RT2600ac AT&T Fiber Gigabit Ethernet--Massive Upload Speed Loss

[johntdavis]

Hello!

I just got AT&T Fiber 1 gigabit/sec internet installed. With my computer connected directly to the internet, I'm getting amazing speeds with the Google Fiber Speed Test.
DOWNLOAD
944 Mbps

UPLOAD
1245 Mbps

When I add the RT2600ac to the mix, things do not go so well. I've got Threat Prevention and Traffic Control disabled on the RT2600ac.
DOWNLOAD
930 Mbps

UPLOAD
581 Mbps

That upload number is high. Usually it's around 550 Mbps.
I should mention as well that before I switched, I had 35Mbps down provisioned from Spectrum (cable internet) and routinely hit that without a problem. Whatever throttling is going on appears to only be an issue with upload speeds in excess of 500 Mbps or so.

I'm certainly not freaking out about this--I have plenty of upload right now, but I'm curious: Is this a known issue? Is there something I need to tweak in SRM? Or is it just a limitation of the hardware? (I mean, Synology would have been perfectly reasonable to assume no one in their customer pool had upload speeds in excess of 500 Mbps in 2017 when this thing was new...)

Thanks!

 

[fredbert]

Do you have any other features enable on the router? Safe Access; anything that may apply inspection to outbound requests. Logging and system DB to slow storage? I don't have any answers but this is what I'd look at.

 

[johntdavis]

Do you have any other features enable on the router? Safe Access; anything that may apply inspection to outbound requests. Logging and system DB to slow storage? I don't have any answers but this is what I'd look at.

Safe Access and logging (for purposes of bandwidth usage reports) are both enabled.

It had not occurred to me that these could be a problem. Thanks, @fredbert !

(I'd be surprised if those were the culprits. I didn't imagine them being such intensive scans as to slow uploads down that much. Curious that it doesn't also impact downloads, as well.)

How valuable do you consider Safe Access? I wouldn't be opposed to turning it off permanently. It only ever seems to give me a warning on sites I know are safe that are just having SSL certificate issues. More often than not, the sites it flags aren't ecommerce sites or ones where I'd have a login/password, so the status of the SSL certificate doesn't matter to me.

 

[fredbert]

How effective Safe Access is at blocking unwanted content is somewhat difficult. It may be silent for some things but I haven't fully looked.

More generally these features can include various mechanisms:

• User/device specific access control to stop requesting unwanted content: e.g. URL filtering and download blocking
• Malware interception
• Potential malware sandboxing
• Domain reputation tracking: e.g. reputation can be affected by rapid DNS server reassignments, reputation of other domains on the same DNS servers, registration records of other owned domains... basically, reputation based on the company it keeps and how it behaves.
• Shared info on 'good' domain/site/shared server having served compromised content.

There's other things but there're many mechanisms that protect the user/client from accessing content that should otherwise be seen as safe. Consider them like this:

1. The URL filter and anti-malware features set what's permitted just like a firewall that sets the basic ingress/egress policy of permitted traffic.
2. The sandboxing of items and reputation analysis of domains is like adding Threat Prevention to the firewall so that what would normally pass the policy will now be blocked.

How much of this is done by Safe Access? Not sure. But it does integrate Threat Intelligence Database and Google Safe Browsing to whatever level of URL [Web] filtering you've set.

It only ever seems to give me a warning on sites I know are safe that are just having SSL certificate issues

Mostly I get these warnings from the web browser than Safe Access.

When it comes to Safe Access raising an alert to the user it responds with a warning page. Here the user has to set trust of the router's SSL certificate for all domains because the web browser gets a mismatch of domain requested and secured by SSL cert. for a different domain. Maybe this is what you have experienced?

One thing we've seen is small e-commerce web sites being hosted in virtualised cloud services. Sometimes there must have been a dodgy site that has also been hosted in this environment and then that gets picked up in the threat/reputation databases and affects the other shops. I've had to whitelist a few of these small shops in Safe Access.

 

[johntdavis]

Thanks for that detailed reply, @fredbert . I'm still studying it.

Slight update: I've disabled Safe Access and Threat Prevention via Package Center on the RT2600ac. No improvement.

Tonight, I'm going to remove the router from the equation but leave my switch in place. If I get the correct speeds at that point, I'll have confirmed it is indeed the router.

I'm pretty confused; I saw some reddit posts from a couple years ago indicating people were having no problem with synchronous 1Gbps up/down connections.

 

[fredbert]

Tonight, I'm going to remove the router from the equation but leave my switch in place. If I get the correct speeds at that point, I'll have confirmed it is indeed the router.

You'll be the go-to expert

Could check that the switch isn't the problem. I found what I think is your equivalent thread in Reddit which has more info. regarding using 10 Gbps between Mac Mini and switch. The MM can be used with 1 Gbps so could be directly connected to the router to test.

I'm pretty confused; I saw some reddit posts from a couple years ago indicating people were having no problem with synchronous 1Gbps up/down connections.

I'm rubbing along at 200/20Mbps so can't help on that score.


It hasn't been too long ago that expensive business-grade firewalls couldn't handle (reliably) 1 Gbps, well not without a 5 figure price tag before adding maintenance subscriptions. The rule being to take the vendor figures and assume 30% is the real world performance.