QoS issues (again)

Hello,

What are the results when you perform the test without any users on the network and please share result? Also have you tried directly testing without the FW? PC->directly connected to router->Speedtest? could you share result if you're getting exactly 500 or at least near 500MB DL speed w/o the FW?

Also could you share your current SFOS version? Thank you

Regards,

I have replied to you, but my post was flagged as spam, possibly due to the fact that I pasted speedtest links to share the results (was running the windows app this time).

Anyway, since I don't know when/if my reply will be unflagged, I am replying again..

So at the moment there is not much bandwidth consumed at the house

Run a speedtest (from a linux machine now) without the firewall rule enabled:

Download: 422.91 Mbps (data used: 407.7 MB)
32.73 ms (jitter: 4.52ms, low: 3.74ms, high: 253.45ms)
Upload: 52.96 Mbps (data used: 25.2 MB)
44.28 ms (jitter: 9.33ms, low: 19.42ms, high: 292.46ms)
Packet Loss: 0.0%

I enable the firewall rule again:

Download: 313.15 Mbps (data used: 238.5 MB)
5.93 ms (jitter: 1.43ms, low: 2.98ms, high: 12.61ms)
Upload: 47.09 Mbps (data used: 22.4 MB)
2.84 ms (jitter: 0.41ms, low: 2.27ms, high: 12.94ms)
Packet Loss: 0.0%

I disabled the rule again and at the next speedtest I got 430/45

I enabled it then once more and got 310/47

The ISP's router is set to bridge mode, which effectively turns it to an ONT

I have seen many times the speed reaching at 500, but even if I didn't, the QoS rule (which has the correct numbers for KBps) should not limit me to 300, it should at least give me the full available speed since it is capped at a higher speed that the actual one. It should not contantly cap me at 300

I am running the latest sfos version SFVH (SFOS 20.0.2 MR-2-Build378)

Hi ,

for future reference please post screen shots.

I am running a 250/100 internet connection, to get it to perform, I used the following settings. My peak is slightly less than maximum to allow for the VoIP service requirements.

Ian

Thanks a lot for the example Ian!

I actually want to also limit the upload speed, so this setting alone would not do what I want, but nevertheless I tried your way.

I disabled the firewall rule and only set the below (based on your numbers, so setting my numbers double than yours)

Result:

Download: 254.42 Mbps (data used: 264.8 MB)
8.40 ms (jitter: 6.47ms, low: 2.36ms, high: 286.60ms)
Upload: 52.95 Mbps (data used: 24.5 MB)
43.45 ms (jitter: 1.38ms, low: 14.06ms, high: 49.38ms)
Packet Loss: 0.0%

I immediately change the settings to Disable "Enforce guaranteed bandwidth" 

Result:

Download: 424.80 Mbps (data used: 414.4 MB)
29.13 ms (jitter: 1.66ms, low: 5.16ms, high: 39.75ms)
Upload: 52.93 Mbps (data used: 25.2 MB)
42.67 ms (jitter: 1.65ms, low: 16.11ms, high: 49.23ms)
Packet Loss: 0.0%

It makes no sense... 

The settings I showed are only for overall lists, you then need toast QoS limits for applications to be able to apply them to individual rules.

Ian

OK, but this does not explain the aforementioned behavior..  

Additionally, I only want one simple thing..

I want the total bandwidth down/up to be restricted to a specific speed.

I don't want to apply rules to applications and/or users and/or machines

Nothing complicated. Just this simple thing.

In fact I have already - as mentioned - created a traffic shaping rule and applied it to a top rule for the whole network

It limits the speed to 300 although it should not, based on the numbers I set

I even applied the traffic shaping policy to a rule that has one test machine in it.

It does the same thing. Instead of limiting to 495 (I have set it to 62000 KBps), it limits to 300.

So the problem is not that traffic shaping does not work.

The problem is that its settings for the speed are not reflected by the outcome

OK, but this does not explain the aforementioned behavior..  

Additionally, I only want one simple thing..

I want the total bandwidth down/up to be restricted to a specific speed.

I don't want to apply rules to applications and/or users and/or machines

Nothing complicated. Just this simple thing.

