Speed tests are both an art and a science, and it often takes a bit of trial and error to get the results you want. Here are our tips to help you use Firewalla to optimize all your equipment, especially if you have a Gigabit WAN network or faster.
If the tips in this article don't solve your network speed problems, please contact our support team through this form: https://help.firewalla.com/hc/en-us/requests/new. Please share some of your test results when you open the issue to help move the diagnostic process faster.
Please note that we're continuously adding to and improving this article.
- Finding Network Slowdowns
- Example: Troubleshooting a Performance Issue
- Tuning Wi-Fi
- Testing over Wi-Fi vs. Ethernet
- Multi-WAN Network Speed with Firewalla
- For Pros
Finding Network Slowdowns
To tune your network and identify the cause of any performance problems, test each segment of your network individually. By checking each component of your network connection separately, you can quickly find any issues.
If your WAN isn't performing, chances are you need help from your ISP. If your LAN isn't performing, calling your ISP won't help, but you will want to know where to look. This article will help diagnose and fix the issue(s). Being armed with this level of detail is better than only using public test servers like speedtest.net.
- Test Firewalla's Internet Connection. Use the Internet Speed test in the Firewalla app to measure the connection from Firewalla to Internet speed servers.
- Check your network infrastructure. Ensure your hardware and cables are in good condition and can handle your network speeds.
- Test your Ethernet connections. Check any connections coming directly from your Firewalla and then any segment that's not performing as expected.
- Test your Wi-Fi connections. Make sure your Wi-Fi network is performing as expected.
- Test your network with an external speed test server. This will show you the overall speed from a device to an external server.
If you test in the order listed above, you can save a lot of time and effort. If, for example, the problem is with your ISP, there is no need to investigate your network. On the other hand, if the ISP connection is working as expected, you can move on to isolating which part of your network is having an issue.
1. Test Firewalla's Internet Connection
Start by testing your WAN connection. This will only test the Internet connection outside your LAN (the area not in yellow in the picture above). There are two options to test your WAN:
- Use the Internet Speed Test in the Firewalla mobile app.
- Use the Terminal-based test from Firewalla to the speed test server. For more details, see the "Pros" section below.
If this test is close to what you expect, you can move to the next step. If not, try changing the test server to see if it performs better. See Test Your Network with an External Speed Test Server for an explanation of why different speed test servers give different results.
Note that your ISP may count Internet speed tests in your bandwidth usage, but they won't be included in Firewalla's bandwidth calculations.
Expected Results
With this test, you should expect results very close to your ISP's promised service. If the results are poor, it will not be because of anything on your LAN. Your LAN is not being measured in this test.
2. Check your Network Infrastructure
Before evaluating a local network's speed, check your hardware to ensure everything's in good condition. Your speed is only as fast as the slowest point in the journey, so if your Ethernet is going through a bad cable or a slow switch, everything that crosses that part of the network up and down will also be slowed.
Tip: You can start by checking the following on any device that is performing poorly or the device you will use for Testing your Ethernet Connections or Testing your Wi-Fi Connections.
How to Prepare
- Make sure you have the right cables. Gigabit networks require CAT 5E, 6, or 7 Ethernet cables. Cables usually have their category printed on them. If there is no indication, assume it is CAT5. Replace any CAT 5 cables if you find them. This is the most common problem.
- Make sure your cables are in good condition. Test or replace any cables you have doubts about, even if you don't see physical damage.
- Make sure your Ethernet switches can handle your network speeds.
- Check device negotiation speed settings.
- On the Firewalla app, tap Settings > About > Port Speed to check the port speed of devices connected directly to your Firewalla.
- Check your device settings to ensure a slower speed isn't manually or automatically set. A bad cable or a slow switch can cause a device to slow a connection automatically. Below is an example of where speed can be manually configured in macOS.
Devices should generally set negotiation speed automatically; you shouldn't need to change this.
3. Test your Ethernet Connections
Once you've established that your ISP isn't causing any slowdowns, you should test your Ethernet connections by visiting http://fire.walla:8833/ss/ over an Ethernet connection. Testing over Ethernet takes all of the variables that come with Wi-Fi out of the equation. Don't worry, we will test Wi-Fi next.
Note, that this test will not measure your Internet connection at all. It is only measuring between the device you run the test on and Firewalla.
- If you're visiting http://fire.walla:8833/ss/ using Safari and you're getting slower-than-expected results, try another browser such as Chrome.
- Make sure you know the port's expected speed. You can see Firewalla's port speeds by tapping Settings > About > Port Speed.
How to Prepare
- Make sure you're using the right cables. If you have Firewalla Gold Plus, you'll need CAT 6a cables (or better). CAT 5e is adequate for Purple and Gold. If you have Gold SE, you should use at least CAT 6a cables for the 2.5G ports and CAT 5e cables for the Gigabit ports.
