How to prioritize SSL VPN tunnel in general among other WAN traffic?

Hi, am using Sophos UTM 9.4 in a home environment.  Works well.  Have QoS enabled on my WAN interface.  Effectively using it to prioritize various traffic.  Simply have 2 interfaces defined:

1.) WAN

2.) LAN

However am unclear on how to prioritize the SSL VPN tunnel itself among other traffic selectors and bandwidth pools on my WAN.  Currently have my TRAFFIC SELECTOR setup as:

Source: VPN Pool (SSL)

Service: Any

Destination: Any

Wasn't sure whether Source should be LAN instead and Destination should be VPN Pool (SSL)?  Once I get this part figured out, I'll likely want to prioritize traffic within the VPN Pool itself.  Taking one step at a time.  Thanks.



  • Hi,

    to prioritize the traffic of the SSL VPN tunnel itself you can choose

    Source: your WAN interface

    Protocol: SSL

    Destination: Internet IPv4, or, if all VPN clients are behind the same public IP address or in the same IP range, you can also choose this.

    Bound to interface: WAN


    The traffic in the tunnel can be prioritized like all other traffic. Choose the matching systems and/or protocol, and create a bandwidth pool for the WAN interface.

    Or work with "Application Control" under "Web Protection". Choose the WAN interface, identify the traffic and click shape.


    Jas Man

  • Jas Man said:

    Hi,

    to prioritize the traffic of the SSL VPN tunnel itself you can choose

    Source: your WAN interface

    Protocol: SSL

    Destination: Internet IPv4, or, if all VPN clients are behind the same public IP address or in the same IP range, you can also choose this.

    Bound to interface: WAN


    Thanks very much for your input.  For protocol, do I want to choose TCP 443 (SSL)?  If so, will this simply prioritize any and all SSL traffic that leaves my network over the WAN?  Regardless of whether it's CrashPlan, HTTPS web browsing, etc.?

  • Yup! TCP 443 (SSL) will prioritize any SSL traffic. That's why I mentioned to add an IP or IP range as destination to the traffic selector, to filter the traffic more accurately.

    I have no idea how to filter the VPN SSL traffic from the other SSL traffic, if you are not able to add a destination IP / IP range.

  • Jason, when asking questions about QoS, it helps to explain what's causing a problem.  We might be giving right answers to the wrong interpretation of what you're asking.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • My apology, Bob.  I am using Sophos UTM 9.4's built-in SSL VPN option successfully.  Have OpenVPN client installed on mobile devices and connects great.  Like how I'm able to define whether traffic is TCP or UDP and specifically what port is used.  So am not using the default port of TCP 443 for SSL VPN in an attempt to differentiate my SSL VPN traffic from standard HTTPS traffic.

    What I was trying to do is prioritize my SSL VPN traffic when I'm away from home communicating back to my Sophos UTM box so that SSL VPN traffic receives priority over traffic on my home network and doesn't come to a crawl when there's uploading/downloading occurring.

    Hopefully that makes sense?

  • Excellent description of the problem and the current situation, Jason, and congrats on changing the Service used by the SSL VPN.  I prefer using UDP as it results in significantly faster connections.

    On the WAN connection create a Bandwidth Pool guaranteeing upload bandwidth to 'Any -> {SSL VPN Service} -> Any'.  Also on the WAN connection make two Download Throttling rules, in order:

    1. Limit 'Any -> {SSL VPN Service} -> Any' to a gigabit.
    2. Limit 'Any -> Any -> Any' to 1Mbps less than your slowest download experience.

    In effect, #1 creates an Exception for #2.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks Bob.  Not following entirely.  Sorry for my confusion.  If you would please explain further, would appreciate it.  Here's what I've done thus far.


    1.) On my TRAFFIC SELECTOR tab, I've created 2 entries:

    a.) One called "Any" that has Any -> Any service -> Any

    b.) Another called "SSL VPN" that has Any -> SSL VPN service -> Any


    2.) I haven't created any entries on my BANDWIDTH POOLS tab yet?  Not sure what they should be?


    3.) On the WAN connection, under DOWNLOAD THROTTLING, I've had a few existing rules, so I've created the following:

    a.) A new Download Throttling rule called "SSL VPN Rule 1" for position 1, with a limit of 1048576 kbit/s (1 Gigabit).  Set the limit type: Shared.  And checked the "SSL VPN" Traffic Selector created in step #1.

    b.) Created another Download Throttle rule for position 2 called "SSL VPN Rule 2" with a limit of 49000 kbit/s (my ISP package is 50 Mbps, so this is 1 Mbps less, or 49 Mbps) and selected the "Any" traffic selector from step #1 above.


    PS - I noticed you're in Oklahoma.  Small world.  I am not far from you east in NW AR!

  • Hey, neighbor!

    2. The bandwidth you want to guarantee depends on what you're doing.  If you're not downloading files from a server behind the UTM, you don't need to guarantee much.

    3b. Check your SLA with your ISP to see the minimum they guarantee instead of the average.

    All rules must be on the External interface.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
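To make the two points in this thread concrete (Jas Man's warning that a "TCP 443 (SSL)" selector catches every HTTPS connection, and Bob's ordered throttling rules where rule 1 is an exception to rule 2), here is an added Python model of the selector matching and top-down rule evaluation using Jason's limits. It is not Sophos code; the first-match evaluation order is an assumption drawn from Bob's description, and UDP 1194 is a placeholder for the custom SSL VPN port the thread never names.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Placeholder: the thread says Jason moved SSL VPN off TCP 443 but never names the new
# port, so a constructed UDP port stands in for "{SSL VPN Service}".
SSL_VPN_SERVICE = ("udp", 1194)
HTTPS = ("tcp", 443)

@dataclass(frozen=True)
class Selector:
    """QoS traffic selector: Source -> Service -> Destination; 'any'/None match everything.
    A flow is the connection as the UTM sees it: src, dst, proto, dport."""
    name: str
    source: str = "any"
    service: tuple = None
    destination: str = "any"

    @staticmethod
    def _net_match(rule, addr):
        return rule == "any" or ip_address(addr) in ip_network(rule, strict=False)

    def matches(self, flow):
        return (self._net_match(self.source, flow["src"])
                and self._net_match(self.destination, flow["dst"])
                and (self.service is None or self.service == (flow["proto"], flow["dport"])))

@dataclass(frozen=True)
class ThrottleRule:
    name: str
    limit_kbit: int
    selector: Selector

def effective_limit(rules, flow):
    """Assumed model of Download Throttling: rules are checked top-down and the first
    matching selector decides the limit, which is why rule 1 acts as an exception to rule 2."""
    for rule in rules:
        if rule.selector.matches(flow):
            return rule.name, rule.limit_kbit
    return None, None

ANY = Selector("Any")
SSL_VPN = Selector("SSL VPN", service=SSL_VPN_SERVICE)
TCP_443 = Selector("TCP 443 (SSL)", service=HTTPS)   # Jas Man's first suggestion
RULES = [ThrottleRule("SSL VPN Rule 1", 1048576, SSL_VPN),   # 1 Gbit: effectively no cap
         ThrottleRule("SSL VPN Rule 2", 49000, ANY)]         # 49 Mbit/s for everything else

# Constructed sample connections on the WAN: a remote VPN client, and a LAN host browsing HTTPS.
VPN_FLOW = {"src": "198.51.100.7", "dst": "203.0.113.10", "proto": "udp", "dport": 1194}
WEB_FLOW = {"src": "192.168.1.20", "dst": "93.184.216.34", "proto": "tcp", "dport": 443}
```

Reversing the two rules shows the failure mode Bob's ordering avoids: the "Any" rule matches first and the VPN is throttled to 49 Mbit/s along with everything else.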