Performance Issue - Routers


Thread: Performance Issue

  1. Performance Issue

    Folks,

    I ran into a performance issue with a Watchguard firewall which even the
    manufacturer's technical support has no explanation of. Here is the
    scenario:

    Internet -- DSL Modem -- Watchguard Firebox III model 1000 -- LAN1 (very slow ???)
    |
    Netgear/Linksys/DLink Router -- LAN2 (very fast)

    We are connected to the ISP via DSL modem. It is a turbo technology which
    provides 3Mb/sec of download speed. We are using a Watchguard FB3 1000
    router for connecting to the DSL modem. We noticed that the users at LAN1
    which goes through the Watchguard gateway did not get very good throughput.
    At any time, the download speed to any site is just 250Kb/sec at most. We
    have even eliminated other traffic by just allowing one PC to be connected
    to the router.

    Out of curiosity, we ran a test with a SOHO Internet gateway. We have tried
    Netgear RP311, RP314, Dlink and Linksys. They all gave at least 450Kb/sec
    of throughput. At first, we thought that the Watchguard has a problem with
    the external interface. We then connected the DSL modem lan port,
    Watchguard external interface, and Netgear external interface onto a mini
    switch and ran the tests again. Results are consistent.

    Finally, we plugged in an FTP server to the mini-switch where the Watchguard
    ext interface, Netgear ext interface and DSL modem lan port are connected
    to. We configured it with a public IP address. To our surprise, Watchguard
    can provide a very high throughput to the FTP server via the external
    interface, 8500Kb/sec. Netgear and Dlink are stable at about 450Kb/sec, but
    they are not as fast.

    That means the external interface of Watchguard is communicating effectively
    on the mini switch. That eliminates the hand-shaking and duplex issue. What
    can be wrong? I have no idea.

    Cheers,

    Joe



  2. Re: Performance Issue

    In article ,
    nospam_pangjoe@rogers.com says...
    > Folks,
    >
    > I ran into a performance issue with a Watchguard firewall which even the
    > manufacturer's technical support has no explanation of. Here is the
    > scenario:
    >
    > Internet -- DSL Modem -- Watchguard Firebox III model 1000 -- LAN1 (very slow ???)
    > |
    > Netgear/Linksys/DLink Router -- LAN2 (very fast)
    >
    > We are connected to the ISP via DSL modem. It is a turbo technology which
    > provides 3Mb/sec of download speed. We are using a Watchguard FB3 1000
    > router for connecting to the DSL modem. We noticed that the users at LAN1
    > which goes through the Watchguard gateway did not get very good throughput.
    > At any time, the download speed to any site is just 250Kb/sec at most. We
    > have even eliminated other traffic by just allowing one PC to be connected
    > to the router.
    >
    > Out of curiosity, we ran a test with a SOHO Internet gateway. We have tried
    > Netgear RP311, RP314, Dlink and Linksys. They all gave at least 450Kb/sec
    > of throughput. At first, we thought that the Watchguard has a problem with
    > the external interface. We then connected the DSL modem lan port,
    > Watchguard external interface, and Netgear external interface onto a mini
    > switch and ran the tests again. Results are consistent.
    >
    > Finally, we plugged in an FTP server to the mini-switch where the Watchguard
    > ext interface, Netgear ext interface and DSL modem lan port are connected
    > to. We configured it with a public IP address. To our surprise, Watchguard
    > can provide a very high throughput to the FTP server via the external
    > interface, 8500Kb/sec. Netgear and Dlink are stable at about 450Kb/sec, but
    > they are not as fast.
    >
    > That means the external interface of Watchguard is communicating effectively
    > on the mini switch. That eliminates the hand-shaking and duplex issue. What
    > can be wrong? I have no idea.


    It all depends on what rules you are using. The performance of a Proxy
    filter is going to be slower than a non-proxy filter. The Proxy filter
    does much more than just NAT.

    Set up a test using routed mode - 1:1 mapping, like your router would,
    and you'll find that it's just as fast. Each rule that you use takes a
    little horse power, and Proxy rules take the most.

    I have a 3mbps/2mbps connection to the internet, I use a Firebox II
    unit, and I use the Proxy filters for security reasons. I get about
    380KBytes/sec on HTTP connections.

    You should include what port/protocol you used when testing - was it
    HTTP?

    --
    --
    spamfree999@rrohio.com
    (Remove 999 to reply to me)

  3. Re: Performance Issue

    Thanks for your idea. I have added an FTP server in the diagram for
    illustration. There is no doubt that http proxy will affect performance to
    some extent. Here is a summary of the policy on Watchguard FB3 1000:

    1. HTTP Proxy - for outbound only; created on the advice of WG technical
    support to secure internal LAN
    2. HTTP - for inbound; NAT to webserver in DMZ
    3. Outgoing - from internal LAN to any
    4. FTP - outbound from internal to any

    The rest of them are quite standard. We have had different WG technicians
    review it at different times. No problems found. Let's look at the network
    set up and some findings:

                              FTP Server (using a public IP for testing)
                                  |
    Internet -- DSL Modem -- Mini-Switch -- Watchguard Firebox III model 1000 -- LAN1 (very slow!!!)
                                  |
                              Netgear/Linksys/DLink Router -- LAN2 (very fast)


    1. An FTP server is set up for trouble-shooting this performance issue. It
    is connected to the same mini-switch as the external interfaces of WG and
    Netgear.

    2. FTP server, WG ext interface, Netgear ext interface all have public IP's.

    3. Users at LAN1 found that when they use WG as DG to go to the Internet,
    performance is not good. Using FTP to log on to any Internet site and
    download files, you can get 240Kb/sec at most. We have tried both FTP &
    HTTP for downloading, results are consistent. By FTP, I mean going to the
    command prompt and starting up FTP session.

    4. Users at LAN2 found that when they use Netgear as DG to go to the
    Internet, performance is much better. Using FTP for downloading files, they
    can get over 450Kb/sec of transfer speed.

    5. Surprisingly, LAN1 gets a very good download speed when they FTP to the
    FTP Server attached on the mini-switch. They get over 8,000Kb/sec of
    throughput. LAN2, using Netgear, can go up to 800Kb/sec only. Maybe
    because the Netgear ext interface is only a 10-based port.


    What I don't understand is why FTP transfer between LAN1 and the Internet is
    much slower than the Netgear. However, if it does not go out to the
    Internet but just connect to the test server - the FTP server set up before
    DSL modem, LAN1 can get a good performance. I don't see proxy filtering can
    be an issue here. First of all, we have not applied the filter for
    outgoing. Secondly, even if filtering exists, when it has no adverse effect
    for the traffic to the test server.

    Cheers,

    Joe





    > It all depends on what rules you are using. The performance of a Proxy
    > filter is going to be slower than a non-proxy filter. The Proxy filter
    > does much more than just NAT.
    >
    > Set up a test using routed mode - 1:1 mapping, like your router would,
    > and you'll find that it's just as fast. Each rule that you use takes a
    > little horse power, and Proxy rules take the most.
    >
    > I have a 3mbps/2mbps connection to the internet, I use a Firebox II
    > unit, and I use the Proxy filters for security reasons. I get about
    > 380KBytes/sec on HTTP connections.
    >
    > You should include what port/protocol you used when testing - was it
    > HTTP?
    >
    > --
    > --
    > spamfree999@rrohio.com
    > (Remove 999 to reply to me)



