Hi all, We have recently upgraded our office internet connection to a 10Mbps connection with unlimited transfers. The ISP's modem connects to a simple Linksys EF3116 switch which in-turn connects the feed to our Sophos UTM425 (the internal network). Within this network, we are hosting some web services (on one server connected to the DMZ interface, specifically) that need to be reliably available and since our upgrade, I've noticed that other traffic is sometimes maxing out our bandwidth pipe. (ie. FTP uploads/downloads to a separate FTP server within the network) In short, I am trying to use QoS to ensure that web traffic in & out from the web server always has some reserved bandwidth to use. I have attached screenshots of my setup, and am wondering if this is the correct way to achieve a reserved bandwidth pool. [:S] There were a couple of the steps in this setup that confused me: [LIST=1] on the "Traffic Selectors" tab, I did not define any records that had the source or the destination as the "internal" LAN IP (host) of the web server. Is this correct? My thought here is that the in/out traffic is tied to the "Internet" interface and thus should use Traffic Selector rules based on the WAN IP I defined a reverse service definition for web traffic (as in screenshot), the one labeled HTTP Traffic out (80 --> 1:65535). Is this required? And correct? I am wondering whether the QoS feature is smart enough to shape reverse traffic for a connection (ie. the returning HTTP data, from an inbound request on port 80). If not, it would seem quite cumbersome to need to define the reverse ports configuration for every single service that you want to control through QoS [/LIST] With this configuration, I am trying to allocate 5Mbps for the web traffic. Does anyone have example of similar configurations, done on clients and or NATed servers that need reserved bandwidth? Or am I missing anything here? Thanks in advance!

This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Correct QoS configuration for a NATed web server

Hi all,

We have recently upgraded our office internet connection to a 10Mbps connection with unlimited transfers. The ISP's modem connects to a simple Linksys EF3116 switch which in-turn connects the feed to our Sophos UTM425 (the internal network). Within this network, we are hosting some web services (on one server connected to the DMZ interface, specifically) that need to be reliably available and since our upgrade, I've noticed that other traffic is sometimes maxing out our bandwidth pipe. (ie. FTP uploads/downloads to a separate FTP server within the network) In short, I am trying to use QoS to ensure that web traffic in & out from the web server always has some reserved bandwidth to use.

I have attached screenshots of my setup, and am wondering if this is the correct way to achieve a reserved bandwidth pool.

[:S] There were a couple of the steps in this setup that confused me:
[LIST=1]

on the "Traffic Selectors" tab, I did not define any records that had the source or the destination as the "internal" LAN IP (host) of the web server. Is this correct? My thought here is that the in/out traffic is tied to the "Internet" interface and thus should use Traffic Selector rules based on the WAN IP
I defined a reverse service definition for web traffic (as in screenshot), the one labeled HTTP Traffic out (80 --> 1:65535). Is this required? And correct? I am wondering whether the QoS feature is smart enough to shape reverse traffic for a connection (ie. the returning HTTP data, from an inbound request on port 80). If not, it would seem quite cumbersome to need to define the reverse ports configuration for every single service that you want to control through QoS

[/LIST]

With this configuration, I am trying to allocate 5Mbps for the web traffic. Does anyone have example of similar configurations, done on clients and or NATed servers that need reserved bandwidth? Or am I missing anything here?

Thanks in advance!

This thread was automatically locked due to age.

0 BarryG over 10 years ago

Hi,

1. in your 2nd picture, try setting the bandwidth on the Servers DMZ to 10,000

2. in the 3rd picture, the traffic selectors should have the Web Server's internal IP, not the firewall's Internet interface IP.

3. you may need to create selectors to limit the FTP traffic as well.

Barry
Cancel
Vote Up 0 Vote Down

Cancel
0 r3gan over 10 years ago in reply to BarryG

Hi,

1. in your 2nd picture, try setting the bandwidth on the Servers DMZ to 10,000

2. in the 3rd picture, the traffic selectors should have the Web Server's internal IP, not the firewall's Internet interface IP.

3. you may need to create selectors to limit the FTP traffic as well.

Barry

Thanks, Barry, for the advice. I've made the suggested changes and will monitor going forward.

Based on your 2. point, is it true then that all QoS on the UTM devices happens "after" NAT? An inbound web request on port 80 from a remote client machine would have the internet-facing IP address... but does the UTM do all of the NAT conversions first, and then start evaluating QoS rules? If this is the case, how would a QoS scenario work with traffic originating from within the internal network and going outbound to the internet? (ie. if I were to try and limit internal FTP uploads to a remote server somewhere?)

Cheers!
Cancel
Vote Up 0 Vote Down

Cancel