hardstyler

join:2013-02-17
italy

USG 100 REAL THROUGHPUT

Hi all!

I found some topics asking about real speed with or without UTM features, and found a detailed but old USG 200 test.

So I want to explain my experience to those with doubts.

I had a ZyWALL 2 Plus in the past, but I cannot tell you anything as interesting as I can for the USG 100 I have had for a year and a half.

So:

I have a USG 100 and can say that the upgrade from the 2.20 to 3.00 firmware (I have aqq3, not 4) is impressive, with fast browsing in the menus, and if you want to set all IDP signatures to LOG ALERT and DROP you finally can do it without wasting at least 4 hours, unless you save a config file, edit it with Notepad and then upload it to the appliance!!! 30 minutes and it's done! I'm very happy!!!

I have a 12.8/1 ISP speed; it is a really poor line, but the USG with ALL active services uses less than 60% of CPU.

Let me explain:

- 10 rules in the firewall to block and allow things such as services that I don't use and IPs that tried to enter my LAN.
- IDP active with about all rules active, and log alert and drop packet (not really all).
- ADP active, same as IDP.
- APP PATROL active with all blocking except some apps.
- CF active with Blue Coat and some personal rules. Report service to myzyxel.com not active; it doesn't work for me!!!
- AV ZyXEL with 15000 signatures active to check HTTP, MAIL, FTP and something else. NOT RAR AND ZIP FILES, for me it is useless! And so it can scan everything in the pages you browse!
- ANTI-SPAM deactivated; really useless and stupid as it is implemented, you must give it the login and server credentials of your mail accounts to be effective.
- LOGS active for all except VPN, which I don't use. Daily log with graphs and more active.

I use max 2 PCs in the LAN connected to it and served by the internet. No servers and no VPNs. I am a home user, not professional or working from home.

CPU goes up to 60% when updating signatures, or up to 95% when managing the web configurator and downloading or updating signatures while downloading from a PC; that never happens.

CPU goes to about 55% when I download at the full speed of my line, 12.8 Mb/s, yes 1.6 MB/s, from file hosters. Sessions? Really low.

CPU goes to 3% max when browsing the internet, such as YouTube and many sites loaded at the same time on one or 2 PCs; max 6% or less with 2 PCs, still a low session number used.

If I download torrents, 4 torrents, download via hosters and play online games, saturating the line download and upload bandwidth, the CPU goes to 72%, using 2 PCs at the same time. Sessions? Never more than 3400, but a real estimate is about 2500; I had a max of 3400 when downloading and the USG activated signature download and installed new signatures.

I can estimate a real value of max 4 PCs downloading torrents and files from file hosters at the same time with the USG 100 and a 12.8 Mb/s ISP line. But if I think of only one PC with everything activated, then the USG 100 for sure can manage a 22 Mb/s ISP when downloading from file hosters, same as from hosters and torrents at the same time and full load of the ISP line.

If you plan to browse the internet with all UTM features activated you can sleep well with max 20 users; ZyXEL says 25, yes I think it can do it, but 20 is safer. If the browsing is intensive, calculate max 1000 sessions per user and you are OK also when the USG starts signature updates!!! The 20000 session limit with 20 users will surely be saturated, but CPU, I estimate, will max out at 80% and not more when not updating signatures.

If you plan to download from hosters, torrents (LOL!!! what a serious office, except for Linux distros...) and browse from 20 PCs with all UTM and firewall activated, then the USG 100 is really not for you!!!!

If you have only one PC downloading from hosters with UTM activated and a 100 Mb/s ISP line, then you must consider the USG 2000 with the acceleration module (SEM dual module), and you are sure you can download 290 Mb/s with no problems, and you can add more than one PC downloading!!!! A USG 1000 I really don't think can manage a 100 Mb/s link with all UTM activated. Yes, I estimate that the USGs can manage a speed equal to 73% of the UTM performance value that ZyXEL gives in the brochures.

I only estimate, but from what I have seen till today over 3 years I can say I'm estimating well!!!!

Same thing with other vendors, but you must compare only between models of the same vendor unless they publish the same throughput testing methodology, such as RFC 2544 with large packets!!! SonicWall for example uses the same test methodology!


Kirby Smith

join:2001-01-26
Derry, NH
Reviews:
·Fairpoint Commun..

1 edit

The largest cause of a session count way above what a torrent client shows for the number of connections is Bit Torrent connections not being closed correctly. To fix this, change the UDP and TCP session timeout values to shorter times, perhaps one-fifth the default values. (See the CLI user manual "Session Timeout" section for information.) You can leave link sticking at maximum if you are using dual WAN. The UDP parameter is now exposed in the GUI in the latest firmware.

Only the TCP-established parameter needs to be changed among all the TCP parameters. Only the UDP-deliver parameter needs to be changed among the UDP parameters. Defaults for my USG 50 were 9000 and 300, respectively, and I could cut these to one-tenth. I do not run any VPNs, so I haven't tested the effect of shortening the times on VPN hold-up.

There is a table of performance capabilities with and without UTM that I recall Brano put together and which is linked to in various past forum messages relating to performance. (As near and dear as it is to my heart, I do not keep the URL handy.)

kirby

[edit] I should note that in the CLI manual there are a few errors on the referenced page, and the table should be corrected as shown below.

session timeout { ...} not session timeout session {... }
show session timeout { icmp | tcp | udp } not show session timeout { icmp | tcp-timewait | udp }

Be sure to "write" any parameter changes per the guide's instructions.



Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:4

»USG series FW 3.00 Comparison I believe Kirby is alluding to.

Hey Kirby, where are those TCP and UDP exposed parameters in the GUI? I want to apply your 1/5th rule.


Kirby Smith

join:2001-01-26
Derry, NH
Reviews:
·Fairpoint Commun..

1 edit

Anav:

Only the UDP is exposed, but that might be the majority of present Bit Torrent traffic (haven't checked my session tables lately).

I'm looking for the parameter ... stand by with bated breath

kirby

[edit] I think UDP outweighs TCP, but the ratio is probably in the 60/40 to 70/30 range.


Kirby Smith

join:2001-01-26
Derry, NH
Reviews:
·Fairpoint Commun..

1 recommendation

Anav:

The path is Configuration/firewall/session control [tab].

I notice that it is also possible to set session count limits per host on this page. I haven't looked into that feature. Might be good with a large family or one data aggressive teenager.

kirby


Kirby Smith

join:2001-01-26
Derry, NH
Reviews:
·Fairpoint Commun..

2 edits
reply to hardstyler

I should add that I once found a table at frozentux.net on the default values used for TCP timeouts in iptables. The TCP-established parameter was set to 5 days! And close-wait to 12 hours. So one might not want to depend on his Linux PC to delete sessions that were long abandoned by Bit Torrent peers.

Looking at /proc/sys/net/ipv4 my impression is that iptables parameters have changed since that table at frozentux.net was published, so for now I consider what Cinnamon Mint 14 is actually doing for session control to be a mystery.

[edit] Other sources of values that might influence one's tuning may be found wherever DD-WRT directions might be, and/or those for pfSense.

[edit2] I found the new path in Mint 14 (based on Ubuntu 12.04). /proc/sys/net/netfilter is where the usual parameter suspects may be found. TCP_established is shown as 432000, so I hope that isn't a value in seconds.

k


Kirby Smith

join:2001-01-26
Derry, NH
Reviews:
·Fairpoint Commun..

According to www.iptables.info/en/connection-state.html, the netfilter values are seconds and 5 days is the intent for tcp-established. What I haven't found (and probably won't) is what they had in mind for making such a large value the default. Default close_wait is 12 hours. Maybe they had bad telephone connections to their 300 baud modems.

I'll have to find out the terminal command to determine the size of the state table in my PC. It could be gigantic unless when the USG closes a hanging state it sends a RST to the PC. Where's SYN-ACK when you need him?

kirby
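Kirby's point in the posts above is that idle entries (abandoned Bit Torrent peers) sit in the state table until the idle timeout expires them, so a shorter timeout shrinks the table. The following is an added example, not code from the thread or from ZyXEL or netfilter: it parses a constructed `conntrack -L`-style dump and counts how many entries a timeout shortened by one-fifth or one-tenth would already have expired. The netfilter tcp-established (5 days) and close_wait (12 hours) values are the ones quoted in the thread; using the USG's 300 s UDP default for the Linux table is an assumption.

```python
import re
from collections import Counter

# Idle timeouts, in seconds, quoted in the thread: netfilter's tcp-established
# (432000 = 5 days) and close_wait (43200 = 12 hours), plus the USG's UDP
# default of 300 s (applied to the Linux table here as an assumption).
CURRENT_TIMEOUTS = {
    ("tcp", "ESTABLISHED"): 432000,
    ("tcp", "CLOSE_WAIT"): 43200,
    ("udp", None): 300,
}

# Constructed state-table dump in `conntrack -L` style: protocol, protocol
# number, seconds until the entry expires, TCP state (TCP only), then tuples.
SAMPLE_TABLE = """\
tcp      6 431990 ESTABLISHED src=192.168.1.10 dst=203.0.113.5 sport=51413 dport=6881 [ASSURED]
tcp      6 2000 ESTABLISHED src=192.168.1.10 dst=203.0.113.9 sport=51414 dport=6881 [ASSURED]
tcp      6 38000 CLOSE_WAIT src=192.168.1.11 dst=198.51.100.7 sport=40022 dport=443
tcp      6 431999 ESTABLISHED src=192.168.1.11 dst=198.51.100.8 sport=40023 dport=443 [ASSURED]
udp     17 290 src=192.168.1.10 dst=203.0.113.20 sport=6881 dport=6881
udp     17 12 src=192.168.1.10 dst=203.0.113.21 sport=6881 dport=6881
udp     17 5 src=192.168.1.10 dst=203.0.113.22 sport=6881 dport=6881
"""

# proto, proto number, seconds-to-expiry, optional upper-case TCP state
LINE_RE = re.compile(r"^(\w+)\s+\d+\s+(\d+)\s+(?:([A-Z_]+)\s+)?")


def parse_entries(dump):
    """Yield (proto, state, idle_seconds) per line; idle = timeout - ttl."""
    for line in dump.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, ttl, state = m.group(1), int(m.group(2)), m.group(3)
        key = (proto, state if proto == "tcp" else None)
        if key not in CURRENT_TIMEOUTS:
            continue  # states with no timeout listed above are ignored
        yield proto, state, CURRENT_TIMEOUTS[key] - ttl


def reclaimable(dump, divisor):
    """Return (entries per proto, entries per proto that a timeout shortened
    by `divisor` would already have expired); 5 = one-fifth, 10 = one-tenth."""
    total, stale = Counter(), Counter()
    for proto, state, idle in parse_entries(dump):
        total[proto] += 1
        key = (proto, state if proto == "tcp" else None)
        if idle > CURRENT_TIMEOUTS[key] // divisor:
            stale[proto] += 1
    return dict(total), dict(stale)


if __name__ == "__main__":
    for d in (5, 10):
        print(f"1/{d} of default:", reclaimable(SAMPLE_TABLE, d))
```

On a real host the same parser can be fed the output of `conntrack -L`, and the per-protocol totals give the UDP/TCP ratio Kirby estimates in the thread.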