Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

QoS issues (again)

.Hello @all!

So I have asked in the past a few questions about QoS, but I had a more complicated setup with two WANs and additionally the second was a bonding between an ADSL line and a 4G+ sim card, which was nor really steady regarding the bandwidth

Time went by and I finally have a decent FTTH connection (500/50)

Now the never-ending question: When I perform a speedtest I get a result of 508 down / 53 up

What I want is to limit my whole network to 495 down/ 49 up

I went to system services and created a Traffic shaping rule as follows

Then in Firewall rules I created a top firewall rule and set as source zone my LANs/VLANs and Destination zones WAN.

In this rule I set Shape Traffic to the traffic shaping rule above

I run a command line speedtest from a linux machine and this is what I get


Speedtest by Ookla

Server: LANCOM LTD - Athens (id: 12031)
ISP: FORTHnet SA
Idle Latency: 2.97 ms (jitter: 0.34ms, low: 2.83ms, high: 4.02ms)
Download: 292.54 Mbps (data used: 251.7 MB)
6.49 ms (jitter: 1.77ms, low: 3.61ms, high: 14.59ms)
Upload: 46.91 Mbps (data used: 21.8 MB)
3.09 ms (jitter: 0.31ms, low: 2.55ms, high: 4.53ms)
Packet Loss: 0.0%

Upload Speed is not exactly what I want but I don't mind.

But download speed is a far cry from 495Mbps

Funny thing is that if I change the download limit from 62000 to say, 70000, I get the exact speed from speedtest

Now I turn off the firewall rule and immediately run another speedtest

Speedtest by Ookla

Server: HYPERHOSTING - Athens (id: 5377)
ISP: FORTHnet SA
Idle Latency: 2.40 ms (jitter: 0.55ms, low: 1.71ms, high: 3.14ms)
Download: 408.47 Mbps (data used: 490.1 MB)
30.79 ms (jitter: 1.59ms, low: 3.77ms, high: 40.38ms)
Upload: 51.28 Mbps (data used: 23.9 MB)
44.51 ms (jitter: 8.94ms, low: 11.40ms, high: 301.76ms)
Packet Loss: 0.0%

My kids are downloading something from PS4 at the moment so not the full 500Mbps speed but still..

I have created another traffic shaping rule with the exact same numbers but this time instead of individual I set it to shared.

I get the exact same results: Setting download bandwidth to 62000 I get a speed of 300. Changing again to 70000 I get no increase.

Disabling the rule gets me back to 400+

Can someone explain what is going on?



Edited TAGs
[edited by: Erick Jan at 8:09 AM (GMT -7) on 20 Sep 2024]
  • Hello,

    What are the results when you perform the test without any users on the network and please share result? Also have you tried directly testing without the FW? PC->directly connected to router->Speedtest? could you share result if you're getting exactly 500 or at least near 500MB DL speed w/o the FW?

    Also could you share your current SFOS version? Thank you

    Regards,

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support
    Sophos Support Videos Product Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

  • At the moment not much bandwidth is consumed at the house.

    Just run a speedtest without having the firewall rule enabled. 

    https://www.speedtest.net/my-result/d/a8dece83-3b26-4fd2-bf3a-ed2d4747bbd6

    (speeds down/up --> 442/53)

    I enabled then the firewall rule. This is the result

    https://www.speedtest.net/my-result/d/bf474902-ca96-4090-90f3-c55a091fd8b5

    Although the numbers in KBps are calculated correctly, the traffic is capped at 300

    (speeds down/up --> 286/47)

    I do have an ISP router, however it is set to bridge mode and is now acting as an ONT.

    I have seen many times the speed reaching 500 down, but even if I hadn't seen it, the traffic shaping rule should give me the full available at any given moment (for example 440+ that I got at the first speedtest). But with the firewall rule for the QoS enabled I always get capped at 300

    My SFOS version is SFVH (SFOS 20.0.2 MR-2-Build378)

     
    Sophos XG Home Licence.

    Machine: Checkpoint 3100 appliance (Intel Atom C2558 CPU, 6GB Ram, 250GB sata SSD)

  • I have replied to you, but my post was flagged as spam, possibly due to the fact that I pasted speedtest links to share the results (was running the windows app this time).

    Anyway, since I don't know when/if my reply will be unflagged, I am replying again..

