Was lucky enough to snag a Cloud Gateway Ultra on launch day and I’m messing around with different levels of IDS (Intrusion Detection System aka “Suspicious Activity” on the router).
Even though the marketing materials list this router as one that can do IDS at full gigabit speeds, I’m seeing slightly lower than that in real life. Even with minimal Detection Sensitivity, I’m still seeing a performance hit:
Not that I need the extra 50-150mbps down/up, but it woulda been nice to be able to leave this turned on and still get full ISP provided line rate. Anyone else experiencing this?
*Edit: I am using PPPoE so that might explain the perf hit. That being said, the router doesn’t ever go above 30% cpu or 50% mem during my speed tests.
Are you using PPPoE as WAN? PPPoE uses more resources and slightly lowers the performance. I only have 500mbps fiber and I get the full 500 with the UCG Ultra over PPPoE and with suspicious activity on high. That wasn’t possible with my UDR before. The UDR, officially rated for 700mbps, only gave me around 400 with PPPoE, regardless of whether suspicious activity was on or not.
/u/mactelecomnetworks made a review of it with full IDS/IPS (notify and block, high), and he did a local speed test and got ~930 Mbps, which is about what you can expect from 1G with TCP/IP overhead.
I haven’t gotten around to setting mine up yet (need to go to the summerhouse to replace my UDM), so can’t really comment on my own device’s performance.
I agree with this. I am comparing the UCG-Ultra against my UXG-Lite. Identical settings for network, IDS/IPS, etc, when doing a large file transfer via torrent (Rocky Linux ISO) using a wireguard tunnel on an internal client to a public VPN provider:
UCG-Ultra - speeds cap at 35MBps and latency for everything else on the network spikes to 1000ms
UXG-lite - speeds hit 100MBps and latency spikes to 23ms.
Interesting information, thanks.
We need more such technical details.
My RB5009 with many firewall rules has absolutely the same speed, 950Mbps, and no lags; even the CPU has never been utilized more than 40%
This all seems correct but also realize that there are always some bugs on early launch firmware - if this is an issue in 2 or 3 months I would be more concerned
I am indeed using PPPoE. That being said, looking at my system resources on the UCG-Ultra, I’m only 50% mem and <30% cpu during these tests. So there’s definitely headroom on the CPU still.
Considering that getting a TLS certificate is extremely easy, and using that essentially voids the packet inspection part of IDS, it seems like an awful lot of effort for very little gains.
Where it still holds true is with suspicious activity though. Even encrypted traffic will leave traces that go to suspicious hosts or in suspicious patterns/ports.
But enabling full IDS/IPS is probably not worth it unless you have a TLS decrypting proxy somewhere in there.
As for nobody in the target market needing it, I disagree. NAT Traversal exists, and while the linked description is from tailscale, there is nothing stopping malicious actors from implementing the same, effectively bypassing your firewall.
Sorry if this is obvious, but does that mean the UXG-Lite with a controller is the better option for performance?
The other day someone asked about running a CKG2+ with Protect and a UCG-Ultra with Network for best performance. I suggested running both apps on the CKG2+ (since it’s an 8-core with a higher clock) and using a UXG-Lite, and I was told that was wrong. That the UCG-Ultra would be faster.