*** Official Ubiquiti Discussion Thread ***

[the-evaluator]

With IDS and IPS off it'll cope fine, I'm running a 1000/100 line just fine through it's baby brother the 3P.

I can't remember what the throughput will be with IDS & IPS enabled but TBH I don't really see the point of them in a domestic environment. I had it enabled briefly and it told me absolutely nothing of use.

 

[ChrisD.]

I can't remember what the throughput will be with IDS & IPS enabled but TBH I don't really see the point of them in a domestic environment. I had it enabled briefly and it told me absolutely nothing of use.

Agreed, it's not worth it for home use.

 

[WJA96]

Hi chaps
I have got a USG PRO 4 off the MM, am I right in assuming it should handle our 600mbps down/40mbps up connection fine?
Will that be affected by IPS/IDS?
Happy to upgrade RAM if needs be
Thanks

The simple answer is ‘it depends’. I had an 8Gb RAM USG 4 Pro with extra fans and it would spike at 750Mbps (up and down) with IDS enabled or 600Mbps (up and down) with IPS enabled and the mean throughput figures were certainly over 450Mbps (up and down) with either enabled. QoS slows the USG line down a lot. But you won’t need it. As others have said you don’t need IDS/IPS at home unless you suspect you’re running a zombie machine somewhere in which case turn IDS on and it will tell you, then sort the problem if it exists and turn it off again.

 

[Rensin]

Hi,

For a couple of months I've noticed my connection is showing 100% usage and "please upgrade your ISP service plan" ... is this a bug? as from what I can see nothing is using the connection (VM 350MB down & 40ish up)

Also I have recently ran all firmware updates and have noticed my US-8-60W update is failing (hangs for about 10 mins than reboots) .. any ideas how to fix this please? (guessing it will be a manual update needed)

 

[the-evaluator]

Go to Settings -> Internet -> Click on the internet connection -> Advanced -> ISP capabilities. Check the upload and download numbers there, chances are it's set to default (I think that's 10Mbps both ways).

On occasion switches seem to like a clean boot before they'll take a firemware update. If a manual update is needed then find the download link (check here if you're going for v5.43.36) for the firmware and copy the link address to your clipboard SSH into the switch and do type upgrade and then paste your clipboard contents. Press enter and then the switch will download the firmware and install it.

If that doesn't work then do the same, but change the pasted link, change https to http. It's possible that the clock on the switch is wrong which would lead to SSL certificate errors and ultimately make the firmware update fail.

 

[Rensin]

Go to Settings -> Internet -> Click on the internet connection -> Advanced -> ISP capabilities. Check the upload and download numbers there, chances are it's set to default (I think that's 10Mbps both ways).

On occasion switches seem to like a clean boot before they'll take a firemware update. If a manual update is needed then find the download link (check here if you're going for v5.43.36) for the firmware and copy the link address to your clipboard SSH into the switch and do type upgrade and then paste your clipboard contents. Press enter and then the switch will download the firmware and install it.

If that doesn't work then do the same, but change the pasted link, change https to http. It's possible that the clock on the switch is wrong which would lead to SSL certificate errors and ultimately make the firmware update fail.

I just checked and I have them already set to 400Mbps & 40Mbps so wil increase them a bit more see if makes any difference.

I'll take a look at the switch tomorrow first trying a clean boot if not will follow your instructions for a manual update.

cheers for the reply.

 

[ShivP]

With IDS and IPS off it'll cope fine, I'm running a 1000/100 line just fine through it's baby brother the 3P.

I can't remember what the throughput will be with IDS & IPS enabled but TBH I don't really see the point of them in a domestic environment. I had it enabled briefly and it told me absolutely nothing of use.

Agreed, it's not worth it for home use.

The simple answer is ‘it depends’. I had an 8Gb RAM USG 4 Pro with extra fans and it would spike at 750Mbps (up and down) with IDS enabled or 600Mbps (up and down) with IPS enabled and the mean throughput figures were certainly over 450Mbps (up and down) with either enabled. QoS slows the USG line down a lot. But you won’t need it. As others have said you don’t need IDS/IPS at home unless you suspect you’re running a zombie machine somewhere in which case turn IDS on and it will tell you, then sort the problem if it exists and turn it off again.

Banging thanks chaps, quite excited for it which is a bit sad but finally can get rid of this AC87U

 

[the-evaluator]

I just checked and I have them already set to 400Mbps & 40Mbps so wil increase them a bit more see if makes any difference.

That's strange. If you're on a controller version that still has them listed, can you check those settings in the classic settings? I can't remember at which version they removed it.

Roughly what was the load on the internet connection at the time you got that warning, or is it always there?

 

[Vertigo]

Banging thanks chaps, quite excited for it which is a bit sad but finally can get rid of this AC87U

Recently retired my long-serving AC87U too - boxed up and in the loft as a spare/backup

 

[mikehhhhhhh]

Is anyone using a USG Pro with a Gigabit PPPoE service?

The Unifi controller has got me thinking about going all in on Unifi - upgrading the switch and router as well, but I went through three different routers before settling on a Mikrotik 4011 before I found something capable of routing gigabit over PPPoE

 

[WJA96]

Mikrotik RB4011 will significantly outperform any current UniFi device if configured correctly. It’s a beast of a router.

 

[mikehhhhhhh]

Mikrotik RB4011 will significantly outperform any current UniFi device if configured correctly. It’s a beast of a router.

Well yes it is, except it has archaic queueing algoritms which means I essentially have to give up around 10% of my available throughput to avoid packet loss when the connection is saturated.

Something like OpenWRT performs much better for having better queueing.

