Firewalla Gold Pro in Bridge Mode: very poor latency values and rather poor speed
I have a Unify system with a UDM SE and currently a Sophos UTM appliance in bridge mode on the LAN side of the UDM SE. The Sophos UTM bridges the untagged native LAN and plural VLANS.
My intention was to replace the Sophos UTM by a Firewalla Gold Pro in bridge mode. I have configured in the Firewalla Gold Pro bridges for the untagged native LAN and plural VLANS, so that the intended replacement should work appropriately.
However, the Firewalla Gold Pro provides a very unsatisfying performance in comparison to the Sophos UTM, concerning the achieved speed as measured with www.speedtest.net and - more importantly - concerning the latency under load, as measured with www.waveform.com/tools/bufferbloat. The resulting bufferbload grade is very very poor in comparison the bufferbload grade that I get with the Sophos UTM.
Does the Firewalla Gold Pro need some more engineering concerning the bridge mode that appears to have been somewhat neglected so far? The hardware of the Firewalla Gold Pro should be beefy enough in view of the technical data thereof. I hope for substantial improvements in due course. Currently I will stick to the Sophos UTM.
-
I think you should focus on the LAN side first before getting LAN+WAN together. Firewalla does have many different tests that you can run on the LAN side, please see https://help.firewalla.com/hc/en-us/articles/360056875493-Speed-Tests-and-Speed-Optimization-with-Firewalla
And while do the test, make sure you use a device with ethernet port and test LAN performance first, and then move to WiFi.
-
Hi Firewalla team, I do not understand your advice. The Firewalla Gold Pro in bridge mode is located on the LAN side of the UDM SE, without any WAN connection. The WAN is handled by the UDM SE only. I compared the Sophos UTM in bridge mode and the Firewalla Gold Pro in bridge mode unter essentially identical conditions, just by unplugging the ethernet cable on the remote side of the UDM SE of one thereof and plugging the ethernet cable on the remote side of the UDM SE of the other thereof from / into in a respective 10G ethernet port of a switch to which the Unify access points are connected. The Wifi connection between my Mac laptop and a very near Unifi access point remained the same. Did you really read my post?
-
What I am suggesting to you is to isolate the problem and measure each piece of the network independently. If you mix WiFi, WAN, two firewalls together, it is going to be pretty hard to identify the slow party.
1. The Firewalla LAN tests like visiting http://fire.walla:8833/ss/ via an ethernet device will eliminate any interference of your AP / WiFi.
2. if you want, you can run a WiFi test (as in the article I sent you) to test your WiFi speed.
Both of the above will give you a good idea if your LAN (before firewalla is slow or not)
After this, you can look at the Firewalla speedtests, and see how fast it is. This will test the speed "after" your firewalla. Since you are not using the firewalla as your router, this also will include WAN performance. (example https://help.firewalla.com/hc/en-us/articles/360056875493-Speed-Tests-and-Speed-Optimization-with-Firewalla#h_01HJ24N663KF9TQ6GEXBZMD7QP)
-
Hi Firewalla team, triggered by your advice I did some additional testing:
The bridges (bridge 1 for the untagged LAN, bridges 2, 3, 4 and 5 for a respective VLAN) configured in my Firewall Gold Pro each show optimal network performance according to the automatic internet download and upload speed tests, namely about 1071 Mb/s download rate and about 54 MB/s upload rate that correspond essentially to the rates provided by my cable internet provider. Of these bridges, in practice, only bridges 2 and 3 have traffic load, since bridge 1 is only the management LAN of the Unifi system having plural switches and access points and bridges 4 and 5 with the related VLANs of the Unifi system were set up for future use. Most of the traffic flows via the VLAN corresponding to bridge 2, and my tests mentioned in my previous post caused traffic that had to pass bridge 2.
The Firewalla LAN tests (HTML5 Speedtest) at http://fire.walla:8833/ss/ show via ethernet about 988 Mbps download rate, about 988 Mbps upload rate, about 2.1 ms ping and about 0.3 ms jitter, if I have connected my MacBook to VLAN 2 and use the IP address of bridge 2 to access the Firewalla Gold Pro via the Safari browser.
