Upgrade needed???

I'm running a Firebox T10 on my home network. I use one subnet for the house and the second for work. In the past few months I've noticed the house subnet often has issues accessing IPv4-based websites (no problem with IPv6 addresses) and my WiFi is in shambles. However, if I bypass the Firebox, some of the problems go away -- I can reach the Comcast Gateway while I cannot access the WiFi that's behind the Firebox.

I'm running mainly Win10 systems (some game systems for the kids, one Linux laptop plus cell phones) -- about 30 devices in total. I have three questions: Has the T10 simply run out of gas to handle WiFi 5/6 and would an upgrade to the T35 solve the problem? If I upgrade to the T35, can I just copy over my configuration file from the T10 and use that? I'm no network engineer -- I just write about them.

Comments

  • A T10 has always been a tad underpowered. I'd recommend a trade-up to the T20, not a T35. My T20 is easily as fast as my T35, maybe even faster. What do you use for WiFi? I use Ubiquiti UniFi wireless access points and I have no issues, but I also don't have 30 wireless devices.

    You can copy the config to the new Firebox, change the feature key, then save it.

    Gregg Hill

  • A T20 is a much newer device than the T35.
    If the T20 specs look good enough, it will have a longer supported lifetime than the T35.

    Here is the comparison for a T10, T35 & T20:
    https://www.watchguard.com/wgrd-products/appliances-compare?pid1=216&pid2=17846&pid3=42051

    Not sure why the comparison tool suggests that the T20 is only good for 5 users... I'm using one wit no issues.
    And as Gregg said, the T10 was always under powered.

  • I have a similar configuration at home, work network, camera vlan, guest vlan, wife work vlan ........ and it was running on a T-10.
    It worked but my Internet struggled even though I had the fastest speed I can get at home.
    Then I upgraded to a T-20 and boy-howdy did that make a difference. Even with all the scanning and DPI I actually had a speedtest.net result of over 700mb / sec download. Pretty impressed.

    • Doug

    It's usually something simple.

  • IF for some reason you DO want a T35...DON"T buy one! Get a T40 instead for the same price.

    Gregg Hill

  • I have a T35 and T40.. The T40 is light years ahead of the T35 in terms of real world performance.. I don't have a T20, but I have heard nothing but good comments from people that have them..

    Adrian from Australia

  • Thanks, all. Will my T10 config files work with the T20?

  • Then I think I have all I need for now. Thank you all for your great help. Very much appreciated. Hope everyone has a very Happy Thanksgiving and a safe and sane holiday season.

  • Just to jump in here, I know this is dated but we are getting a ton of issues with clients that have been upgrading to Spectrum 600x60 service. The either have a T10 or T15. Can't get over 80Mbps out of them. How are you guys handling these issues? I have even tried disabling all the UTM services but still no gain. Just put in bigger boxes?

  • james.carsonjames.carson Moderator, WatchGuard Representative

    Hi @Larry.
    I wouldn't expect anything over ~100Mbps with a T10. For a 600Mbps line I'd suggest at least a T80.

    Try the sizing tool here:
    https://www.watchguard.com/wgrd-resource-center/watchguard-appliance-sizing-tool

    -James Carson
    WatchGuard Customer Support

  • edited December 2020

    @James_Carson said:
    Hi @Larry.
    I wouldn't expect anything over ~100Mbps with a T10. For a 600Mbps line I'd suggest at least a T80.

    Try the sizing tool here:
    https://www.watchguard.com/wgrd-resource-center/watchguard-appliance-sizing-tool

    James,

    I am confused. I have Spectrum 200 x 10 service, and with my T20, I get about 220 x 11 speeds on a bare packet filter test. I just put my old expired T10 in place as a test using a bare unrestricted packet filter, and it got 96Mbps x 10Mbps.

    At a minimum, I expected performance higher than its rated 160Mbps for an IPS Fast Scan because there supposedly is NO scanning taking place.

    A T10 has a Gigabit WAN interface, so with all UTM services off and just using a straight packet filter, why does it have sub-100 Mbps speed? With zero scanning, I'd expect to see it max out my 200 Mbps Wan connection.

    Gregg Hill

  • As a reference, I have a T20, with a 300 Mbps cable connection.
    I get 250+ Mbps on download speed test with a 15 ms ping latency, using a packet filter and connected with Ethernet.
    No idea what the real max throughput is for a packet filter speed test for a T20.
    The IPS values is 271 Mbps
    https://www.watchguard.com/wgrd-products/appliances-compare?pid1=42051&pid2=42056&pid3=42061

  • james.carsonjames.carson Moderator, WatchGuard Representative

    Hi @Greggmh123
    IPS is most like, it won't match. Speeds will vary based on what you're doing (your testing methodology, and load on the firewall.)