It's very much a first world problem with a 900/100 connection, but still. I've also wrestled with a weird VLAN issue with RouterOS all day (as well as downloading a windows 7 VM to configure my old Netgear switch) which presumably would have been about three clicks if I had UniFi gateway and switch.

 

[WJA96]

Well yes it is, except it has archaic queueing algoritms which means I essentially have to give up around 10% of my available throughput to avoid packet loss when the connection is saturated.

Something like OpenWRT performs much better for having better queueing.

It's very much a first world problem with a 900/100 connection, but still. I've also wrestled with a weird VLAN issue with RouterOS all day (as well as downloading a windows 7 VM to configure my old Netgear switch) which presumably would have been about three clicks if I had UniFi gateway and switch.

WTF? We have a 2Gbps symmetrical leased line in the Salford Quays office and our backup router is an RB4011 and it runs line speed no problem. What are you doing in your config that it won’t route 900/100 at line speed?

 

[mikehhhhhhh]

WTF? We have a 2Gbps symmetrical leased line in the Salford Quays office and our backup router is an RB4011 and it runs line speed no problem. What are you doing in your config that it won’t route 900/100 at line speed?

It will happily route 900/100 out of the box.

The issue is what happens when the line is saturated.

With no queues configured you’ll see bufferbloat and significant packet loss.

To solve the issue with the queues you need to set aside around 10% or more of your available throughput.

More modern queue algorithms like cake and fq_codel are coming in v7 to solve this without sacrificing a large amount of throughput. I’m just not sure about using beta software on a connection I rely on to earn a living!

 

[WJA96]

It will happily route 900/100 out of the box.

The issue is what happens when the line is saturated.

With no queues configured you’ll see bufferbloat and significant packet loss.

To solve the issue with the queues you need to set aside around 10% or more of your available throughput.

More modern queue algorithms like cake and fq_codel are coming in v7 to solve this without sacrificing a large amount of throughput. I’m just not sure about using beta software on a connection I rely on to earn a living!

I disagree. Well, not about running the ROS Beta software, and I think most RouterOS issues are caused by very smart people trying to over-configure their routers. By all means substitute an RB4011 for a USG and I suspect you’ll be mightily disappointed.

 

[the-evaluator]

Is anyone using a USG Pro with a Gigabit PPPoE service?

I'm running 930/110 (or whatever they market it at) FTTP through a USG-3P. Works fine.

 

[mikehhhhhhh]

I disagree. Well, not about running the ROS Beta software, and I think most RouterOS issues are caused by very smart people trying to over-configure their routers. By all means substitute an RB4011 for a USG and I suspect you’ll be mightily disappointed.

This comment reads like Yoda being passive agressive

Maybe I can change your mind.

Here is what a typical day's latency graph looks like with the default router config - each spike of packet loss is anything from running a few speed tests to a game updating on steam, anything that's able to saturate the connection;



It's a similar story for LAN to WAN which means buffering on videos, slow page loads etc.

Here's a simple queue setup with around 5% of the available throughput reserved - better, but not perfect;



And here is with my current setup - ~10% of throughput reserved;




You can avoid reserving so much capacity by using more advanced Queue trees but that along with the load from PPPoE seems to limit the total available throughput, I don't think the CPU is man enough to do old school QoS at those speeds. This is something cake or fq_codel in the newer kernel of v7 will solve.

The Mikrotik is an amazing piece of kit, but you don't get anything for free or out of the box. Stuff you take for granted on other routers generally needs configuring.

 

[mikehhhhhhh]

I'm running 930/110 (or whatever they market it at) FTTP through a USG-3P. Works fine.

That helps a lot, thanks

Any chance you could share a result from this speedtest via Ethernet? I suspect the USG has really good QoS out of the box, it'll be interesting to see what Bufferbloat score it gets - http://www.dslreports.com/speedtest

 

[the-evaluator]

That helps a lot, thanks

Any chance you could share a result from this speedtest via Ethernet? I suspect the USG has really good QoS out of the box, it'll be interesting to see what Bufferbloat score it gets - http://www.dslreports.com/speedtest

The download figure isn't great but I put that down to this particular test. This is much more representative:

[root@pihole2 ~]# wget -O /dev/null http://speedtest.tele2.net/10GB.zip
--2021-05-06 11:17:23--  http://speedtest.tele2.net/10GB.zip
Resolving speedtest.tele2.net (speedtest.tele2.net)... 90.130.70.73, 2a00:800:1010::1
Connecting to speedtest.tele2.net (speedtest.tele2.net)|90.130.70.73|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 10737418240 (10G) [application/zip]
Saving to: ‘/dev/null’

/dev/null                   100%[=========================================>]  10.00G  98.1MB/s    in 98s    

2021-05-06 11:19:01 (104 MB/s) - ‘/dev/null’ saved [10737418240/10737418240]

 

[mikehhhhhhh]

The download figure isn't great but I put that down to this particular test. This is much more representative:

[root@pihole2 ~]# wget -O /dev/null http://speedtest.tele2.net/10GB.zip
--2021-05-06 11:17:23--  http://speedtest.tele2.net/10GB.zip
Resolving speedtest.tele2.net (speedtest.tele2.net)... 90.130.70.73, 2a00:800:1010::1
Connecting to speedtest.tele2.net (speedtest.tele2.net)|90.130.70.73|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 10737418240 (10G) [application/zip]
Saving to: ‘/dev/null’

/dev/null                   100%[=========================================>]  10.00G  98.1MB/s    in 98s  

2021-05-06 11:19:01 (104 MB/s) - ‘/dev/null’ saved [10737418240/10737418240]

Thanks a lot. Great speeds and that's a useful little download for testing on headless clients I always find speedtest-cli a little unreliable and always slower than in the browser.

I'd be curious to see what BufferBloat result you get if you ran that test at the same time as the download test on your pihole.