Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

QoS issues (again)

.Hello @all!

So I have asked in the past a few questions about QoS, but I had a more complicated setup with two WANs and additionally the second was a bonding between an ADSL line and a 4G+ sim card, which was nor really steady regarding the bandwidth

Time went by and I finally have a decent FTTH connection (500/50)

Now the never-ending question: When I perform a speedtest I get a result of 508 down / 53 up

What I want is to limit my whole network to 495 down/ 49 up

I went to system services and created a Traffic shaping rule as follows

Then in Firewall rules I created a top firewall rule and set as source zone my LANs/VLANs and Destination zones WAN.

In this rule I set Shape Traffic to the traffic shaping rule above

I run a command line speedtest from a linux machine and this is what I get


Speedtest by Ookla

Server: LANCOM LTD - Athens (id: 12031)
ISP: FORTHnet SA
Idle Latency: 2.97 ms (jitter: 0.34ms, low: 2.83ms, high: 4.02ms)
Download: 292.54 Mbps (data used: 251.7 MB)
6.49 ms (jitter: 1.77ms, low: 3.61ms, high: 14.59ms)
Upload: 46.91 Mbps (data used: 21.8 MB)
3.09 ms (jitter: 0.31ms, low: 2.55ms, high: 4.53ms)
Packet Loss: 0.0%

Upload Speed is not exactly what I want but I don't mind.

But download speed is a far cry from 495Mbps

Funny thing is that if I change the download limit from 62000 to say, 70000, I get the exact speed from speedtest

Now I turn off the firewall rule and immediately run another speedtest

Speedtest by Ookla

Server: HYPERHOSTING - Athens (id: 5377)
ISP: FORTHnet SA
Idle Latency: 2.40 ms (jitter: 0.55ms, low: 1.71ms, high: 3.14ms)
Download: 408.47 Mbps (data used: 490.1 MB)
30.79 ms (jitter: 1.59ms, low: 3.77ms, high: 40.38ms)
Upload: 51.28 Mbps (data used: 23.9 MB)
44.51 ms (jitter: 8.94ms, low: 11.40ms, high: 301.76ms)
Packet Loss: 0.0%

My kids are downloading something from PS4 at the moment so not the full 500Mbps speed but still..

I have created another traffic shaping rule with the exact same numbers but this time instead of individual I set it to shared.

I get the exact same results: Setting download bandwidth to 62000 I get a speed of 300. Changing again to 70000 I get no increase.

Disabling the rule gets me back to 400+

Can someone explain what is going on?



Edited TAGs
[edited by: Erick Jan at 8:09 AM (GMT -7) on 20 Sep 2024]
Parents
  • Hello,

    What are the results when you perform the test without any users on the network and please share result? Also have you tried directly testing without the FW? PC->directly connected to router->Speedtest? could you share result if you're getting exactly 500 or at least near 500MB DL speed w/o the FW?

    Also could you share your current SFOS version? Thank you

    Regards,

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support
    Sophos Support Videos Product Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

  • I have replied to you, but my post was flagged as spam, possibly due to the fact that I pasted speedtest links to share the results (was running the windows app this time).

    Anyway, since I don't know when/if my reply will be unflagged, I am replying again..

    So at the moment there is not much bandwidth consumed at the house

    Run a speedtest (from a linux machine now) without the firewall rule enabled:

    Download: 422.91 Mbps (data used: 407.7 MB)
    32.73 ms (jitter: 4.52ms, low: 3.74ms, high: 253.45ms)
    Upload: 52.96 Mbps (data used: 25.2 MB)
    44.28 ms (jitter: 9.33ms, low: 19.42ms, high: 292.46ms)
    Packet Loss: 0.0%

    I enable the firewall rule again:

    Download: 313.15 Mbps (data used: 238.5 MB)
    5.93 ms (jitter: 1.43ms, low: 2.98ms, high: 12.61ms)
    Upload: 47.09 Mbps (data used: 22.4 MB)
    2.84 ms (jitter: 0.41ms, low: 2.27ms, high: 12.94ms)
    Packet Loss: 0.0%

    I disabled the rule again and at the next speedtest I got 430/45

    I enabled it then once more and got 310/47

    The ISP's router is set to bridge mode, which effectively turns it to an ONT

    I have seen many times the speed reaching at 500, but even if I didn't, the QoS rule (which has the correct numbers for KBps) should not limit me to 300, it should at least give me the full available speed since it is capped at a higher speed that the actual one. It should not contantly cap me at 300

    I am running the latest sfos version SFVH (SFOS 20.0.2 MR-2-Build378)

     
    Sophos XG Home Licence.

    Machine: Checkpoint 3100 appliance (Intel Atom C2558 CPU, 6GB Ram, 250GB sata SSD)

  • Hi ,

    for future reference please post screen shots.

    I am running a 250/100 internet connection, to get it to perform, I used the following settings. My peak is slightly less than maximum to allow for the VoIP service requirements.

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Thanks a lot for the example Ian!

    I actually want to also limit the upload speed, so this setting alone would not do what I want, but nevertheless I tried your way.

    I disabled the firewall rule and only set the below (based on your numbers, so setting my numbers double than yours)

     

    Result:

    Download: 254.42 Mbps (data used: 264.8 MB)
    8.40 ms (jitter: 6.47ms, low: 2.36ms, high: 286.60ms)
    Upload: 52.95 Mbps (data used: 24.5 MB)
    43.45 ms (jitter: 1.38ms, low: 14.06ms, high: 49.38ms)
    Packet Loss: 0.0%

    I immediately change the settings to Disable "Enforce guaranteed bandwidth" 

    Result:

    Download: 424.80 Mbps (data used: 414.4 MB)
    29.13 ms (jitter: 1.66ms, low: 5.16ms, high: 39.75ms)
    Upload: 52.93 Mbps (data used: 25.2 MB)
    42.67 ms (jitter: 1.65ms, low: 16.11ms, high: 49.23ms)
    Packet Loss: 0.0%

    It makes no sense... 

     
    Sophos XG Home Licence.

    Machine: Checkpoint 3100 appliance (Intel Atom C2558 CPU, 6GB Ram, 250GB sata SSD)

  • The settings I showed are only for overall lists, you then need toast QoS limits for applications to be able to apply them to individual rules.

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • OK, but this does not explain the aforementioned behavior..  

    Additionally, I only want one simple thing..

    I want the total bandwidth down/up to be restricted to a specific speed.

    I don't want to apply rules to applications and/or users and/or machines

    Nothing complicated. Just this simple thing.

    In fact I have already - as mentioned - created a traffic shaping rule and applied it to a top rule for the whole network

    It limits the speed to 300 although it should not, based on the numbers I set

    I even applied the traffic shaping policy to a rule that has one test machine in it.

    It does the same thing. Instead of limiting to 495 (I have set it to 62000 KBps), it limits to 300.

    So the problem is not that traffic shaping does not work.

    The problem is that its settings for the speed are not reflected by the outcome

     
    Sophos XG Home Licence.

    Machine: Checkpoint 3100 appliance (Intel Atom C2558 CPU, 6GB Ram, 250GB sata SSD)

Reply
  • OK, but this does not explain the aforementioned behavior..  

    Additionally, I only want one simple thing..

    I want the total bandwidth down/up to be restricted to a specific speed.

    I don't want to apply rules to applications and/or users and/or machines

    Nothing complicated. Just this simple thing.

    In fact I have already - as mentioned - created a traffic shaping rule and applied it to a top rule for the whole network

    It limits the speed to 300 although it should not, based on the numbers I set

    I even applied the traffic shaping policy to a rule that has one test machine in it.

    It does the same thing. Instead of limiting to 495 (I have set it to 62000 KBps), it limits to 300.

    So the problem is not that traffic shaping does not work.

    The problem is that its settings for the speed are not reflected by the outcome

     
    Sophos XG Home Licence.

    Machine: Checkpoint 3100 appliance (Intel Atom C2558 CPU, 6GB Ram, 250GB sata SSD)

Children
  • Hi,

    what chips are the nics running?

    to limit the upload speed on an asymmetrical connection you will need to use application policies. 
    ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • All are intel chips

    Regarding the asymmetrical connection: 

    1. Then why do I have the option to enter different limits for down and up? If this is the case, then having two different settings makes no sense

    In any case, I do not care that much for the upload and I could live with the ability to only limit the download. But the problem is that I am setting 62000 KBps to the download speed and instead of capping at 400+, it caps at 300 (continuously reproduceable).