    The T10 is a rather old device, and the measured speeds on it would be back with its released firmware (11.8.5.) We've added quite a few features since.

    If you're not seeing expected throughput, I'd suggest opening a case with WatchGuard support so they can test with you and go over the results you're seeing.

    Both your and Bruce's tests are about what I'd expect to see for those respective devices.

    -James Carson
    WatchGuard Customer Support

  • James,

    Regarding "IPS is most like, it won't match", I don't expect a packet filter to match IPS Fast Scan speeds; I expect it to EXCEED that old rated 160Mbps IPS Fast Scan speed. After all, with an expired UTM and just a bare packet filter, there shouldn't be anything to slow it down by half the connection's rated 200Mbps speed.

    My question to you is WHY you would expect just a bare packet filter to be at 100Mpbs or slower when the T10's 1000Mbps port is connected to 200Mbps service. If it's not filtering anything, why would it drop the speed by over 100Mbps?

    I'll test again tomorrow to see what its actual connection is and verify if it was at 1000Mbps to begin with. The T10 was a testing unit, so there is some chance I have a restriction on it somewhere.

    Gregg Hill

  • james.carsonjames.carson Moderator, WatchGuard Representative

    Hi @Greggmh123
    If you're not seeing the speeds you expect, please open a support case. There's not nearly enough information to troubleshoot this here.

    The addition of security services running on the device as well as software updates could potentially be causing the issue. Depending on when the T10 expired its feature key may also have a line that needs to be changed. Testing process also plays a role. None of this is going to be shareable in the forums due to PII potentially being shared.

    -James Carson
    WatchGuard Customer Support

  • @James_Carson said:
    Hi @Greggmh123
    If you're not seeing the speeds you expect, please open a support case. There's not nearly enough information to troubleshoot this here.

    The addition of security services running on the device as well as software updates could potentially be causing the issue. Depending on when the T10 expired its feature key may also have a line that needs to be changed. Testing process also plays a role. None of this is going to be shareable in the forums due to PII potentially being shared.

    My T10 feature key expired April 26, 2018, and it has Fireware 12.2.1 on it. Testing was through a plain packet filter with Any as the protocol and Any as the target, using speedtest.net servers.

    What line are you talking about? No PII below!

    Serial Number:
    License ID:
    Name: 11-01-2018_07:57
    Model: T10
    Version: 2
    Feature: APP_CONTROL@Apr-26-2018
    Feature: AUTHENTICATED_USER#200
    Feature: AV@Apr-26-2018
    Feature: BOVPN_TUNNEL#5
    Feature: FIREWARE_XTM
    Feature: FW_RULE#0
    Feature: FW_SPEED#400
    Feature: FW_USERS#0
    Feature: IPS@Apr-26-2018
    Feature: L2TP_USER#5
    Feature: LIVESECURITY@Apr-26-2018
    Feature: MUVPN_USER#5
    Feature: NETWORK_DISCOVERY@Apr-26-2018
    Feature: RED@Apr-26-2018
    Feature: SESSION#100000
    Feature: SPAMBLOCKER@Apr-26-2018;UC1xxxxxxxxxxxx
    Feature: SSLVPN_USER#5
    Feature: VLAN#10
    Feature: VPN_SPEED#100
    Feature: WEBBLOCKER@Apr-26-2018
    Expiration: never
    Signature: xxxxxxxxxxxxxxxxxxx

    Gregg Hill

  • @Greggmh123 Did you have any time to test?

  • edited December 2020

    @Larry said:
    @Greggmh123 Did you have any time to test?

    @Larry

    Yes. See my December 15th post.

    EDIT: Hmm, I think you were referring to testing its connection, either 100 or 1000, not the download speed. No, I have not checked that yet.

    Gregg Hill

  • Larry,

    If you were referring to testing my T10's connection, meaning either 100 or 1000, not the download speed, then I just reconnected the T10 and confirmed it is connecting at 1000Mbps to my cable modem.

    With expired UTM and a plain packet filter doing no scanning, I just got 95 x 11 on my Spectrum 200 x 10 service. On my T20, I get over 200 down and 10 to 12 up going through the same packet filter.

    Gregg Hill

Sign In to comment.