Sophos UTM: Decommissioning of obsolete URL categorization services CFFS. Click here for important info.

Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 24 replies
  • Subscribers 35 subscribers
  • Views 3892 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

At my wit's end with WAN bottleneck on FW Home

MaxC12

My friend decided to run FW Home on my recommendation, but he's having trouble and I took the machine home to troubleshoot.  Five days later, I still haven't found the issue.

SFVH (SFOS 19.5.2 MR-2-Build624)

Lenovo ThinkCentre SFF PC
Intel Core i3-8145UE
8GB (6GB usable on Home edition) DDR4 2666

Everything works...  except the WAN download speed is garbage.  On a 400/50 connection, I get ~30mbps download, ~40mbps upload on speedtest.net and ~100mbps download, ~48mbps upload on the Google speed test.  That is across all VLANs and on LAN port direct.  I can also confirm that running speedtest-cli on the device shell gives the same exact results.  Interface speed is confirmed to be gigabit, and multiple cables have been tested.

There is a test top rule that has no features, that I confirmed is used for all access.  IPS off, AV off, Web off, no Advanced protection, no QoS (but limit was tested adjusted to 56250 regardless), no VPN.

CPU usage barely ever passes 18%, memory is stable at 33-35%, including when running `top` in the shell.  Gateway set to DHCP.  DNS set to 127.0.0.1, 1.1.1.1, 8.8.8.8.

WAN zone bandwith reports the reality, slow connection.

I have used a live Linux distribution on the machine and can connect to the WAN at full speed, ruling out port/chipset issues.

With those specs, I should be able to run everything with all services on without a hiccup on a 400/50 connection, yet I can't crack what the issue is.

I use pfSense at home and have no issues if I connect through it at full speed, but the Sophos box immediately slows everything down.



This thread was automatically locked due to age.
  • 0

    Are the DoS (DoS attack) settings enabled in the Intrusion DoS & Spoof Protection settings? In some cases DoS protection TCP/UDP flood protection can impact speed test results.

  • 0

    What virtualization do you use? 

    __________________________________________________________________________________________________________________

  • 0 in reply to LuCar Toni

    It's running on bare metal.

  • 0

    What NICs brand/chipset are you using? 

    why are you using 127.0.0.1 as a DNS server? That is no upstream resolver.

  • 0 in reply to MaxC12

    Check with ethtool and ifconfig the WAN and LAN ports. 

    __________________________________________________________________________________________________________________

  • 0 in reply to alan weir

    Simply faster when it already resolved.  I tried removing it as well, with no changes to speed.

    Realtek RTL8111s which I found extensive usage of on this forum in working configs.

  • 0 in reply to LuCar Toni 

    SFVH_SO01_SFOS 19.5.2 MR-2-Build624# ethtool Port1
Settings for Port1:
        Supported ports: [ TP ]
        Supported link modes:   10baseT/Half 10baseT/Full
                                100baseT/Half 100baseT/Full
                                1000baseT/Full
        Supported pause frame use: Symmetric Receive-only
        Supports auto-negotiation: Yes
        Supported FEC modes: Not reported
        Advertised link modes:  Not reported
        Advertised pause frame use: Symmetric Receive-only
        Advertised auto-negotiation: No
        Advertised FEC modes: Not reported
        Speed: 1000Mb/s
        Duplex: Full
        Port: Twisted Pair
        PHYAD: 0
        Transceiver: internal
        Auto-negotiation: off
        MDI-X: Unknown
        Supports Wake-on: pumbg
        Wake-on: g
        Current message level: 0x00000033 (51)
                               drv probe ifdown ifup
        Link detected: yes
SFVH_SO01_SFOS 19.5.2 MR-2-Build624# ethtool Port2
Settings for Port2:
        Supported ports: [ TP ]
        Supported link modes:   10baseT/Half 10baseT/Full
                                100baseT/Half 100baseT/Full
                                1000baseT/Full
        Supported pause frame use: Symmetric Receive-only
        Supports auto-negotiation: Yes
        Supported FEC modes: Not reported
        Advertised link modes:  Not reported
        Advertised pause frame use: No
        Advertised auto-negotiation: No
        Advertised FEC modes: Not reported
        Speed: 1000Mb/s
        Duplex: Full
        Port: Twisted Pair
        PHYAD: 0
        Transceiver: internal
        Auto-negotiation: off
        MDI-X: Unknown
        Supports Wake-on: pumbg
        Wake-on: g
        Current message level: 0x00000033 (51)
                               drv probe ifdown ifup
        Link detected: yes

    Port1     Link encap:Ethernet  HWaddr 90:2E:16:59:E4:A4
          inet addr:192.168.200.1  Bcast:192.168.200.255  Mask:255.255.255.0
          inet6 addr: fe80::922e:16ff:fe59:e4a4/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5797713 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4812204 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3044936479 (2.8 GiB)  TX bytes:3621812441 (3.3 GiB)
          Interrupt:127 Base address:0xe000

    Port2     Link encap:Ethernet  HWaddr AC:16:2D:A0:E4:B8
          inet addr:xx.xx.xx.xx  Bcast:xx.xx.xx.xx  Mask:255.255.255.0
          inet6 addr: xx::xx:xx:xx:xx/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4401472 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5300475 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3545409914 (3.3 GiB)  TX bytes:2973207609 (2.7 GiB)
          Interrupt:128 Base address:0x3000

  • 0 in reply to MaxC12

    Hi,

    please review the QOS settings.

    Ian

    XG115W - v20 EAP 1 - Home

    If a post solves your question please use the 'Verify Answer' button.

  • 0 in reply to rfcat_vk

    Total WAN bandwidth is 56250.  VOIP and Guaranteed are both Disable.

    Test firewall rules use None as traffic shaping.

Unfiltered HTML