QoS issues (again)

Question

.Hello @all! 
 So I have asked in the past a few questions about QoS, but I had a more complicated setup with two WANs and additionally the second was a bonding between an ADSL line and a 4G+ sim card, which was nor really steady regarding the bandwidth 
 Time went by and I finally have a decent FTTH connection (500/50) 
 Now the never-ending question: When I perform a speedtest I get a result of 508 down / 53 up 
 What I want is to limit my whole network to 495 down/ 49 up 
 I went to system services and created a Traffic shaping rule as follows

Then in Firewall rules I created a top firewall rule and set as source zone my LANs/VLANs and Destination zones WAN. 
 In this rule I set Shape Traffic to the traffic shaping rule above 
 I run a command line speedtest from a linux machine and this is what I get 
 Speedtest by Ookla 
 Server: LANCOM LTD - Athens (id: 12031) ISP: FORTHnet SA Idle Latency: 2.97 ms (jitter: 0.34ms, low: 2.83ms, high: 4.02ms) Download: 292.54 Mbps (data used: 251.7 MB) 6.49 ms (jitter: 1.77ms, low: 3.61ms, high: 14.59ms) Upload: 46.91 Mbps (data used: 21.8 MB) 3.09 ms (jitter: 0.31ms, low: 2.55ms, high: 4.53ms) Packet Loss: 0.0% 
 Upload Speed is not exactly what I want but I don't mind. 
 But download speed is a far cry from 495Mbps 
 Funny thing is that if I change the download limit from 62000 to say, 70000, I get the exact speed from speedtest 
 Now I turn off the firewall rule and immediately run another speedtest 
 
 Speedtest by Ookla 
 Server: HYPERHOSTING - Athens (id: 5377) ISP: FORTHnet SA Idle Latency: 2.40 ms (jitter: 0.55ms, low: 1.71ms, high: 3.14ms) Download: 408.47 Mbps (data used: 490.1 MB) 30.79 ms (jitter: 1.59ms, low: 3.77ms, high: 40.38ms) Upload: 51.28 Mbps (data used: 23.9 MB) 44.51 ms (jitter: 8.94ms, low: 11.40ms, high: 301.76ms) Packet Loss: 0.0% 
 My kids are downloading something from PS4 at the moment so not the full 500Mbps speed but still.. 
 
 I have created another traffic shaping rule with the exact same numbers but this time instead of individual I set it to shared. 
 I get the exact same results: Setting download bandwidth to 62000 I get a speed of 300. Changing again to 70000 I get no increase. 
 Disabling the rule gets me back to 400+ 
 Can someone explain what is going on?

rfcat_vk · Accepted Answer

CPU1 runs to 99.7% and appears to carry the load which looks like thE CPU performance is the limiting factor. 
 Ian

LuCar Toni · Answer

It is an old behavior, single connections are getting loaded to a single core. Therefore, most speed tests nowadays offers multi download speedtest per default. 
 If you start another speedtest or another download of a file, it will be loaded to the second CPU etc. 
 Thats the behavior for years (UTM and SFOS).

sanket.shah · Answer

Hello ChriZathens , 
 The above traffic shaping policy (Home_QoS) which you have configured is of type "limit" instead of "guarantee". It means it can go up to configured value but not giving any minimum guarantee. 
 Could it be possible to try following configuration and check it once? 
 Rule type: Guarantee 
 Upload bandwidth: 6000 to 6250 
 Download bandwidth: 59000 to 60000 
 I presume Total available WAN bandwidth setting is still 68500 and Enforce guaranteed bandwidth is disabled.

ChriZathens · Answer

Hello again, guys! 
 I just wanted to give a quick update regarding this topic. 
 I replaced my old appliance (which had an Atom C2558) with a new one with an Intel N100. 
 I am happy to report that the new CPU is very comfortable and QoS works as expected. 
 I would like to thank you again for your help! 
 Have a great day!

rfcat_vk · Answer

The settings I showed are only for overall lists, you then need toast QoS limits for applications to be able to apply them to individual rules. 
 Ian

sanket.shah · Answer

Hello ChriZathens , 
 Could you please try setting up "Total available WAN bandwidth" to 68500 (instead of 62500) and observe?

sanket.shah · Answer

Hello ChriZathens , 
 For step 2, This is possible. Let me explain. 
 Enforce guaranteed bandwidth - enable 
 - Any firewalled traffic passing thru WAN (inbound/outbound), where traffic shaping policy is not applied, would go thru "default policy". In your case, it's wrong configuration because you now have 2 traffic shaping policy which exceeds total ISP bandwidth you have. 
 When you would be doing speed test and you might have other traffic which can compete for guarantee, you might see some drop which would make TCP connection to go in "slow start" mode and would lead to decrease in bandwidth usage. 
 Do you mind setting guaranteed value too low (like 2KBps) and check? 
 Enforce guaranteed bandwidth - disable 
 - Either admin has orchestrated all firewalled traffic to go thru some traffic shaping policies (either firewall/user/web/app) OR providing guarantee is not the primary use case. In such scenarios, default policy would be "disabled". 
 If no other traffic is going thru during speed test at that time, speed test might give you good results but if you have some other traffic bypassing traffic shaping policy, it can affect traffic which is going thru traffic shaping processing. And you might see "decrease in bandwidth usage". 
 
 In general, if you just have simple use case of traffic shaping policy and planning to have 1-2 firewall rules only, you may want to consider "disabling" enforce guaranteed bandwidth. However, if you are planning to have more firewall rules, better to divide bandwidth among all firewall rules and "default policy". It shouldn't exceed "total available WAN bandwidth".

rfcat_vk · Answer

you need to change the limit to less than your link speed otherwise the firewall has nothing to negotiate 
 and increase your guaranteed value. 
 Works fine for me. I have a firewall rule with QOS policy for my VoIP service only. 
 Ian

rfcat_vk · Answer

Make sure they are are not i219 or 225/6 series chips and there bios is NOT UEFI. 
 Ian

QoS issues (again)

Top Replies