Shared shaping rule for hotspot with separate up/down limits

I'm really struggling to get QoS right. It seems really hard to come up with something that doesn't end up overloading the uplink and rendering the WAN link unresponsive.

Total WAN bandwidth is around 20mbit/second down, 1mbit/second up.

If I put all LAN -> WAN traffic in one rule I can put a shared limit of 2800kbit/second down and 120kbit/second up, which is just below the point where the link is saturated, and that keeps the uplink queues to a minimum and responsiveness is good, but then if I want to put different rules for different traffic it gets really hard to micromanage.

I can tolerate the LAN -> WAN thing for now as the result gives tolerable latency, but we also have some wireless hotspots that we want to manage too. I want to give them a chunk of the available bandwidth, but when it comes to choosing a shaping rule I can only choose a shaping policy that has "Individual" limits, and does not have separate limits for upload and download. I can modify the resulting firewall rule directly and choose the shaping policy I want, but that seems like I'm breaking some rule somewhere.

But even after that, I would like LAN->WAN traffic to be able to borrow from unused hotspot bandwidth, but that just doesn't seem possible.

Is Sophos XG unsuitable for a network with an asymmetric WAN link? (or multiple WAN links for that matter)?

Thanks

James



This thread was automatically locked due to age.
  • Before I begin, please note that all bandwidth rules and traffic shaping policies use Kilo BYTE and not Kilo Bit. So if you have your bandwidth in Mega Bit or Kilo Bit just divide it by 8 to get the Kilo Byte value.

    XG works great with both symmetric and asymmetric connections, even if its default traffic shaping policy makes it seem a symmetric WAN manager. What the XG does is use TCP window sizing and acks to make sure how much bandwidth it has available and then adjust its bandwidth dynamically. For example if you go to System Services and then go to Traffic shaping settings and you set your Total available bandwidth as 10 Mbps (1280 KBps), the XG will detect that it has more bandwidth available to it and will adjust its bandwidth dynamically. However if you wish to disable that you can Enable the Enforce Guaranteed Bandwidth, which will give you two options, to enforce a guaranteed bandwidth and to limit the bandwidth to something.

    Secondly, for all types of user/application/rule based traffic shaping (regardless of whether you are applying it to your hotspot, to a user group or to an entire subnet) you go to System Services-> Traffic Shaping. In here you can create a new traffic shaping policy. If you wish to apply this policy to an AD group, create a user traffic shaping policy. If it's for hotspots or any subnet, create a rule based traffic shaping policy. And if it's for an application then create an application policy. In your case, for hotspots, create a rule based policy. Rule type can be guarantee or limit. Guarantee rules will still give you an option to limit the maximum bandwidth for the users. To apply different upload and download bandwidth to the hotspot group, enable the Limit Upload/Download separately option and enter the bandwidth you want (again you can just limit the bandwidth or guarantee AND limit the bandwidth). So it would be something like this on the traffic shaping policy (I am guaranteeing 8 kbps up and 80 kbps down and limiting them to 120 kbps up and 2800 kbps down):

    Then go to hotspot settings (Wireless -> Hotspots) and there select this traffic shaping policy as the policy for the hotspot.
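
The reply above gives three things to get right when filling in the policy: the fields are in KB/s rather than kbit/s, the shaper has to sit below the real link rate in each direction or the uplink queue fills and latency climbs (the problem described in the question), and a guarantee combined with a limit is what lets one policy borrow what another is not using. The script below is an added example, not code from the post or from Sophos: it converts ISP-quoted Mbit/s figures to the KB/s values the XG fields take (using 1 Mbit = 1024 kbit, as in the reply's "10 Mbps (1280 KBps)"), sizes per-policy guarantees and limits for an asymmetric link, and checks a set of policies for oversubscription before anyone types them into the UI. The policy names, the 75%/25% split and the 10% headroom are made-up inputs for illustration.

```python
"""Sizing Sophos XG traffic-shaping figures for an asymmetric WAN link.

Added example, not code from the forum post or from Sophos. It assumes:
- the XG policy fields take KB/s (kilobytes per second), as the reply states,
  while ISPs quote Mbit/s, and 1 Mbit = 1024 kbit as in the reply's
  "10 Mbps (1280 KBps)" figure;
- the shaper has to sit a little below the physical rate in each direction
  ("headroom") so the modem's own upstream queue never fills.
Policy names and share percentages are made up for illustration.
"""
from dataclasses import dataclass

KBIT_PER_MBIT = 1024   # matches the reply's 10 Mbps -> 1280 KBps arithmetic
BITS_PER_BYTE = 8


def mbit_to_kbyte(mbit_per_s: float) -> int:
    """Convert an ISP-quoted Mbit/s rate to the KB/s the XG fields expect."""
    return int(mbit_per_s * KBIT_PER_MBIT / BITS_PER_BYTE)


def shaper_ceiling_kb(link_mbit: float, headroom: float = 0.90) -> int:
    """KB/s the shaper may hand out in one direction: link rate times headroom.

    Shaping at 100% of the physical rate lets the modem queue fill and latency
    climb; keeping the ceiling below it keeps the queue on the XG, where the
    policies can prioritise.
    """
    if not 0.0 < headroom <= 1.0:
        raise ValueError("headroom must be a fraction in (0, 1]")
    return int(mbit_to_kbyte(link_mbit) * headroom)


@dataclass(frozen=True)
class ShapingPolicy:
    """One rule-based policy with 'Limit upload/download separately' enabled."""
    name: str
    guarantee_up_kb: int
    guarantee_down_kb: int
    limit_up_kb: int
    limit_down_kb: int


def plan_policies(up_mbit: float, down_mbit: float, shares: dict[str, float],
                  headroom: float = 0.90) -> list[ShapingPolicy]:
    """Split the shaped capacity into per-policy guarantees.

    Each policy is guaranteed its share of the ceiling but limited to the whole
    ceiling, so a policy may borrow capacity the others are not using while the
    guarantees still add up to no more than the link can carry.
    """
    if abs(sum(shares.values()) - 1.0) > 1e-9:
        raise ValueError("shares must sum to 1.0")
    up_ceiling = shaper_ceiling_kb(up_mbit, headroom)
    down_ceiling = shaper_ceiling_kb(down_mbit, headroom)
    return [
        ShapingPolicy(
            name=name,
            guarantee_up_kb=int(up_ceiling * share),
            guarantee_down_kb=int(down_ceiling * share),
            limit_up_kb=up_ceiling,
            limit_down_kb=down_ceiling,
        )
        for name, share in shares.items()
    ]


def check_policies(policies: list[ShapingPolicy], up_mbit: float,
                   down_mbit: float, headroom: float = 0.90) -> list[str]:
    """Return the problems a set of policies would cause on this link ([] if none).

    Oversubscribed guarantees or a limit above the ceiling are the two ways to
    end up back at a saturated uplink and multi-second ping times.
    """
    problems: list[str] = []
    for direction, link_mbit in (("up", up_mbit), ("down", down_mbit)):
        ceiling = shaper_ceiling_kb(link_mbit, headroom)
        total_guarantee = sum(getattr(p, f"guarantee_{direction}_kb") for p in policies)
        if total_guarantee > ceiling:
            problems.append(f"{direction}: guarantees total {total_guarantee} KB/s, "
                            f"ceiling is {ceiling} KB/s")
        for p in policies:
            guarantee = getattr(p, f"guarantee_{direction}_kb")
            limit = getattr(p, f"limit_{direction}_kb")
            if limit > ceiling:
                problems.append(f"{direction}: {p.name} limit {limit} KB/s exceeds "
                                f"ceiling {ceiling} KB/s")
            if guarantee > limit:
                problems.append(f"{direction}: {p.name} guarantee {guarantee} KB/s "
                                f"exceeds its own limit {limit} KB/s")
    return problems


if __name__ == "__main__":
    # Constructed input: the 1 Mbit up / 20 Mbit down link from the question,
    # with made-up shares of 75% for LAN -> WAN and 25% for the hotspot.
    plan = plan_policies(up_mbit=1, down_mbit=20,
                         shares={"lan-to-wan": 0.75, "hotspot": 0.25})
    for policy in plan:
        print(policy)
    print("problems:", check_policies(plan, up_mbit=1, down_mbit=20))
```

For the 1 Mbit up / 20 Mbit down link in the question this yields a 115 KB/s up and 2304 KB/s down ceiling; the two policies share the guarantees (86/1728 KB/s and 28/576 KB/s) and are each limited to the full ceiling, which is the guarantee-plus-limit arrangement the reply describes. Run `check_policies` on whatever you intend to enter; a non-empty result means the link can be driven into saturation again regardless of how the policies are attached.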

  • Did you skip over the bit where I said that in the hotspot definition you can only choose a policy with "individual" (not "shared") bandwidth, and only with separate upload/download disabled? Any other policy is not available for selection in a hotspot definition. You can choose a different policy in the resulting firewall rule, but that just gets reset later.

    My experience with XG shaping is the opposite to what you describe about TCP window and ack etc. Unless I limit the WAN bandwidth to lower than the actual upstream, I see ping times go up over 5 seconds and the internet becomes unusable. Can you point me to some documentation where this behavior is described, because I couldn't see anything about it in any of the online documentation I have read.

    Thanks

    James

  • I don't know what you are talking about when you say that in the hotspot definition you can only choose a policy with "individual" (not "shared") bandwidth, and only with separate upload/download disabled.

    I made this traffic shaping policy and applied it, and it did it just fine:

    Yeah, the default policies already created in XG are for individual users and do not give the option to select individual bandwidth for upload and download, but you can create new traffic shaping policies and then apply them to the hotspot definition as I explained in my previous reply.

    About the shaping I am not quite sure, but I was speaking from my own experience and from what the Sophos engineering team had conveyed to me. We use burstable speeds for our customers (we are a satellite internet provider), so we needed to fully understand how it determines when to go for burstable, and this was their answer.