Same bad Intrusion Prevention performance on new RT2600ac as on RT1900ac

Abusimbal
Rookie
Posts: 37
Joined: Tue Aug 19, 2008 8:05 am
Location: Belgium

Same bad Intrusion Prevention performance on new RT2600ac as on RT1900ac

Unread post by Abusimbal » Tue Jan 31, 2017 3:13 pm

Hello, bought an RT2600ac Saturday.
Was hoping the performance with Intrusion Prevention on would be better on the RT2600ac but it isn't.
From my max of 200Mbit, 70-80Mbit remains when IP is enabled.
Internet also feels very sluggish when IP is on.

To me an unusable feature at the moment.
Last edited by Abusimbal on Wed Feb 01, 2017 7:55 pm, edited 1 time in total.
DS1010+
Firmware: DSM 5.2-5967 Update 2
HDD: 5x Samsung EcoGreen F3 2TB HD203WI in RAID5

DS1812+
Firmware: DSM 6.1.1-15101-3
HDD: 8x Western Digital Red WD30EFRX 3TB in RAID6

RT2600ac with SRM 1.1.4-6509

Mcklain
Experienced
Posts: 110
Joined: Tue Oct 02, 2012 9:33 pm

Re: Same bad Intrusion Prevention performance on new RT2600ac as on RT1900ac

Unread post by Mcklain » Wed Feb 01, 2017 1:55 am

Wow this is disappointing...

Was really looking forward to the 2600AC. Was waiting to get it since I read the 1900ac was not powerful enough for those features... Guess I will be looking at another brand...
| DS918+ | DSM 6.1.6 | WD6001FFWX x3 (SHR) |

Abusimbal
Rookie
Posts: 37
Joined: Tue Aug 19, 2008 8:05 am
Location: Belgium

Re: Same bad Intrusion Prevention performance on new RT2600ac as on RT1900ac

Unread post by Abusimbal » Wed Feb 01, 2017 7:54 pm

Yes, I hoped also to get better performance but same as with RT1900ac.

See this detailed review: https://www.shadowandy.net/2017/01/syno ... view.htm/7

Two other detailed reviews:
http://hexus.net/tech/reviews/network/1 ... -rt2600ac/
https://www.custompcreview.com/reviews/ ... iew/36855/

Surprisingly the RT2600ac consumes a little bit less power than the RT1900ac.
Last edited by Abusimbal on Wed Feb 01, 2017 7:56 pm, edited 1 time in total.

styrofoamshotgun
Rookie
Posts: 33
Joined: Tue Sep 06, 2016 5:52 pm

Re: Same bad Intrusion Prevention performance on new RT2600ac as on RT1900ac

Unread post by styrofoamshotgun » Wed Feb 01, 2017 7:56 pm

Why would you ever expect halfway decent performance with intrusion prevention services on an ENTRY LEVEL multi-purpose router? Intrusion prevention is something that's generally going to be run on a dedicated device with better overall hardware.
As for why the Synology devs thought it would be a good idea to have it available on their routers is beyond anyone's understanding, let alone considering it's geared towards home users.

Abusimbal
Rookie
Posts: 37
Joined: Tue Aug 19, 2008 8:05 am
Location: Belgium

Re: Same bad Intrusion Prevention performance on new RT2600ac as on RT1900ac

Unread post by Abusimbal » Wed Feb 01, 2017 8:05 pm

Indeed. I see this as a "J" series, not a "+" or XS+, to compare it to the NAS products.
Although very entry level business UTM (Unified Threat Management) devices from specialist brands offer the same kind of performance.
Decent (200Mbit+) throughput capable products cost 1000 or more dollars.

UGOTSERVED
Beginner
Posts: 21
Joined: Wed Feb 01, 2017 5:04 am

Re: Same bad Intrusion Prevention performance on new RT2600ac as on RT1900ac

Unread post by UGOTSERVED » Thu Feb 02, 2017 12:47 am

What type of external storage was used? I wouldn't recommend slapping some slow USB flash drive you happen to have lying around. It would also help if Synology had some recommended storage specs to use for a heavy feature like their IPS, even if it is in beta.

icbt_nl
Novice
Posts: 40
Joined: Fri May 10, 2013 7:40 am

Re: Same bad Intrusion Prevention performance on new RT2600ac as on RT1900ac

Unread post by icbt_nl » Thu Feb 02, 2017 2:44 pm

I'm having the same issues.

Pages not loading, a 300Mbit line down to a max of 70Mbit. I won't say it's necessarily CPU related only. It's possibly even more of a RAM problem. Guess where the sensor was on:

Image

CPU is quite alright, although I have not found a clarification for these periods of very high IOwait%

Image

sims11
Rookie
Posts: 30
Joined: Fri Jul 01, 2011 2:47 pm

Re: Same bad Intrusion Prevention performance on new RT2600ac as on RT1900ac

Unread post by sims11 » Thu Feb 02, 2017 5:09 pm

I have a Synology NAS that is connected to the internet so I thought that Intrusion Detection / Prevention would be a good idea.
Do you think that I should care about intrusion prevention / detection?

I currently have a stock Actiontec Verizon FIOS router, with the firewall on. I am guessing it does not have the IDS / IPS.
Do you think RT2600ac is worth it for its security features and likely updates to plug security holes?

Does look like it will not even support 100 Mbps FIOS line if IPS is on.
I don't care much about the NAS capabilities of the router because I already have a Synology NAS.

Thanks for sharing your thoughts.

UGOTSERVED
Beginner
Posts: 21
Joined: Wed Feb 01, 2017 5:04 am

Re: Same bad Intrusion Prevention performance on new RT2600ac as on RT1900ac

Unread post by UGOTSERVED » Thu Feb 02, 2017 8:09 pm

I wouldn't use any wireless router at the border with the exception of having a guest network there, if needed, and away from your internal network. I would use the FiOS router as the border gateway with wireless disabled and let it drop most of the incoming junk and then have something else processing (IPS) at the next hop.

Abusimbal
Rookie
Posts: 37
Joined: Tue Aug 19, 2008 8:05 am
Location: Belgium

Re: Same bad Intrusion Prevention performance on new RT2600ac as on RT1900ac

Unread post by Abusimbal » Thu Feb 02, 2017 8:26 pm

UGOTSERVED wrote:What type of external storage was used? I wouldn't recommend slapping some slow USB flash drive you happen to have lying around. It would also help if Synology had some recommended storage specs to use for a heavy feature like their IPS, even if it is in beta.
Indeed, I agree. FYI I use a Samsung SD card.

FYI I also opened a ticket with Synology support.
They confirm the performance I and icbt_nl are seeing (around 70Mbit) when IP is on.
They told me engineering team is looking for ways to improve the efficiency, and perhaps more bandwidth can be made available with Intrusion Prevention enabled in the future via firmware update.

So we have to wait.

UGOTSERVED
Beginner
Posts: 21
Joined: Wed Feb 01, 2017 5:04 am

Re: Same bad Intrusion Prevention performance on new RT2600ac as on RT1900ac

Unread post by UGOTSERVED » Fri Feb 03, 2017 1:45 am

Abusimbal wrote:
UGOTSERVED wrote:What type of external storage was used? I wouldn't recommend slapping some slow USB flash drive you happen to have lying around. It would also help if Synology had some recommended storage specs to use for a heavy feature like their IPS, even if it is in beta.
Indeed, I agree. FYI I use a Samsung SD card.

FYI I also opened a ticket with Synology support.
They confirm the performance I and icbt_nl are seeing (around 70Mbit) when IP is on.
They told me engineering team is looking for ways to improve the efficiency, and perhaps more bandwidth can be made available with Intrusion Prevention enabled in the future via firmware update.

So we have to wait.
Do you have a model number of the SD card? The speed reference would be helpful.

Everyone should expect a performance hit with an IPS feature (even VPN) but some devices will have more of a hit than others. The better (read: more expensive) products will have less impact on performance.

You could always put a dedicated IPS in front of it and let that take the brunt of the beating and use this IPS as another layer.

Here's a product with good examples on what type of performance penalties you incur.

http://www.watchguard.com/wgrd-products ... /3592/3593

sims11
Rookie
Posts: 30
Joined: Fri Jul 01, 2011 2:47 pm

Re: Same bad Intrusion Prevention performance on new RT2600ac as on RT1900ac

Unread post by sims11 » Wed Feb 08, 2017 3:09 am

UGOTSERVED wrote: I wouldn't use any wireless router at the border with the exception of having a guest network there, if needed, and away from your internal network. I would use the FiOS router as the border gateway with wireless disabled and let it drop most of the incoming junk and then have something else processing (IPS) at the next hop.
Can you elaborate on what you are suggesting?
So double NAT - first the FIOS network and then another router (say Synology) with IPS enabled?

Thanks.

UGOTSERVED
Beginner
Posts: 21
Joined: Wed Feb 01, 2017 5:04 am

Re: Same bad Intrusion Prevention performance on new RT2600ac as on RT1900ac

Unread post by UGOTSERVED » Fri Feb 10, 2017 2:16 am

sims11 wrote:
UGOTSERVED wrote: I wouldn't use any wireless router at the border with the exception of having a guest network there, if needed, and away from your internal network. I would use the FiOS router as the border gateway with wireless disabled and let it drop most of the incoming junk and then have something else processing (IPS) at the next hop.
Can you elaborate on what you are suggesting?
So double NAT - first the FIOS network and then another router (say Synology) with IPS enabled?

Thanks.
Unless you really want to see everything hitting your IP you could put an IPS at the edge but there will be lots of alerts...it's certainly educational but something I wouldn't want to spend time reviewing logs. Let the FiOS router take the brunt of the beating and let an IPS do the real work processing anything that gets through. I actually wouldn't stop there because it wouldn't be enough...add some centralized web filtering, application filtering, ad blocking, anti-virus and even SSL filtering since so much junk is being funneled over it.

In IDS mode you're just logging and alerting (if configured) and threats get through. Many put an IDS in and think they're being "protected" but by default they're not. You need to make sure your signatures are updated at least daily and have to routinely view logs to determine what's legit and what's not. This would be a good start to get a baseline after x time and then you can go into IPS mode and get into trouble by blocking legitimate traffic which is part of the "fun".
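
The baseline step described in the post above, as an added example that is not part of the original thread: summarise the alerts logged in IDS mode per signature, record a reviewer's verdicts, and see which signatures would have blocked legitimate traffic if switched to drop. The log lines are constructed, and their JSON field names (Suricata EVE-style) and the `verdicts` map are assumptions; the thread does not say what log format SRM's Intrusion Prevention uses.

```python
import json
from collections import defaultdict

# Constructed IDS alerts, one JSON object per line (field names are an assumption).
SAMPLE_LOG = """\
{"timestamp": "2017-02-10T08:00:01", "event_type": "alert", "src_ip": "192.168.1.20", "dest_ip": "203.0.113.5", "alert": {"signature_id": 1000001, "signature": "EXAMPLE backup client beacon"}}
{"timestamp": "2017-02-10T09:12:44", "event_type": "alert", "src_ip": "198.51.100.7", "dest_ip": "192.168.1.10", "alert": {"signature_id": 1000002, "signature": "EXAMPLE inbound scan"}}
{"timestamp": "2017-02-11T08:00:03", "event_type": "alert", "src_ip": "192.168.1.20", "dest_ip": "203.0.113.5", "alert": {"signature_id": 1000001, "signature": "EXAMPLE backup client beacon"}}
{"timestamp": "2017-02-11T10:30:00", "event_type": "dns", "src_ip": "192.168.1.20", "dest_ip": "192.168.1.1"}
{"timestamp": "2017-02-11T11:05:19", "event_type": "alert", "src_ip": "192.168.1.31", "dest_ip": "203.0.113.9", "alert": {"signature_id": 1000003, "signature": "EXAMPLE unknown TLS client"}}
{"timestamp": "2017-02-11T11:06:
"""

def build_baseline(log_text):
    """Summarise alert events per signature id: hit count, days seen, talkers."""
    base = defaultdict(lambda: {"name": "", "hits": 0, "days": set(), "pairs": set()})
    for line in log_text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank line, or a record truncated mid-write
        if ev.get("event_type") != "alert":
            continue  # only alerts matter for the IDS-to-IPS decision
        entry = base[ev["alert"]["signature_id"]]
        entry["name"] = ev["alert"]["signature"]
        entry["hits"] += 1
        entry["days"].add(ev["timestamp"][:10])
        entry["pairs"].add((ev["src_ip"], ev["dest_ip"]))
    return dict(base)

def ips_readiness(base, verdicts):
    """verdicts maps signature id -> 'legit' or 'bad' once a human has reviewed the logs."""
    plan = {"drop": [], "alert_only": [], "unreviewed": []}
    for sid in sorted(base):
        verdict = verdicts.get(sid)
        if verdict == "bad":
            plan["drop"].append(sid)
        elif verdict == "legit":
            plan["alert_only"].append(sid)  # dropping these would block wanted traffic
        else:
            plan["unreviewed"].append(sid)
    # Hits a blanket switch to drop mode would have blocked although they were legitimate.
    plan["false_positive_hits"] = sum(base[s]["hits"] for s in plan["alert_only"])
    plan["ready"] = not plan["unreviewed"]  # every baseline signature has a verdict
    return plan
```
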

sims11
Rookie
Posts: 30
Joined: Fri Jul 01, 2011 2:47 pm

Re: Same bad Intrusion Prevention performance on new RT2600ac as on RT1900ac

Unread post by sims11 » Fri Feb 10, 2017 6:36 am

Unless you really want to see everything hitting your IP you could put an IPS at the edge but there will be lots of alerts...it's certainly educational but something I wouldn't want to spend time reviewing logs. Let the FiOS router take the brunt of the beating and let an IPS do the real work processing anything that gets through. I actually wouldn't stop there because it wouldn't be enough...add some centralized web filtering, application filtering, ad blocking, anti-virus and even SSL filtering since so much junk is being funneled over it.

In IDS mode you're just logging and alerting (if configured) and threats get through. Many put an IDS in and think they're being "protected" but by default they're not. You need to make sure your signatures are updated at least daily and have to routinely view logs to determine what's legit and what's not. This would be a good start to get a baseline after x time and then you can go into IPS mode and get into trouble by blocking legitimate traffic which is part of the "fun".
Thank you for sharing your thoughts.

I have to admit that I have only partially understood what you are advising. Maybe because I am talking about a home network, and it is possible that you are describing a network that hosts company websites and databases (since you talk of signatures etc - not sure what that is referring to...).

Here is what I have understood:
- Best to let FIOS router be the first router with firewall on (but a DMZ going to the Synology router)
- Synology router will also provide NAT service to rest of the devices at home, and hence every device at home will face double NATing?
- And then on the Synology router to switch on IPS not just IDS

I suspect I have not got it all...

UGOTSERVED
Beginner
Posts: 21
Joined: Wed Feb 01, 2017 5:04 am

Re: Same bad Intrusion Prevention performance on new RT2600ac as on RT1900ac

Unread post by UGOTSERVED » Sun Feb 12, 2017 1:29 am

sims11 wrote:
Unless you really want to see everything hitting your IP you could put an IPS at the edge but there will be lots of alerts...it's certainly educational but something I wouldn't want to spend time reviewing logs. Let the FiOS router take the brunt of the beating and let an IPS do the real work processing anything that gets through. I actually wouldn't stop there because it wouldn't be enough...add some centralized web filtering, application filtering, ad blocking, anti-virus and even SSL filtering since so much junk is being funneled over it.

In IDS mode you're just logging and alerting (if configured) and threats get through. Many put an IDS in and think they're being "protected" but by default they're not. You need to make sure your signatures are updated at least daily and have to routinely view logs to determine what's legit and what's not. This would be a good start to get a baseline after x time and then you can go into IPS mode and get into trouble by blocking legitimate traffic which is part of the "fun".
Thank you for sharing your thoughts.

I have to admit that I have only partially understood what you are advising. Maybe because I am talking about a home network, and it is possible that you are describing a network that hosts company websites and databases (since you talk of signatures etc - not sure what that is referring to...).

Here is what I have understood:
- Best to let FIOS router be the first router with firewall on (but a DMZ going to the Synology router)
- Synology router will also provide NAT service to rest of the devices at home, and hence every device at home will face double NATing?
- And then on the Synology router to switch on IPS not just IDS

I suspect I have not got it all...
You can do the same with home networks as long as you're willing and able to administer. The signatures were for the IPS where you should have them updated daily automatically.

To keep it simple yes, double NAT but don't set the Synology router on a DMZ port from the Verizon router.
You'll need to monitor what's getting blocked if you set to IPS because you'll probably have a lot of false positives.
