Jim,Originally Posted by Jim.Alles
This is a cool find. The strange thing though is that not all installation have those QoS limits by default.
Below are the defaults for a fresh Untangle 15.1 installation (designated as "Home", in case that matters): Untangle 15.1 Default QoS Priorities.jpg
With those default even medium priority traffic can exhaust the bandwidth. But perhaps those defaults have changed recently and you are working off an older installation?
As it turns out, the 50% limit is not likely to be a default
In general, I have streaming media go to medium Priority.
This is what I have done:
QoS Pri.png
Thanks for all the great info Jim (and others) - apologies for going radio silent, but it's been a heckuva week with both work and getting the kitchen back together after not having one since early April (burst pipe).
Teenagers are awake and streaming; I'll use today to catch up on reviewing the wiki and getting the basic bandwidth control setup done, then I'll do testing in the AM before they wake up.
Phew, feels like this week has been 10 Mondays long. Finally got some time in for testing this morning. I'll try and do some more tests tomorrow where I only disable one thing at a time instead of ramping up to (almost) fully disabling the app suite.
Test (1), Time: 7:15 am, PDT
Conditions: Nothing disabled on Untangle, minimal streaming, Apps: Web Filter, Virus Blocker, Bandwidth Control, Application Control, Firewall, Ad Blocker, Intrusion Prevention, Reports, Config Backup, Directory Connector
Interface usage: 372 Kb External, 326 Kb Internal (from 7:00 - 7:14 am)
Hosts: 21 active
Total session snapshot: 182 (162 scanned, 20 bypassed)
Results (167.5 Mb/s down, 25.9 Mb/s up):
*****
Test (2), Time: 7:19 am, PDT
Conditions: Applied bypass rule (first rule processed) on my desktop through Network Config, minimal streaming, Apps: Web Filter, Virus Blocker, Bandwidth Control, Application Control, Firewall, Ad Blocker, Intrusion Prevention, Reports, Config Backup, Directory Connector
Interface usage: not logged, as test packets would skew results
Hosts: 23 active
Total session snapshot: 135 (117 scanned, 18 bypassed)
Results (275.3 Mb/s down, 33.9 Mb/s up):
*****
Test (3), Time: 7:25 am, PDT
Conditions: Bypass rule applied and disabled Intrusion Prevention app, minimal streaming, Apps: Web Filter, Virus Blocker, Bandwidth Control, Application Control, Firewall, Ad Blocker, Reports, Config Backup, Directory Connector
Hosts: 23 active
Total session snapshot: 114 (70 scanned, 44 bypassed)
Results (272.2 Mb/s down, 34.6 Mb/s up):
*****
Test (4), Time: 7:30 am, PDT
Conditions: Bypass rule applied, disabled Intrusion Prevention and Bandwidth Control apps, minimal streaming, Apps: Web Filter, Virus Blocker, Application Control, Firewall, Ad Blocker, Reports, Config Backup, Directory Connector
Hosts: 25 active
Total session snapshot: 144 (81 scanned, 63 bypassed)
Results (215.4 Mb/s down, 36 Mb/s up):
*****
Test (5), Time: 7:33 am, PDT
Conditions: Bypass rule applied, disabled Intrusion Prevention and Bandwidth Control apps, minimal streaming, Apps: Web Filter, Virus Blocker, Application Control, Firewall, Ad Blocker, Reports, Config Backup, Directory Connector
Hosts: 25 active
Total session snapshot: 144 (81 scanned, 63 bypassed)
Results (215.4 Mb/s down, 36 Mb/s up):
*****
Test (6), Time: 7:37 am, PDT
Conditions: Bypass rule applied, disabled Intrusion Prevention and Bandwidth Control apps, disabled QoS, minimal streaming, Apps: Web Filter, Virus Blocker, Application Control, Firewall, Ad Blocker, Reports, Config Backup, Directory Connector
Hosts: 27 active
Total session snapshot: 134 (69 scanned, 65 bypassed)
Results (547 Mb/s down, 41.8 Mb/s up):
(1 of 2, Continued in next post, ran into image limits)
2 of 2:
*****
Test (7), Time: 7:40 am, PDT
Conditions: Bypass rule applied, disabled Intrusion Prevention, Bandwidth Control, and Application Control apps, disabled QoS, minimal streaming, Apps: Web Filter, Virus Blocker, Firewall, Ad Blocker, Reports, Config Backup, Directory Connector
Note: Had to do test twice after it dropped during first iteration
Hosts: 27 active
Total session snapshot: 132 (71 scanned, 61 bypassed)
Results (458.6 Mb/s down, 42.2 Mb/s up):
(Broken image, results at: ) http://www.dslreports.com/speedtest/65135533
*****
Test (8), Time: 7:47 am, PDT
Conditions: Bypass rule applied, disabled Intrusion Prevention, Bandwidth Control, Application Control, and Web Filter apps, disabled QoS, minimal streaming, Apps: Virus Blocker, Firewall, Ad Blocker, Reports, Config Backup, Directory Connector
Hosts: 27 active
Total session snapshot: 127 (80 scanned, 47 bypassed)
Results (624 Mb/s down, 40.8 Mb/s up):
(Broken image, results at: ) http://www.dslreports.com/speedtest/65135570
*****
Test (9), Time: 7:50 am, PDT
Conditions: Bypass rule applied, disabled Intrusion Prevention, Bandwidth Control, Application Control, Ad Blocker, and Web Filter apps, disabled QoS, minimal streaming, Apps: Virus Blocker, Firewall, Reports, Config Backup, Directory Connector
Hosts: 27 active
Total session snapshot: 135 (79 scanned, 56 bypassed)
Results (562 Mb/s down, 42.4 Mb/s up):
*****
Test (10), Time: 7:54 am, PDT
Conditions: Bypass rule applied, disabled Intrusion Prevention, Bandwidth Control, Application Control, Ad Blocker, Virus Blocker, and Web Filter apps, disabled QoS, minimal streaming, Apps: Firewall, Reports, Config Backup, Directory Connector
Hosts: 27 active
Total session snapshot: 165 (109 scanned, 56 bypassed)
Results (638 Mb/s down, 41.5 Mb/s up):
*****
Test (11), Time: 7:57 am, PDT
