One often-overlooked limiter of Internet connection speeds is the firewall. When you test your connection speed, you’re doing it through the firewall, of course, but unless you take a close look at the firewall itself, you won’t know whether the limitation is your ISP, or the firewall itself. To make matters even more confusing, your firewall’s capacity varies with the type of Internet traffic.
You probably looked at the firewall’s specs when you bought it, and picked a firewall that had plenty of overhead compared to your Internet connection. I do that, too. In fact, I did a thorough evaluation of the Sonicwall 250M’s specs when I upgraded my Internet connection to a 50 Mb/s AT&T IPFlex one, and thought that I had plenty of capacity. Turns out, I have only enough capacity to support 20 or 30 Mb/s either up or down, and half that when I’m doing both.
Why are the specs so misleading? To start with, they probably don’t reflect your situation. As the saying goes, “There are lies, damn lies, and benchmarks.” Also, it looks like in Sonicwall’s case, the specs are pretty optimistic — downhill with a tailwind, so to speak. That’s probably because the marketing folks think that prospective customers will be using the specs to decide whether to purchase a Sonicwall or a competing product. I’m not sure that’s the case for most people; I know that I’ve only looked at the specs to see which Sonicwall to buy.
Another thing to know about the specs is that the capacities for each type of traffic are measured with no other traffic present. Therefore, you can’t add up the specified performance numbers. In fact, probably because of context-switching overhead, the Sonicwall firewalls’ performance carrying a mix of traffic seems to be less than you’d think by looking at each type of traffic in isolation.
Most Internet users find that their traffic is asymmetrical: there’s a lot more downloading than uploading. However, adding cloud backup to the mix changes that, since its traffic is also asymmetric, but with a reverse bias. So now you have to think of your 50 Mb/s connection as a 100 Mb/s connection, with half of the capacity down, and half up.
At this point, I don’t trust the Sonicwall specs at all, in any absolute sense. I do trust that they are a reasonable way to compare two Sonicwall firewalls. Perhaps my confidence is misplaced, but I don’t think that Sonicwall is actually lying about the capacity of their devices, just presenting them in the best possible light.
From the above numbers, you can see that my current NSA 250M is under the capacity that I need to fully use my Internet connection by a factor of three.
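To make the sizing argument above concrete, here is a small capacity-planning model. It is an added example, not code or a formula from the original post or from Sonicwall: the spec-sheet throughput figures and the traffic mix in it are constructed, and the rule used to combine per-traffic-type figures (each traffic type consumes a share of a single CPU budget, so the mix behaves like a weighted harmonic mean of the isolation figures, minus an assumed context-switching penalty) is an assumption made here, not a vendor formula. What it shows is why the per-type numbers cannot simply be added, and why the firewall has to be sized against the link's download plus upload rate.

```python
"""Capacity-planning model for a firewall in front of a full-duplex WAN link.

Added example (not from the post). Spec figures, traffic mix and the
combination rule are all assumptions constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Link:
    down_mbps: float
    up_mbps: float

    @property
    def aggregate_mbps(self) -> float:
        # A full-duplex link can be saturated in both directions at once,
        # so the firewall must carry down + up, not just the headline rate.
        return self.down_mbps + self.up_mbps


def mixed_capacity(isolated_mbps: dict[str, float],
                   mix: dict[str, float],
                   mixing_penalty: float = 0.0) -> float:
    """Estimate throughput for a traffic mix from isolation figures.

    isolated_mbps: {traffic_type: throughput measured with only that traffic}
    mix:           {traffic_type: fraction of total bits}; must sum to 1
    Model (assumed): each megabit of type t costs 1/isolated_mbps[t] units of
    CPU time, so the aggregate capacity is 1 / sum(f_t / c_t): the weighted
    harmonic mean. It can never exceed the fastest single type and is far
    below the sum of the figures. mixing_penalty (0..1) removes an extra
    fraction to stand in for context switching between inspection paths.
    """
    total = sum(mix.values())
    if abs(total - 1.0) > 1e-9:
        raise ValueError(f"mix fractions must sum to 1, got {total}")
    if not 0.0 <= mixing_penalty < 1.0:
        raise ValueError("mixing_penalty must be in [0, 1)")
    cpu_per_mbit = sum(frac / isolated_mbps[t] for t, frac in mix.items() if frac > 0)
    return (1.0 / cpu_per_mbit) * (1.0 - mixing_penalty)


def headroom(capacity_mbps: float, link: Link) -> float:
    """Ratio of estimated firewall capacity to worst-case link load (>1 is enough)."""
    return capacity_mbps / link.aggregate_mbps


def plan(isolated_mbps: dict[str, float], mix: dict[str, float],
         link: Link, mixing_penalty: float = 0.0) -> dict[str, float]:
    """Summarise naive (summed) vs modelled capacity against the link."""
    naive = sum(isolated_mbps.values())
    modelled = mixed_capacity(isolated_mbps, mix, mixing_penalty)
    return {
        "required_mbps": link.aggregate_mbps,
        "naive_sum_mbps": naive,
        "modelled_mbps": modelled,
        "headroom": headroom(modelled, link),
    }


# Constructed spec-sheet style figures (Mb/s, each measured in isolation).
SPEC = {"stateful": 600.0, "ips": 200.0, "gateway_av": 100.0}
# Constructed traffic mix by share of bits.
MIX = {"stateful": 0.5, "ips": 0.3, "gateway_av": 0.2}
LINK = Link(down_mbps=50.0, up_mbps=50.0)

if __name__ == "__main__":
    for key, value in plan(SPEC, MIX, LINK, mixing_penalty=0.1).items():
        print(f"{key:>16}: {value:8.1f}")
```

With the constructed figures the three spec numbers add up to 900 Mb/s, but the model gives about 231 Mb/s for the mix (208 Mb/s after a 10 % mixing penalty), which is roughly 2x the 100 Mb/s a fully used 50/50 link needs. Replace SPEC with the isolation figures from your own vendor's sheet and MIX with what your monitoring shows to get a more honest headroom number than the headline spec.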
Sonicwall provides the following comparison chart on their website:
The left circled column is for the NSA 250M, and the right circled column is for the NSA 3600. You can see that the 3600 provides on average three or four times the performance of the 250M. You can also see how much bigger than 50 Mb/s all the numbers are. The firewall in the column between the two circled columns, the NSA 2600, might have done my job, but I didn’t want to take the chance.
I ordered an NSA 3600. Dell gave me a discount since I’d originally ordered a device that wouldn’t cut the mustard. I’ll have it next week, and I’ll report on how the installation goes, and whether it fixes my capacity limitations.
Let me finish this post by looking at the performance of my present firewall, the NSA 250M. The Sonicwall OS for this device provides some nice graphical performance monitoring tools, and I’ll show you some screen shots. You may not have a Sonicwall product, but I suspect that competing firewalls from other manufacturers have similar displays.
Here’s a graph that shows how download speed can affect upload speeds. There is an upload taking place at a little over 3 Mb/s to Dropbox, and a download from Microsoft Windows update comes along, uses up all the CPU cycles, and slows down the upload. In Sonicwall terms, for the interface that I’ve told it to monitor, Egress traffic is uploading, and Ingress traffic is downloading.
You can see that I don’t get all 50 Mb/s from Microsoft. That’s because the CPU load is pinned. That’s not to say that I’d get 50 Mb/s from them if the CPU weren’t maxed out, but the only way to find that out is to try again with a more capable firewall.
You might wonder why I think I’m getting the full 50 Mb/s from AT&T. I have a sacrificial computer, appropriately named Lamb, that I use on the WAN side of the firewall from time to time. When I use that machine to go to the Verizon speed test site, I always get 49+ Mb/s up and 49+ Mb/s down.