Re: SRX5308 ProSafe Firewall - downstream running at slow speed, when Virgin Router in 'modem mode'

bluemercury · ‎2015-11-13

I'm aware that the issued listed for the current firmware (4.3.3-6) on our SRX5308 may be affecting us:

* Traffic is not following WAN upload or down load(higher one of them )speeds if the upload and down load speeds having large difference.

To summarise our problems, if the Virgin router connected to the WAN port is in router mode, we get a consistent 125 Mbps downstream speed. In modem mode, it drops to 15 Mbps. Up until 6 months ago, it was 125 Mbps downstream in both modes. I believe, post a firmware update, the problem came in. In both instances, the upsteam speed is 12 Mbps.

I have tested the Virgin router in modem mode with other firewalls and NICs, spoofing the MAC address used by the WAN port on the SRX5038. They work fine. I have reinstated our old FVX538v2 firewall as a stop gap, which is successfully downloading at 75 Mbps (I would guess its practical hardware limit) no issue, whilst maintaining the 12 Mbps upstream.

My question is, does anyone know of a beta firmware that might be fixing this problem, or indeed if Netgear support are reading, can you suggest where this problem resolution might be at?

Many thanks.

bluemercury · ‎2015-11-25

Hi DaneA.

Thanks again for your post.

Here is what I ultimately established (after doing all resets, etc, as promised).

I had been using the very commonly utilised speed test at www.speedtest.net in order to assess our broadband speeds. As you know, our Virgin line was connected up to our WAN2 port.

On visiting www.speedtest.net, it confirms you IP address and the ISP your connected with. This was coming up as the correct dynamic IP for our Virgin Line, and confirming that the broadband ISP was 'Virgin Media'.

On running the tests, typically on the SRX5308 I would get downstream speeds of no more than 17 Mbps, and upstream speeds of up to 12 Mbps. This indicated a great problem with our downstream bandwidth that should have been running at 125 Mbps. I have the ProSafe Firewall configured to forward all http (port 80) and https (443) to WAN2, no exceptions - so this should have been good enough.

What I discovered is that speedtest.net do not utilise port 80 or 443, but 8080 for at least their downstream tests. As there was no strict rule on the SRX5308 for this, the net result was the firewall actually forwarding the test traffic over our slower BT ADSL connection on WAN1, which tops out at about 17 Mbps. 99% of the time, it correctly sent the upstream test through WAN2 (giving us the 12 Mbps speed), but on very rare occasions it failed at this too, giving about 0.75 Mbps (this only happened very recently). For whatever reason, the load balancing on the SRX5308 must be slightly different to the FVX538, the latter largely sending the port 8080 traffic down WAN2, hence largely seeing correct readouts on this. Other tests I did had the Virgin line linked up as a single WAN option, so it always behaved, as it had nowhere else to send the traffic!

The red herrings along the way were:

1) When first noticing the test results, by coincidence the line was either running genuinely at a lower speed (perhaps some temp issues at Virgin) or the web server I was downloading files from was running at these lower speeds.

2) The issue listed in the SRX5308 change log file, which has turned out to not be relevant.

3) The FVX538 generally performing the test correctly, despite being configured identically to the SRX5308 (load balancing must just be tweaked differently internally).

4) speedtest.net not warning of the fact the actually Adobe Flash based test (you hit the 'begin test' button, and it does it's magic) doesn't inform you that the test is running on a different IP address to the one that the front end displays, i.e. it should have assessed the difference between the Virgin IP displayed, and the BT one it was actually testing (that would really make sense for them to implement).

5) Probably other things which I forget in the process!

Incidentally, the SRX5308 did not take well to applying the old firmware - had a lot of problems rebooting and getting it accessible successfully, and had to do many resets. I did manage it in the end, and upgraded it back to the most recent firmware as soon as it was playing ball. Might be advisable to tell people to be cautious when flashing an old version of the firmware, even if it was ultimately salvagable.

The speed test at www.thinkbroadband.com appears to use the conventional http ports, giving accurate speed test results everytime.

So basically, this is problem solved! I'm going to post my own answer as the answer, as it was something quite outside of anything being discussed on here - but I truly do appreciate your input and Bob's input in trying to help me solve this conundrum. Thank you both very much, and sorry to have wasted any of your time at all! 🙂

Many thanks,

Bobby

View solution in original post

DaneA · ‎2015-11-15

Hi @bluemercury,

Welcome to the community!

Let us isolate the problem. Kindly answer the questions below:

a. Have you tried using other WAN ports of the SRX5308 to isolate the problem?

b. Have you tried to perform a factory reset on the SRX5308 then reconfigure the settings from scratch?

