Wireless throughput reduced significantly when proxy enabled

We have been testing a couple of AP55C devices and finally started using the Guest Network. If the proxy is enabled for this network, throughput drops from about 40-50 Mbps to 2 Mbps. We don't see this issue on the internal bridged wireless network or anywhere else. Only on the Guest Network.

Any thoughts on why it gets such a high performance hit?

  • I'd be interested to know what Sophos Support has to say about this, Tim.

    Cheers - Bob

  • In reply to BAlfson:

    I just got back to testing this. Tonight, I get the same speed whether I go through the proxy or not. The night after my original post, I upgraded all my UTMs to 9.506-2. Maybe something got fixed? Or I have made a change in the past week that made a difference. If it happens again, I will open a ticket.

  • In reply to TimBoggs:

    Just to follow-up. I finally called support after the issue recurred and I had tried several different things. Long story short was to not send Guest WiFi through the proxy if you are using the internal "wlan0" interface.

    What I really want to share are some of the issues I had:

    1. If you have networks in the Transparent Mode SkipList and "Allow HTTP/S traffic for listed hosts/nets" checked, the Guest network will have access to all networks in the list and it won't be logged anywhere we could find. Not in the Proxy or Firewall logs.

    2. "Any IPv4" and "Internet IPv4". Both of these are created by the Sophos device. Don't trust them. Any IPv4 existed before I added a second ISP. You can't edit or view the definition, but it is a 0.0.0.0/0 network object. Internet IPv4 appeared after I added a second ISP, but didn't go away when I removed it. It specifically states "'Any' network, bound to interfaces with default IPv4 gateway" and is bound to my lone existing ISP interface. You can view its properties, but you cannot edit it. It is my understanding that both of these should represent public external IP addresses, vs. your internal subnets. While on the phone with support, Internet IPv4 was allowing traffic from the Guest Wireless to my internal network even though it was in an allow rule that followed a block rule explicitly blocking what we were trying to reach. We changed it to Any IPv4 and the traffic quit flowing to internal. Ah, problem solved. After getting off the phone, I was doing some more testing and bam, it was letting traffic through again with no changes made. I switched back to Internet IPv4 and the traffic was blocked again. I decided to create my own object and bind it to the ISP interface. I will see how that goes, but there is something wrong here.

    Spent 4 hours on the phone with support and they dug through everything. Hopefully we found all the problems, but it remains to be seen.

  • In reply to TimBoggs:

    From the Online Help:

    • Any (IPv4/IPv6): A network definition (for IPv4 and IPv6 each, if IPv6 is enabled) bound to the interface which serves as default gateway. Making use of it in your configuration should make the configuration process easier. With uplink balancing enabled, the definition Internet is bound to Uplink Interfaces.

  • In reply to TimBoggs:

    Tim, you might be interested in a document I maintain that I make available to members of the UTM Community, "Configure HTTP Proxy for a Network of Guests." If you would like me to send you this document, PM me your email address. I also maintain a version in German, initially translated by fellow member hallowach when he and I did a major revision in 2013.

    Cheers - Bob

  • In reply to BAlfson:

    You previously sent me the document and I followed it for initial setup. However, it's been about six months and while trying to resolve the throughput issue, I deviated from the document, particularly "IX. Web Filtering / Webfilter".

    I am still concerned with the behavior of the system generated "Internet" definitions and the inconsistency encountered.

  • In reply to TimBoggs:

    Interesting about Guest traffic from built-in WiFi going slowly through Web Filtering. Did that also happen with traffic from other wireless networks defined on the internal AP?

    Section IX recommends not checking the box to allow traffic for the Networks/Hosts in the Skip Transparent boxes, and then making explicit firewall rules for that which you want to allow.

    I'm confused by your description of results using the "Internet IPv4" and "Any IPv4" Network objects. "Any IPv4" includes all IPs, including all IPs with routes known to the UTM, such as your internal network, guest network, etc. "Internet IPv4" was around before, but you might not have noticed it earlier. As you said, it only includes IPs reached by interfaces with an IPv4 default gateway - that is generally all IPs with routes unknown to the UTM.

    Cheers - Bob
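A constructed model of the two destination definitions Bob describes above and of first-match rule evaluation, added here as an example; it is not code from the thread or from Sophos, and the subnets, addresses and rule orderings are assumptions chosen to show why a guest allow rule with a 0.0.0.0/0 destination needs an explicit block in front of it.

```python
import ipaddress

# Constructed sample topology (assumption): the UTM has routes to an
# internal LAN and to the guest "Separate Zone" WLAN.
LAN = ipaddress.ip_network("192.168.1.0/24")
GUEST = ipaddress.ip_network("10.10.10.0/24")
KNOWN_ROUTES = [LAN, GUEST]

def is_any_ipv4(addr):
    """Model of 'Any IPv4' (0.0.0.0/0): every address, internal subnets included."""
    return addr in ipaddress.ip_network("0.0.0.0/0")

def is_internet_ipv4(addr):
    """Model of 'Internet IPv4': addresses with no route known to the UTM,
    i.e. only reachable via the interface holding the default gateway."""
    return not any(addr in net for net in KNOWN_ROUTES)

def evaluate(rules, src, dst):
    """First matching (action, source net, destination predicate) wins;
    an unmatched packet hits the implicit default deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_match in rules:
        if src in src_net and dst_match(dst):
            return action
    return "drop"

# Ruleset A: guest -> "Any IPv4" allow with no block in front of it.
RULES_ANY = [("allow", GUEST, is_any_ipv4)]
# Ruleset B: the same allow, but with "Internet IPv4" as destination.
RULES_INTERNET = [("allow", GUEST, is_internet_ipv4)]
# Ruleset C: explicit guest -> LAN block placed *before* the broad allow.
RULES_BLOCK_FIRST = [("drop", GUEST, lambda d: d in LAN),
                     ("allow", GUEST, is_any_ipv4)]

def main():
    # Constructed test addresses: a guest client, a LAN host, a TEST-NET-2 address.
    for name, rules in (("Any IPv4", RULES_ANY), ("Internet IPv4", RULES_INTERNET),
                        ("block then Any", RULES_BLOCK_FIRST)):
        print(f"{name:15} guest->LAN: {evaluate(rules, '10.10.10.25', '192.168.1.10'):5}"
              f"  guest->Internet: {evaluate(rules, '10.10.10.25', '198.51.100.7')}")

if __name__ == "__main__":
    main()
```

Only ruleset A lets the guest client reach the LAN; the "Internet IPv4" model and the block-first ordering both stop it while still allowing the outbound path.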

  • In reply to BAlfson:

    I have one WiFi that is "Bridged to LAN" and it could utilize the full 100 Mbps of our ISP. The "Separate Zone" guest network when proxied was running very slow, 20-40 Mbps max. Now that I have "unproxied" it, it's running at full speed. The only thing I can think is that the Guest wlan1 interface is a virtual interface that somehow behaves differently than traffic from a physical connection. Support basically said they don't expect "Guest" traffic to run through the proxy.

    Sophos support was determined that Internet IPv4 was incorrect and tried creating the policy with the external wan interface address as the destination. That didn't work so they tried Any IPv4. Your definition of "Any IPv4" doesn't seem to match the Online Help I quoted above. So something is not right about it or I am misinterpreting the definition.

  • In reply to TimBoggs:

    "Support basically said they don't expect 'Guest' traffic to run through the proxy."

    I would ask that the case be escalated so that this problem can be addressed. I can't think of a company that would allow a guest device to access p0rn via their Internet connection.

    The online help has gotten jumbled, Tim. "Any IPv4" and "Internet IPv4" behave as I've described. Here's a picture from the 2012 V8.2 User Guide:

    Cheers - Bob