
Same bad Intrusion Prevention performance on new RT2600ac as on RT1900ac

Posted: Tue Jan 31, 2017 3:13 pm
by Abusimbal
Hello, I bought an RT2600ac on Saturday.
I was hoping the performance with Intrusion Prevention on would be better on the RT2600ac, but it isn't.
From my max of 200 Mbit, 70-80 Mbit remains when IP is enabled.
The internet also feels very sluggish when IP is on.

To me, an unusable feature at the moment.

Re: Same bad Intrusion Prevention performance on new RT2600ac as on RT1900ac

Posted: Wed Feb 01, 2017 1:55 am
by Mcklain
Wow, this is disappointing...

Was really looking forward to the 2600AC. I was waiting to get it since I read the 1900ac was not powerful enough for those features... Guess I will be looking at another brand...

Re: Same bad Intrusion Prevention performance on new RT2600ac as on RT1900ac

Posted: Wed Feb 01, 2017 7:54 pm
by Abusimbal
Yes, I also hoped to get better performance, but it's the same as with the RT1900ac.

See this detailed review: https://www.shadowandy.net/2017/01/syno ... view.htm/7

Two other detailed reviews:
http://hexus.net/tech/reviews/network/1 ... -rt2600ac/
https://www.custompcreview.com/reviews/ ... iew/36855/

Surprisingly, the RT2600ac consumes a little less power than the RT1900ac.

Re: Same bad Intrusion Prevention performance on new RT2600ac as on RT1900ac

Posted: Wed Feb 01, 2017 7:56 pm
by styrofoamshotgun
Why would you ever expect halfway decent performance with intrusion prevention services on an ENTRY LEVEL multi-purpose router? Intrusion prevention is something that's generally going to be run on a dedicated device with better overall hardware.
Why the Synology devs thought it would be a good idea to have it available on their routers is beyond anyone's understanding, let alone considering it's geared towards home users.

Re: Same bad Intrusion Prevention performance on new RT2600ac as on RT1900ac

Posted: Wed Feb 01, 2017 8:05 pm
by Abusimbal
Indeed. I see this as a "J" series, not a "+" or XS+, to compare it to the NAS products.
Although very entry-level business UTM (Unified Threat Management) devices from specialist brands offer the same kind of performance.
Decent (200Mbit+) throughput-capable products cost 1000 dollars or more.

Re: Same bad Intrusion Prevention performance on new RT2600ac as on RT1900ac

Posted: Thu Feb 02, 2017 12:47 am
by UGOTSERVED
What type of external storage was used? I wouldn't recommend slapping some slow USB flash drive you happen to have lying around. It would also help if Synology had some recommended storage specs to use for a heavy feature like their IPS, even if it is in beta.

Re: Same bad Intrusion Prevention performance on new RT2600ac as on RT1900ac

Posted: Thu Feb 02, 2017 2:44 pm
by icbt_nl
I'm having the same issues.

Pages not loading, a 300Mbit line down to a max of 70Mbit. I won't say it's necessarily CPU related only. It's possibly even more of a RAM problem. Guess where the sensor was on:

Image

CPU is quite alright, although I have not found a clarification for these periods of very high IOwait%

Image

Re: Same bad Intrusion Prevention performance on new RT2600ac as on RT1900ac

Posted: Thu Feb 02, 2017 5:09 pm
by sims11
I have a Synology NAS that is connected to the internet so I thought that Intrusion Detection / Prevention would be a good idea.
Do you think that I should care about intrusion prevention / detection?

I currently have a stock Actiontec Verizon FIOS router, with the firewall on. I am guessing it does not have IDS / IPS.
Do you think the RT2600ac is worth it for its security features and likely updates to plug security holes?

It does look like it will not even support a 100 Mbps FIOS line if IPS is on.
I don't care much about the NAS capabilities of the router because I already have a Synology NAS.

Thanks for sharing your thoughts.

Re: Same bad Intrusion Prevention performance on new RT2600ac as on RT1900ac

Posted: Thu Feb 02, 2017 8:09 pm
by UGOTSERVED
I wouldn't use any wireless router at the border, with the exception of having a guest network there, if needed, and away from your internal network. I would use the FiOS router as the border gateway with wireless disabled and let it drop most of the incoming junk, and then have something else processing (IPS) at the next hop.

Re: Same bad Intrusion Prevention performance on new RT2600ac as on RT1900ac

Posted: Thu Feb 02, 2017 8:26 pm
by Abusimbal
UGOTSERVED wrote:
What type of external storage was used? I wouldn't recommend slapping some slow USB flash drive you happen to have lying around. It would also help if Synology had some recommended storage specs to use for a heavy feature like their IPS, even if it is in beta.
Indeed, I agree. FYI I use a Samsung SD card.

FYI I also opened a ticket with Synology support.
They confirm the performance I and icbt_nl are seeing (around 70Mbit) when IP is on.
They told me the engineering team is looking for ways to improve the efficiency, and perhaps more bandwidth can be made available with Intrusion Prevention enabled in the future via a firmware update.

So we have to wait.

Re: Same bad Intrusion Prevention performance on new RT2600ac as on RT1900ac

Posted: Fri Feb 03, 2017 1:45 am
by UGOTSERVED
Abusimbal wrote:
UGOTSERVED wrote:
What type of external storage was used? I wouldn't recommend slapping some slow USB flash drive you happen to have lying around. It would also help if Synology had some recommended storage specs to use for a heavy feature like their IPS, even if it is in beta.
Indeed, I agree. FYI I use a Samsung SD card.

FYI I also opened a ticket with Synology support.
They confirm the performance I and icbt_nl are seeing (around 70Mbit) when IP is on.
They told me the engineering team is looking for ways to improve the efficiency, and perhaps more bandwidth can be made available with Intrusion Prevention enabled in the future via a firmware update.

So we have to wait.
Do you have a model number of the SD card? The speed reference would be helpful.

Everyone should expect a performance hit with an IPS feature (even VPN) but each device will have more of a hit than others. The better (read: more expensive) products will have less impact on performance.

You could always put a dedicated IPS in front of it and let that take the brunt of the beating and use this IPS as another layer.

Here's a product with good examples on what type of performance penalties you incur.

http://www.watchguard.com/wgrd-products ... /3592/3593

Re: Same bad Intrusion Prevention performance on new RT2600ac as on RT1900ac

Posted: Wed Feb 08, 2017 3:09 am
by sims11
UGOTSERVED wrote:
I wouldn't use any wireless router at the border, with the exception of having a guest network there, if needed, and away from your internal network. I would use the FiOS router as the border gateway with wireless disabled and let it drop most of the incoming junk, and then have something else processing (IPS) at the next hop.
Can you elaborate on what you are suggesting?
So double NAT - first the FIOS network and then another router (say Synology) with IPS enabled?

Thanks.

Re: Same bad Intrusion Prevention performance on new RT2600ac as on RT1900ac

Posted: Fri Feb 10, 2017 2:16 am
by UGOTSERVED
sims11 wrote:
UGOTSERVED wrote:
I wouldn't use any wireless router at the border, with the exception of having a guest network there, if needed, and away from your internal network. I would use the FiOS router as the border gateway with wireless disabled and let it drop most of the incoming junk, and then have something else processing (IPS) at the next hop.
Can you elaborate on what you are suggesting?
So double NAT - first the FIOS network and then another router (say Synology) with IPS enabled?

Thanks.
Unless you really want to see everything hitting your IP, you could put an IPS at the edge, but there will be lots of alerts... it's certainly educational, but not something I'd want to spend time reviewing logs for. Let the FiOS router take the brunt of the beating and let an IPS do the real work processing anything that gets through. I actually wouldn't stop there, because it wouldn't be enough... add some centralized web filtering, application filtering, ad blocking, anti-virus and even SSL filtering, since so much junk is being funneled over it.

In IDS mode you're just logging and alerting (if configured) and threats get through. Many put an IDS in and think they're being "protected", but by default they're not. You need to make sure your signatures are updated at least daily and have to routinely view logs to determine what's legit and what's not. This would be a good start to get a baseline after x time, and then you can go into IPS mode and get into trouble by blocking legitimate traffic, which is part of the "fun".
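The baseline step described in the post above (run in IDS mode, review the alerts, then switch to IPS) is usually done by summarising the alert log per signature before any rule is allowed to drop traffic. The script below is an added example, not code from the thread or from Synology; it parses Suricata/Snort-style fast.log lines (IPv4 only), aggregates alerts per signature ID over the baseline window, and flags signatures that fire against many distinct internal hosts as ones to review before enabling drop. The sample log lines, the local signature IDs (1000001-1000003), the RFC 1918 "internal" definition and the host-count threshold are all constructed assumptions for illustration.

```python
"""Baseline an IDS alert log before switching to IPS (drop) mode.

Added example, not from the forum thread. Parses Suricata/Snort-style
fast.log lines, aggregates alerts per signature over the baseline window,
and flags signatures that fire broadly across internal hosts as ones to
review (likely noise / false positives) before letting them block traffic.
"""
import ipaddress
import re

# fast.log line layout (IPv4 only; IPv6 addresses contain ':' and would need
# a different split of the address:port fields).
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\]\s+\[Classification:\s*(?P<cls>[^\]]*)\]\s+"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)$"
)

# Assumption: "internal" means RFC 1918 space; adjust to the real LAN ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample alerts (local-range signature IDs, documentation IPs).
SAMPLE_FAST_LOG = [
    "02/10/2017-08:15:23.000001  [**] [1:1000001:2] LOCAL Possible exploit kit landing page [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.8:80 -> 192.168.1.20:50412",
    "02/10/2017-08:16:01.000002  [**] [1:1000002:1] LOCAL Suspicious user-agent string [**] [Classification: Potentially Bad Traffic] [Priority: 3] {TCP} 192.168.1.20:50413 -> 198.51.100.7:80",
    "02/10/2017-08:16:05.000003  [**] [1:1000002:1] LOCAL Suspicious user-agent string [**] [Classification: Potentially Bad Traffic] [Priority: 3] {TCP} 192.168.1.21:40001 -> 198.51.100.7:80",
    "02/10/2017-08:16:09.000004  [**] [1:1000002:1] LOCAL Suspicious user-agent string [**] [Classification: Potentially Bad Traffic] [Priority: 3] {TCP} 192.168.1.22:40002 -> 198.51.100.9:443",
    "02/10/2017-09:01:00.000005  [**] [1:1000003:1] LOCAL Inbound SSH scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.99:45212 -> 192.168.1.1:22",
    "this line is not an alert and is skipped",
]


def is_internal(addr):
    """True if the IPv4 address falls in one of the INTERNAL_NETS ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_alert(line):
    """Parse one fast.log line into a dict, or None if it is not an alert."""
    m = FAST_LOG_RE.match(line.strip())
    if not m:
        return None
    alert = m.groupdict()
    alert["sid"] = int(alert["sid"])
    alert["prio"] = int(alert["prio"])
    return alert


def baseline(lines):
    """Aggregate alerts per signature: count, priority, message, internal hosts touched."""
    stats = {}
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue  # non-alert line (e.g. engine message): ignore
        s = stats.setdefault(alert["sid"], {
            "msg": alert["msg"], "prio": alert["prio"],
            "count": 0, "internal_hosts": set(),
        })
        s["count"] += 1
        for addr in (alert["src"], alert["dst"]):
            if is_internal(addr):
                s["internal_hosts"].add(addr)
    return stats


def tuning_report(stats, host_threshold=3):
    """Split signatures into drop candidates and ones to review first.

    Heuristic (an assumption for this example): a signature that fires
    against many distinct internal hosts during a quiet baseline is more
    likely a false positive than a simultaneous compromise of every host,
    so it should be reviewed before it is allowed to drop traffic.
    """
    review, drop_candidates = [], []
    for sid, s in sorted(stats.items()):
        if len(s["internal_hosts"]) >= host_threshold:
            review.append(sid)
        else:
            drop_candidates.append(sid)
    return {"review": review, "drop_candidates": drop_candidates}


if __name__ == "__main__":
    stats = baseline(SAMPLE_FAST_LOG)
    for sid, s in sorted(stats.items()):
        print(f"sid {sid} prio {s['prio']} x{s['count']} "
              f"hosts={sorted(s['internal_hosts'])}  {s['msg']}")
    print(tuning_report(stats))
```

On the constructed sample, signature 1000002 fires from three different LAN hosts and lands in the review list, while 1000001 and 1000003 are left as drop candidates. Running the same summary over a real baseline window, with the threshold and internal ranges set for the network in question, gives the list of signatures to check or suppress before flipping the device from IDS to IPS mode.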

Re: Same bad Intrusion Prevention performance on new RT2600ac as on RT1900ac

Posted: Fri Feb 10, 2017 6:36 am
by sims11
Unless you really want to see everything hitting your IP, you could put an IPS at the edge, but there will be lots of alerts... it's certainly educational, but not something I'd want to spend time reviewing logs for. Let the FiOS router take the brunt of the beating and let an IPS do the real work processing anything that gets through. I actually wouldn't stop there, because it wouldn't be enough... add some centralized web filtering, application filtering, ad blocking, anti-virus and even SSL filtering, since so much junk is being funneled over it.

In IDS mode you're just logging and alerting (if configured) and threats get through. Many put an IDS in and think they're being "protected", but by default they're not. You need to make sure your signatures are updated at least daily and have to routinely view logs to determine what's legit and what's not. This would be a good start to get a baseline after x time, and then you can go into IPS mode and get into trouble by blocking legitimate traffic, which is part of the "fun".
Thank you for sharing your thoughts.

I have to admit that I have only partially understood what you are advising. Maybe because I am talking about a home network, and it is possible that you are describing a network that hosts company websites and databases (since you talk of signatures etc. - not sure what that is referring to...).

Here is what I have understood:
- Best to let the FIOS router be the first router with firewall on (but a DMZ going to the Synology router)
- The Synology router will also provide NAT service to the rest of the devices at home, and hence every device at home will face double NATing?
- And then on the Synology router to switch on IPS, not just IDS

I suspect I have not got it all...

Re: Same bad Intrusion Prevention performance on new RT2600ac as on RT1900ac

Posted: Sun Feb 12, 2017 1:29 am
by UGOTSERVED
sims11 wrote:
Unless you really want to see everything hitting your IP, you could put an IPS at the edge, but there will be lots of alerts... it's certainly educational, but not something I'd want to spend time reviewing logs for. Let the FiOS router take the brunt of the beating and let an IPS do the real work processing anything that gets through. I actually wouldn't stop there, because it wouldn't be enough... add some centralized web filtering, application filtering, ad blocking, anti-virus and even SSL filtering, since so much junk is being funneled over it.

In IDS mode you're just logging and alerting (if configured) and threats get through. Many put an IDS in and think they're being "protected", but by default they're not. You need to make sure your signatures are updated at least daily and have to routinely view logs to determine what's legit and what's not. This would be a good start to get a baseline after x time, and then you can go into IPS mode and get into trouble by blocking legitimate traffic, which is part of the "fun".
Thank you for sharing your thoughts.

I have to admit that I have only partially understood what you are advising. Maybe because I am talking about a home network, and it is possible that you are describing a network that hosts company websites and databases (since you talk of signatures etc. - not sure what that is referring to...).

Here is what I have understood:
- Best to let the FIOS router be the first router with firewall on (but a DMZ going to the Synology router)
- The Synology router will also provide NAT service to the rest of the devices at home, and hence every device at home will face double NATing?
- And then on the Synology router to switch on IPS, not just IDS

I suspect I have not got it all...
You can do the same with home networks, as long as you're willing and able to administer it. The signatures were for the IPS, where you should have them updated daily automatically.

To keep it simple, yes, double NAT, but don't set the Synology router on a DMZ port from the Verizon router.
You'll need to monitor what's getting blocked if you set it to IPS, because you'll probably have a lot of false positives.