This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

BandwithLimit and IPSecVPN

Hi there!
Hopefully You survived christmas;-))

I've tried to use my time to plan QoS for a UTM, that manages a few IPSec-S2S-Tunnels.

Each S2S-Tunnel ends up in a UTM9.3xx.
In the central gateway are many "local" networks.
Each is reachable for one S2S-Tunnel.

My plan is, to limit each VPN-Tunnle to 2Mbit/s and limit the printing-traffic (Dest-Port 9100) within a tunnel form the central LAN to the remote sites to 1Mbit/s each.
I've read a lot in the forum.
I know, that QoS is for limitting outgoing traffic of an interface.
So my idea for the 2Mbit/s for each Tunnel is:

Create a TrafficSelector:
Source: WAN-IP of Central Gateway
Destination: WAN-IP of a Remote Gateway
ServiceType: IPSec-VPN (or Any?)

Create a 2Mbit/s-BandwithPool, using the TrafficeSelector I described above.
Is this a good idea?

And the next question:

How to limit the printing-traffic in the tunnel?
I've read about the QoS-Option "Keep classification after encapsulation".
But I don't know, how to use it for my scenario.

Or is the only chance, to limit the "outgoing" printing-traffic on the LAN-interface of the remote-UTM?

Thanks in advance!!!! Jochen

This thread was automatically locked due to age.

Parents

0 BAlfson over 10 years ago

I think I would not limit traffic in this situation, Jochen. At each Client, on the WAN Interface, guarantee 2Mbps up for 'Any -> IPsec -> {Central gateway IP}', and, in a lower-priority Bandwidth Pool, guarantee {95% of (total available - 2Mbps)} to 'Any -> Any -> Any'. Similarly, in the Central site, on the WAN interface, make a 2Mbps Bandwidth Pool for IPsec to each Client, and then a single Bandwidth Pool for {95% of (total available - 10Mbps)} for 'Any -> Any -> Any'.

I think this will distribute the bandwidth more efficiently than doing Download Throttling. If you didn't have all UTMs, I would have a different recommendation. Again, you cannot prefer/limit traffic inside the IPsec tunnel. If you feel you absolutely must do that, create separate tunnels for the printers - that is tricky, so please open a new thread if you decide you have to do that.

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Cancel
0 jkontny over 10 years ago in reply to BAlfson

Hi BAlfson!
Thanks for your reply and sorry for my late answer.
Your idea seems suitable for me and I will try it.
In the meantime I created the WAN ANY-IPsec-Central/Client-GW-rules.
That way I limited the VPN-traffic between a client- and the central-GW.

In addition to that I choosed a dirty way to limit the printing-traffic from the central-GW to a client-LAN on the "wrong"/client-side:
I created a QoS-rule on the LAN-interface of the client-GW and choosed an traffic-selector "Central-LAN" - "Printing" - "Client-LAN" an limited the to 500kbit/s.
If "excessive" printing occurres I see more than 500kbit/s in the VPN-tunnel, but never more than ~700kbit/s.
So I'm shure that printing ist no affecting the RDP-traffic.

Thanky for your hints!! Jochen
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 jkontny over 10 years ago in reply to BAlfson

Hi BAlfson!
Thanks for your reply and sorry for my late answer.
Your idea seems suitable for me and I will try it.
In the meantime I created the WAN ANY-IPsec-Central/Client-GW-rules.
That way I limited the VPN-traffic between a client- and the central-GW.

In addition to that I choosed a dirty way to limit the printing-traffic from the central-GW to a client-LAN on the "wrong"/client-side:
I created a QoS-rule on the LAN-interface of the client-GW and choosed an traffic-selector "Central-LAN" - "Printing" - "Client-LAN" an limited the to 500kbit/s.
If "excessive" printing occurres I see more than 500kbit/s in the VPN-tunnel, but never more than ~700kbit/s.
So I'm shure that printing ist no affecting the RDP-traffic.

Thanky for your hints!! Jochen
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data