@bluemercury wrote:

My question is, does anyone know of a beta firmware that might be fixing this problem, or indeed if Netgear support are reading, can you suggest where this problem resolution might be at?

With regard to this, I encourage you to contact NETGEAR Support then open a case to let them know about your experience with your SRX5308. System logs might be requested by NETGEAR Support to be anlyzed and your case might be escalated to the engineering team.

I look forward to your response.

Regards,

DaneA

NETGEAR Community Team

bob5244 · ‎2015-11-22

I am running this firmware on my SRX5308 with virgin media and get 150mbps down and 12mbps up with the super hub 2 in modem mode.

if you want to confirm settings with me I can let you know what I've got on my router if it helps

bluemercury · ‎2015-11-22

Hi Bob.

Really appreciate you sharing your experience. I believe our version of the SuperHub is version 1, so perhaps there is something in this? I have also wondered whether the SuperHub needs a firmware update, but then I wouldn't know and this doesn't seem to be an end user option (guessing Virgin push them out remotely). I was looking at buying our own cable modem, but I understand it is only Virgin modems that will work on the network.

I do have an older Virgin modem (that can't go higher than 100 Mbps), so I think I might connect this back up, and see what happens. I'm also going to get in touch with Virgin. Our SuperHub worked fine at full speed in modem mode up until earlier this year - with your info shared I'm now wondering whether it is partially faulty, and the Netgear firmware bug listed was a red herring....

Perhaps you could confirm the firmware version of your SuperHub, in case this information correlates with ours (even if they are different models). I'm going to see if Virgin can give us the latest hardware, and also will be talking to them about changing the service and getting a static IP as part of their business service now in our area. We have accepted their high price and not negotiated in a long time, so they owe us!

Many, many thanks for sharing 🙂

bluemercury · ‎2015-11-22

Hi DaneA,

Apologies - the Netgear forum doesn't appear to be informing me when people post replies. Is there a way I can switch that setting on?

Thanks for the welcome 🙂

In response to your questions, yes I believe (in the last few months) I have tried both of these. Certainly I've set the firewall up from scratch multiple times; I'm not 100% sure on trying the other WAN port, but I THINK I tried it in WAN3 instead of WAN2 (where it normally resides) some time back.

For completeness, I will attempt to repeat this excercise again tomorrow, outside of working hours.

I have also wondered whether it is worth downgrading the firmware to a time when this wasn't a problem - will the device allow me to do this? (I thinking of jumping back as far as a version 3 firmware, like that which is on the old FVX538 that is running for us at present).

Also, the issue I quoted from the current firmware warning - have I misunderstood what this means? Can you get tech support to qualify the issue further?

Many thanks 🙂

DaneA · ‎2015-11-23

Hi @bluemercury,

@bluemercury wrote:

Apologies - the Netgear forum doesn't appear to be informing me when people post replies. Is there a way I can switch that setting on?

You may do these steps:

a. Click your username then click on My Settings. Refer on the image below:

b. Click on Subscriptions & Notifications. Then, on the Notifications Settings page, kindly set the notifications you want and click Apply. Refer to the image below:

@bluemercury wrote:

In response to your questions, yes I believe (in the last few months) I have tried both of these. Certainly I've set the firewall up from scratch multiple times; I'm not 100% sure on trying the other WAN port, but I THINK I tried it in WAN3 instead of WAN2 (where it normally resides) some time back.

For completeness, I will attempt to repeat this excercise again tomorrow, outside of working hours.

This will help isolate the problem. Kindly post your observations and results.

@bluemercury wrote:

I have also wondered whether it is worth downgrading the firmware to a time when this wasn't a problem - will the device allow me to do this? (I thinking of jumping back as far as a version 3 firmware, like that which is on the old FVX538 that is running for us at present).

I think you may downgrade the firmware. I recommend that you perform a factory reset after a successful downgrade of the firmware then reconfigure it from scratch.

@bluemercury wrote:

Also, the issue I quoted from the current firmware warning - have I misunderstood what this means? Can you get tech support to qualify the issue further?

With regard to this, I encourage you to contact NETGEAR UK Support on this hotline number at anytime: 0843-4538000. Let them know your concerns with your SRX5308. System logs might be requested by NETGEAR Support to be anlyzed and your case might be escalated to the engineering team.