- Use the right device. If you have Gigabit Ethernet or faster, you should use a PC or Mac for the test.
- Start as close to the Firewalla as possible.
- First, connect a device directly to Firwalla over Ethernet if possible, and work down each network segment that is underperforming.
- If you have a switch or other equipment with Ethernet in and out, re-test by connecting to the switch.
- If you have daisy-chained switches, test by connecting a device to each subsequent switch. You may find that one switch is failing for example. This also applies to any device with Ethernet in and out. For example, some access points allow you to connect other devices over Ethernet. Testing on both sides of that device may help you discover a hardware or software issue with that device.
- Try different ports on any switch. Sometimes one port starts to fail but others are working just fine.
- If you have a MoCA network with long coax cables in your home, test on either side to eliminate the MoCA from the equation. To do this, connect your device's Ethernet to the MoCA adapter, test the connection, then repeat the process on the other side. If there's a significant difference between the results, consult a networking expert.
Expected Results
The results here should be close to the slowest number in the "negotiated speed" described above in Network Infrastructure. For example:
Device | Test Device | Expected Result |
Firewalla Gold (1Gbps port) | Windows box (with 1Gbps) | ~1Gbps |
Firewalla Gold Plus (2.5 Gbps port) | Windows box (with 1Gbps) | ~1Gbps |
Firewalla Gold Plus (2.5 Gbps port) | mac mini (with 10Gbps) | ~2.5Gbps |
Notes
- The speed for the LAN test may be higher than your ISP's service. This means devices on your network can talk to each other faster than they can reach the Internet.
- The LAN speed tests are never counted by your ISP in your monthly bandwidth nor are they included in Firewalla's bandwidth calculations.
4. Test your Wi-Fi Connections
If your Ethernet connections are performing well, test the connection speed between your Wi-Fi devices and Firewalla next to see if there are any bottlenecks there. You can use either the Wi-Fi Speed Test or the Live Wi-Fi Test in the Firewalla app or visit http://fire.walla:8833/ss/ over a Wi-Fi connection. If possible, please use Chrome as your browser.
- You can use our Live Wi-Fi Test to help you visualize and tune your Wi-Fi connection in real-time. The live Wi-Fi Test will show you your download and upload speed, ping latency, and Wi-Fi roaming. To use this feature, make sure you're connected to your box's local Wi-Fi, then tap Wi-Fi Test on your box's main page. This is also a great way to find the best placement for your Wi-Fi access points.
Notes
- The speed for the Wi-Fi test may be higher than your ISP's service. This means devices on your network can talk to each other faster than they can reach the Internet.
- LAN speed tests are never counted by your ISP in your bandwidth usage nor are they are not included in Firewalla's bandwidth calculations.
- Wi-Fi tests can change depending on things outside your control, like nearby Wi-Fi, or things in your control, like distance from or location of the access point. Some access points have settings you can adjust, like channel, radio power, etc. You can use Firewalla's live Wi-Fi Test to tune your access point's performance. See Tuning Wi-Fi for more details.
5. Test your Network with an External Speed Test Server
Now, you know the speed from your Firewalla to your ISP and your local network. But it isn't a bad idea to compare it to a public speed test server for an end-to-end comparison. We recommend speedtest.net, fast.com and dslreports.com.
As mentioned, it is normal for LAN tests to be different than the Firewalla Internet Speedtest. However, there can also be differences between a public speed test such as speedtest.net and the Firewalla Internet speed test for a lot of reasons:
- A public test is an end-to-end test that includes the entire path from the device through your LAN, through your Firewalla, over the Internet, and to the server. The speed results will show the slowest part of that journey.
- Not all speed test sites are equal, and not all will work consistently worldwide (a server that performs well for you may not perform well for a neighbor or someone in another city.) On most tests, you can change which server is being used. Remember that a server that showed great results yesterday might not be good today, so always try a few servers before making any conclusions.
- Some speed tests will limit the maximum bandwidth getting tested. For example, fast.com only measures speeds up to 250 Mbits. That may be far less than your connection provides. Imagine your car's speedometer being limited to 50 mph.
- If you're not using Firewalla in Router Mode, check your router to see if it has a device or traffic prioritization setting. This may limit the speed test.
- If you use Firewalla in Router mode, check if you have set Smart Queue to limit speed on any of your devices.
- If you are using a shared medium (cable modem, for example), your speed may be impacted by what your neighbors are doing as well or how many speed tests are running at the same time.
Here are our tips for getting the most accurate results from an external speed test server:
- If you can pick the location of the target server, choose one close to you. Try a few others if you are not getting the speed you are after. Make a note of which are consistently better and worse.
- Use an app instead of a web page for the test. For example, speedtest.net has apps that you can download and use. They're likely more reliable than browser-based tests.