    So at the moment there is not much bandwidth consumed at the house

    Run a speedtest (from a linux machine now) without the firewall rule enabled:

    Download: 422.91 Mbps (data used: 407.7 MB)
    32.73 ms (jitter: 4.52ms, low: 3.74ms, high: 253.45ms)
    Upload: 52.96 Mbps (data used: 25.2 MB)
    44.28 ms (jitter: 9.33ms, low: 19.42ms, high: 292.46ms)
    Packet Loss: 0.0%

    I enable the firewall rule again:

    Download: 313.15 Mbps (data used: 238.5 MB)
    5.93 ms (jitter: 1.43ms, low: 2.98ms, high: 12.61ms)
    Upload: 47.09 Mbps (data used: 22.4 MB)
    2.84 ms (jitter: 0.41ms, low: 2.27ms, high: 12.94ms)
    Packet Loss: 0.0%

    I disabled the rule again and at the next speedtest I got 430/45

    I enabled it then once more and got 310/47

    The ISP's router is set to bridge mode, which effectively turns it to an ONT

    I have seen many times the speed reaching at 500, but even if I didn't, the QoS rule (which has the correct numbers for KBps) should not limit me to 300, it should at least give me the full available speed since it is capped at a higher speed that the actual one. It should not contantly cap me at 300

    I am running the latest sfos version SFVH (SFOS 20.0.2 MR-2-Build378)

     
    Sophos XG Home Licence.

    Machine: Checkpoint 3100 appliance (Intel Atom C2558 CPU, 6GB Ram, 250GB sata SSD)

  • Hi ,

    for future reference please post screen shots.

    I am running a 250/100 internet connection, to get it to perform, I used the following settings. My peak is slightly less than maximum to allow for the VoIP service requirements.

    Ian

    XG115W - v20.0.3 MR-3 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Thanks a lot for the example Ian!

    I actually want to also limit the upload speed, so this setting alone would not do what I want, but nevertheless I tried your way.

    I disabled the firewall rule and only set the below (based on your numbers, so setting my numbers double than yours)

     

    Result:

    Download: 254.42 Mbps (data used: 264.8 MB)
    8.40 ms (jitter: 6.47ms, low: 2.36ms, high: 286.60ms)
    Upload: 52.95 Mbps (data used: 24.5 MB)
    43.45 ms (jitter: 1.38ms, low: 14.06ms, high: 49.38ms)
    Packet Loss: 0.0%

    I immediately change the settings to Disable "Enforce guaranteed bandwidth" 

    Result:

    Download: 424.80 Mbps (data used: 414.4 MB)
    29.13 ms (jitter: 1.66ms, low: 5.16ms, high: 39.75ms)
    Upload: 52.93 Mbps (data used: 25.2 MB)
    42.67 ms (jitter: 1.65ms, low: 16.11ms, high: 49.23ms)
    Packet Loss: 0.0%

    It makes no sense... 

     
    Sophos XG Home Licence.

    Machine: Checkpoint 3100 appliance (Intel Atom C2558 CPU, 6GB Ram, 250GB sata SSD)

  • The settings I showed are only for overall lists, you then need toast QoS limits for applications to be able to apply them to individual rules.

    Ian

    XG115W - v20.0.3 MR-3 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • OK, but this does not explain the aforementioned behavior..  

    Additionally, I only want one simple thing..

    I want the total bandwidth down/up to be restricted to a specific speed.

    I don't want to apply rules to applications and/or users and/or machines

    Nothing complicated. Just this simple thing.

    In fact I have already - as mentioned - created a traffic shaping rule and applied it to a top rule for the whole network

    It limits the speed to 300 although it should not, based on the numbers I set

    I even applied the traffic shaping policy to a rule that has one test machine in it.

    It does the same thing. Instead of limiting to 495 (I have set it to 62000 KBps), it limits to 300.

    So the problem is not that traffic shaping does not work.

    The problem is that its settings for the speed are not reflected by the outcome

     
    Sophos XG Home Licence.

    Machine: Checkpoint 3100 appliance (Intel Atom C2558 CPU, 6GB Ram, 250GB sata SSD)

  • Hi,

    what chips are the nics running?

    to limit the upload speed on an asymmetrical connection you will need to use application policies. 
    ian

    XG115W - v20.0.3 MR-3 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • All are intel chips

    Regarding the asymmetrical connection: 

    1. Then why do I have the option to enter different limits for down and up? If this is the case, then having two different settings makes no sense

    In any case, I do not care that much for the upload and I could live with the ability to only limit the download. But the problem is that I am setting 62000 KBps to the download speed and instead of capping at 400+, it caps at 300 (continuously reproduceable).

    Regarding application policies I am sorry but I don't quite follow. A setting to limit total/up down is something simple that I've seen a lot people using (even with some crap ISP routers). Can't I do this thing with XG?

    As mentioned I only need a top rule to do nothing else but limit up/down. All I see points to the fact that it is able to do it, however it is not limiting the speed correctly

     
    Sophos XG Home Licence.

    Machine: Checkpoint 3100 appliance (Intel Atom C2558 CPU, 6GB Ram, 250GB sata SSD)

  • The screen shot I posted applies to the wan and is not part of a firewall rule.

    ian

    XG115W - v20.0.3 MR-3 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.