Firewall dropping packets for standard applications

Hi Community,

I am seeking your advice... I recently upgraded my hardware from an XG105 to and XG115 to address performance issues we were experiencing with MSFT Teams, WebEx, Nintendo Switch, etc.

Given both my wife and I are WFH now due to Covid, our issues have become more apparent.

I am not a network or security engineer, but know enough to navigate my way around the FW. 

If I set up a persistent ping to and external address, say Google's DNS, and run a Team calls concurrently, I will notice the video and audio performance degrades and I see packet loss on the ping.  I also filter the logs by my laptop IP, where I am running Teams from, and can see denied traffic.  When I look at the addresses via a domain lookup (Centralops), most of the addresses are AWS, MSFT (direct) & Azure (Hosting), etc.

I have added exceptions into my rules but this doesnt seem to make a difference.

The last thing I want to do is create a whole bunch of bypass rules and compromise the effectiveness of the FW - whats the point of having it.

So, what is the best way to get support on this?  I need some help in diagnosing the root cause (poor configuration, missing rules or policies, etc).

  • Hi,

    with just two of you,  bridge is hard to configure with all your extra equipment in my opinion. But having said that I don’t think Telstra hfc gateways allow bridge mode.

    also depends on what you are trying to achieve.

    ian

     
    V18.0.x - e3-1225v5 6gb ram on 4 port MB with 2 x APX120 - 20w. 
    If a post solves your question use the 'This helped me' link.
  • Hello Msaggers,

    Thank you for the follow-up.

    If possible please post your Firewall rules configuration and the exceptions you created.

    As per the bridge, I would recommend you to break it if possible, and/or remove the 2 ports that are not being used.

    Regards,


     
    Emmanuel (EmmoSophos)
    Community Support Engineer | Sophos Technical Support
    Sophos Support VideosProduct Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • is there a way to dump the config via CLI or will screen shots do?

  • Hi msaggers,

    screenshots are fine and best.

    Ian

     
    V18.0.x - e3-1225v5 6gb ram on 4 port MB with 2 x APX120 - 20w. 
    If a post solves your question use the 'This helped me' link.
  • we also have two internet leeches (teenagers) Ian.

    The reason for using this firewall is:

    a) external protection at the firewall rather than Mac / PC

    b) We dont run internal AV

    c) I wanted to use the APs to extend the wifi coverage

     

    So our needs are pretty simple

    1) strong wifi coverage

    2) protection from young people' stupidity of what they are downloading and browsing (Gateway AV, Web Filtering, IPS)

    3) priority of traffic for WFH (Teams, WebEx, Zoom)

    4) solid streaming services (Netflix, TelstraTV, AppleTV, etc)

     

    I am sure these problems are configuration related.  I have rebuilt the previous XG105 and this XG115 to try and simplify the config, but each time I try to troubleshoot complains of video drops or high ping rates for gaming, I find post on additional configurations (exceptions, FW rules, etc) which doesnt fully address the performance issues.

  • Hi Matt,

    thank you for those screenshots.

    Things you might like to sconsider

    1/. 2.4ghz throughput is max 150mb/s

    2/. your link is 50/20mb/s

    3/. using different SSIDs for 2.4 and 5gz bands.

    4/. removing some of the functions in the LAN and WIFI settings.

    5/. firewall rule processing is from top down.

    Below are my IP settings.

    Do you have a server at home?

    If not you do not need DMZ, the rule which can be deleted. You also seem have a lot of disabled rules which you should consider deleting. Do you plan on remote connections into your network or firewall, if not remove the ssh vpn from the WAN interface.

    How are you APs connected?

    Ian

     
    V18.0.x - e3-1225v5 6gb ram on 4 port MB with 2 x APX120 - 20w. 
    If a post solves your question use the 'This helped me' link.
  • cheers Ian.

     

    1/. 2.4ghz throughput is max 150mb/s: [so have put my main SSID to 5GHz feq]

    2/. your link is 50/20mb/s [which should be plenty for what we need - shouldnt have packet loss during a single Teams call]

    3/. using different SSIDs for 2.4 and 5gz bands. [done, have separated the frequency into two SSIDs and turned Guest off]

    4/. removing some of the functions in the LAN and WIFI settings. [done, see images]

    5/. firewall rule processing is from top down.

    6/. Remove disabled FW rules [removed]

    7/. Server and DMZ [removed]

    8/. How are APs connected [via a switch into the Bridge on Port 1 - I can deleted port 3 from the bridge but not port 4]

     

    One Observation: I have my key devices configured for Static IP, but I see regular releases for these addressed via DHCP.  I am wondering if these renews are creating connectivity issues.

     

    Q. do you have 'enable spoof protection' enabled, as I dont see any trusted Mac addr in the image.  I got a warning when I clicked Enable and IP Spoofing for LAN and WiFi.

    "Please use this feature with caution!
    You may lock out from network access to this device if incorrect MAC addresses are added to the "Trusted MAC" list."

     

  • this is my work laptop (10.0.0.12), and the destination address appears to be a standard MSFT network likely to be Office 365 (e.g. Teams and Outlook).

    is this normal?

  • Hi Matt,

    if using static addresses on devices they need to be outside of the DHCP range of the XG.

    While you have a lot of IP address exceptions in your web exception list, I suspect the the Teams application uses URLs to connect, so you would need to review the logviewer -> report for those URLs. Also check the FQDN group listing that already exist in the XG for what is included.

    The log you have posted shows that there is no matching firewall rule for IP addresses.

    Ian

    I see you have some form of IPv6 enabled. Also please post your NAT rules.

    If you do not have IPv6 configured on the XG that will new casu9ing some of your failed connection attempts. You will need to disable IPv6 on your laptop while working at home.

     
    V18.0.x - e3-1225v5 6gb ram on 4 port MB with 2 x APX120 - 20w. 
    If a post solves your question use the 'This helped me' link.