In fact I have already - as mentioned - created a traffic shaping rule and applied it to a top rule for the whole network

It limits the speed to 300 although it should not, based on the numbers I set

I even applied the traffic shaping policy to a rule that has one test machine in it.

It does the same thing. Instead of limiting to 495 (I have set it to 62000 KBps), it limits to 300.

So the problem is not that traffic shaping does not work.

The problem is that its settings for the speed are not reflected by the outcome

Hi,

what chips are the nics running?

to limit the upload speed on an asymmetrical connection you will need to use application policies. 
ian

All are intel chips

Regarding the asymmetrical connection: 

1. Then why do I have the option to enter different limits for down and up? If this is the case, then having two different settings makes no sense

In any case, I do not care that much for the upload and I could live with the ability to only limit the download. But the problem is that I am setting 62000 KBps to the download speed and instead of capping at 400+, it caps at 300 (continuously reproduceable).

Regarding application policies I am sorry but I don't quite follow. A setting to limit total/up down is something simple that I've seen a lot people using (even with some crap ISP routers). Can't I do this thing with XG?

As mentioned I only need a top rule to do nothing else but limit up/down. All I see points to the fact that it is able to do it, however it is not limiting the speed correctly

The screen shot I posted applies to the wan and is not part of a firewall rule.

ian

Hello ChriZathens ,

Could you please try setting up "Total available WAN bandwidth" to 68500 (instead of 62500) and observe?

Sorry if I am not making myself comprehensive enough...

I understand that it is for the WAN and it can have impact only on the download speed.

I tried the setting you posted on the screenshot (using my limits, so around 60000+). The result is that it caps the download at 300 instead of 400+.

Disabling this setting immediatelly I get 400+

The different thing I then tried is (by having the setting from your screenshot disabled) to  created traffic shaping policies.

I created one, selected to limit the speed (screenshot is at my first post) and it stills caps me at 250-300

Hello Sanket!

So step 1. I have set the "Enforce guaranteed bandwidth" to disabled and I run a speedtest

Results:

Download: 420.99 Mbps (data used: 380.8 MB)
30.39 ms (jitter: 1.38ms, low: 4.28ms, high: 40.13ms)
Upload: 52.91 Mbps (data used: 25.8 MB)
44.26 ms (jitter: 1.82ms, low: 10.21ms, high: 48.07ms)
Packet Loss: 0.0%

Step2: I set the total available bandwidth to 68500 and set the "Enforce guaranteed bandwidth" to enabled and the rest as follows:

Results:

Download: 262.78 Mbps (data used: 241.0 MB)
6.95 ms (jitter: 1.65ms, low: 3.07ms, high: 13.44ms)
Upload: 52.92 Mbps (data used: 24.6 MB)
47.51 ms (jitter: 19.21ms, low: 22.11ms, high: 340.94ms)
Packet Loss: 0.0%

I set "Enforce guaranteed bandwidth" to disabled it again. Results:

Download: 444.77 Mbps (data used: 423.3 MB)
19.19 ms (jitter: 5.32ms, low: 4.60ms, high: 259.21ms)
Upload: 52.96 Mbps (data used: 23.8 MB)
44.07 ms (jitter: 9.06ms, low: 7.36ms, high: 316.16ms)
Packet Loss: 0.0%

Hello ChriZathens ,

For step 2, This is possible. Let me explain.

Enforce guaranteed bandwidth - enable

- Any firewalled traffic passing thru WAN (inbound/outbound), where traffic shaping policy is not applied, would go thru "default policy". In your case, it's wrong configuration because you now have 2 traffic shaping policy which exceeds total ISP bandwidth you have.

When you would be doing speed test and you might have other traffic which can compete for guarantee, you might see some drop which would make TCP connection to go in "slow start" mode and would lead to decrease in bandwidth usage.

Do you mind setting guaranteed value too low (like 2KBps) and check?

Enforce guaranteed bandwidth - disable

- Either admin has orchestrated all firewalled traffic to go thru some traffic shaping policies (either firewall/user/web/app) OR providing guarantee is not the primary use case. In such scenarios, default policy would be "disabled". 

