
Sophos XG - QoS for NNTP/HTTPs/Streaming

Hi there,

I switched from a Sophos UTM to an XG and I'm currently trying to create the following QoS rules:

1) Guarantee a minimum of 200 kb/s for HTTP/HTTPS (regular surfing for all clients)

2) Prioritize NNTP/S (Usenet) lower, so if no one is browsing the web or streaming media, it should get all the available bandwidth.

3) Prioritize streaming media (Netflix, etc.) higher than 2) but lower than 1), so if someone wants to watch a movie and another person is downloading something via NNTP, it should restrict NNTP.

I read the guides, searched the community and tried the how-tos on my XG, but the QoS/restrictions won't work.

It's a virtual XG. I have a 6 Mbit connection to the WAN (~7 Mbit down, 2.5 Mbit up), so I set System Services -> Traffic Shaping Settings -> Total WAN Bandwidth to 8755.

Question here: does Sophos mean kilobit or kilobyte by "KBps"? I tried both; neither worked.


Simple example: I tried to limit NNTPS (port 563) to 3000.

1) I created a firewall rule (Source: LAN+DMZ/Any, Dest.: WAN/Any, Services: created NNTPS/563 as a service); saved it and checked in the log that the rule is applied when a download is active.

2) I created a traffic shaping definition:

3) I applied the "NNTP Limit 3000" definition to the application group/service "NNTP"

4) Created an application filter:

5) And edited the firewall rule to add the application filter:


Then I started an NNTPS download and: nothing. No limit, download speed at 800 kb/s.

I mixed the steps for my own services/applications, but I followed this how-to:

community.sophos.com/.../123058



  • There is a bit of a learning curve with the XG GUI. All units are in KB as in kilobytes. They have a few kilobits thrown in there, but that is in network interface reporting.

    So for your setup,

    1. Change bandwidth to kilobytes: 6 Mb = 750 KB

    2. You actually have to apply the bandwidth to the application that you are throttling. Under Applications > Traffic Shaping Default > look under Infrastructure and NNTP is there. Edit NNTP and apply the application rule that you created; now NNTP will be throttled.

    3. The Netflix traffic application probably won't throttle Netflix correctly, so you will have to find a way to either throttle the users using the clientless user option or create firewall rules that are throttled with the appropriate bandwidth.

    4. I would do something like: create user firewall rule 1 to allow Netflix via the FQDN option (v17 only, https://community.sophos.com/kb/en-us/125061) and apply guaranteed QoS to the actual firewall rule without using any app control. User rule 2 to allow HTTP/HTTPS and use a 200 kb/s guaranteed firewall rule, and then use firewall rule 3 with low-priority QoS to throttle NNTP as my last firewall rule.

    Layer 7 is hit and miss in XG, so you will have to work around the limitations. I generally only use application-based QoS on applications that use port 80 or 443; otherwise regular firewall or user rules work better for me. Keep us posted on your progress, as you seem to have a very typical home usage case of someone prioritizing some traffic over other so one person doesn't choke the whole network. It would be interesting to see how you tackle the firewall rules :D