    Regarding application policies I am sorry but I don't quite follow. A setting to limit total/up down is something simple that I've seen a lot people using (even with some crap ISP routers). Can't I do this thing with XG?

    As mentioned I only need a top rule to do nothing else but limit up/down. All I see points to the fact that it is able to do it, however it is not limiting the speed correctly

     
    Sophos XG Home Licence.

    Machine: Checkpoint 3100 appliance (Intel Atom C2558 CPU, 6GB Ram, 250GB sata SSD)

  • The screen shot I posted applies to the wan and is not part of a firewall rule.

    ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Hello  ,

    Could you please try setting up "Total available WAN bandwidth" to 68500 (instead of 62500) and observe?

    Regards,

    Sanket Shah

    Director, Software Development, Sophos Firewall

  • Sorry if I am not making myself comprehensive enough... Disappointed

    I understand that it is for the WAN and it can have impact only on the download speed.

    I tried the setting you posted on the screenshot (using my limits, so around 60000+). The result is that it caps the download at 300 instead of 400+.

    Disabling this setting immediatelly I get 400+

    The different thing I then tried is (by having the setting from your screenshot disabled) to  created traffic shaping policies.

    I created one, selected to limit the speed (screenshot is at my first post) and it stills caps me at 250-300

     
    Sophos XG Home Licence.

    Machine: Checkpoint 3100 appliance (Intel Atom C2558 CPU, 6GB Ram, 250GB sata SSD)

  • Hello Sanket!

    So step 1. I have set the "Enforce guaranteed bandwidth" to disabled and I run a speedtest

    Results:

    Download: 420.99 Mbps (data used: 380.8 MB)
    30.39 ms (jitter: 1.38ms, low: 4.28ms, high: 40.13ms)
    Upload: 52.91 Mbps (data used: 25.8 MB)
    44.26 ms (jitter: 1.82ms, low: 10.21ms, high: 48.07ms)
    Packet Loss: 0.0%

    Step2: I set the total available bandwidth to 68500 and set the "Enforce guaranteed bandwidth" to enabled and the rest as follows:

    Results:

    Download: 262.78 Mbps (data used: 241.0 MB)
    6.95 ms (jitter: 1.65ms, low: 3.07ms, high: 13.44ms)
    Upload: 52.92 Mbps (data used: 24.6 MB)
    47.51 ms (jitter: 19.21ms, low: 22.11ms, high: 340.94ms)
    Packet Loss: 0.0%

    I set "Enforce guaranteed bandwidth" to disabled it again. Results:

    Download: 444.77 Mbps (data used: 423.3 MB)
    19.19 ms (jitter: 5.32ms, low: 4.60ms, high: 259.21ms)
    Upload: 52.96 Mbps (data used: 23.8 MB)
    44.07 ms (jitter: 9.06ms, low: 7.36ms, high: 316.16ms)
    Packet Loss: 0.0%

     
    Sophos XG Home Licence.

    Machine: Checkpoint 3100 appliance (Intel Atom C2558 CPU, 6GB Ram, 250GB sata SSD)

  • Hello  ,

    For step 2, This is possible. Let me explain.

    Enforce guaranteed bandwidth - enable

    - Any firewalled traffic passing thru WAN (inbound/outbound), where traffic shaping policy is not applied, would go thru "default policy". In your case, it's wrong configuration because you now have 2 traffic shaping policy which exceeds total ISP bandwidth you have.

    When you would be doing speed test and you might have other traffic which can compete for guarantee, you might see some drop which would make TCP connection to go in "slow start" mode and would lead to decrease in bandwidth usage.

    Do you mind setting guaranteed value too low (like 2KBps) and check?

    Enforce guaranteed bandwidth - disable

    - Either admin has orchestrated all firewalled traffic to go thru some traffic shaping policies (either firewall/user/web/app) OR providing guarantee is not the primary use case. In such scenarios, default policy would be "disabled". 

    If no other traffic is going thru during speed test at that time, speed test might give you good results but if you have some other traffic bypassing traffic shaping policy, it can affect traffic which is going thru traffic shaping processing. And you might see "decrease in bandwidth usage".

