
Basic Sophos XG setup, online gaming.

Hi Guys,

Built my own virtual XG on an older desktop (located in the attic). (Intel desktop board, i5, 8GB, 120GB SSD, Intel dual-port NIC)

Running ESXi 6.5; gave the virtual machine 2 cores and 4GB RAM. Network situation: Cisco modem in bridge mode (ground floor), UTP cable going to the attic (WAN), LAN going back downstairs to the WiFi AP and LAN network. Web browsing etc. is working fine; my family has no issues with browsing and streaming movies (Chromecast, Netflix).

At the moment I have one rule for internet, doing basic web filtering and simple IPS. Is there a way to improve gaming performance? I created a separate rule for my laptop with no packet scanning.

Is there a way to troubleshoot gaming performance? When I ping the game server I get a steady ping of 30ms average. (login.p1.worldoftanks.eu)

During gaming the ping rises to approx. 60-80ms.

Let me know if you guys experienced this issue.



  • What type of latency/ping were you seeing before running Sophos XG? I guess I’m a bit confused as to how Sophos XG would impact your latency unless it was running on really slow hardware. I always thought latency was primarily a function of your ISP and distance from your location to the server you’re trying to reach. I’d be curious to hear what you find out though!

    Personally, I just have a separate firewall rule called “Bypass Policies” that I have my Xbox One assigned to which bypasses IPS and all policies to avoid having the traffic go through Snort (IPS engine) and the web proxy.

  • Thanks for the replies; in the past they were pretty much the same, I think.

    Added a couple of firewall rules, one separate for my laptop. Increased the DSCP to 1 and no filtering.

    The other devices are now using the other firewall rule with Web, IPS, and QoS (15 Mbit per user); gave it a DSCP rating of 3.

    With the latest firmware the QoS values are broken somehow; when I set 2048 Kbps I get a speedtest of 15Mbit.

    Current firewall:

  • Yeah, there’s nothing you’re really going to be able to do within Sophos XG to reduce latency (ping). That’s a function of the distance the packets are traveling from your computer to the server. For example, you’ll see a much higher ping from a server on the other side of the world versus a server in your same country. I’m assuming you’re running Sophos XG for a home setup but I would recommend leaving some of the settings like DSCP to their default unless you really understand what they do. I still haven’t figured out what they’re exactly for but based on the research I’ve done, they don’t seem like settings for a basic home network.

    As for your QoS bandwidth settings, these values are in KBps (KiloBytes per second) and not Kbps (Kilobits per second). Most internet speed tests show you results in Mbps (Megabits per second) but you can easily convert this to KBps using an online converter such as on Google (search for ‘Mbps to KBps’ on Google). If you’re just getting started out with Sophos XG, you might find some of the guides I created in my blog useful for initial setup and explanation of some of the basics (link is below).

  • Thanks, pings look fine.

    Pinging 8.8.8.8 with 1024 bytes of data:

    Reply from 8.8.8.8: bytes=1024 time=12ms TTL=58
    Reply from 8.8.8.8: bytes=1024 time=11ms TTL=58
    Reply from 8.8.8.8: bytes=1024 time=19ms TTL=58

    Pinging woteu1.login.wargaming.net [92.223.1.123] with 1024 bytes of data:
    Reply from 92.223.1.123: bytes=1024 time=28ms TTL=49
    Reply from 92.223.1.123: bytes=1024 time=28ms TTL=49
    Reply from 92.223.1.123: bytes=1024 time=29ms TTL=49

    Looked at your guide, changed a couple of settings. Passed the Sophos XG Architect exam last November; issues occur when you use it in production. ;)


  • Your Service=ANY rules are potentially going to screw you up.  I cannot see inside your rules but I think your laptop's web traffic will fall under id=3 and will be antivirus scanned but will not have any policy applied.  Most other computers will hit id=2 and have a web policy applied in addition to the AV.

    Turning logging off (the last checkbox) might make things a titch faster.

    I would use the Policy Tester (available beside the Log Viewer, link at top right) to confirm your traffic hits the rule you think it should.

  • Hey Michael,

    When you say the "Service=ANY rules are potentially going to screw you up", are you referring to the fact that it's not a very "safe" way of running a firewall rule (since it obviously will allow devices behind that firewall rule to access any service/port)? I'm actually running it this way right now as well but I've been meaning to make my firewall rules more specific to increase security. Just wanted to make sure there's not something else I'm missing.

    Edit: Forgot to mention this is for a basic home network setup.

  • shred said:

    When you say the "Service=ANY rules are potentially going to screw you up", are you referring to the fact that it's not a very "safe" way of running a firewall rule (since it obviously will allow devices behind that firewall rule to access any service/port)? I'm actually running it this way right now as well but I've been meaning to make my firewall rules more specific to increase security. Just wanted to make sure there's not something else I'm missing.

    Yes, it's not very safe (why buy a firewall if you are not going to use it) but my comment was more about something else.  The most common reason that someone comes in saying that the web filtering is not working even though they've configured it, is because before their web filtering rule they have an ANY rule.  The ANY rule is basically a bit of a trump card that often means all rules under it are never used.  You have some additional selection criteria around the Source Network, but just be aware that if something doesn't work, the first thing to check is whether it is hitting the firewall rule you think it is hitting - knowing that ANY is a... black hole that sucks packets towards it.  :)
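    The rule-ordering trap Michael describes can be checked mechanically. The following is an added example (not from this thread or from Sophos) that models XG-style top-down, first-match evaluation over a constructed rule set and flags any rule whose whole source/service range is already swallowed by an earlier rule; the rule ids, networks and policy name are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    rule_id: int
    src_nets: Tuple[str, ...]    # source networks, e.g. ("192.168.1.0/24",)
    services: FrozenSet[str]     # service names; {"ANY"} matches every port/protocol
    web_policy: Optional[str]    # attached web filter policy; None = not filtered

def matches(rule: Rule, src_ip: str, service: str) -> bool:
    """Does this rule apply to traffic from src_ip using the named service?"""
    src_ok = any(ip_address(src_ip) in ip_network(n) for n in rule.src_nets)
    svc_ok = "ANY" in rule.services or service in rule.services
    return src_ok and svc_ok

def first_match(rules: List[Rule], src_ip: str, service: str) -> Optional[Rule]:
    """Top-down evaluation: the first matching rule decides what is applied."""
    return next((r for r in rules if matches(r, src_ip, service)), None)

def covers(earlier: Rule, later: Rule) -> bool:
    """True when everything the later rule could match is already matched earlier."""
    nets_ok = all(any(ip_network(l).subnet_of(ip_network(e)) for e in earlier.src_nets)
                  for l in later.src_nets)
    svcs_ok = "ANY" in earlier.services or later.services <= earlier.services
    return nets_ok and svcs_ok

def shadowed_rules(rules: List[Rule]) -> Dict[int, int]:
    """Map each unreachable rule id to the earlier rule id that shadows it."""
    out: Dict[int, int] = {}
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                out[later.rule_id] = earlier.rule_id
                break
    return out

# Constructed rule set (an assumption, not the poster's real config): a LAN-wide
# Service=ANY rule placed above the web-filtering rule for the same LAN.
LAPTOP_BYPASS = Rule(1, ("192.168.1.50/32",), frozenset({"ANY"}), None)
LAN_WEB       = Rule(2, ("192.168.1.0/24",), frozenset({"HTTP", "HTTPS"}), "Default Web Policy")
LAN_ANY       = Rule(3, ("192.168.1.0/24",), frozenset({"ANY"}), None)

AS_POSTED = [LAPTOP_BYPASS, LAN_ANY, LAN_WEB]   # ANY above the web rule: web rule is dead
REORDERED = [LAPTOP_BYPASS, LAN_WEB, LAN_ANY]   # specific rule first, ANY as last resort

if __name__ == "__main__":
    print(shadowed_rules(AS_POSTED))                                     # {2: 3}
    print(first_match(AS_POSTED, "192.168.1.20", "HTTPS").web_policy)    # None
    print(shadowed_rules(REORDERED))                                     # {}
    print(first_match(REORDERED, "192.168.1.20", "HTTPS").web_policy)    # Default Web Policy
```

    The same check is what the Policy Tester does interactively for one flow; this version walks every rule pair so a shadowed web rule is found before a user reports "filtering does nothing".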

  • Hi Michael,

    The any service is required for some rules when the XG does not function as expected, e.g. if I don't want to scan IMAPS because Outlook can't handle it even with the certificate installed, I have to use the general web access page unless you tick the IMAPS box in the mail rule. If the mail traffic went through the mail rule then I could select specific applications in the general web access.

    I do have the general access rule down the list after the other rules, so it is not open slather.

    Ian

    Update: I will leave my original post as is. I have since been through and tightened up my firewall rules, but had to remove HTTPS scanning; it broke a number of sites with an invalid certificate from the website. Added IMAPS to one of the general rules, for the Mac with MS Office.


    This further broke all mail access. Did a restore and will start more refinement tests tomorrow.