
Do Hotspot and User Portal users consume their data allocations when using resources on the local network?

I did not think that users logged into the network used up their data allocations when using resources on the local network. I have a media streaming device streaming local data, and assumed that this would not use up users' data, but some users have reported that it has.

Just attempting to get clarification on this, and if so, is there a way to set up a resource so that it would not use their data? So perhaps data from a certain IP would not consume a user's data? Better yet, is there a way to have all local data not affect their data consumption?

 

Not sure if I should ask this in firewall and policies or authentication, but this seemed like a good place to start.  

 

Thanks much :-)

Christopher.   



  • I am not an expert in this.

    It depends on how you have set up your firewall rules and your network setup.

    For example, if you have traffic that goes from one part of your LAN to another part of your LAN without going through the XG then of course no bandwidth is used.

    Let's say for a moment that it does traverse the XG. Say you have a WiFi device downloading data from a LAN internal web server.

     

    Customer A config:

    Firewall rule:  From Zone LAN, Wifi.   To Zone Any.  Service HTTP/HTTPS. [ ] exclude this user activity from data accounting

     

    Customer B config:

    Firewall rule:  From Zone LAN, Wifi.  To Zone LAN, Wifi.  Service HTTP/HTTPS. [x] exclude this user activity from data accounting

    Firewall rule:  From Zone LAN, Wifi.  To Zone WAN.   Service HTTP/HTTPS. [ ] exclude this user activity from data accounting

     

    In Customer A, traffic from the Wifi to the LAN goes through the one rule and is counted.

    In Customer B, traffic from the Wifi to the LAN goes through the first rule and is not counted, while traffic out the WAN is counted.

     

    Depending on what type of bandwidth restriction it is,  you might need to look at

    [ ] Exclude this user activity from data accounting

    [ ] Apply web-category-based traffic shaping policies

    [ ] Apply application-based traffic shaping policies

    or there might be other options hiding somewhere, especially as you get into VPNs and other stuff.  But I think everything can be excluded somewhere.

     

    The important thing is having a separate firewall rule for internal traffic and for external traffic.  Once you separate the traffic you can apply different policies and accounting on them.

    If you wanted traffic only from a certain IP to not consume data allocation, create a high level firewall rule that just applies to that IP.

     

    AFAIK, "Surfing quota" applies to HTTP/HTTPS service and "Network traffic" to all services.  But there is nothing inherent about the Source/Destination in those definitions.  It is the firewall rule that determines whether the data is counted for a specific source/destination.

  • So, still having some issues, I'll try and explain how I have this setup.

     

    I have a VLAN that has a hotspot attached  (not a portal, but a wifi hotspot)  

    I have a LAN that has a service (video streaming) at 192.168.1.16

     

    I have a firewall rule that allows the VLAN access to the LAN resource 192.168.1.16   

    It is setup as this:

    Firewall rule:  From VLAN.  To Zone LAN.   Destination networks 192.168.1.16 Service Any [ ] exclude this user activity from data accounting

     

    This works fine and allows only access to 192.168.1.16 from the VLAN  (as I want it)  

     

    But, in order to set "exclude this user activity from data accounting" I need to set "Match known users". This causes the above firewall rule to not work; the resource at 192.168.1.16 cannot be reached.

    I always assumed that "match known users" refers to the Captive portal, and not the hotspots.   So this would theoretically break my firewall rule.

     

    So I think the issue here is that the above solution would work with the captive portal, but not hotspots?

     

    Thanks :-) 

  • I thought the problem was that you had users (eg User objects in XG) with either surfing quota or network traffic that was being counted when you did not want it to.

    If on the VLAN you have a mixture of IPs, some of which have users logged in and some of which do not, and you want to allow access to both, you need two rules. First put the rule for match users that excludes them from data accounting, then the one without matching users (since the first rule matches all users, the second one only matches no users), and there is no need to exclude from data accounting because there are no users to do data accounting on at all.

    If your intention is to always have users logged in (eg no unauthenticated guest access) then you need to look at what authentication you are using, since you have IPs connecting without a user currently logged in.

     

    "Match known users" means that there must be a username associated with that IP for the firewall rule to match.  This is not web specific, it can apply to SSH traffic, FTP, telnet, etc.

    "Show captive portal to unknown users" means that in the case it is port 80/443 then when a connection comes in with no user associated, the rule will match.  But that the user will be sent to be authenticated (with AD SSO or captive portal) before the rest of the firewall rule will match.

     
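    The first-match evaluation described in the two answers above (Customer A vs. Customer B, and the known-user rule placed before the unknown-user rule), as an added simulation that is not Sophos code: rule and flow fields, zone names and byte counts are constructed here, and it models only the user-object accounting the firewall rule controls, not the hotspot voucher counter.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Rule:
    name: str
    src_zones: set                      # zones the rule accepts traffic from
    dst_zones: set                      # "Any" matches every destination zone
    dst_net: Optional[str] = None       # destination network, None = any
    match_known_users: bool = False     # needs a username bound to the source IP
    exclude_from_accounting: bool = False

@dataclass
class Flow:
    src_zone: str
    dst_zone: str
    dst_ip: str
    nbytes: int
    user: Optional[str] = None          # username associated with the source IP

def matches(rule: Rule, flow: Flow) -> bool:
    if flow.src_zone not in rule.src_zones:
        return False
    if "Any" not in rule.dst_zones and flow.dst_zone not in rule.dst_zones:
        return False
    if rule.dst_net and ip_address(flow.dst_ip) not in ip_network(rule.dst_net):
        return False
    if rule.match_known_users and flow.user is None:
        return False
    return True

def account(rules, flow: Flow):
    """First matching rule wins. Returns (rule name or None, bytes charged)."""
    for rule in rules:
        if matches(rule, flow):
            charged = 0 if (rule.exclude_from_accounting or flow.user is None) else flow.nbytes
            return rule.name, charged
    return None, 0   # nothing matched: traffic dropped, nothing counted

CUSTOMER_A = [Rule("LAN/Wifi->Any", {"LAN", "Wifi"}, {"Any"})]
CUSTOMER_B = [
    Rule("LAN/Wifi->LAN/Wifi", {"LAN", "Wifi"}, {"LAN", "Wifi"}, exclude_from_accounting=True),
    Rule("LAN/Wifi->WAN", {"LAN", "Wifi"}, {"WAN"}),
]
# Known-user rule first, then the rule for IPs with no user logged in (constructed example).
VLAN_TO_MEDIA = [
    Rule("VLAN->media (known users)", {"VLAN"}, {"LAN"}, "192.168.1.16/32", True, True),
    Rule("VLAN->media (unknown)", {"VLAN"}, {"LAN"}, "192.168.1.16/32"),
]
```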

  • Just to clarify, as perhaps I didn't explain well enough. 

     

    The VLAN is purely a hotspot, voucher based network.   There is nothing on that network, except users that connect to that network, and have to login in with a voucher.  It is on at 192.168.3.0 network.  I do want all users to login via the hotspot voucher. 

    The LAN is all my network equipment: switches, resources etc, and my media router at 192.168.1.16

     

    I have a firewall rule that gives the VLAN on 192.168.3.0 (any user that logs on with a voucher) WAN access.

    I have an additional firewall rule that allows traffic from the VLAN to the IP 192.168.1.6 (the media server)

    As expected the users log in via the hotspot, and have internet and access to the media server.  The hotspot performs as expected and the voucher is used up as the internet is used, but I also note that the voucher is used up even if they are not using the internet, and are just using the media server.  

    My VLAN to LAN 192.168.1.16 rule is above the VLAN to WAN rule, I would expect there to be a way to exclude this traffic from accounting.  But from what I can see, the "exclude the data from accounting" only pertains to "captive portals" on a network,  not hotspots on a network.   From what I can see even local traffic causes voucher data to be used up, and I don't see a way to exclude traffic that has a hotspot on it, the only thing I see is the ability to exclude traffic on a network that has a captive portal. 

    Does that make more sense? :-) 

     

    I see there is a way to add an IP/website to the "walled garden" in the hotspot settings; is it perhaps a way to accomplish this?

  • Ahhh...  you are talking about the data limit on a hotspot voucher, not the data limit on a user.

    Be very careful when you use the word "user". I tried in my answer to say "user" = user object in XG. When you say "users log in via the hotspot" you are talking about people using vouchers, not people authenticating with a username and password so that they are logged in as an Active Directory (or local) user object.

    I am not entirely sure what you mean when you say "captive portal" but I think we can both agree that the "exclude the data from accounting" only applies when you are an authenticated user and a user object.  You can be an authenticated user because you are using captive portal, Active Directory SSO, STAS, Sophos Authentication Client, etc.

    I know very little about hotspot vouchers, I do not know if/how you can do it.  All I can help with is defining the problem for the next person to try and solve.

    Would this be an accurate summary?

    "I am using a hotspot voucher with data volume limit of 500 MB.  I want the data volume to be limited for external (WAN) access but not when accessing internal (LAN) resources such as an internal media server."

  • "I am using a hotspot voucher with data volume limit of 500 MB.  I want the data volume to be limited for external (WAN) access but not when accessing internal (LAN) resources such as an internal media server."

     

    :-) exactly.

     

    Yeah, I'm still playing around, but I don't see any way to ensure that this can be accomplished for vouchers. 

  • Hey  

    Apologies for this inconvenience. Currently the data volume setting behavior is to calculate all transmitted traffic.
    I would advise to please raise this as a suggestion on our Sophos Ideas page for visibility to our Product team.

    Regards,
