Slower speed through Firewall - #4498

Hi guys, I've been dealing with an unfortunate behavior that is common to me.

Getting slower speed through the firewall compared to being connected directly to the ISP's router/modem.

Right now, I'm dealing with an XTM330 running OS 11.11.

Right through the modem - AVG 67Mbps down and 42Mbps up - wireless was disabled and the firewall was unplugged from the ISP's modem.

Through the firewall, using an Any policy at the top of the firewall policy list associated with the probe PC's IP:
AVG 55Mbps down and 5Mbps up

Through the firewall, using an Any policy at the top of the firewall policy list associated with the probe PC's IP AND CONNECTED ALONE ON ETH1 - even stranger behavior: download speed decreased, almost to half. I was expecting a speed more similar to the PC connected to the modem on its own.
AVG 55Mbps down and 5Mbps up

From what I could understand, the firewall wasn't overwhelmed. I even rebooted the firewall expecting a higher speed - no success.

Bandwidth meter measurements followed the speed test results; an example of the last test:

What am I missing, guys?



    Check the speed/duplex settings for external & trusted in WSM Firebox System Manager -> Status Report
    If either of them is set to half duplex, that will be an issue, and usually indicates a speed/duplex mismatch between the 2 connected interfaces.
    You can also check for errors or collisions on those 2 interfaces - which may indicate a duplex issue or a bad Ethernet cable or marginal Ethernet port.


    Hi Bruce, I am truly thankful for your early reply.

    No interfaces are half-duplex, and none have collisions.

    The Internet link which I'm testing - ETH2 - has 100Mbps acquired from the ISP. It is set to 100Mbps Outgoing Interface Bandwidth and Auto Negotiate.

    The LAN is connected to ETH1 with a link speed of 100Mbps, Full Duplex and 0 Kbps set as its Outgoing Interface Bandwidth.

    I just noticed the MTU "received" on the external link is 1484, when the interface is set to 1492.

    I never understood it very well, but I'll match this MTU setting to 1484 and see what happens.

    If you have any more thoughts about what could be degrading link speed, I'd be glad to hear them.

    Rafael da Costa


    MTU = Maximum Transmission Unit
    MTU will be an issue for large packets.
    The default MTU for Ethernet is 1500.
    So if your PC sends 1500 byte packets, the firewall will need to break that into 2 packets - 1484 and 16.
    DSL links often have a MTU of 1492.
    No idea why the MTU is set to 1484 instead of 1492.


    I thought the modem was advertising its preferred MTU size, but every time I drop 8 bytes on the firewall's interface, the status report shows me an even smaller number than the firewall.

    1484, 1476 and now 1468.

    Not sure if it's coincidence or not, but the download speed increased after these changes.

    I'll run some MTU tests, reviewing the computer itself as well, and see how it goes.

    Upload acquired is 40Mbps, so it's gotten better, but it needs improvement.

    Set the MTU on your PC to the value on the firewall and test again

    The value you see in Status Report

    Hi Bruce, I still didn't do the test of lowering the PC's MTU. But I was researching the MTU value found on the PPPoE interface and I came to the conclusion that the firewall itself reduces it by 8 bytes so as not to exceed the 1500 MTU size after the PPP encapsulation that PPPoE does. So every time I decrease the MTU size on the firewall's interface, the OS follows that decrease, maintaining an 8-byte distance.

    Or the ISP could really be advertising its preferred MTU size.

    But the same behavior follows for the GRE interface (PPTP), which increases MTU size by 24 bytes, and the firewall also decreases it by 24 bytes.

    On January 29th, I made MTU size changes to the firewall's interface MTU and got a lot better download speed, but reversing it to the previous 1492 didn't make any change to the internet speed test.

    If the PC's MTU change works, what are your thoughts? Change the MTU on all network devices?

    I'll keep researching, thanks in advance!


    P.S.: The LAN interface is set to MTU 1500; does that MTU interfere as well as the WAN interface?


    Does anyone know what this is? Is this value alright? If not, how do I change it?



    I think that this is the queue length of packets waiting to go out that interface.
    I see 0 on my interfaces (eth0 - eth4), including external.


    Hi Bruce, it's really annoying when solutions seem easy after a long troubleshoot, but I only had to set the MTU to 1500 on the PPPoE interface - I've found nothing documented, but I believe the firewall itself subtracts 8 bytes when the external interface is set to PPPoE.

    I also changed the local interface speed from 1000Mbps Full Duplex to Auto Negotiate; not sure which of those two settings solved the problem, and I didn't want to mess it up doing more tests after solving it.

    And I read somewhere that when an interface isn't set to auto negotiate, it doesn't advertise its link speed and full/half duplex settings to other network nodes, which might decrease throughput as well.

    I appreciate your help, thank you.


    If 1 end is set to auto, then the other end should also be set to auto. Auto is normally preferred.
    Both ends need to match.
    If both set to auto has issues, such as collisions/errors, then both should be set to the same fixed setting such as 1000Mbps Full Duplex - whatever the max that both ends support.

    No idea why the MTU setting is being decreased by 8 as you have seen for PPPoE.


    WG is "smart", decreasing on its own by 8 bytes to suit PPP encapsulation (MTU 1492), so when the data leaves the firewall, it doesn't go over MTU 1500.
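The MTU arithmetic discussed across the thread (the 8-byte PPPoE and 24-byte GRE overheads, the 1492 -> 1484 drop seen in Status Report, and the "1484 and 16" split of a 1500-byte packet), worked through as an added example that is not code from the thread or from WatchGuard. The overhead values are taken from the replies above; the 20-byte IPv4 header and the 8-byte fragment alignment are assumptions about plain IPv4 without options.

```python
# Added example, not code from the thread or from WatchGuard: it works through the
# MTU arithmetic the replies describe. Overheads are the values the thread gives:
# PPPoE adds 8 bytes (6-byte PPPoE header + 2-byte PPP protocol field) and the
# GRE/PPTP tunnel adds 24 bytes (20-byte outer IPv4 header + 4-byte GRE header).

ETHERNET_MTU = 1500
IPV4_HEADER = 20  # IPv4 header without options (assumed for the fragment math)

# Bytes each encapsulation takes away from the 1500-byte Ethernet payload.
ENCAP_OVERHEAD = {"none": 0, "pppoe": 8, "gre": 24}


def effective_mtu(interface_mtu, encap):
    """IP MTU left for the packet once the firewall adds the encapsulation.

    An external interface configured at 1492 with PPPoE on top gives the 1484
    the thread saw in Status Report; 1500 with GRE gives 1476.
    """
    return interface_mtu - ENCAP_OVERHEAD[encap]


def fragment_sizes(packet_len, path_mtu, header=IPV4_HEADER):
    """Total on-the-wire lengths of the IPv4 fragments produced when a packet of
    packet_len bytes (header included) must cross a link with MTU path_mtu.

    Every fragment but the last carries a payload that is a multiple of 8, because
    the IPv4 fragment offset counts 8-byte units. A 1500-byte packet over a 1484
    MTU therefore carries 1464 + 16 bytes of payload; the 16 left-over bytes go out
    in a second fragment that is 36 bytes once its own IPv4 header is added.
    """
    if packet_len <= path_mtu:
        return [packet_len]  # fits, no fragmentation needed
    payload = packet_len - header
    max_chunk = (path_mtu - header) // 8 * 8  # largest 8-aligned payload per fragment
    if max_chunk <= 0:
        raise ValueError("path MTU too small to carry any payload")
    sizes = []
    while payload > 0:
        chunk = min(max_chunk, payload)
        sizes.append(header + chunk)
        payload -= chunk
    return sizes


def fragment_payloads(packet_len, path_mtu, header=IPV4_HEADER):
    """Payload bytes carried by each fragment (the split the endpoints notice)."""
    return [size - header for size in fragment_sizes(packet_len, path_mtu, header)]


def fragments_through_firewall(pc_mtu, interface_mtu, encap="pppoe"):
    """Fragments a full-size PC packet becomes after the firewall's encapsulation."""
    return fragment_sizes(pc_mtu, effective_mtu(interface_mtu, encap))
```

Running `fragments_through_firewall(1500, 1492)` reproduces the thread's first setup (two fragments), while a PC MTU matching the Status Report value, or the interface set to 1500 with the firewall subtracting its 8 bytes, leaves every full-size packet in one piece.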
