
100Mbit firewall capping us at 10Mbit?

BrinkGG

Hello forum, 

So we finally gave up on our old isp, and switched to a 30/3 plan from 6/0.5...

Now, the problem is, we have a firewall on our network that is capping our speed at around 10mbit. (Netgear fvs318) 

When reading about the firewall, it claims that it can handle 100mbit throughput. I've updated the firmware, and it stays at the same speed. 

Help?

Fine you want the PSU tier list? Have the PSU tier list: https://linustechtips.com/main/topic/1116640-psu-tier-list-40-rev-103/

 

Stille (Desktop)

Ryzen 9 3900XT@4.5Ghz - Cryorig H7 Ultimate - 16GB Vengeance LPX 3000Mhz- MSI RTX 3080 Ti Ventus 3x OC - SanDisk Plus 480GB - Crucial MX500 500GB - Intel 660P 1TB SSD - (2x) WD Red 2TB - EVGA G3 650w - Corsair 760T

Evoo Gaming 15"
i7-9750H - 16GB DDR4 - GTX 1660Ti - 480GB SSD M.2 - 1TB 2.5" BX500 SSD 

VM + NAS Server (ProxMox 6.3)

1x Xeon E5-2690 v2  - 92GB ECC DDR3 - Quadro 4000 - Dell H310 HBA (Flashed with IT firmware) -500GB Crucial MX500 (Proxmox Host) Kingston 128GB SSD (FreeNAS dev/ID passthrough) - 8x4TB Toshiba N300 HDD

Toys: Ender 3 Pro, Oculus Rift CV1, Oculus Quest 2, about half a dozen raspberry Pis (2b to 4), Arduino Uno, Arduino Mega, Arduino nano (x3), Arduino nano pro, Atomic Pi. 


Depends on the cable and the NIC.

 

If you're getting 6/.5 then I don't see why it matters anyway. It's less than 10.

Laptop: Thinkpad W520 i7 2720QM 24GB RAM 1920x1080 2x SSDs Main Rig: 4790k 12GB Hyperx Beast Zotac 980ti AMP! Fractal Define S (window) RM850 Noctua NH-D15 EVGA Z97 FTW with 3 1080P 144hz monitors from Asus Secondary: i5 6600K, R9 390 STRIX, 16GB DDR4, Acer Predator 144Hz 1440P

As Centos 7 SU once said: With great power comes great responsibility.


Depends on the cable and the NIC.

 

If you're getting 6/.5 then I don't see why it matters anyway. It's less than 10.

he said from 6/.5 to 30/3

 

 

So we finally gave up on our old isp, and switched to a 30/3 plan from 6/0.5...

 

 

Anyways, what are you inspecting? Firewalls lose performance based on what they have to inspect. The more traffic you inspect, the harder the firewall has to work in order to do so. Capping at 10 doesn't sound like this. It sounds like there is a bandwidth limit set in the firewall. I am not familiar with Netgear specifically, but for most it is called "BWM" or bandwidth management. This is typically used to control flow, such as streams limited to 10mb, downloads to 20%, so on and so forth. According to a 10 sec Google search, it looks like something called a bandwidth profile. See Reference: https://community.netgear.com/t5/VPN-Firewalls/FVS318G-MAC-bandwidth-limit/td-p/398494


Oh my god that is old! :D I installed some of those about 10 years ago.. It's almost like seeing an old floppy disk :D

Change it to a Ubiquiti EdgeRouter or a Juniper SRX or even a Dell SonicWall - you don't want your firewall to be slowing your traffic down too much..

 

Also - it might just be that the WAN port is set to 10mbit - try checking that in the GUI or the CLI. 


I think I'd toss the firewall and get some new gear. But before blaming the firewall, if you connect a computer directly to your ISP's POP, do you achieve the full 30mbps?


Oh my god that is old! :D I installed some of those about 10 years ago.. It's almost like seeing an old floppy disk :D

Change it to a Ubiquiti EdgeRouter or a Juniper SRX or even a Dell SonicWall - you don't want your firewall to be slowing your traffic down too much..

 

Also - it might just be that the WAN port is set to 10mbit - try checking that in the GUI or the CLI. 

The WAN port is set at factory default (100Mbit), nothing there.

 

I think I'd toss the firewall and get some new gear. But before blaming the firewall, if you connect a computer directly to your ISP's POP, do you achieve the full 30mbps?

Yes. 

Wired test from the firewall. http://www.speedtest.net/my-result/4669116907

Wired test on the ISP's box. http://www.speedtest.net/my-result/4671168035


he said from 6/.5 to 30/3

 

 

Anyways, what are you inspecting? Firewalls lose performance based on what they have to inspect. The more traffic you inspect, the harder the firewall has to work in order to do so. Capping at 10 doesn't sound like this. It sounds like there is a bandwidth limit set in the firewall. I am not familiar with Netgear specifically, but for most it is called "BWM" or bandwidth management. This is typically used to control flow, such as streams limited to 10mb, downloads to 20%, so on and so forth. According to a 10 sec Google search, it looks like something called a bandwidth profile. See Reference: https://community.netgear.com/t5/VPN-Firewalls/FVS318G-MAC-bandwidth-limit/td-p/398494

The firewall is at factory defaults except for site and IP blocking. So "BWM" is not being used. I checked the console to confirm. 


The WAN port is set at factory default (100Mbit), nothing there.

 

Yes. 

Wired test from the firewall. http://www.speedtest.net/my-result/4669116907

Wired test on the ISP's box. http://www.speedtest.net/my-result/4671168035

 

Yeah, I'd look at a new router at that point. Something like a Netgear R7000 might feel strangely familiar and give you the performance you need.


Yeah, I'd look at a new router at that point. Something like a Netgear R7000 might feel strangely familiar and give you the performance you need.

We already have a router, and wireless AC. This only needs to be a firewall. So getting a r7000 wouldn't make much sense. What about the gigabit version of the 318?  (Fvs318g)


We already have a router, and wireless AC. This only needs to be a firewall. So getting a r7000 wouldn't make much sense. What about the gigabit version of the 318?  (Fvs318g)

 

What router do you have? Have you tried using that thing?

 

The FVS318 or the FVG318 are poor firewalls from a security perspective as they're not stateful, and are limited in terms of NAT configurations, and other features you'd expect in a dedicated firewall appliance. I'd imagine that an off the shelf router would perform the same task without increasing security risk. 


Most off the shelf consumer and small business routers I've seen have a stateful firewall built in anyway, on top of the fact that NAT is decent protection in and of itself.

Looking to buy GTX690, other multi-GPU cards, or single-slot graphics cards: 

 


-snip-

 

That's a really big investment, especially Juniper and Dell. As for the FVS, I've had one before and that thing could run 100 Mbps without a sweat.

First thing that comes to mind is the interface speed.

 

@Brink2Three elaborate on the setup you are running. Do you have any rules setup?


That's a really big investment, especially Juniper and Dell. As for the FVS, I've had one before and that thing could run 100 Mbps without a sweat.

First thing that comes to mind is the interface speed.

 

@Brink2Three elaborate on the setup you are running. Do you have any rules setup?

                                                              Wired 100Mbit switch > storage server, 2 Desktops, 1 Laptop

ISP router > Netgear Fvs318 (Split) <>

                                                              Netgear N600 (http://www.netgear.com/home/products/networking/wifi-routers/WNDR3400.aspx) to 10 or so devices


                                                              Wired 100Mbit switch > storage server, 2 Desktops, 1 Laptop

ISP router > Netgear Fvs318 (Split) <>

                                                              Netgear N600 (http://www.netgear.com/home/products/networking/wifi-routers/WNDR3400.aspx) to 10 or so devices

 

Back up the config and reset the FVS. Set up only basic stuff and make sure all interfaces are on auto negotiation. Test the speeds. If you get speeds near what you pay for, then rebuild the config. If not, it's time to upgrade. Most firewalls that are in the FVS318 range cost $200+. For a low cost replacement, consider Mikrotik hEX. If you are willing to spend more, consider @InVis's suggestion.


Try passing all your traffic through the N600 directly, get rid of the FVS318. From a firewall perspective, the FVS318 doesn't do anything additional, not already included in the N600.

 

 

Most off the shelf consumer and small business routers I've seen have a stateful firewall built in anyway, on top of the fact that NAT is decent protection in and of itself.

 

 

I don't think you're correct on most small business and consumer routers having a built in stateful firewall. Jumping up to a UTM appliance by Juniper, SonicWall, Cisco, Palo Alto, and then you get those features, but not a $200 consumer router. Also, NAT has very little to do with security, just how information flows.


Try passing all your traffic through the N600 directly, get rid of the FVS318. From a firewall perspective, the FVS318 doesn't do anything additional, not already included in the N600.

 

 
 

 

I don't think you're correct on most small business and consumer routers having a built in stateful firewall. Jumping up to a UTM appliance by Juniper, SonicWall, Cisco, Palo Alto, and then you get those features, but not a $200 consumer router. Also, NAT has very little to do with security, just how information flows.

I might be wrong about what things do or don't have a stateful firewall, but if you can get DD-WRT running on something, then that will include a stateful firewall :) But my understanding is that most consumer routers use iptables, which is capable of stateful packet inspection (that's how DD-WRT and Mikrotik do it).

 

While NAT isn't something designed for security, it does add a layer of security. Say you get a virus/trojan/etc that listens on a port on your computer - outside traffic from a CnC server won't be able to reach a computer behind NAT (unless it's also running UPnP). I'm not saying it is a replacement for a firewall, but there are actually similarities between a properly configured stateful firewall and NAT in that NAT doesn't allow inbound packets that aren't part of an existing socket or bound for a service that the administrator wants to be public.

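The comparison made in the last post, as an added example that is not part of the thread: a small Python model of a stateful firewall's flow table next to a port-translating NAT's mapping table, showing which inbound packets each one admits. The class names, ports and addresses are constructed for illustration, and the NAT is assumed to filter on remote address and port; NAT devices with looser filtering exist and would accept the "wrong peer" packet.

```python
from collections import namedtuple

# Constructed sample packets; addresses come from private/documentation ranges.
Pkt = namedtuple("Pkt", "src sport dst dport")

class StatefulFirewall:
    """Tracks outbound flows; admits inbound only as a reply to one (no NAT)."""
    def __init__(self):
        self.flows = set()
    def outbound(self, p):
        self.flows.add((p.src, p.sport, p.dst, p.dport))
    def inbound(self, p):
        # A reply is a tracked flow with source and destination swapped.
        return (p.dst, p.dport, p.src, p.sport) in self.flows

class Napt:
    """Port-translating NAT, address-and-port-dependent filtering (assumed)."""
    def __init__(self, public_ip):
        self.public_ip, self.next_port = public_ip, 40000
        self.dynamic = {}   # (public port, remote ip, remote port) -> inside (ip, port)
        self.forwards = {}  # public port -> inside (ip, port); admin- or UPnP-created
    def outbound(self, p):
        self.next_port += 1
        self.dynamic[(self.next_port, p.dst, p.dport)] = (p.src, p.sport)
        return Pkt(self.public_ip, self.next_port, p.dst, p.dport)
    def inbound(self, p):
        """Return the inside (ip, port) the packet reaches, or None if dropped."""
        if p.dst != self.public_ip:
            return None
        return self.dynamic.get((p.dport, p.src, p.sport)) or self.forwards.get(p.dport)

def demo():
    host, web, stranger = "192.168.1.10", "203.0.113.80", "198.51.100.66"
    fw, nat = StatefulFirewall(), Napt("192.0.2.1")
    out = Pkt(host, 51000, web, 443)
    fw.outbound(out)
    wire = nat.outbound(out)  # the translated packet as seen on the WAN side
    results = {
        "fw_reply": fw.inbound(Pkt(web, 443, host, 51000)),
        "fw_unsolicited": fw.inbound(Pkt(stranger, 443, host, 8080)),
        "nat_reply": nat.inbound(Pkt(web, 443, wire.src, wire.sport)),
        "nat_unsolicited": nat.inbound(Pkt(stranger, 443, wire.src, 8080)),
        "nat_wrong_peer": nat.inbound(Pkt(stranger, 443, wire.src, wire.sport)),
    }
    nat.forwards[8080] = (host, 8080)  # the kind of entry a UPnP mapping adds
    results["nat_after_forward"] = nat.inbound(Pkt(stranger, 443, wire.src, 8080))
    return results
```

Once the port mapping exists, the same unsolicited packet that was dropped is delivered to the inside host, which is why UPnP-created mappings are worth auditing on any device relied on for inbound filtering.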
