QoS limit uplink rules not working on UTM

Hello,

I'm having an issue with a UTM 9.703 in which a forwarded custom port (in a group) maxes out a WAN uplink.

The interface has the QoS limits set according to the correct BW (and turned on), and limit uplink/downlink and equalizer are all set.

In the network monitor, that traffic appears as "uncategorized", so I can't shape it from there (it's a custom port).

I've created the QoS rules like this:

traffic selector any to any, using the service group

I also made the same rule using the specific port for testing.

Then I go to BW pool, select the interface and create a rule using the aforementioned traffic selector, with a guaranteed BW of 2 Mbit and a limit of 5 Mbit.

Just to be safe I made the same rule but using the specific selector.

Yet it's still maxing out the upload (10 Mbit) at 9.5 Mbps continuously.

I also tried a download throttle rule; nothing works.
  • Hello,

    QoS doesn't work statefully.

    So for traffic coming from an external web server the service definition must be something like this...

    HTTP_SERVER  SrcPort TCP80 DstPort ANY

    BW pool is used for outgoing traffic, download throttling is used to reduce inbound bandwidth.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • It's not an external web server, it's an incoming port forward.

    As I've said, I've tried both outgoing and download throttling and it's not working.

  • Hola Mast,

    Please show pictures of the Edits of your Traffic Selectors and QoS rules.  Also, please confirm whether the problem is inbound or outbound saturation and whether the problem is one person, one website or ???

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Bob,

    It's the uplink being saturated. It's a DNAT rule (port forward), it's not a person or website. Here's the maxed-out outbound:

    As an aside, the flow control is bugged, as it shows outbound traffic as download (flow monitor on the WAN interface). The GUI should be fixed to show outbound and inbound to be clear, as right now "download and upload" are NOT useful (for example, to limit the download traffic to a VLAN interface, such as a public wifi, I have to limit the UPLOAD, as upload from the interface is download from the client). It's extremely misleading (and has made me waste time with BW issues before):

    Here's the traffic selector showing the group and services (all TCP):

    And the BW rule:

  • I'm still confused about what's happening.  Please also show a picture of the Edit of the DNAT and of one of the DVR services.  Is this someone out on the internet getting a feed from a DVR behind the UTM or ???

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Yes, it's someone on the internet getting a DVR feed from the DVR behind the UTM.

    One of the ports is simply TCP 8000 (you can see the port in the flow monitor screenshot I pasted), which is DNATed from the public IP to the internal IP.

  • So your traffic selector should look like this:
    SrcIP (IP of your DVR) - SrcPort any - DstIP any - DstPort any
    or
    SrcIP any - SrcPort 8000 - DstIP any - DstPort any


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • The other thing to consider is that a request on port 8000 is a Service definition 1:65535->8000.  That means that a response to such a request requires a Service definition of 8000->1:65535.  I would use a group of such DVR Response Services in a Download throttling rule on the Internal interface instead of a Bandwidth Pool on the External interface.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • So instead of mucking around with port definitions I just nuke whatever is coming from that IP. Hadn't thought of that method, will have to test.

    Bob,

    that's insane, for each shaping you need to redefine services and invert the rules?!?! And I'd need to enable QoS on the internal interface as well.

    For the selector I'm using the port any-8000-any; it should not matter what the source or destination port is (after all the traffic is on port 8000, regardless).

    To shape well-known ports, be it up or down, I never had to make manual inverse services.

     

    BAlfson said:

    The other thing to consider is that a request on port 8000 is a Service definition 1:65535->8000.  That means that a response to such a request requires a Service definition of 8000->1:65535.  I would use a group of such DVR Response Services in a Download throttling rule on the Internal interface instead of a Bandwidth Pool on the External interface.

    Cheers - Bob

     

  • QoS is difficult to master.  Dirk's first suggestion won't work on the External interface as the IP of the DVR is lost after the response packet reaches the SNAT or masq rule.  The second one also requires defining the response Services as I suggested or you'll have the same problem you've been having.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
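    To make the point in Bob's and Dirk's replies concrete, here is a small Python model of stateless traffic-selector matching around a DNAT port forward. It is an added example, not Sophos code and not anything posted in the thread: the addresses (RFC 5737 documentation ranges), the viewer's ephemeral port and the selector names are constructed, and the model assumes that on the external interface the selector is evaluated after masquerading (which is why the source-IP selector loses the DVR's address there, as Bob describes). The thread's last post reports the source-IP selector working in practice, so that assumption is exactly the thing to check on a real box.

```python
"""Stateless QoS traffic-selector matching around a DNAT port forward (added example).

Shows why a service written as "any -> 8000" shapes the inbound requests but never
the DVR's outbound replies, why the inverse service "8000 -> any" is needed for the
replies, and where a source-IP selector stops matching once masquerading rewrites
the source address.  All addresses and ports below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Selector:
    """A stateless traffic selector; None in a field means 'any'.

    There is deliberately no connection table here: as the thread says, the
    selector only ever sees the header of the packet in front of it.
    """
    name: str
    src_ip: Optional[str] = None
    src_port: Optional[int] = None
    dst_ip: Optional[str] = None
    dst_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return all(
            want is None or want == have
            for want, have in (
                (self.src_ip, pkt.src_ip),
                (self.src_port, pkt.src_port),
                (self.dst_ip, pkt.dst_ip),
                (self.dst_port, pkt.dst_port),
            )
        )


# Constructed addresses (documentation ranges), not values from the thread.
PUBLIC_IP = "203.0.113.10"      # WAN address of the UTM
DVR_IP = "192.168.1.50"         # DVR behind the DNAT port forward
CLIENT_IP = "198.51.100.7"      # viewer somewhere on the internet
CLIENT_PORT = 51234             # ephemeral port the viewer happened to pick
DVR_PORT = 8000                 # the forwarded service port from the thread


def masquerade(pkt: Packet) -> Packet:
    """Outbound SNAT/masq on the WAN: the DVR's address is replaced by the public IP."""
    return Packet(PUBLIC_IP, pkt.src_port, pkt.dst_ip, pkt.dst_port)


def packets_on(interface: str) -> Dict[str, Packet]:
    """The request and the DVR's reply as the QoS engine sees them on one interface.

    Model assumption: on the external interface the selector runs after
    masquerading, so the reply carries the public IP as its source.
    """
    request = Packet(CLIENT_IP, CLIENT_PORT, PUBLIC_IP, DVR_PORT)  # pre-DNAT header on the WAN
    reply = Packet(DVR_IP, DVR_PORT, CLIENT_IP, CLIENT_PORT)       # as the DVR sends it
    if interface == "external":
        return {"request": request, "reply": masquerade(reply)}
    if interface == "internal":
        # Internal side: request already DNATed to the DVR, reply not yet masqueraded.
        dnated = Packet(CLIENT_IP, CLIENT_PORT, DVR_IP, DVR_PORT)
        return {"request": dnated, "reply": reply}
    raise ValueError(f"unknown interface {interface!r}")


SELECTORS = {
    # what the original poster built: service "any -> 8000", used any-to-any
    "dst_8000": Selector("service dst 8000", dst_port=DVR_PORT),
    # Bob's "response service" 8000 -> 1:65535, i.e. Dirk's second suggestion
    "src_8000": Selector("inverse service src 8000", src_port=DVR_PORT),
    # Dirk's first suggestion: match on the DVR's address
    "src_dvr": Selector("source DVR", src_ip=DVR_IP),
}


def evaluate(interface: str) -> Dict[str, Dict[str, bool]]:
    """For each selector, whether it matches the request and the reply on that interface."""
    pkts = packets_on(interface)
    return {
        key: {direction: sel.matches(pkt) for direction, pkt in pkts.items()}
        for key, sel in SELECTORS.items()
    }


if __name__ == "__main__":
    for iface in ("external", "internal"):
        print(f"== {iface} interface ==")
        for key, result in evaluate(iface).items():
            name = SELECTORS[key].name
            print(f"{name:28s} request={result['request']!s:5} reply={result['reply']!s:5}")
```

    Running it prints, per interface, which of the three selectors matches the request and which matches the reply. The "dst 8000" selector only ever matches the request, which is the small inbound direction, so a bandwidth pool built on it never sees the 9.5 Mbit of outbound video; the inverse "src 8000" selector matches the reply on both interfaces; the source-IP selector matches the reply on the internal interface but, in this model, not on the external one.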
  • Well,

    I did the method Dirk suggested, using a selector with source: DVR (as I have more than one, I made a second selector).

    Then a BW pool associated with both selectors (I wasn't sure selecting both in the same pool would work, but it does), and it has worked perfectly so far.

    It's not perfect, as it always goes far beyond the limit, but nowhere near what it was.