Unusably slow Internet on Sunday mornings

(Jeremy Hein) #1

Our Internet connection slows to an unusable crawl on Sunday mornings when our 200+ guest devices get connected. I think it may be the router, but I’m not sure. I’d like any suggestions to troubleshoot our Internet sluggishness to verify if it is in fact the router, and/or suggestions for replacing our SonicWall NSA 250M. I’m leaning toward the WatchGuard M370 as it seems to offer a lot more performance at a much lower price than competitors like SonicWall and Fortinet, but there are lots of options and my experience is limited. Thanks!

(Chris Green) #2

What speed is your connection? The 250M is quite old and was never really built for today’s super-fast connections. It can definitely crumble under the load. The speed of your connection would be pretty important information in choosing the right firewall.

(Jeremy Hein) #3

100 down 20 up. It seems like it should be able to handle it.

(Joe Benson) #4

I would bet it’s the SonicWall. Unlikely the links are saturated, but good likelihood that the CPU is getting bogged down if you have lots of security services turned on. It should handle routing and ACLs in hardware, but things like IPS and AV usually happen in software on the CPU. I’d log in at your time of highest usage and go to the diagnostics page and check the CPU usage, and maybe the list of processes. https://www.sonicwall.com/en-us/support/knowledge-base/170505343601558

If you need to resolve the issue right away, you could try turning off all services except the firewall: Gateway AV, IPS, DPI, SSL decryption, whatever is turned on. If you’re CPU bound that should significantly improve performance. According to the spec sheet, you can only expect 130mbps throughput with DPI features on, and that’s the best-case laboratory conditions number. Real world could be a good bit slower.

(Jason Powell) #5

Recently, our old SonicWall at the remote campus dropped the live stream. Upon inspection, it showed we were hitting 10,002 connections when its max rating was 10,000 :)
So like Joe, I’d suspect you could just be hammering your SW.

(Greg Brenneman) #6

The posts could be right about the processor overload, rather than bandwidth itself. Something to try in the interim is to block OS updates during service times. We have done that and it greatly relieved bandwidth and firewall load. We have an NSA 3600 with 50 x 50 fiber internet, and up to 500 devices combining wired and wireless, and still have good performance.
You could have 100 or more phones start running OS updates when arriving on the network.

Another thing, we installed SonicWall Analyzer to assess network usage. If your pastors think everyone is sitting there using YouVersion, I have news for them. Snapchat is our 5th highest user of bandwidth on a typical Sunday morning. We also block proxy servers with firewall app rules to prevent users bypassing our filter. The wireless controller also turns off the wifi during the night, so someone does not get on public wifi during the night and try causing us trouble.

- Greg

(Jeremy Hein) #7

Thank you everyone for your feedback. I made a few changes according to SonicWall’s performance recommendations on their website, including disabling all UTM services except for content filtering, which is all I think we really need. I also downloaded Speed Test Logger and had it download a 20MB file every minute from our web host, and although the speed wasn’t always great, it didn’t seem all that bad either.

(Russ Taylor) #8

Simple quick solution - implement a Squid proxy onsite. This will off-load much of the 200 user traffic load as they will be accessing many of the same sites and content while on site. Should give you about a 10x performance boost (equivalent to a 1Gbit WAN connection) and will also give you the ability to limit the kind of content accessed if you add in DansGuardian.

(Norman Ho) #9

We use a WatchGuard M300 with 1 Gb internet fibre for one of our locations and it works very well.

(Jeremy Good) #10

We had similar issues when we had an NSA240 and it couldn’t handle the increased internet speed. It would get pegged at 100%. We switched to an NSA3500 and the CPU dropped to under 10% with everything on. The pricing does go up quite a bit though but you need what you need. The other option we tried before the upgrade was using two firewalls but that just got difficult.