I decided it was time to look at upgrading my home broadband, mostly to get better-than-128KB upload speeds.
After the ISP-side change had eventually wound its way through, I was interested to see that while my upload speeds had improved, my download speeds still seemed capped at about 25Mbits/s (rule of thumb: divide by 8 to get megabytes per sec, so about 3MBytes/sec), despite a new modem and speeds that should've been "up to 100Mbit/sec".
Before launching a tirade at the ISP, I re-plugged my laptop directly into the cable modem, and got around 120MBit/sec test results from speedtest.net, so knew it wasn't the ISP-side plan itself rate-limiting me any more. And thus began the investigation.
A packet walks into a bar
My setup looks basically like this:
(regular internal networks on 10.x subnets) -> [ TMG -> DMZ -> Smoothwall ->] Cable
With a "side path" for the Xbox, which goes (10.x) -> Smoothwall -> Cable, to benefit from the UPNP mapping feature of Smoothwall.
Technically, any UPnP device or app can use the same side path, but "regular" browsing by WPAD-enabled stuff can benefit from TMG's web proxy cache to some extent.
Any testing I performed through Smoothwall led me back to the 25MBit capped rate. I checked QoS was off, which it was, and then decided I'd eliminate Smoothwall and try pushing the laptop through TMG directly (bypassing the Smoothwall) as a test.
The test gave me ~115MBit/sec+. Good enough!
Leaping to conclusions
The complicating factor is that everything to the right of the internal networks above is virtualized on my WS2012 R2 Hyper-V box, and I guessed that the rate limiting might have something to do with the legacy network adapters in the Smoothwall VM (one each for internal and external, plus a perimeter NIC for fun). My TMG VM uses synthetic NICs only, so I assumed that it was probably the key performance improvement when using it. The CPU on the router VM didn't seem to be breaking 0% (externally; 4% is 100% of one core), so I guessed that was a sign the cause might've been semi-external, or in the hypervisor.
Rather than work out what performance counters I could use to prove this, I figured I'd try to get the legacy NICs upgraded to the new Hyper-V synthetic NICs instead.
And after reading the vast array of "here's how you compile XYZ into your kernel" articles on it, I figured that it sounded way too hard (especially as I was using a now-legacy copy of SmoothWall Express 3.0) and finding some kind of distro which worked with Hyper-V enlightenments was probably the easiest route! No pun intended.
How do you test that? Easy, you just leave a VM at default settings – which include a new NIC – and see if it can detect the adapter. If it can, great! If it can't, try another!
My Little Firewall
First, I did a little research as to what might support Hyper-V natively, and found pfSense 2.2, based on FreeBSD 10.2, which has inbuilt Hyper-V integration services. I installed it, it found the new NICs, and after minimal faffing around, I had a working firewall, which speed tested up around 115-120MBit/sec. Boosh!
pfSense looks really capable and has lots of new options to explore, but I wondered whether upgrading to SmoothWall 3.1 (which I'd been putting off) would have yielded similar results? I don't have a huge rule set to migrate, so I started building a fresh Smoothwall Express 3.1 VM from the 200MB ISO, and after configuring my networks from scratch, tried that… also a nice, fast result with synthetic NICs.
So I now have a choice of external firewall (and whether to bridge the cable modem again, which I like: fewer moving parts to manage), with speedy integrated networking components, and I'm generally quite happy that non-Windows distros seem to be integrating the Hyper-V components for faster-than-legacy networking!