Optimize T20 for best throughput

Trying to optimize my personal T20 (12.9.B673767) home-office config and looking for some feedback.

My home is dual-fed, 50Mbps DSL and 1Gbps Cable. I have two APs, one AP125 and a used AP325 I recently purchased from eBay. Our cable connection used to be 150Mbps, and we upgraded it to 1Gbps this past week.

I've created an ANY hole and am doing speedtests through it. Plugged in to the T20, I'll see around 300-310Mbps on the cable connection. If I do a speedtest directly from the back of the cable modem, I'll reach around 770Mbps. As I've read through some other forum posts, I understand that the T20 will have some limitations on how much traffic it's able to process. I'd clearly like it to be more, but understand I'm at the upper limit of the T20 (I think).

Port 0 - cable modem
Port 1 - Trusted with APs
Port 2 - NVR
Port 3 - DSL modem
Port 4 - inactive

As this is a home office, my teenagers (wireless Windows 11's, MacBooks, iPhones, goodness knows what else) are utilizing their own SSID on the APs. If I moved the APs to port 4, would they be able to process around ~300Mbps while port 1 would also allow ~300Mbps -- hence the T20 would be processing around 600Mbps, or is it best to leave it as is? I'm trying to think of ways to alleviate the bottleneck of around 300Mbps.

Basically I'm trying to think of ways to best optimize the T20. Being a small business / home office, an M290 isn't feasible.


  • Options

    What do you have set for Multi-WAN?
    Fail-over would be a reasonable option here.

    I have a T20, currently running V12.9 U1.
    I have a WG wifi 6 AP - AP 330, and the throughput from it is very good - it reaches or exceeds my supposedly current max cable download of 300 Mbps, and was what I used for my earlier throughput tests when I had a 600 Mbps cable connection service which got near the stated speeds.
    This is using the Windows Speedtest by Ookla app.
    Their web site test (www.speedtest.net) shows a similar download speed for me > 300 Mbps.
    Using an Ethernet cable, I'm getting over 450 Mbps, which shows that my cable company has upgraded my service, gratis.

    What is the latency that you are seeing to your speed test site?
    High(er) latency can seriously impact a single device speed test result.
    My latency (ping) results are usually under 20 msecs - mostly 16.

    And for a speed test, one does want to use a packet filter.
    By default, an Any packet filter will end up near the bottom of the policy list, so it is possible that some higher up policy is allowing the speed test packets, and potentially degrading the speed test.
    One can manually reorder the policies to move your test policy to the top of the policies list.

    The firewall specs are for total traffic through a firewall, and include all traffic, no matter what interfaces are involved, and thus I would not expect an improvement in separating this traffic. However, doing so can potentially give you more control over what the kids are doing to consume your Internet bandwidth - such as via Traffic Management, if desired.

    So - look at your setup.

    FYI, my HTTP & HTTPS traffic is going via proxy policies (and HTTPS is going via Inspect) to protect my user access from the nasties out there. If there are specific needs for higher throughput for a specific device or app, those can often be provided via specific policies.
    In general, we here are not having Internet response time issues. I perhaps have fewer heavy users on my network than you (NO kids).

  • Options

    Thanks Bruce. I'm always in awe of your knowledge. You've helped me since my original FireBox II.

    I am using failover on the multi-wan. I have also created 2 policies: 1 is cable fails to dsl, and the other is dsl fails to cable. I route some packets out on the DSL first, things like SMTP / IMAP / DNS / NTP. I figure I might as well use the pipe since it's there and move some traffic off the cable connection. The latency on the cable modem to my local speedtest.net site is 18-19ms on both DSL and cable.

    For various reasons, I do have my policy manager in manual order mode. My temporary "any-hole" is at the top of the list and is definitely passing traffic. Once I find my optimized-bandwidth solution, I'll switch back to proxied services. I'm controlling the kids' wifi by VLAN ID from their SSID. So far everything is working well, just looking for that last bit of speed to squeak out of this thing. 300 Mbps isn't bad, but knowing I'm leaving almost 500 Mbps on the table is bugging me. I'll survive, but it could be that much better!

    For whatever reason, my last speedtest pulled 390Mbps -- at 9:30 PM EST. I didn't change any settings, so I can't claim a victory yet.

  • Options
    edited February 2023

    Contact your cable ISP and have them verify that your link has been properly upgraded. Sometimes errors are made.
    Ignore this since above you said that you get 770Mbps when connected directly to the modem.

    Check WSM Firebox System Manager -> Status Report -> Interfaces section, and look for errors or collisions in interfaces. These usually indicate a speed/duplex mismatch between what is connected to the firewall or perhaps a bad Ethernet cable.
