authenticate, provision a public IP address via DHCP and "connect". The ISP supplies the usual crappy router (in this case a TP-Link Archer, but whatever), and I connected it up initially to test the speed and was getting a consistent 92-96Mbps download and 35-37Mbps upload - not bad! FYI - this was measured using speedtest.net.
I then replaced the TP-Link router with my existing SG-125W rev.2 setup running UTM 9.701-6 and to my dismay, my download speed dropped to 75-82Mbps. Upload remains pretty much the same.
I checked the specs of the SG-125W rev.2 and they are as follows:
So even at worst with AV turned on etc., it should be able to handle 100Mbps no problem?
Obviously the first thing I tried doing was turning off Web Protection briefly, including AV, but it didn't make any difference at all. I also checked for anything else that might be slowing things down, but couldn't find anything obvious. CPU / RAM is not running high, so it doesn't appear to be a resource issue?
To make the comparison fair, I ensured at the time of testing I had disconnected the rest of my internal network from UTM and used a wired connection to both routers. So it was basically just my laptop connected to each router for each test. I also tried downloading a 1GB file from a close mirror on both routers and the average download speed matched the results of speedtest.net, so I don't think it's anything specific to using speedtest.net.
So, my question is - can anyone suggest anything I might have configured in UTM that would be slowing down my throughput? Or, could it possibly be one of the parameters of the PPPoE connection itself? I have set the MTU to 1480, which is the same as on the ISP supplied router. Both use a VLAN tag of 2. I don't know what else I could change that might affect connection speed? Here is a screenshot of the current connection parameters:
So in summary, the whole thing works, but is just 10-15Mbps slower than the $100 rubbish router supplied by the ISP! I find it hard to believe it is a hardware limitation of the SG-125W based on the published specifications, so I hope I'm just missing something simple.
Any help would be greatly appreciated!
Try, just for testing, turning off IPS. Any QoS rules active?
In reply to Alexander Busch:
I don't know, but are there any changes if you use fast.com, for example, and adjust the number of streams?
Of course you want to achieve the speed in a single stream but just to be sure.
Thanks for the response. You hit the nail on the head, it is definitely IPS. As soon as I disable it, speed comes up to 92-94Mbps. I only have the patterns ticked applicable to my network (not many at all really), but after doing some experimenting ticking even one category, e.g. Protocol anomaly reduces throughput down to the high 70's range.
So does this mean it is simply a hardware/resource limitation of the SG-125W? That seems rather disappointing. The stats for the rev.2 state 750Mbps for IPS! Obviously I don't want to have to disable IPS altogether just so I can achieve my optimal throughput.
Any thoughts from the community or similar experiences?
Number of streams doesn't appear to make any difference. Single or multiple streams - the total throughput is pretty much the same.
In reply to ChrisNunn:
One problem is that the IPS of UTM is not able to process one connection in parallel. That means one connection is bound to the speed of one CPU core.
I personally don’t have experience with SG125, but hope someone here can comment on that specific model.
The speeds from the manufacturers aren’t practical values in most cases unfortunately. What I would have expected is that the speed would increase with multiple streams. Because then the limitation to one CPU core should not be relevant. Maybe a second device would be needed to get more throughput. That’s what the common use case is in a company. A lot of devices share the bandwidth and in total you get for example 100 Mbit/s but one of them uses 25, another 45 and one 30. So in total the UTM needs to handle 100 Mbit/s.
Often in home environments the demand is different, and sometimes you have to use more powerful hardware, which seems oversized. But after all, these are my theoretical thoughts, and someone with the same device can surely comment on that.
It's a small consolation, but in practice you should only notice that limitation in the case of a download or something like that. I think a website will not be displayed any slower.
Thanks very much for your response. I did some more reading on IPS processes / core usage, and I see where you were going with parallel streams utilising multiple cores. According to this KB article (https://community.sophos.com/kb/en-us/122942), all connections between a source-destination IP pair are assigned to the same IPS process. I think my "multi stream" testing using fast.com yielded a false result, as I assume the multiple streams are connecting to the same destination IP in this scenario. In any case, I tested using two large file downloads from two different source sites. Unfortunately I was still hitting the ~75-80Mbps cap. Hmmm..
After looking up the hardware specs of the SG125W though, I see it's only running a dual core Atom. So it might be that one core is reserved for system processes leaving only one spare core to handle all IPS processes? I'm just guessing, but the end result is that with IPS enabled no one core is capable of greater than 80Mbps, and multiple streams don't seem to increase throughput.
So, where does this leave me? As you said, practically speaking it probably isn't much of a big deal, but still it bugs me that my hardware can't even handle 100Mbps throughput, especially when I am paying a premium cost through my ISP for the 100Mbps connection. I don't believe adding a second unit would help either, as a single core/IPS process can't handle 100Mbps, so while adding more cores to the pool should saturate the connection throughput across multiple streams, it won't help the single stream scenario.
Upgrading to a 125W rev. 3 increases the core count to 4, but doesn't increase clock speed, so again - unsure if this would help the single stream scenario. 135W rev.3 also bumps the clock speed up, but you start talking big $$ for a home network!
What I do have is an older desktop machine I used to use as a home theatre PC, which has a pretty powerful (though a few years old now) quad core i5 in it. Perhaps I should bite the bullet and move across to that.
I know this is off-topic, but is XG now mature enough to move across to for relatively basic requirements? Have Sophos coded IPS to make better use of available hardware resources in XG? I have been running the home license of UTM9 on the SG125W hardware (via the hack). I know this can't be done for XG home. But if I install it on a PC, this could work, and all I would need to do is purchase another Sophos AP (I already have two on the network).
I would be keen to hear anyone's thoughts on the matter.
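The two-destination download test described above, written up as a repeatable script. This is an added example, not code from the thread or from Sophos; the mirror URLs are placeholders you must replace with two large files on hosts that resolve to different IPs (per the cited KB, flows to the same destination IP share one IPS process, so the check is meaningless otherwise), and the 80 Mbit/s single-stream cap passed to `verdict` is the figure observed in this thread.

```python
import socket
import time
import urllib.parse
import urllib.request
from concurrent.futures import ThreadPoolExecutor

# Hypothetical mirrors (assumption): two large files on hosts that resolve
# to different IPs, so the flows land in different IPS processes.
URLS = ["http://mirror-a.example/1GB.bin", "http://mirror-b.example/1GB.bin"]
PER_STREAM_LIMIT = 200 * 1024 * 1024  # stop each stream after 200 MB

def mbps(nbytes, seconds):
    """Bytes transferred over wall-clock seconds, expressed in megabit/s."""
    return nbytes * 8 / max(seconds, 1e-9) / 1e6

def download_rate(url, limit=PER_STREAM_LIMIT):
    """Fetch up to `limit` bytes from `url`; return (host, resolved IP, Mbit/s)."""
    host = urllib.parse.urlsplit(url).hostname
    ip = socket.gethostbyname(host)
    got, start = 0, time.monotonic()
    with urllib.request.urlopen(url, timeout=30) as resp:
        while got < limit:
            chunk = resp.read(65536)
            if not chunk:
                break
            got += len(chunk)
    return host, ip, mbps(got, time.monotonic() - start)

def verdict(results, single_stream_cap):
    """Interpret concurrent per-stream rates against the single-stream cap.

    Only meaningful when the destination IPs are distinct. If the aggregate
    clearly exceeds the single-stream cap, the limit is per IPS process (per
    core); if it does not, the box as a whole is the bottleneck.
    """
    ips = [ip for _, ip, _ in results]
    aggregate = sum(rate for _, _, rate in results)
    distinct = len(set(ips)) == len(ips)
    return {
        "aggregate_mbps": aggregate,
        "distinct_destinations": distinct,
        "limit_is_per_process": distinct and aggregate > 1.25 * single_stream_cap,
    }

if __name__ == "__main__":
    # Run the downloads concurrently, then judge against the observed 80 Mbit/s cap.
    with ThreadPoolExecutor(max_workers=len(URLS)) as pool:
        results = list(pool.map(download_rate, URLS))
    for host, ip, rate in results:
        print(f"{host} ({ip}): {rate:.1f} Mbit/s")
    print(verdict(results, single_stream_cap=80.0))
```

Disconnect the rest of the LAN first, as the original poster did, so other hosts' traffic does not skew the aggregate.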
I know it's frustrating if the device only manages 80 MBit/s. Thank you for the clarification about the connection of source IP and IPS, that makes sense.
You use the software image of UTM, correct? That's an important point too, because the hardware image of UTM is optimized and maybe capable of higher throughput. Would be nice if anyone can comment on that specific device.
An i5 could possibly handle the load. I know there are some threads in the forum about CPU speed and throughput. What I heard is that XG can use multiple cores for IPS, so that limitation is not a problem in XG.
Best regards from rainy Berlin
Yes, I am using the software image with home license. It doesn't make financial sense for me to purchase a business license for home use. I never considered there could be a performance hit as a result, but I suppose that could make sense.
At this stage I think I will take the opportunity to move to XG and to some upgraded HW in the hope of a better outcome.
If no one else has anything to contribute with regards to specific performance around the SG125W, I will close this thread off.
I'd just like to add for anyone else who may stumble upon a similar issue - after discarding my SG125w and changing over to a quad core i5 with 8GB (max specs for home license) on my own hardware, I certainly don't have bandwidth issues any more! Now to sell the 125w :)