Let's talk about Raw speed vs Security, Safety and QOS

BreakingDad

Very Senior Member
So I have now 500 down / 36 up from my ISP. I can just about achieve this with Skynet / Trend Micro and QOS all disabled. But now I'm not as safe and my bufferbloat goes up, with the possibility of lag when the family is watching Netflix or Torrenting.

I put them all back on, speed now varies, even as low as 250/36, usually around 280 sometimes higher up to 360 maybe, safer though, when my son clicks on a bad gaming site it gets blocked. No noticeable lag when gaming, static ping around 35-41 on my game of choice. Firewall is blocking those nasty port scans. All good. I assume the missing bandwidth is still "there" for others to use on the network.

Let's discuss the pros and cons and your own experiences or advice? I think I'm preferring the network with all the safety and qos on with the raw speed reduction. Cat 8's on order to replace Cat 6 soon.
 
Security first and always. If it works, use it and forget about it. Solve the problems you have to solve.

OE
 
I have a 200/10 plan. My router is the Dream Machine (Base). I have QOS enabled. For Threat Management I have IDS turned on at level 3 (a balance between performance and security). IDS mode just alerts rather than blocks. The Dream Machine should have no problem even at max security keeping up with my 200/10 plan; it's rated for 850+.

I am still experimenting with setting the QOS limits and balancing the A/A+ on buffer bloat, however, I typically will still hit the maximum of my plan when downloading large files (games).

There are only two people in my house, so performance is not the concern. The bigger concern is having a stable connection, as the better half of me always alerts me to when the network drops for whatever reason.
 
It's a lot to unpack.

First, what's the problem you're trying to solve (I always ask this). Are any of your services degraded? Doesn't sound like it, even with everything 'on'.

Second, when it comes to 'security and privacy' that's a huge topic, it's pretty much all 'grey' there is no black and white. It's a sliding scale.
What are you trying to be secure from first of all? What is enough? Does Skynet alone significantly reduce your performance? Which of the services do you feel provide the right level of 'security' for you? Are there other options, such as DNS servers that filter results based on blacklists, that could get you to a point where your performance is higher, and security is still acceptable, without putting everything on the router? What about adding a pihole to your network?

Finally, price vs. performance. If you're on a consumer product (we can argue about 'pro-sumer' etc) what is a reasonable expectation for price vs. performance? The same goes for your internet upper limit. I hardly ever hit mine, even though I could with my setup. Does that actually mean I have a problem?

If everything works the way I want, and the throughput is lower than the possible max, but it's not impacting what I actually want to do, how much time am I willing to deal with the 'problem'?

Big topic, much of it is subjective, but certainly an interesting discussion that a lot of folks are dealing with.

My hope is that some of the questions will help lead in the direction of an acceptable setup for you :)

Best of luck!
 
There is no problem firstly, I just enjoy optimising I guess. Services degraded - No, even with everything on just a loss of Max Speed on speed tests. I've given up some privacy, based on security just by using Trend Micro. I think it is impossible to have both; if a company is providing security then in exchange they are taking some privacy.

What am I trying to be secure from - just the usual, scams, viruses, any/other malicious attacks. I primarily use the ISP DNS for the kids, as it has the full adult blocking. I use 9.9.9.9 for the adults in my house so they are free to gamble or look at any other sites that may be considered adult. I have 2 young teenage children and 1 adult child and a pet dragon, sorry wife. I understand 9.9.9.9 to be fairly safe on the privacy issue. I already have pi hole, and what a great tool that is. I use Skynet as a firewall as it's blocking all those scans before they even get to the router. I'm also using all the Trend Micro tools for malicious websites etc.

You say you hardly ever hit your peak performance, I guess that feels to me like you are not getting what you pay for, even though I know if I connect 1 device only or turn off all the security and qos I hit the max. Overall I agree with you, there is no problem, just an interesting discussion.
 
I do enjoy these discussions, even though they hardly lead to any 'consensus'.

It does sound like we have similar setups. I run 2 piholes that are also pointed at a DNS that filters malicious sites utilizing DoT for privacy (I am trusting the DNS provider in this case). And then Skynet on the router as a SPI with blacklists.

As for throughput, I use it all _at times_ but more important to me is that I have headroom. Given the current situation, with 2 people in IT roles who are working from home, on calls, video calls, screen sharing, watching stuff online (we don't always work the same hours), it's important that I have the capacity I need at peak time.
This is basically the 'mall parking lot at Christmas' situation, i.e. I only need that capacity now and then, but when I need it I'm not willing to sacrifice.

Long way to get here, but the key thing for me is: Where to utilize VPN.
  1. It's the highest impact on my router performance
  2. I'm leaving it on the endpoint and using it when I need to, instead of an 'always on' VPN through the router
  3. There are apps that are not going through VPN (Roku, playstation) and I'm not worried about them or my provider seeing that I watch Netflix or log into the playstation network
I think the VPN piece is actually the most interesting because I know some providers filter traffic or use traffic shaping more than others, and VPN is key for some folks to get good usage out of their purchased package. Mine doesn't seem to, and my throughput over VPN from inside my network is within 10% of my max throughput, so I just run it from there and it works great _for me_ :)

Interesting discussion, will be watching to see if you hear something from others in this thread that would make you change your setup in any way.
 
Although I have a VPN service locally on this PC, and could connect it to my router, I don't. I only ever switch it on when I am downloading off torrent so I don't get one of those letters from my ISP informing me that piracy is illegal. Not that I would ever download a copy of a movie! :) Purely freeware stuff, of course! Oh, I have also used it to open accounts overseas for certain online services that are cheaper in another country like India or Turkey than they are in the UK; grey area, that one.

Right now I am getting 333 download tested directly on my router, with all the services I use on. Upload is maxed out. I did get 465 out of it last night by turning everything off, and 505 when it was just me on a laptop. I also get triple A on dsl reports. I can do A+ A A+ by disabling Trend and Skynet. I've had no complaints about the dreaded lag from the kids though, and everyone is safe, so going to leave it as is for now.
 
So I did some more testing last night, doing speed tests with individual services on and off. It turns out that CakeQOS was the root cause of my speed drop. Although I set it to 500 / 36, it made no difference; I was only getting about 250/36 download. Not much better than when I was paying for a 200/36 service. I uninstalled Cake and put flex back on and boom, I'm now getting 465-520/36. My bufferbloat test is worse, but I can live with that. I had no lag whatsoever last night while gaming; again, it remains to be seen if I will lag when the kids start downloading with flex.
 
@breakdad I read in another thread where people were suggesting leaving QOS off completely for faster connections. Have you tried just running without?
 
I used to do that on my RT-N66U, but every time my son downloaded on the xbox my ping went up. All good right now with flex, so going to see how it goes.
 