Regards,

DaneA

NETGEAR Community Team

bob5244 · ‎2015-11-24

Hi,

As I previously mentioned, I have the Superhub 2ac (in itself a Netgear product!) These are the versions:

Cable Modem EuroDOCSIS 3.0 Compliant

Boot Code Version PSPU-Boot 1.0.20.1391

Software Version V1.01.11

Hardware Version 1.03

General Configuration Network Access Allowed

Maximum Number of CPEs 1

Baseline Privacy Enabled

DOCSIS Mode EuroDOCSIS 3.0 Config File

Primary Downstream

Max Traffic Rate 168960000 bps

Max Traffic Burst 10000 bytes

Min Traffic Rate 0 bps

Primary Upstream

Max Traffic Rate 12600000 bps

Max Traffic Burst 16320 bytes Min Traffic Rate 0 bps

Max Concatenated Burst 16320 bytes

Scheduling Type Best Effort

In terms of my SRX5308 settings, on the WAN ISP page, I have:

Does Your Internet Connection Require a Login? No

Which type of ISP connection do you use? Blank, greyed out

IP address: Get dynamically

DNS Servers: OpenDNS servers

Connection reset: unticked

On the WAN ISP advanced page I have:

MTU Size: 1500 bytes

Port speed: autosense

Routers MAC address: Default

Failure detection method: none

Upload/Download Settings:

WAN Connection Type: Other

WAN Connection Speed Upload: 1Gbps

WAN Connection Speed Download: 1Gbps

Hope this helps in some way.

bluemercury · ‎2015-11-25

Hi Bob.

Many thanks indeed for so genourously sharing this info.

I have worked out the problem this evening and it is a laughable resolution, caused along the way by a number of Red Herrings.

I shall post this info now - it is neither Netgear or Virgin's fault!

Really appreciate you trying to help me 🙂

Bobby

bluemercury · ‎2015-11-25

Hi DaneA.

Thanks again for your post.

Here is what I ultimately established (after doing all resets, etc, as promised).

I had been using the very commonly utilised speed test at www.speedtest.net in order to assess our broadband speeds. As you know, our Virgin line was connected up to our WAN2 port.

On visiting www.speedtest.net, it confirms you IP address and the ISP your connected with. This was coming up as the correct dynamic IP for our Virgin Line, and confirming that the broadband ISP was 'Virgin Media'.

On running the tests, typically on the SRX5308 I would get downstream speeds of no more than 17 Mbps, and upstream speeds of up to 12 Mbps. This indicated a great problem with our downstream bandwidth that should have been running at 125 Mbps. I have the ProSafe Firewall configured to forward all http (port 80) and https (443) to WAN2, no exceptions - so this should have been good enough.

What I discovered is that speedtest.net do not utilise port 80 or 443, but 8080 for at least their downstream tests. As there was no strict rule on the SRX5308 for this, the net result was the firewall actually forwarding the test traffic over our slower BT ADSL connection on WAN1, which tops out at about 17 Mbps. 99% of the time, it correctly sent the upstream test through WAN2 (giving us the 12 Mbps speed), but on very rare occasions it failed at this too, giving about 0.75 Mbps (this only happened very recently). For whatever reason, the load balancing on the SRX5308 must be slightly different to the FVX538, the latter largely sending the port 8080 traffic down WAN2, hence largely seeing correct readouts on this. Other tests I did had the Virgin line linked up as a single WAN option, so it always behaved, as it had nowhere else to send the traffic!

The red herrings along the way were:

1) When first noticing the test results, by coincidence the line was either running genuinely at a lower speed (perhaps some temp issues at Virgin) or the web server I was downloading files from was running at these lower speeds.

2) The issue listed in the SRX5308 change log file, which has turned out to not be relevant.

3) The FVX538 generally performing the test correctly, despite being configured identically to the SRX5308 (load balancing must just be tweaked differently internally).

4) speedtest.net not warning of the fact the actually Adobe Flash based test (you hit the 'begin test' button, and it does it's magic) doesn't inform you that the test is running on a different IP address to the one that the front end displays, i.e. it should have assessed the difference between the Virgin IP displayed, and the BT one it was actually testing (that would really make sense for them to implement).

5) Probably other things which I forget in the process!

Incidentally, the SRX5308 did not take well to applying the old firmware - had a lot of problems rebooting and getting it accessible successfully, and had to do many resets. I did manage it in the end, and upgraded it back to the most recent firmware as soon as it was playing ball. Might be advisable to tell people to be cautious when flashing an old version of the firmware, even if it was ultimately salvagable.

The speed test at www.thinkbroadband.com appears to use the conventional http ports, giving accurate speed test results everytime.

So basically, this is problem solved! I'm going to post my own answer as the answer, as it was something quite outside of anything being discussed on here - but I truly do appreciate your input and Bob's input in trying to help me solve this conundrum. Thank you both very much, and sorry to have wasted any of your time at all! 🙂

Many thanks,

Bobby