This summer Fibre To The Premises (FTTP), sometimes known as Fibre To The Home (FTTH) or Full Fibre, arrived in my rural area of Wales. This was a hotly anticipated rollout, part of BT Openreach’s plan to bring Full Fibre to homes across the UK.
Quite why my part of rural Wales was prioritised over the higher density areas nearby is a mystery to me, but in any event I was keen to place an order for the upgrade. After an incredibly brief pause for reflection, I opted for the fastest line available from Openreach in the area – 1Gbps. This particular offering includes removal of the old copper (POTS) line that carried VDSL and its replacement with the new FTTP line.
The main changes in this installation were:
The installation went very smoothly and was completed in under 3 hours.
Back in 2021 I started introducing Unifi equipment into my home network to provide a greater level of sophistication to network management and performance. At the time I felt Unifi’s Security Gateway and Access Point made the network more stable and performant, though, admittedly, since then my impression of the engineering quality of the Unifi solution has declined significantly.
Since that time I’ve switched back to the provider router in place of the Draytek VDSL modem, and repurposed the Draytek 2862 as a multi-homed WAN router offering resilience between VDSL (now FTTP) and Vodafone 4G.
Much to my initial horror, I was not able to achieve any speed above 70Mbps on download tests once the FTTP line went active. This was very puzzling, as the PHY data rates were in the region of 600Mbps down and 700Mbps up for my smartphone when connected to the Unifi AP. Assuming roughly 50% throughput efficiency over Wi-Fi, I should have been able to achieve around 300Mbps on a download speed test.
Clearly it would be beneficial to use as much of the download bandwidth available as possible for any device, though there are obvious limitations over 802.11.
Thus began the task of diagnosing the bottleneck. All of the physical Ethernet connectivity checked out as linked at 1Gbps along the critical path between the AP, Security Gateway, Draytek and supplier router.
The first bottleneck was Quality of Service configuration on the Draytek. When enabled it puts in place a bandwidth reservation for the total data rate in both directions (by default 25%/25%/25% across the three QoS groups). Disabling this was necessary but didn’t solve the problem fully.
Reconfiguring the Unifi expected data rates for the WAN connection was also necessary, but still the limitations in performance persisted.
For the Security Gateway, the most significant factor was that Hardware Offloading could not be enabled (Unifi Devices > Security Gateway > Settings > Services). To enable Hardware Offloading, a number of features have to be disabled first: Deep Packet Inspection, the IDS/IPS functions and Smart Queues all have to be OFF before the selector becomes available.
With these changes made, plus disabling any residual bandwidth throttles on the Unifi Switch for various ports, performance was considerably improved, delivering a maximum of 576Mbps down and 107Mbps up over 5GHz to a WifiMan speed test from my mobile.
Obviously the downside here is that IPS, IDS and DPI are disabled on the Security Gateway; that is the trade-off. Forums suggest this is down to the hardware specs of the Security Gateway, which can, at a push, only run these functions up to a maximum throughput of 130Mbps. This is a shame, as these are useful features: the USG is able to perform country-level traffic blocking in addition to Botcc, Worm, Malware, Mobile Malware, Exploit, Shellcode, DNS threats, User agent threats, DShield (IPs with a bad reputation), Dark Web and Malicious Website blocking (Unifi Real Time Database).
If you have other capabilities on endpoints and devices that offer similar benefits, the overall cost is probably not that significant, but the loss of a layered control (defence in depth) is a concern.
That said, things have moved on considerably since the Security Gateway was launched, particularly in the UK. Most mainstream Internet connectivity providers now offer in-network content controls, covering a wide range of content blocking including malware and phishing. The NCSC Share and Defend initiative is a great example of how these capabilities are developing. I’ll be looking into these and their impact on throughput soon and will put a quick write-up here if I get some time.
July 06, 2024