Via ethernet (VLAN 2) I get at speedtest.net about 913 Mbps download rate and about 54 Mbps upload rate, when the traffic has to pass the Sophos UTM appliance.
The mentioned Bufferbload test provides via ethernet (VLAN 2) the result “Bufferbloat Grade A”, with 15 ms unloaded latency, 12 ms download active latency, 3 ms upload active latency, 875 Mbps download rate and 47.8 Mbps upload rate, when the traffic has to pass the Sophos UTM appliance.
In view of this I assume that the LAN side as well as the WAN side of my network and my internet connection are fine, and that the Sophos UTM appliance doesn´t substantially reduce the speed and doesn't substantially increase the latency. During these measurements the Firewall device was only connected at one of its 10G ports with the ethernet network
If I reconfigure my network so that the Firewalla device is connected with both of its 10G ports with the ethernet network such that the traffic has to pass the Firewalla Gold Pro in bridge mode via its bridge associated to my VLAN 2, bypasses the Sophos UTM, I get via ethernet (VLAN 2) the following results:
HTML5 Speedtest at http://fire.walla:8833/ss/ essentially the same good, only slightly reduced speed values: 993 Mbps download and 982 Mbps upload.
The internet speed test at speedtest.net shows a lower download rate, about 748 Mbps, and about 53 Mbps upload rate.
However, the mentioned Bufferbload test provides only very poor results: “Bufferbload Grade C”, meaning “Your latency increases considerably under load”, 24 ms unloaded latency, 118 ms download active latency, 108 ms upload active latency, 401.2 Mbps download rate and 42 ms upload rate.
Accordingly, appears that the bridge mode functionality needs substantial reengineering to achieve a performance that is in a sense promised by the technical data of the Firewall Gold Pro device. For the time being I can only use it as a rather expensive device for monitoring the network devices that are connected or get connected to my network and for measuring the LAN speed with the HTML5 Speedtest.
-
The LAN network speed looks good. When you see the significantly different performance, do you mean the same device got 748 Mbps/download and 53 Mbps/ upload through Gold Pro, compared with 913 Mbps download and 54 Mbps/upload through Sophos UTM using the Ookla speed test service?
Do you use the same speed test server?
-
Yes, your understanding is correct. In both cases the same MacBook was used, and nothing else was changed in the network, except of coupling two Unifi switches alternatively either via the Sophos UTM or via the Gold Pro.
I think that I used in both cases the same Ookla speed test server, but I didn't make a note of it. I will repeat these speed tests for both configurations of the network, and take care that the same server is used. Then I will report here.
-
I would highly appreciate to receive help / support to check and possibly correct the configuration. How shall I provide the information on the network topology and how shall I enable remote support?
Meanwhile I have the theory that the Gold Pro in bridge mode somehow causes something like a network loop or similar with a resulting network storm or the like, that is not caused if the two Unify switches are connected by means of the Sophos UTM or just by a simple ethernet patch cable.
This is hinted to me by the fact that IPTV, that is distributed by a VLAN not passing the Sophos UTM / Gold Pro / ethernet patch cable (since the switch ports of the two switches are not enabled for this IPTV VLAN, and since no corresponding bridge is configured in the Sophos UTM and the Gold Pro) shows freezing TV screens and error messages, it the connection between the two switches is provided via the Gold Pro. In case of having the connection via the ethernet patch cable or the Sophos UTM no such TV freezing occurs.
Could it be that the bridges configured in the Gold Pro provide internal network connections between the VLANS? This is the only idea that I have that could explain that the Gold Pro provides for a kind of network loop or similiar that is not provided by the ethernet patch cable or the Sophos UTM.
-
@Volker, it is pretty rare for a bridge to cause loops; almost always the loops are caused by external wiring. I see you have a case open, it is best to share your information there, and our support can help you out. If you do see loops, best double check wiring and make sure you don't have any physical loops.
-
Since a normal ethernet patch cable instead of the Gold Pro doesn't cause this effect I think that there is no external wiring that could be the culprit.
I have not yet a case open yet. Must this be done via the app or can I send an email, at least for the additional information I would like provide?
Please sign in to leave a comment.
Comments
13 comments