Firewall Egress Rule slows upload speed!
  • Hi,

    I have rules set up to allow only ports (80, 443, 3389, 21, 53) outbound - this works perfectly and I get internet access and my download speed is OK, but my upload speed is cut in half and my ping times go up.

    Any idea what's causing this?

    Test 1: speed test done with the rule to allow all traffic and any protocol to all destinations, and I get 100Mbps/100Mbps - overhead

    Test 2: speed test done with the rules to allow only (80, 443, 3389, 21, 53) destination ports, and I get 100Mbps/50Mbps - overhead

  • I assume by egress rule, you mean an ingress rule on your LAN interface? Could you post the rules and other info about your network?


  • LAYER 8 Global Moderator

    Are you testing to the same server?  Why did your download jump to 121 vs 99, and your ping time went from 13 to 19??

    Traffic to speedtest is going to be 80, and ICMP - so you're also allowing ICMP I take it ;)  So you ran these tests multiple times and they are repeatable? Because it makes no sense.  Do you have other traffic going on during your tests? Be it allowed or blocked?



  • OK… Here's the breakdown, and sorry, I meant ingress.

    • I have 1Gbps WAN up/down
    • 10 VLANs on a 10Gbps

    Each VLAN is 100Mbps up/down

    If I allow IPv4 * * * * I get 100Mbps up/down with no issues

    If I only allow ports (80, 443, 3389, 53 and 21) and ICMP, I get 100Mbps down but only 50Mbps up

    I can reproduce this issue at all 10 locations on the VLAN interface. If there's no ingress filter I get 100Mbps/100Mbps - overhead.

    These tests were done after hours, and we have a fiber connection between each site that can burst to 200Mbps if needed.

    Thanks for the replies

  • Any help please


  • LAYER 8 Global Moderator

    And where are you testing to on speedtest.net?  You do understand they normally use 8080 as the port for testing..  If you have only 80 open, then it is prob using some other test method that maybe can not handle 100mbps up?

    And by the way, your 3rd rule there is pointless..  You're allowing traffic to the same network as your source..

    Add 8080 to your rule; what does it do now?  Also you say this is repeatable - so you get the same results at multiple test sites?  Let's see, off the top of my head: testmy.net, speedof.me, netalyzr.icsi.berkeley.edu, plenty of others as well