- Check your Smart Queue Rules. We've had many cases where a customer forgot that they applied a Smart Queue Rule, which slowed down the network in an unexpected or undesired way.
- Test during off-hours. For example, if someone is loading a 4k video, that will compete with your speed test. Similarly, large uploads or downloads can have an impact.
- Test multiple times. You may get different results, so testing a few times can help you get an average.
- Be consistent. Once you find test conditions that work well, running the same test each time will give you an apples-to-apples comparison that makes it easier to know if things have changed.
Firewalla's monitoring mode will influence your test results slightly – Router Mode provides the fastest result, then DHCP Mode, then Simple Mode. For details on why, see our article on how Firewalla intercepts traffic.
Example: Troubleshooting a Performance Issue
If you're experiencing network performance problems, you can identify the root of the issue by testing at different points. For example, in the network below, let's say the computer is showing poor performance.
- Check that the computer has a 1Gb connection.
- Check the cable between the computer and the switch. Try new ones if you can, or switch a cable with one you know is working well.
- Check that the switch is operating at 1Gb or better. Switches usually indicate speed by the lights on each Ethernet port.
- Check the cables that make up the connection between the Gold and the switch.
- Check Port 1 on Gold to make sure it shows 1GbE as well.
- Move Computer 1 to port 3 of Firewalla (removing the switch) and see if the performance differs. This will test a different port on Firewalla to exclude a problem with Firewalla.
- Remove the cable from the switch and connect the computer directly to Firewalla port 1. This confirms that the switch or cables in the old path were somehow an issue.
See Tune your Speedtest Server for additional details.
Tuning Wi-Fi
When testing your Wi-Fi, move close to an AP. The speed test should be close to the top speed of your Wi-Fi AP. If it is not near the advertised speed, try the following steps:
- Is your Access Point connected via Ethernet, or is it a wireless backhaul? Ethernet is always preferable when possible.
- Try moving your AP to a different location. Physical obstructions can interfere with performance.
- If your AP has adjustments for the radios, consider settings such as radio power. Consult your AP's documentation for specific instructions.
- Check to see if the channels you are using are saturated by nearby APs. Use less crowded channels.
- If your device supports 5Ghz, Wi-Fi speed may be better, but the range is usually shorter than with 2.4Ghz.
Testing over Wi-Fi vs. Ethernet
Wi-Fi is not always reliable when doing speed testing. Your results depend on a variety of factors, ranging from how your neighbor is using the Internet to your Smart Queue settings. For more consistent tests, please use an Ethernet connection.
Here is an example of a speed test via DSL Reports over Ethernet:
Here's the same test over Wi-Fi, using an access point 15ft away. Even with Smart Queue on, you can see some buffer bloat.
Multi-WAN Network Speed with Firewalla
If you have multiple WANs in load balancing mode and your speed test uses the same destination IP address, then your max speed will be whatever link is used. Firewalla's load balancing mode is based on the destination IP, so if the speed test server IP is the same, all the traffic will go to the same circuit. A workaround is to run two different speed tests on two different servers.
For Pros
WAN Speed Testing Inside Firewalla (PRO ONLY)
If you know how to access the Firewalla SSH shell, you can use these commands to do a quick speed test. This test may not always reach Gigabit speed due to Python limitations.
pi@firewalla:~ (GoldJCMain) $ remote_speed_test
Retrieving speedtest.net configuration...
Testing from Comcast Cable (73.162.248.251)...
Retrieving speedtest.net server list...
Selecting best server based on ping...
Hosted by Razzolink Inc (San Jose, CA) [7.37 km]: 21.692 ms
Testing download speed................................................................................
Download: 714.04 Mbit/s
Testing upload speed................................................................................................
Upload: 39.63 Mbit/s
If you have Gigabit connections, you can use the speed test client. You will need to install the test binary yourself.
For Firewalla Gold, Gold Plus:
wget https://install.speedtest.net/app/cli/ookla-speedtest-1.2.0-linux-x86_64.tgz
For Firewalla Purple, Gold SE:
wget https://install.speedtest.net/app/cli/ookla-speedtest-1.2.0-linux-aarch64.tgz
Then, enter this command to run a speed test:
tar -zxvf ookla-speedtest*.tgz
Your results should look something like this:
pi@firewalla:~/tools (GoldJCMain) $ ./speedtest
Speedtest by Ookla
Server: EGI Hosting - Santa Clara, CA (id = 32408)
ISP: Comcast Cable
Latency: 10.23 ms (1.53 ms jitter)
Download: 934.95 Mbps (data used: 1.1 GB)
Upload: 39.67 Mbps (data used: 29.7 MB)
Packet Loss: 0.0%
#If you want to test it on each interface
pi@firewalla:~/tools (GoldJCMain) $ ./speedtest --interface eth0
The two test results above were run in sequence. You can see the speed difference due to different test tools.