If no other traffic is going thru during speed test at that time, speed test might give you good results but if you have some other traffic bypassing traffic shaping policy, it can affect traffic which is going thru traffic shaping processing. And you might see "decrease in bandwidth usage".

In general, if you just have simple use case of traffic shaping policy and planning to have 1-2 firewall rules only, you may want to consider "disabling" enforce guaranteed bandwidth. However, if you are planning to have more firewall rules, better to divide bandwidth among all firewall rules and "default policy". It shouldn't exceed "total available WAN bandwidth".

Hello again!

With Enforce guaranteed bandwidth - enable I tried setting the guaranted value to a low value, as you said. I set it to 20  and the results are:

Download: 231.99 Mbps (data used: 273.8 MB)
6.96 ms (jitter: 1.65ms, low: 2.01ms, high: 14.47ms)
Upload: 52.71 Mbps (data used: 23.8 MB)
40.62 ms (jitter: 1.22ms, low: 28.77ms, high: 48.41ms)
Packet Loss: 0.0%

Setting Enforce guaranteed bandwidth - disable

Download: 412.24 Mbps (data used: 364.3 MB)
23.45 ms (jitter: 1.59ms, low: 3.07ms, high: 39.31ms)
Upload: 52.76 Mbps (data used: 23.8 MB)
43.55 ms (jitter: 2.12ms, low: 5.30ms, high: 52.29ms)
Packet Loss: 0.0%

Additionally you say that 

" In your case, it's wrong configuration because you now have 2 traffic shaping policy which exceeds total ISP bandwidth you have."

But the thing is exactly that: I don't have 2 traffic shaping policies. The traffic shaping policy I have created is attached to a top level firewall rule, which only applies traffic shaping, nothing else, and for the purposes of these tests, this specific firewall rule is disabled. I am only messing with the "Traffic Shaping Settings"

So let me ask it more simply:

Let's pretend that I don't have set anything regarding traffic shaping. (please pretend that I have installed XG right now and it is out of the box.)

I have a 500/50 internet connection.

I want to limit ALL machines via a single rule to not consume more than 450/50. 

Can you please tell me what I need to do?

Hi,

1/. you don't need a firewall rule

2/. using the screenshot I posted but modifying the values as recommended by Sanket Shah.

Ian

Hello Ian!

But this is what I am saying form the start.. The values don't work.

1. There was only one firewall rule with QoS. This rule is disabled

 So there is absolutely nothing in settings limiting the bandwidth.

2. I run a speedtest. Results:

Download: 415.84 Mbps (data used: 466.4 MB)
27.21 ms (jitter: 1.99ms, low: 3.27ms, high: 40.02ms)
Upload: 52.87 Mbps (data used: 23.8 MB)
44.41 ms (jitter: 1.98ms, low: 13.42ms, high: 54.25ms)
Packet Loss: 0.0%

I then go to traffic shaping settings and set "Enforce guaranteed bandwidth" to Enabled with the below values:

Even if in the first speedtest I don't get the full speed, since QoS is set to 68500 (about 550Mbit), it should give me the full available speed, correct?

So with the above settings I run a speedtest. Results:

Download: 227.66 Mbps (data used: 215.1 MB)
9.57 ms (jitter: 12.67ms, low: 2.14ms, high: 232.48ms)
Upload: 52.79 Mbps (data used: 26.5 MB)
43.15 ms (jitter: 1.47ms, low: 4.20ms, high: 48.14ms)
Packet Loss: 0.0%

I 

I immediately go to traffic shaping settings and set "Enforce guaranteed bandwidth" to Disabled again and run another speedtest:

Download: 411.33 Mbps (data used: 465.5 MB)
19.72 ms (jitter: 1.77ms, low: 3.39ms, high: 41.71ms)
Upload: 53.02 Mbps (data used: 25.1 MB)
43.50 ms (jitter: 1.43ms, low: 16.28ms, high: 48.40ms)
Packet Loss: 0.0%

As you can (both) see, traffic shaping settings does not limit according to the numbers I set. This has been my problem from the beginning of this discussion.