
Bandwidth/throughput problem

I'm running UTM v9 Home License, firmware version 9.703-3 on a Dell Optiplex 745, Core2Duo processor with 4GB RAM and a 120GB SSD. I use 3 Intel Gigabit NICs (a single PCI and a dual-port in the PCI Express slot) configured as WAN, DMZ (for wireless access point) and LAN. I've just upgraded my cable internet connection to 600mb down/20mb up, and I have tested >500mb down/20+ up with a direct ethernet connection from my laptop to the modem; however, when I connect the UTM into the mix I cannot get over 100mbps down (20 up is fine).  I see the same results whether I'm testing through LAN connected to an unmanaged gigabit ethernet switch, or through DMZ, where the WAP is directly connected to the DMZ port.  This is true even if I turn off Web Filtering and Advanced Protection, and turn on a firewall rule "Any-Any-Any > Allow." CPU utilization never breaks 25%, RAM is at about 60%, and I can find nothing wrong in my live logs.

Any suggestion where I need to look to open up the throttle on this?

Thanks, Dan



  • Hey Dan,

    What speeds do you get with Snort off and on?  You can copy and paste the following block as root at the command line:

    cd /home
    # --no-check-certificate disables TLS certificate verification for this download
    wget https://raw.githubusercontent.com/sivel/speedtest-cli/master/speedtest.py --no-check-certificate
    cc set ips status 0        # turn IPS (Snort) off via the UTM confd client
    sleep 15s
    python speedtest.py        # throughput with IPS off
    cc set ips status 1        # turn IPS back on
    sleep 30s
    python speedtest.py        # throughput with IPS on

    Snort is single-threaded, so that's the reason that multiple tests should be run simultaneously to see what total throughput can be with it enabled.  If you're using speedtest.net, you also have some slowdown caused by the web proxy.

    Your primary problem is your CPU. 100Mbps is about what I would expect for one test at a time with the 1GHz clock speed of your Dell.  You would be better off with 3+GHz, so you might want to check out the last few pages of the *Unofficial* Hardware Compatibility List (HCL) here.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hey Bob,

    I've done the same sort of test through the GUI ... turning off Web Filtering (which is what runs Snort) and IPS, and then opening an anything-goes rule in the firewall.  In fact, without Filtering off and "anything goes" on, I can't get speedtest.net to run at all.  But I can say conclusively that throughput doesn't change with IPS on or off.

    I did do it with your script as well ... sort of ... my machine said "command not found" when I ran the "cc" line, so I just manually turned IPS on and off in the GUI and ran the command-line speed test.  On repeated tests, I'm seeing from 199-249 mbps with the Python script.  Oddly, though, it won't work when I have Web Filtering turned off ... it sits at "Selecting best server based on ping..." for the better part of 60 seconds, then when it finally does a test it goes all the way to Cork and gets 0 download/upload.  This can't be a firewall problem b/c I can ping from the CLI no problem.

    As a consequence I can't really trace out whether the problem is my NIC (which I suppose is possible) or something else.  Any idea why it's failing with Web Protection off?  My first guess would have been a DNS failure, except that I can ping manually by domain name which means DNS must work ...

    In any case, the download is less than half what I can measure with Speedtest on a direct-connected laptop, but more than twice what I get from units connected to the LAN or WAN.

    TBH if the CPU were the problem, I'd expect to see usage get higher than the 25% max I see in the history.  With a dual-core CPU, that implies to me that it's not even maxing a single core.  Is that rationale incorrect, do you think?

    BTW, the ethernet NICs are Intel 82546EB chipset, Gigabit copper, in case you're wondering.
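Dan's question above, whether a 25% average in the CPU history rules out a saturated core, and Bob's earlier point that Snort is single-threaded, are easiest to settle with a per-core measurement rather than the aggregate graph. The following Python script is an added example, not code from either poster or from Sophos: it diffs two /proc/stat snapshots and reports busy time per core. The two snapshots embedded in it are constructed, not captured from Dan's box; they model a dual-core machine where cpu0 is pinned at 100% while the aggregate "cpu" line reads about 50%, which is what a single-threaded process pegging one core looks like, and a history graph that averages over minutes reports less still. Run on the UTM itself (it needs only the python interpreter Bob's speedtest command already uses, and is written to work under Python 2 and 3) it also takes a live 5-second sample from the host's /proc/stat.

```python
"""Per-core CPU utilization from two /proc/stat snapshots.

Added diagnostic example (hypothetical; not from the thread or from Sophos).
On a dual-core box a single-threaded process such as Snort can pin one core
while the aggregate "cpu" line in /proc/stat reports only about 50%; a
history graph that averages over minutes reports less still.  Diffing two
snapshots and reporting each core separately makes the saturated core visible.
Written to run under both Python 2 and Python 3.
"""
from __future__ import print_function
import os
import time

# Constructed /proc/stat excerpts (not real captures), ~10 s apart at 100 Hz:
# cpu0 spends all 1000 jiffies in user+system, cpu1 is almost entirely idle.
# Field order: user nice system idle iowait irq softirq steal guest guest_nice
SAMPLE_T0 = """cpu  12000 0 3000 85000 100 0 50 0 0 0
cpu0 8000 0 2000 40000 50 0 30 0 0 0
cpu1 4000 0 1000 45000 50 0 20 0 0 0
intr 123456 0 0
ctxt 7890
"""
SAMPLE_T1 = """cpu  12800 0 3210 85990 100 0 50 0 0 0
cpu0 8800 0 2200 40000 50 0 30 0 0 0
cpu1 4000 0 1010 45990 50 0 20 0 0 0
intr 123999 0 0
ctxt 8890
"""


def parse_stat(text):
    """Return {label: (idle_jiffies, total_jiffies)} for 'cpu' and each 'cpuN' line."""
    cores = {}
    for line in text.splitlines():
        if not line.startswith("cpu"):
            continue
        fields = line.split()
        label = fields[0]
        # guest and guest_nice are already included in user and nice,
        # so only the first eight counters are summed for the total.
        values = [int(v) for v in fields[1:9]]
        idle = values[3] + (values[4] if len(values) > 4 else 0)  # idle + iowait
        cores[label] = (idle, sum(values))
    return cores


def busy_percent(before, after):
    """Busy percentage per label between two parsed snapshots."""
    result = {}
    for label, (idle1, total1) in after.items():
        idle0, total0 = before.get(label, (0, 0))
        d_total = total1 - total0
        d_idle = idle1 - idle0
        if d_total <= 0:
            result[label] = 0.0
        else:
            result[label] = 100.0 * (d_total - d_idle) / d_total
    return result


def saturated_cores(util, threshold=90.0):
    """Labels of individual cores (not the aggregate line) at or above threshold."""
    return sorted(c for c, pct in util.items() if c != "cpu" and pct >= threshold)


def sample_live(interval=5.0):
    """Read /proc/stat twice, `interval` seconds apart, and return busy_percent()."""
    with open("/proc/stat") as fh:
        before = parse_stat(fh.read())
    time.sleep(interval)
    with open("/proc/stat") as fh:
        after = parse_stat(fh.read())
    return busy_percent(before, after)


def report(util):
    """Print one line per label and flag cores the aggregate number hides."""
    for label in sorted(util):
        print("%-5s %6.1f%% busy" % (label, util[label]))
    hot = saturated_cores(util)
    if hot:
        print("saturated core(s): %s (aggregate hides this)" % ", ".join(hot))


if __name__ == "__main__":
    print("constructed sample:")
    report(busy_percent(parse_stat(SAMPLE_T0), parse_stat(SAMPLE_T1)))
    if os.path.exists("/proc/stat"):
        print("live 5 s sample from this host:")
        report(sample_live())
```

Take the live sample while a download test is actually running; a sample taken between tests shows only idle cores, which is the same averaging problem the history graph has.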

  • Yeah, Dan, to use cc, you have to be logged in as root.

    It's strange that you can't get things to work without enabling Web Protection, as it works here with the Proxy disabled.  If this isn't a firewall rule issue (check your log), you might have a DNS configuration issue and want to check out DNS best practice.

    Yes, I still think that 1GHz processor is the culprit.  I bet your laptop has a much faster processor.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA