I am seeking your advice... I recently upgraded my hardware from an XG105 to and XG115 to address performance issues we were experiencing with MSFT Teams, WebEx, Nintendo Switch, etc.
Given both my wife and I are WFH now due to Covid, our issues have become more apparent.
I am not a network or security engineer, but know enough to navigate my way around the FW.
If I set up a persistent ping to and external address, say Google's DNS, and run a Team calls concurrently, I will notice the video and audio performance degrades and I see packet loss on the ping. I also filter the logs by my laptop IP, where I am running Teams from, and can see denied traffic. When I look at the addresses via a domain lookup (Centralops), most of the addresses are AWS, MSFT (direct) & Azure (Hosting), etc.
I have added exceptions into my rules but this doesnt seem to make a difference.
The last thing I want to do is create a whole bunch of bypass rules and compromise the effectiveness of the FW - whats the point of having it.
So, what is the best way to get support on this? I need some help in diagnosing the root cause (poor configuration, missing rules or policies, etc).
what type of link are you using and what speeds?
I have Unlimited Telstra NBN HFC.
thank you for the screen shot.
Your single performance looks very much like my FTTC 50/20.
I don't think your issue is with the firewall rules but more with connection issues.
Please check the Network tab in the XG GUI to see what each interface is showing. You should be looking for auto-negotiation or full duplex and 1000mb/s.
what about internal network? Are you using an AP to connect?
Finally which version of XG are you running?
I am running an XG115W with two AP55s attached via a 1gb switch with SFOS 18.0.1 MR-1-Build396
this might seem like a dumb question, but why are you inning bridge mode?
it was default due to the way I connect my Telstra gateway. I tried to avoid it based on some previous posts I read.
Happy to rebuild in route mode...
with just two of you, bridge is hard to configure with all your extra equipment in my opinion. But having said that I don’t think Telstra hfc gateways allow bridge mode.
also depends on what you are trying to achieve.
Thank you for the follow-up.
If possible please post your Firewall rules configuration and the exceptions you created.
As per the bridge, I would recommend you to break it if possible, and/or remove the 2 ports that are not being used.
is there a way to dump the config via CLI or will screen shots do?
screenshots are fine and best.
thank you for those screenshots.
Things you might like to sconsider
1/. 2.4ghz throughput is max 150mb/s
2/. your link is 50/20mb/s
3/. using different SSIDs for 2.4 and 5gz bands.
4/. removing some of the functions in the LAN and WIFI settings.
5/. firewall rule processing is from top down.
Below are my IP settings.
Do you have a server at home?
If not you do not need DMZ, the rule which can be deleted. You also seem have a lot of disabled rules which you should consider deleting. Do you plan on remote connections into your network or firewall, if not remove the ssh vpn from the WAN interface.
How are you APs connected?
1/. 2.4ghz throughput is max 150mb/s: [so have put my main SSID to 5GHz feq]
2/. your link is 50/20mb/s [which should be plenty for what we need - shouldnt have packet loss during a single Teams call]
3/. using different SSIDs for 2.4 and 5gz bands. [done, have separated the frequency into two SSIDs and turned Guest off]
4/. removing some of the functions in the LAN and WIFI settings. [done, see images]
6/. Remove disabled FW rules [removed]
7/. Server and DMZ [removed]
8/. How are APs connected [via a switch into the Bridge on Port 1 - I can deleted port 3 from the bridge but not port 4]
One Observation: I have my key devices configured for Static IP, but I see regular releases for these addressed via DHCP. I am wondering if these renews are creating connectivity issues.
Q. do you have 'enable spoof protection' enabled, as I dont see any trusted Mac addr in the image. I got a warning when I clicked Enable and IP Spoofing for LAN and WiFi.
"Please use this feature with caution! You may lock out from network access to this device if incorrect MAC addresses are added to the "Trusted MAC" list."
this is my work laptop (10.0.0.12), and the destination address appears to be a standard MSFT network likely to be Office 365 (e.g. Teams and Outlook).
is this normal?
if using static addresses on devices they need to be outside of the DHCP range of the XG.
While you have a lot of IP address exceptions in your web exception list, I suspect the the Teams application uses URLs to connect, so you would need to review the logviewer -> report for those URLs. Also check the FQDN group listing that already exist in the XG for what is included.
The log you have posted shows that there is no matching firewall rule for IP addresses.
I see you have some form of IPv6 enabled. Also please post your NAT rules.
If you do not have IPv6 configured on the XG that will new casu9ing some of your failed connection attempts. You will need to disable IPv6 on your laptop while working at home.
thank you for all this help Ian, very much appreciated and the wife and kids are a big thumbs up!
here is the DHCP range, with my static addressed excluded.
Re: IPv6, it was enabled on the laptop so should I actually enable it now on all interfaces?
Re: Exception, I have added the O365 Sophos exception policy which updated all the URLs, I was just a little nervous about creating FW rules to match some the exceptions in case i inadvertently compromised my security.
Q. Are yo also able to confirm if you have Enabled spoof Prevention and if so, have you added trusted MAC addresses?
I did enable spoof protection but did not add any MAC addresses.
IPv6, the current version of XG does not handle IPv6 very well, it does not allocate any internal addresses and you need seperate IPv6 rules to allow traffic out. You would also need to setup a DHCP server and enable RA.
You could delete the linked NAT rules and just use the default which reduce the confusion when debugging.
At this stage of your configuration don't worry too much about compromising your security, you need to get connectivity then fine tune your rules. You would need to move away from using any as a service to specific rules using https (proxy) and other rules to allow non proxied traffic but still get it scanned.
I think we are getting close Ian, and will be able to confirm performance tomorrow when work fires back up.
One last thing re Wireless
I have tried to separate 2.4 from 5 by creating another Wireless Network, but cant see how I allocate a particular AP as part of the Hardware. Where am I going wrong?