Simple Ping Tests
If your Zoom calls are choppy or you think your speed is slower than usual, you can try using a ping test to check your network.
First, ping a well-known and stable IP, like 1.1.1.1 or 8.8.8.8. If you see something like the result below, something between your PC/Mac and the Internet is dropping the packet.
ping 1.1.1.1
In parallel, ping Firewalla's main IP or your router IP.
ping 192.168.2.1
If the ping to your router or Firewalla has dropped a packet and the time is erratic and >100ms, then your LAN most likely has a problem. This is usually due to your Wi-Fi connection or a bad switch.
VPN Speed Test
You can also test the speed of your connection from your VPN phone to your Firewalla by using the speed test that is normally for LAN Wi-Fi testing.
Additionally, if you're connected to the VPN server, the Live Wi-Fi Test feature will be displayed as VPN Test instead of Wi-Fi Test. This will show you the speed from your phone to your Firewalla box via VPN.
Comments
24 comments
Which IP do we use in FWG when it's in router mode?
if you are doing local testing, it will be the gateway IP (of your network segment) of the Firewalla Gold.
This doesn’t work with the Internet IP address - right?
I've read that ISP's cheat and grant traffic priority to speed test websites to give their customers the dishonest appearance that the boosted results are accurate measurements that represent the customer's typical internet speeds...does the choice of speedtest providers have this in mind?
I've read good things about self-hosting your own instance of librespeed is one such way of effectively combating this, just to put this out there in case the issue hasn't already been addressed....
https://github.com/librespeed/speedtest
Want to have speedtest cli on Firewalla Gold? This will tell you how fast your internet connection is right on Firewalla (no wifi or Ethernet involved)
Firewalla will remove anything installed after upgrades so you can install a script to reinstall for you after firewalla upgrades and possibly reboots. See https://gist.github.com/mbierman/9ac6a35622ee5a0c631ed6f6ad74b722.
Then you can run speedtest.
Or
if you have dual WAN and want to test WAN2
The wget command doesn't work.
Yeah, speedtest changed something. I'll update my script shortly.
Why don't you just use Speedtest CLI?
speedtest cli fails with:
Interesting. it is working correctly for me. Are you running the latest speedtest version?
Yes I think so, I just installed it.
Weird, it's working fine for me.
I followed the steps mentioned here
Speedtest CLI - Internet connection measurement for developers
Thanks for supplying this, makes me feel quite happy with the quality of monoprices cat6 cables! with a 16 port netgear switch in between the test computer and the firewalla I hit 1006.10 up, 999.33 down 2.49ms ping and 0.14ms jitter with a fairly standard dell win 10 system. I've seen 1000 down briefly on internet transfers so I can safely say, the firewalla gigabit ports work properly!
@Ben I don't know if this would interest you, but for fun I wrote a script that can capture speedtest data from both of my Firewalla WAN connections and send the data to a google spreadsheet to make some nice graphs. I'm running it 1/hour at least for now. It can also capture and save to a log file on Firewalla. You can turn off either of these if you don't want one or the other.
@Michael oh my god that's a ton of beautiful data definitely awesome work there!
@Ben you are very kind. Thanks!
@Michael This looks great. However the --interface flag for my secondary WAN isn't working. I have set my WAN config to be in failover mode.
@sukumar, Sorry! I agree it would be nice to handle the failover use case. I will see if I can figure out a good way to determine which WAN is active and add that to the script.
I don't know if you can access the WAN port if it is in failover mode. Maybe @Firewalla can clarify if that should be working or not. I can see why it might make sense that it wouldn't.
Temporarily at lest, you could of course leave WAN2 blank and test your primary WAN.
@sukumar, actually I just put my FWG into failover and tested the second WAN and it worked fine. Are you sure pppoe0 is the correct interface?
@Michael Yes its the correct interface. I will reach out to Firewalla with this.
Thanks @sukumar. I don’t have a ppoe connection so I can’t test. Let me know what the resolution is if you can.
@remotebloke I fixed the script. Might be good to have because some Firewalla upgrades will overwrite Speedtest.
https://gist.github.com/mbierman/9ac6a35622ee5a0c631ed6f6ad74b722
Hi community, I've run http://fire.walla:8833/ss/ test (using Cat7 cables) and I have similar picture as in the article: download speed almost 2x faster than upload. Any idea why? Is this something on Firewalla's side?
[Update]: here we go. It is browser specific test. Chrome gives better picture, while Firefox has this imbalance. Same is applicable for ping and jitter. See below.
Another useful diagnostic from the CLI is using ethtool to give you more details about WAN link problems. Here's an example:
Note the "Link partner advertised" lines, those tell you what the other side is capable of supporting, so if you're seeing slow throughput and getting "Link partner advertised link modes: 10baseT/Full / 100baseT/Full" then there's a problem with the upstream device.
Please sign in to leave a comment.