I decided it was time to look at upgrading my home broadband, mostly to get better-than-128KB upload speeds.
After the ISP-side change had eventually wound its way through, I was interested to see that while my upload speeds had improved, my download speeds still seemed capped at about 25Mbits/s (rule of thumb: divide by 8 to get megabytes per sec, so about 3MBytes/sec), despite a new modem and speeds that should've been "up to 100Mbit/sec".
Before launching a tirade at the ISP, I re-plugged my laptop directly into the cable modem, and got around 120MBit/sec test results from speedtest.net, so knew it wasn't the ISP-side plan itself rate-limiting me any more. And thus began the investigation.
A packet walks into a bar
My setup looks basically like this:
(regular internal networks on 10.x subnets) -> [ TMG -> DMZ -> Smoothwall ->] Cable
With a "side path" for the Xbox, which goes (10.x) -> Smoothwall -> Cable, to benefit from the UPNP mapping feature of Smoothwall.
Technically, any UPnP device or app can use the same side path, but "regular" browsing by WPAD-enabled stuff can benefit from TMG's web proxy cache to some extent.
Any testing I performed through Smoothwall led me back to the 25MBit capped rate. I checked QoS was off, which it was, and then decided I'd eliminate Smoothwall and try pushing the laptop through TMG directly (bypassing the Smoothwall) as a test.
The test gave me ~115MBit/sec+. Good enough!
Leaping to conclusions
The complicating factor is that everything to the right of the internal networks above is virtualized on my WS2012 R2 Hyper-V box, and I guessed that the rate limiting might have something to do with the legacy network adapters in the Smoothwall VM (one each for internal and external, plus a perimeter NIC for fun). My TMG VM uses synthetic NICs only, so I assumed that it was probably the key performance improvement when using it. The CPU on the router VM didn't seem to be breaking 0% (externally; 4% is 100% of one core), so I guessed that was a sign the cause might've been semi-external, or in the hypervisor.
Rather than work out what performance counters I could use to prove this, I figured I'd try to get the legacy NICs upgraded to the new Hyper-V synthetic NICs instead.
And after reading the vast array of "here's how you compile XYZ into your kernel" articles on it, I figured that it sounded way too hard (especially as I was using a now-legacy copy of SmoothWall Express 3.0) and finding some kind of distro which worked with Hyper-V enlightenments was probably the easiest route! No pun intended.
How do you test that? Easy, you just leave a VM at default settings - which include a new NIC - and see if it can detect the adapter. If it can, great! If it can't, try another!
My Little Firewall (packets are magic)
First, I did a little research as to what might support Hyper-V natively, and found pfSense 2.2, based on FreeBSD 10.2, which has inbuilt Hyper-V integration services. I installed it, it found the new NICs, and after minimal faffing around, I had a working firewall, which speed tested up around 115-120MBit/sec. Boosh!
pfSense looks really capable and has lots of new options to explore, but I wondered whether upgrading to SmoothWall 3.1 (which I'd been putting off) would have yielded similar results? I don't have a huge rule set to migrate, so I started building a fresh Smoothwall Express 3.1 VM from the 200MB ISO, and after configuring my networks from scratch, tried that... also a nice, fast result with synthetic NICs.
So I now have a choice of external firewalls (and whether to bridge the cable modem again, which I like: fewer moving parts to manage), with speedy integrated networking components, and I'm generally quite happy that non-Windows distros seem to be integrating the Hyper-V components for faster-than-legacy networking!
[Update and aside 2017-03-03 - I eventually added a scooter computer to the lineup as an always-on low-power host, and put PfSense onto it "bare metal". But it quickly became apparent that the Realtek NIC driver included in the box was pretty suboptimal, and would drop out under mild load. So I'm now running Server 2016 on the tiny host, and PfSense in a VM on it, and it's fast and reliable using the Windows Realtek NIC driver virtualized through Hyper-V. Ironic fun!]