Can't reach full 10Gb when crossing VLAN ?

Hi all,

I'm using Sophos XG Home with dual SFP+ ports that can theoretically reach 10Gb. I have 3 machines with these.

If I perform iPerf3 from Machine X to Machine Y, I get the full 10G when they are on the same VLAN.

If they are not, then the speed drops quite a bit (2.5 Gb ish, sometimes 1Gb).

IPS/DOS are turned off, and when I look at the performance graph, it doesn't look like the CPU is maxed out.

Note, Sophos is running on a VM in Proxmox.

Thanks



Added TAGs
[edited by: Erick Jan at 12:19 AM (GMT -8) on 16 Dec 2024]
  • Question 1: Do the firewall interfaces show you 10 Gbit/s? Can you show us a screenshot of your interfaces?
    Question 2: Any kind of bottleneck in your setup? For example: using the same interface for in / out.

  • 1. It doesn't show, actually. The screenshot I have reattached below.

    2. Actually no. The communication goes from one machine (where Sophos is virtualised) to my NAS, both through a 10G switch.

    I have tested the switch throughput by using the same iPerf to yet another machine in the same VLAN and connected through the same switch, and I have no problem reaching the 10G there. The "problem" happens only when crossing VLANs (and going through Sophos).

  • Could you double-check via ethtool?

  • I did that yesterday actually but shows the speed of the interface as “!Unknown”

  • I'd not expect any firewall to be capable of getting interface speed for traffic that passed through the device.

    But what's the "Supported link modes" from the output of ethtool -i PortA

  • Is that the correct command?

    ethtool -i PortB doesn't show "Supported link modes", but ethtool PortB shows "Not reported".

    ethtool PortB:

    ethtool PortB
    Settings for PortB:
            Supported ports: [ ]
            Supported link modes:   Not reported
            Supported pause frame use: No
            Supports auto-negotiation: No
            Supported FEC modes: Not reported
            Advertised link modes:  Not reported
            Advertised pause frame use: No
            Advertised auto-negotiation: No
            Advertised FEC modes: Not reported
            Speed: Unknown!
            Duplex: Unknown! (255)
            Port: Other
            PHYAD: 0
            Transceiver: internal
            Auto-negotiation: off
            Link detected: yes

    ethtool -i PortB:

    driver: virtio_net_nm
    version: 1.0.0
    firmware-version:
    expansion-rom-version:
    bus-info: 0000:00:13.0
    supports-statistics: no
    supports-test: no
    supports-eeprom-access: no
    supports-register-dump: no
    supports-priv-flags: no

  • Mixed results. The speed of the interface is known now but capped at 1G (lower than before).
    Also, 10G doesn't seem to show up in the available link speeds.

    Settings for PortB:
            Supported ports: [ TP ]
            Supported link modes:   10baseT/Half 10baseT/Full
                                    100baseT/Half 100baseT/Full
                                    1000baseT/Full
            Supported pause frame use: No
            Supports auto-negotiation: Yes
            Supported FEC modes: Not reported
            Advertised link modes:  10baseT/Half 10baseT/Full
                                    100baseT/Half 100baseT/Full
                                    1000baseT/Full
            Advertised pause frame use: No
            Advertised auto-negotiation: Yes
            Advertised FEC modes: Not reported
            Speed: 1000Mb/s
            Duplex: Full
            Port: Twisted Pair
            PHYAD: 0
            Transceiver: internal
            Auto-negotiation: on
            MDI-X: off (auto)
            Supports Wake-on: umbg
            Wake-on: d
            Current message level: 0x00000007 (7)
                                   drv probe link
            Link detected: yes
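The two ethtool outputs above are easy to misread by eye (the link-mode list wraps over several lines). As an added example, not code from the thread or from Sophos, here is a small parser for the `ethtool <iface>` settings format that extracts the negotiated speed and the highest supported link mode, so you can tell at a glance whether the guest NIC even claims the line rate you expect; the sample inputs are constructed from the outputs quoted in the thread.

```python
import re

# Constructed samples, trimmed from the two ethtool outputs quoted in the thread.
VIRTIO_UNKNOWN = """Settings for PortB:
        Supported link modes:   Not reported
        Speed: Unknown!
        Duplex: Unknown! (255)
        Link detected: yes
"""
VIRTIO_1G = """Settings for PortB:
        Supported link modes:   10baseT/Half 10baseT/Full
                                100baseT/Half 100baseT/Full
                                1000baseT/Full
        Speed: 1000Mb/s
        Current message level: 0x00000007 (7)
                               drv probe link
        Link detected: yes
"""
# A field line starts with a letter and has a "Key:" prefix; wrapped list
# entries ("1000baseT/Full", "drv probe link") do not, so they are continuations.
FIELD = re.compile(r"^([A-Za-z][A-Za-z /-]*?):\s*(.*)$")

def parse_ethtool_settings(text):
    """Turn `ethtool <iface>` output into {field: value}; continuation lines
    are appended to the value of the previous field."""
    fields, last = {}, None
    for raw in text.splitlines()[1:]:  # skip the "Settings for X:" header
        line = raw.strip()
        m = FIELD.match(line)
        if m:
            last = m.group(1)
            fields[last] = m.group(2).strip()
        elif line and last is not None:
            fields[last] = fields[last] + " " + line
    return fields

def max_supported_mbps(fields):
    """Highest rate listed in 'Supported link modes', or None if none is reported."""
    speeds = [int(m.group(1)) for m in
              re.finditer(r"(\d+)base", fields.get("Supported link modes", ""))]
    return max(speeds) if speeds else None

def negotiated_mbps(fields):
    """Current 'Speed: NMb/s', or None when ethtool prints 'Unknown!'."""
    m = re.match(r"(\d+)Mb/s", fields.get("Speed", ""))
    return int(m.group(1)) if m else None

def assess(text, expected_mbps=10000):
    """Compare what the guest NIC claims with the line rate you expect."""
    f = parse_ethtool_settings(text)
    top, now = max_supported_mbps(f), negotiated_mbps(f)
    return {"negotiated_mbps": now, "max_supported_mbps": top,
            "advertises_expected": top is not None and top >= expected_mbps,
            "link_up": f.get("Link detected") == "yes"}
```

For the second output in the thread this reports a negotiated 1000 Mb/s with a maximum supported mode of 1000 Mb/s, i.e. the virtio interface never advertises 10G to the guest, which is worth knowing before blaming the VLAN path.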