  1. #1
    Newbie
    Join Date
    Sep 2022
    Posts
    2

    Question Sluggish internet experience

    Hello all,

    I'm very new to Untangle, and I've only been running it for about 4 weeks now.

    Since having Untangle to replace my old Ubiquiti USG PRO 4, my internet doesn't feel that fast and snappy anymore.
    Especially pages with lots of image files; they don't load as instantly as before anymore.
    Also, video files on Telegram will sometimes not start or need at least 3 or 4 tries.

    I was about to blame my ISP, but when I reverted back to my USG PRO 4, the internet was again fast and snappy.
    Speedtests are OK; it always tests around 990 Mbps download and upload.

    When running the Puma6 cable modem test (yes, old habit, but still a good tool to measure your connection), there are some red blocks (see attachment).
    Running Waveform Bufferbloat test, gives grade A result (used to be A+ on the USG)


    Is this just by design (as Untangle has to analyse a lot more compared to a fairly primitive router such as the USG), is my HW insufficient, or does it need some extra tweaking?

    My specs:

    Internet: 1000/1000 PON optical connection, using a passive media converter to make 1000Base-T
    Connection by PPPoE and VLAN tagging.
    The server has 2 Ethernet ports, 1 dedicated to WAN, the other dedicated to LAN.
    Interface screenshot in attachment.

    Untangle server:
    Home Protect Basic license

    HP Proliant Microserver G8
    CPU Count: 8
    CPU Type: Intel(R) Xeon(R) CPU E31260L @ 2.40GHz
    Architecture: amd64
    Memory: 8 GB (2x 4GB)
    120GB Samsung 850PRO SATA SSD
    HP Ethernet 1Gb 2-port 332T Adapter ( Broadcom NetXtreme BCM5720 chipset )

    Current dashboard information:
    Uptime: 13 days
    Memory: 18.2% used ( 1.51GB )
    Swap: 0.9% used ( 27.53MB )
    Disk: 14.6% used ( 16.65GB )
    CPU Load: currently 0.07, it has never peaked beyond 1.00

    The Untangle instance is fairly default; I haven't changed many settings apart from the interfaces, DHCP and 5 port mappings.
    Running Apps: Web Filter, Application Control, Firewall, Reports, Configuration Backup

    This server is 100% dedicated to Untangle, running on bare metal (no VM etc)

    What i tried so far to pinpoint the problem:

    I tried several DNS configurations (internal and external); there seems to be no difference.
    Used different switches ( HPe1930, Aruba2530, Ubiquiti 24port ), no difference
    Swapped patch cables ( new Cat6A )
    Changed server memory
    Changed optical patch cable
    Disabled all power saving settings in BIOS; the server is at the moment on the static high-performance profile (although I want this reverted in the future, as energy prices are skyrocketing here)

    Any advice, or is this just inherent to using a much more advanced firewall?
    Last edited by Mitch76010; 09-19-2022 at 12:07 PM. Reason: Additional screenshot

  2. #2
    That Which Lurks Below
    Join Date
    Jul 2018
    Posts
    134

    Default

    It's entirely possible that it's just the introduction of another link in the chain, not to mention that this new device is doing a lot more scanning & processing of traffic passing through it. I don't think you're under-specced; those numbers look roughly comparable to our z4 Plus appliance. Check the Dashboard Resources & CPU Load widgets to see if you're redlining, but I'd be surprised if it were insufficient hardware muscle.

    • How large is the network? How many devices passing traffic through the NG Firewall?
    • Which apps are you running and how much are they processing? Different apps have different overhead based on what they scan for & what they do.
    • What are your DNS server settings?


    You might try creating a Bypass Rule for a test device, in Config > Network > Bypass Rules. Anything bypassed isn't subject to any application processing, so that should help you rule out whether it's something in the Apps area or just the system as a whole.
    Græme Ravenscroft • Technical Marketing Engineer
    ('gram', like the unit of measurement)
    he/him
    Please don't reboot your NGFW.
    How can we make Arista ETM products better?

  3. #3
    Untangler
    Join Date
    May 2008
    Posts
    592

    Default

    I would try a switch between the modem and untangle. Might not help but is easy.

  4. #4
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,542

    Default

    This is where you fire up the dreaded SSH.

    Once SSH'd into Untangle, you run
    Code:
    service untangle-vm stop
    Now run your speed tests. Do you see the performance problem? If yes, the issue is in your physical hardware, Linux itself cannot handle the packets at the performance value you want and you need updated hardware.

    If the performance issue goes away, then something in the UVM is causing the slowdown. This might be adjusted with QoS, or any number of other things. And may also indicate you've got hardware issues.

    Then you run this to turn your filtration back on.
    Code:
    service untangle-vm start
    but before you go way off into the weeds, make sure that Untangle's WAN interfaces have strong responsive DNS servers to connect to. DNS being slow is an issue. Your ISP might also be mucking with the DNS queries to brightcloud, which will cause performance problems anytime you're using Threat Prevention, Web Filter, or Web Monitor.

    Finally, double NAT is very bad... don't do that. So whatever you do make sure you don't have two routers back to back.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  5. #5
    Newbie
    Join Date
    Sep 2022
    Posts
    2

    Default

    Quote Originally Posted by gravenscroft:
    It's entirely possible that it's just the introduction of another link in the chain, not to mention that this new device is doing a lot more scanning & processing of traffic passing through it. I don't think you're under-specced; those numbers look roughly comparable to our z4 Plus appliance. Check the Dashboard Resources & CPU Load widgets to see if you're redlining, but I'd be surprised if it were insufficient hardware muscle.

    • How large is the network? How many devices passing traffic through the NG Firewall?
    • Which apps are you running and how much are they processing? Different apps have different overhead based on what they scan for & what they do.
    • What are your DNS server settings?


    You might try creating a Bypass Rule for a test device, in Config > Network > Bypass Rules. Anything bypassed isn't subject to any application processing, so that should help you rule out whether it's something in the Apps area or just the system as a whole.
    Thank you for your reply.

    It is a fairly simple home network: 2 wired desktop clients, 2 TVs, game consoles, a home automation controller, and a few wireless clients on WiFi 6 (UniFi 6 Pro AP) such as phones, tablets, and smart home appliances such as a dishwasher, washing machine (and dryer), oven and doorbell.
    Around 25 devices
    The apps that are running are Web Filter, Application Control, Firewall, Reports, Configuration Backup. I haven't touched the settings of these, they are all still in default.

    My current DNS setup is a PiHole running on an Intel 8th gen Core i5 NUC computer; it is using Google, NextDNS, Quad9 and my ISP DNS servers as upstream servers.
    However, to rule out any DNS issue, I made some tests without the local DNS, using my ISP and Google DNS servers.

    I will try the bypass rule, to see if that would improve the performance. Thank you


    Quote Originally Posted by donhwyo:
    I would try a switch between the modem and untangle. Might not help but is easy.
    There is no modem.
    I have an optical line that is connected to a passive media converter; the media converter is then directly connected to the WAN interface of my server.

    Quote Originally Posted by sky-knight:
    This is where you fire up the dreaded SSH.

    Once SSH'd into Untangle, you run
    Code:
    service untangle-vm stop
    Now run your speed tests. Do you see the performance problem? If yes, the issue is in your physical hardware, Linux itself cannot handle the packets at the performance value you want and you need updated hardware.

    If the performance issue goes away, then something in the UVM is causing the slowdown. This might be adjusted with QoS, or any number of other things. And may also indicate you've got hardware issues.

    Then you run this to turn your filtration back on.
    Code:
    service untangle-vm start
    but before you go way off into the weeds, make sure that Untangle's WAN interfaces have strong responsive DNS servers to connect to. DNS being slow is an issue. Your ISP might also be mucking with the DNS queries to brightcloud, which will cause performance problems anytime you're using Threat Prevention, Web Filter, or Web Monitor.

    Finally, double NAT is very bad... don't do that. So whatever you do make sure you don't have two routers back to back.
    My speedtests are fine; I can pull and push 980 Mbit/s on the connection, tested from a wired client, and I also get around 920 Mbit/s when testing on a WiFi client.
    At night I pull some backups from my work servers at a datacenter, roughly 1.2 TB each night; according to the graphs, those are done within 3 hours, which is within 97% of my available bandwidth. Larger transfers are not an issue here, it seems.

    My issue is, I have a feeling my Untangle hesitates a bit when it comes to making new connections/sessions. For example, a crowded and bloated news page, with lots of sections and lots of small images, takes around 1.5 to 2 seconds to fully load, while it only takes half a second when using my old router.
    The same goes for videos: there is a delay before the video starts, or sometimes (especially on Telegram) it won't start at all, only after a few retries. Again, when reverting to my old router, it's all instant again.

    You have a VERY good point about the DNS of the Untangle server. While all my clients are using a PiHole with multiple upstreams, my Untangle only uses my ISP DNS servers. This might indeed be the root cause of it all.

    Luckily, I don't have a double NAT; the WAN port is directly connected to my optical line (using a passive media converter), and my Untangle WAN IP address is my public IP address.

  6. #6
    That Which Lurks Below
    Join Date
    Jul 2018
    Posts
    134

    Default

    Quote Originally Posted by Mitch76010:
    There is no modem
    I have a optical line…
    I find that 'modem' can often be understood as shorthand for 'the ISP termination device' and could be abstracted to refer to an ONT as well.

    Quote Originally Posted by Mitch76010:
    My issue is, i have a feeling my Untangle does a bit of hesitation when it comes to making new connections/sessions. For example, a crowded and bloated news page, lots of sections, lots of small images, it would take around 1.5 to 2 seconds to fully load, while it only takes half a second when using my old router.
    Your old router didn't run every one of those connections through an engine that processed & filtered them. When you go to a website, you're not just accessing that website alone: you're pulling content from a number of other sites & services like CDNs, ad servers, &c. All those connections have to be filtered, not just the 'main' website itself.
    Græme Ravenscroft • Technical Marketing Engineer
    ('gram', like the unit of measurement)
    he/him
    Please don't reboot your NGFW.
    How can we make Arista ETM products better?

  7. #7
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,542

    Default

    Ok so you don't have bandwidth issues, you have latency issues.

    That's either CPU, or DNS resolution times generally.

    I would try to bypass that backup traffic, it'll likely help. There's not much sense in putting all that through the UVM when you know it's safe.

    Finally, don't make your DNS a loop! You want Untangle using public DNS! You do NOT want it using your pihole!

    What happens then is you have a DNS resolution path that can't work until the Internet is up, but the Internet isn't up because the DNS pathway is down. And the DNS pathway cannot work because the Internet isn't up. It's NOT a fun condition.

    But what you can do is kick Untangle to use Google / five 9s / OpenDNS... something other than the ISP and see if that helps. It's normal to feel a little latency because it takes time to run all the checks on a new page load. This also applies to video loads. It's NOT normal to have things fail to load, or for that delay to be much more than barely noticeable.

    P.S. If you haven't bypassed DNS traffic leaving the PiHole you should do that.
    Last edited by sky-knight; 09-21-2022 at 08:24 PM.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  8. #8
    Untanglit
    Join Date
    Nov 2020
    Posts
    20

    Default

    Quote Originally Posted by sky-knight:
    Ok so you don't have bandwidth issues, you have latency issues.
    Finally, don't make your DNS a loop! You want Untangle using public DNS! You do NOT want it using your pihole!
    Care to elaborate?

    Do you mean you'd set it like:
    LAN (Interface settings; override DNS with pihole) ->
    Pihole (set to Untangle for getting webfilter) ->
    WAN (override with whatever public DNS you want?)

    Now to hijack this for my DNS setup. I use an OPNsense VM for DNS over TLS, and some other tinkering.
    Is this "correct" or have I done this backwards.
    LAN (Default DNS)
    WAN (Override DNS with opnsense)
    OPNsense (DNS over TLS)

    Personally I'd ditch pihole altogether and just tweak webfilter to your liking.

  9. #9
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,542

    Default

    Do not create dependency loops. That's all.

    DNS servers inside Untangle can use Untangle for DNS (this is NOT required for Web Filter to work by the way). But it's just as valid to have a DNS server inside Untangle using public servers to resolve. Though for performance and security reasons it helps to really understand the default DNS bypass rule, and how to use it.

    What you do not want to do is have Untangle using a DNS server inside itself. When you do this, you create a loop. The DNS server cannot work until the Internet is up, and the Internet (Untangle) cannot be up until DNS works. It's a great way to make strange problems that will cause your hair to fall out.

    No, give Untangle DNS servers on the Internet some place, use the domains feature to redirect specific queries to your internal DNS if you need to support AD or something and move on.

    Finally, once again none of Untangle's modules need Untangle to be used as DNS to work. Web Filter uses DNS to get the data it needs to do its job, but it works on the client's HTTP/HTTPS sessions. If a client bypasses your DNS infrastructure, the web traffic is STILL FILTERED as it transits Untangle. There is no bypassing it short of using a VPN.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
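    A small model of the dependency-loop argument from the two posts above, added here as an example (it is not code from the thread or from Untangle): every resolver inside the LAN reaches its upstreams through the edge router, so pointing the router's own DNS at an inside host always closes a cycle, whatever that host's upstreams are. The names `untangle` and `pihole` and the upstream addresses are constructed for the example.

    ```python
    """Detect DNS dependency loops behind an edge router (illustrative model).

    Model: every resolver inside the LAN reaches its upstreams through the edge
    router, so it implicitly depends on the router being up. If the router's own
    DNS setting points at an inside resolver, the graph has a cycle: that resolver
    needs the router, and the router needs DNS.
    """
    from typing import Dict, List, Optional, Set

    EDGE = "untangle"  # constructed name for the edge router / its own DNS client


    def build_graph(resolvers: Dict[str, List[str]], inside: Set[str]) -> Dict[str, List[str]]:
        """Explicit upstream edges plus the implicit 'inside host -> edge router' edge."""
        graph = {name: list(ups) for name, ups in resolvers.items()}
        for name in inside:
            graph.setdefault(name, []).append(EDGE)
        # Public resolvers appear only as upstreams; give them an (empty) entry.
        for ups in list(graph.values()):
            for up in ups:
                graph.setdefault(up, [])
        return graph


    def find_loop(graph: Dict[str, List[str]], start: str = EDGE) -> Optional[List[str]]:
        """Depth-first search from `start`; return the first cycle as a node path, or None."""
        path: List[str] = []
        on_path: Set[str] = set()

        def dfs(node: str) -> Optional[List[str]]:
            path.append(node)
            on_path.add(node)
            for nxt in graph.get(node, []):
                if nxt in on_path:  # back edge: closes a cycle
                    return path[path.index(nxt):] + [nxt]
                found = dfs(nxt)
                if found:
                    return found
            path.pop()
            on_path.discard(node)
            return None

        return dfs(start)


    # Constructed configurations mirroring the two setups discussed in the thread.
    LOOPED = {EDGE: ["pihole"], "pihole": ["8.8.8.8", "9.9.9.9"]}  # router -> Pi-hole (inside)
    CLEAN = {EDGE: ["8.8.8.8", "9.9.9.9"], "pihole": [EDGE]}       # Pi-hole -> router -> public

    if __name__ == "__main__":
        for label, cfg in (("looped", LOOPED), ("clean", CLEAN)):
            print(label, find_loop(build_graph(cfg, inside={"pihole"})))
    ```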

  10. #10
    Untangle Ninja jcoehoorn
    Join Date
    Mar 2010
    Location
    York, NE
    Posts
    1,964

    Default

    Quote Originally Posted by Mitch76010:
    There is no modem
    I have a optical line, that is connected to a passive media-converter, the media-converter is then directly connected to the WAN interface of my server.
    Nice. I have fiber at home, and I'm wondering about getting a fiber NIC and doing something similar.
    Five time Microsoft ASP.Net MVP managing a Lenovo RD330 / E5-2420 / 16GB with Untangle 16.5.2 to protect a 1Gbps fiber link for ~450 residential college students and associated staff and faculty
