
Firewall dropping packets for standard applications

Hi Community,

I am seeking your advice... I recently upgraded my hardware from an XG105 to an XG115 to address performance issues we were experiencing with MSFT Teams, WebEx, Nintendo Switch, etc.

Given both my wife and I are WFH now due to Covid, our issues have become more apparent.

I am not a network or security engineer, but know enough to navigate my way around the FW. 

If I set up a persistent ping to an external address, say Google's DNS, and run a Teams call concurrently, I will notice the video and audio performance degrades and I see packet loss on the ping.  I also filter the logs by my laptop IP, where I am running Teams from, and can see denied traffic.  When I look at the addresses via a domain lookup (Centralops), most of the addresses are AWS, MSFT (direct) & Azure (Hosting), etc.

I have added exceptions into my rules but this doesn't seem to make a difference.

The last thing I want to do is create a whole bunch of bypass rules and compromise the effectiveness of the FW - what's the point of having it.

So, what is the best way to get support on this?  I need some help in diagnosing the root cause (poor configuration, missing rules or policies, etc).



  • Thank you for all this help Ian, very much appreciated and the wife and kids are a big thumbs up!

    Here is the DHCP range, with my static addresses excluded.

    Default_DHCP_Server
    br0 - 10.0.0.1
    10.0.0.20 - 10.0.0.62

    Re: IPv6, it was enabled on the laptop so should I actually enable it now on all interfaces? 

    Re: Exception, I have added the O365 Sophos exception policy which updated all the URLs, I was just a little nervous about creating FW rules to match some of the exceptions in case I inadvertently compromised my security.

    Q. Are you also able to confirm if you have enabled spoof prevention and if so, have you added trusted MAC addresses?


  • Hi Matt,

    I did enable spoof protection but did not add any MAC addresses.

    IPv6, the current version of XG does not handle IPv6 very well, it does not allocate any internal addresses and you need separate IPv6 rules to allow traffic out. You would also need to set up a DHCP server and enable RA.

    You could delete the linked NAT rules and just use the default, which reduces the confusion when debugging.

    At this stage of your configuration don't worry too much about compromising your security, you need to get connectivity then fine tune your rules. You would need to move away from using any as a service to specific rules using https (proxy) and other rules to allow non proxied traffic but still get it scanned.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • I think we are getting close Ian, and will be able to confirm performance tomorrow when work fires back up.

    One last thing re Wireless

    I have tried to separate 2.4 from 5 by creating another Wireless Network, but can't see how I allocate a particular AP as part of the Hardware.  Where am I going wrong?


  • Hi Matt,

    In one SSID you have both 2.4 and 5 GHz enabled.

    This might help.

    Also when using IPv6 your exception list will not work because it contains IPv4 addresses. Also IPv6 at this stage does not know about FQDN and FQDN groups, just beware that I think MS tries to use IPv6 by default.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • This did help, thanks Ian.

    Resultant WiFi config looks like this now


  • I may have cut too far back now Ian.

    Having browsing issues and apps on iPhone like FB are taking time to load images and video.

    I think I am missing either a FW rule from WiFi / LAN to WAN or missing a NAT.

    Please see the FW log filtered on Denied and my iPhone that I am testing with.


  • Hi Matt,

    Those packets can usually be ignored, they are from sessions that have finished.

    From memory your WiFi is bridged to your LAN, you shouldn't need any extra rules for them.

    I suspect the issue will be with your IPv6 configuration, most of my devices try to use IPv6 first, I have mainly Apple devices as primary toys. If no IPv6 rule is found the connection will time out and try again using IPv4, so hence the delay.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.
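    A small probe that makes the "IPv6 first, then fall back to IPv4" delay Ian describes measurable, written as an added example for this thread rather than anything from Sophos or the posters. It times one TCP connect per address family and classifies the pair of outcomes; a silent drop on IPv6 with a working IPv4 path is the "ipv6-blackhole" case. The resolver and connector are injectable so the classification runs offline; the default target name is an assumed sample.

```python
import socket
import time

# Outcome codes returned by probe_family()
OK, TIMEOUT, REFUSED, UNREACHABLE, NO_ADDRESS = "ok", "timeout", "refused", "unreachable", "no-address"


def _tcp_connect(sockaddr, family, timeout):
    """Default connector: a single TCP connect attempt with a hard timeout."""
    with socket.socket(family, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(sockaddr)


def probe_family(host, port, family, timeout=3.0, resolver=socket.getaddrinfo, connect=_tcp_connect):
    """Resolve `host` for one address family and time one TCP connect.
    Returns (outcome, elapsed_seconds). resolver/connect are injectable for offline testing."""
    try:
        infos = resolver(host, port, family, socket.SOCK_STREAM)
    except socket.gaierror:
        return NO_ADDRESS, 0.0
    if not infos:
        return NO_ADDRESS, 0.0
    sockaddr = infos[0][4]
    start = time.monotonic()
    try:
        connect(sockaddr, family, timeout)
        outcome = OK
    except (socket.timeout, TimeoutError):   # silently dropped: what a missing allow rule looks like
        outcome = TIMEOUT
    except ConnectionRefusedError:           # reached the host, service not listening
        outcome = REFUSED
    except OSError:                          # no route / network unreachable
        outcome = UNREACHABLE
    return outcome, time.monotonic() - start


def diagnose(v6, v4):
    """Classify a (v6_result, v4_result) pair from probe_family()."""
    if v6[0] == OK and v4[0] == OK:
        return "dual-stack-ok"
    if v6[0] == NO_ADDRESS:
        return "ipv4-only"          # no AAAA / no IPv6 path: no fallback delay to expect
    if v6[0] == TIMEOUT and v4[0] == OK:
        return "ipv6-blackhole"     # v6-preferring clients stall for the timeout, then retry over IPv4
    if v4[0] != OK:
        return "ipv4-broken"
    return "ipv6-degraded"


def check_host(host, port=443, timeout=3.0):
    """Probe both families and return (verdict, v6_result, v4_result)."""
    v6 = probe_family(host, port, socket.AF_INET6, timeout)
    v4 = probe_family(host, port, socket.AF_INET, timeout)
    return diagnose(v6, v4), v6, v4
```

    Run `check_host("teams.microsoft.com")` from a client on the LAN; a verdict of "ipv6-blackhole" with a v6 elapsed time equal to the timeout reproduces the stall described above.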

  • Looks like it was the DoS settings that may have impacted browsing and FB image / video loading, so put back to default.

    Thank you for all your help the last couple of days Ian, am now set for tomorrow and will test performance whilst I work.

    Here is a summary:

  • Hey Emmanuel, I have now added step 4 and things are looking good.  I will test it with a few Teams calls tomorrow.

    Cheers,

    Matt