    In general, if you just have simple use case of traffic shaping policy and planning to have 1-2 firewall rules only, you may want to consider "disabling" enforce guaranteed bandwidth. However, if you are planning to have more firewall rules, better to divide bandwidth among all firewall rules and "default policy". It shouldn't exceed "total available WAN bandwidth".

    Regards,

    Sanket Shah

    Director, Software Development, Sophos Firewall

  • Hello again!

    With Enforce guaranteed bandwidth - enable I tried setting the guaranted value to a low value, as you said. I set it to 20  and the results are:

    Download: 231.99 Mbps (data used: 273.8 MB)
    6.96 ms (jitter: 1.65ms, low: 2.01ms, high: 14.47ms)
    Upload: 52.71 Mbps (data used: 23.8 MB)
    40.62 ms (jitter: 1.22ms, low: 28.77ms, high: 48.41ms)
    Packet Loss: 0.0%

    Setting Enforce guaranteed bandwidth - disable

    Download: 412.24 Mbps (data used: 364.3 MB)
    23.45 ms (jitter: 1.59ms, low: 3.07ms, high: 39.31ms)
    Upload: 52.76 Mbps (data used: 23.8 MB)
    43.55 ms (jitter: 2.12ms, low: 5.30ms, high: 52.29ms)
    Packet Loss: 0.0%

    Additionally you say that 

    " In your case, it's wrong configuration because you now have 2 traffic shaping policy which exceeds total ISP bandwidth you have."

    But the thing is exactly that: I don't have 2 traffic shaping policies. The traffic shaping policy I have created is attached to a top level firewall rule, which only applies traffic shaping, nothing else, and for the purposes of these tests, this specific firewall rule is disabled. I am only messing with the "Traffic Shaping Settings"

    So let me ask it more simply:

    Let's pretend that I don't have set anything regarding traffic shaping. (please pretend that I have installed XG right now and it is out of the box.)

    I have a 500/50 internet connection.

    I want to limit ALL machines via a single rule to not consume more than 450/50. 

    Can you please tell me what I need to do?

     
    Sophos XG Home Licence.

    Machine: Checkpoint 3100 appliance (Intel Atom C2558 CPU, 6GB Ram, 250GB sata SSD)

  • Hi,

    1/. you don't need a firewall rule

    2/. using the screenshot I posted but modifying the values as recommended by Sanket Shah.

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Hello Ian!

    But this is what I am saying form the start.. The values don't work.

    1. There was only one firewall rule with QoS. This rule is disabled

     So there is absolutely nothing in settings limiting the bandwidth.

    2. I run a speedtest. Results:

    Download: 415.84 Mbps (data used: 466.4 MB)
    27.21 ms (jitter: 1.99ms, low: 3.27ms, high: 40.02ms)
    Upload: 52.87 Mbps (data used: 23.8 MB)
    44.41 ms (jitter: 1.98ms, low: 13.42ms, high: 54.25ms)
    Packet Loss: 0.0%

    I then go to traffic shaping settings and set "Enforce guaranteed bandwidth" to Enabled with the below values:

    Even if in the first speedtest I don't get the full speed, since QoS is set to 68500 (about 550Mbit), it should give me the full available speed, correct?

    So with the above settings I run a speedtest. Results:


    Download: 227.66 Mbps (data used: 215.1 MB)
    9.57 ms (jitter: 12.67ms, low: 2.14ms, high: 232.48ms)
    Upload: 52.79 Mbps (data used: 26.5 MB)
    43.15 ms (jitter: 1.47ms, low: 4.20ms, high: 48.14ms)
    Packet Loss: 0.0%

    I immediately go to traffic shaping settings and set "Enforce guaranteed bandwidth" to Disabled again and run another speedtest:


    Download: 411.33 Mbps (data used: 465.5 MB)
    19.72 ms (jitter: 1.77ms, low: 3.39ms, high: 41.71ms)
    Upload: 53.02 Mbps (data used: 25.1 MB)
    43.50 ms (jitter: 1.43ms, low: 16.28ms, high: 48.40ms)
    Packet Loss: 0.0%

     

    As you can (both) see, traffic shaping settings does not limit according to the numbers I set. This has been my problem from the beginning of this discussion.

     
    Sophos XG Home Licence.

    Machine: Checkpoint 3100 appliance (Intel Atom C2558 CPU, 6GB Ram, 250GB sata SSD)