Thanks for your idea. I have added an FTP server in the diagram for
illustration. There is no doubt that http proxy will affect performance to
some extend. Here is a summary of the policy on Watchguard FB3 1000:
1. HTTP Proxy - for outbound only; created on the advice of WG technical
support to secure internal LAN
2. HTTP - for inbound; NAT to webserver in DMZ
3. Outgoing - from internal LAN to any
4. FTP - outbound from internal to any
The rest of them are quite standard. We have different WG technicians
review it at different time. No problems found. Let's look at the network
set up and some findings:
FTP Server (using a public IP for
testing)
|
Internet -- DSL Modem -- Mini-Sswitch -- Watchguard Firebox III model
1000 -- LAN1 (very slow!!!)
|
Netgear/Linksys/DLink Router --
LAN2 (very fast)
1. An FTP server is set up for trouble-shooting this performance issue. It
is connected to the same mini-switch as the external interfaces of WG and
Netgear.
2. FTP server, WG ext interface, Netgear ext interface all have public IP's.
3. Users at LAN1 found that when they use WG as DG to go to the Internet,
performance is not good. Using FTP to log on to any Internet site and
download files,
you can get 240Kb/sec at most. We have tried both FTP & HTTP for
downloading, results are consistent. By FTP, I mean going to the command
prompt and starting up FTP session.
4. Users at LAN2 found that when they use Netgear as DG to go to the
Internet, performance is much better. Using FTP for downloading files, they
can get over 450Kb/sec of transfer speed.
5. Surprisingly, LAN1 get a very good download speed when they FTP to the
FTP Server attached on the mini-switch. They get over 8,000Kb/sec of
throughput. LAN2, using Netgear, can go up to 800Kb/sec only. Maybe
because the Netgear ext interface is only a 10-based port.
What I don't understand is why FTP transfer between LAN1 and the Internet is
much slower than the Netgear. However, if it does not go out to the
Internet but just connect to the test server - the FTP server set up before
DSL modem, LAN1 can get a good performance. I don't see proxy filtering can
be an issue here. First of all, we have not applied the filter for
outgoing. Secondly, even if filtering exists, when it has no adverse effect
for the traffic to the test server.
Cheers,
Joe
> It all depends on what rules you are using. The performance of a Proxy
> filter is going to be slower than a non-proxy filter. The Proxy filter
> does much more than just NAT.
>
> Setup a test using routed mode - 1:1 mapping, like your router would,
> and you'll find that it's just as fast. Each rule that you use takes a
> little horse power, and Proxy rules take the most.
>
> I have a 3mbps/2mpbs connection to the internet, I use a Firebox II
> unit, and I use the Proxy filters for security reasons. I get about
> 380KBytes/sec on HTTP connections.
>
> You should include what port/protocol you used when testing - was it
> HTTP?
>
> --
> --
> (E-Mail Removed)
> (Remove 999 to reply to me)
Similar Threads
Linear Mode