Conditions: Bypass rule applied, disabled Firewall, Intrusion Prevention, Bandwidth Control, Application Control, Ad Blocker, Virus Blocker, and Web Filter apps, disabled QoS, minimal streaming, Apps: Reports, Config Backup, Directory Connector
Hosts: 27 active
Total session snapshot: 133 (80 scanned, 53 bypassed)
Results (844 Mb/s down, 42.1 Mb/s up):
(Broken image, results at: ) http://www.dslreports.com/speedtest/65135706
*****
Test (12), Time: 7:57 am, PDT
Conditions: Set DSLReport Speed Test to Gigabit instead of Cable, Bypass rule applied, disabled Firewall, Intrusion Prevention, Bandwidth Control, Application Control, Ad Blocker, Virus Blocker, and Web Filter apps, disabled QoS, minimal streaming, Apps: Reports, Config Backup, Directory Connector
Hosts: 27 active
Total session snapshot: 133 (80 scanned, 53 bypassed)
Results (848 Mb/s down, 41.5 Mb/s up):
Hopefully that provides a decent snapshot, though it's of a rather small sample size. I'll try and find another good off-peak time when the teenagers are not only still asleep, but the rest of the neighborhood is as well.
So what is your impression of that data?
I would have to structure it into a table/matrix to make sense of it, but it does look like there is a clear pattern.
You might be able to remove some of the variables that you don't control by converting into percentages of the full speed test at a given time.
(I went down the rabbit hole of QoS because test results originally appeared to be exactly 50% of advertised.)
I'm hesitant to draw any definitive conclusions from such a small sample size, especially when external factors like neighborhood activity on the the cable network may have impacted my admittedly ad hoc tests.
I do have some impressions that I'd like to examine with further testing, those being:
(1) I may have too many apps installed for a home-based install. Even though they are disabled, I should probably uninstall Spam Blocker and Phish Blocker since we don't have our own email server. Likewise, SSL Inspector is disabled after reading about all the issues it has, and how it's not really effective.
(2) I probably need to do some tuning. With a few exceptions, most settings are at their defaults. Exceptions being mainly "block rules" linked to a Grounded policy or during the Education policy period.
(3) QoS is definitely impacting speed tests when enabled... which is to be expected. I still may need to make adjustments after a longer period of observation - like through the end of September after the college kids have been back at school for a few weeks. I just did another impromptu test with QoS enabled:
And then with only QoS turned off (all apps enabled):
Again, a little adjustment on bandwidth levels may be in order there (more on the upstream side). To get the most out of it, I think I also need to go in and create some rules to prioritize clients / devices better. "Critical" clients like my work rig, wife's preferred streaming setup (because, I choose life), etc. as Very High, with less critical devices like the XBox as High (or maybe even Medium, lol!).
Does that sound about right for impressions, and a preliminary set of "next steps" to work through?
We didn't get the second screengrab up there.
Although I agree with you, I wouldn't install those apps I don't use, I wouldn't expect them to have much of an effect.
For video streaming services, especially Netflix, they initialize by testing the link, to determine bandwidth available, and scale by grabbing as much as possible. Unless 4k is required, I like to limit those sessions to enough bandwidth for HD, while leaving headroom for the rest of the household. Netflix discovers what they have allocated, and remain happy with it with reasonable quality; then it doesn't have to re-negotiate.
An unseen factor that can slow things down is the sheer number of sessions. Even if they are short-lived, if you have something unusual going on. Keep an eye on that count.
It possible that this boils down to hardware.
Thanks Jim, I'll leave the apps alone. There's plenty of space available on the SSD, so removing them was probably more an artifact of the "reduce the attack surface whenever possible" mindset from a previous role many years ago.
Unfortunately, we are a 4k household that's also cut cable service, so everything is online (fuboTV, wife's Amazon Prime & Netflix, and Disney+ for the kiddies). That's why I try and test while they're all sleeping or otherwise occupied, lol!
For sessions, I think getting a handle on that will also involve some tuning and adjustments. For example, when I took a quick glance at the dashboard today I noticed my Sonos speakers pinged a server in Argentina, then Zaire, Germany, etc. A quick search (and trip down the rabbit hole) showed the server in Argentina was for their national research company (innova-red.net), but I don't think my speakers need to contribute to their efforts. I tagged all the speakers with "Sonos," and now have a firewall rule that restricts all traffic to local, US, and US minor outlying islands.
Here's a look at sessions per hour over the past week (I tried to shrink it, apologies if it's still too large):
And corresponding CPU load over the same period (a load of 5 is the upper end of Green for my setup, and 8 is the upper end of yellow):
Alrighty, just about time to jump on another call - thanks again for your insights and advice, it's definitely helping as I work through this.
Start shopping for hardware.
Untangle Employee comment please?
Posting Permissions
LinkBack URL
About LinkBacks
