
QOS - Still baffled after all these years

Hi,

Every so often I delve into this then give up because my brain starts to hurt. The myriad of posts and articles seem to answer things then other ones seem to say something different. Maybe it has to do with how different people ask questions, so I guess I'll throw my phrasing into the mix and hopefully get to the bottom of how to maximize performance for the services I want.

I have an SG230 with a 50mbs internet connection. I want to guarantee 15mbs to each of these in either direction (to/from internet):

  • A file sharing website (https) we host
  • VPN access to our LAN for our staff
  • also of course regular internet stuff (email, web surfing, etc)

(I don't need 15 up + 15 down for each, I just want to be sure that our File Sharing site has 15 mbs available to it, and that our VPN users have at least 15 mbs (total shared) available to them.

Am I right that the UTM settings are all from the point of view of the box? So "Downlink" refers to what's coming into the UTM, whether from the WAN or the LAN?

Is it accurate that the UTM cannot control the traffic that comes into it from either the LAN or the WAN? So all I can do is guarantee bandwidth of what leaves it?

If that's the case, then should I use QOS on the WAN interface to guarantee bandwidth heading out to the internet (with a LAN->Internet traffic selector), and one on the LAN interface to guarantee bandwidth heading IN to the LAN?

Since the WAN is 50mbs and the LAN is gigabit, is there no point then in even trying to guarantee WAN-to-LAN traffic at all, because there's no way enough WAN traffic would ever be enough to fill up all the bandwidth on the LAN side?

Should I turn off Automatic QOS (Download Equalizer, Upload Optimizer) on the Status tab if I'm doing any of this?

If all our incoming traffic is out of our control, is there nothing I can do to make sure, if someone is trying to upload a file, that client has priority on the WAN interface over someone who's streaming hi-def YouTube videos (short of throttling, which I don't want to do because I'm fine with someone watching videos as long as it gets cut down as soon as someone starts needing to upload real files)?

Please let me know if I can/should clarify all this.

Thanks,

Jeff

  • Hello Jeff,

    Indeed QOS is the most complex challenge with WAN connections.

    You're right, you cannot completely "QOS" incoming packets, only outgoing. With "Download Throttling" the UTM tries to throttle the remote sender ("If packets are coming in faster than the configured threshold, excess packets will be dropped immediately without being listed in the firewall rules log file. As a result of TCP congestion avoidance mechanisms, affected senders should reduce their sending rates in response to the dropped packets.")

    Limit Uplink: Should be selected in most cases, because your WAN interface speed is not your real WAN speed.

    Limit Downlink (former Download Equalizer): Should be enabled to do a fair use ("If enabled, Stochastic Fairness Queuing (SFQ) and Random Early Detection (RED) queuing algorithms will avoid network congestion. In case the configured downlink speed is reached, packets from the most downlink consuming stream will be dropped.")

    Upload Optimizer does nothing spectacular. It only makes sure that new TCP connections and DNS requests are still possible if the bandwidth is fully used.

    In your case I would recommend building two Bandwidth Pools with only one Traffic Selector each:

    1. HTTPS traffic from the internal webserver to the internet

    2. VPN traffic (IPsec) to the internet/remote gateways.

    Assign the Bandwidth Pools to your WAN interface in the right order (first Bandwidth Pool is reserved first).

    "Specify upper bandwidth limit" should not be set.

    Then make a Download Throttling rule for Web Surfing/E-Mail (shared) that reserves 15+x Mbit/s (15 for VPN incoming plus ACK packets for downloads from your webserver, maybe 15+2).

    So it looks like:

    - Outgoing: 15 + 15 reserved

    - Incoming: Websurfing/E-Mail is limited to 33 with fair use.

    I think it won't help to "QOS" your internal interface.

    You can't control everything, but maybe it helps.

    Good luck!

    CS

    Sophos Certified Architect (UTM + XG)

  • Thanks this is quite helpful.

    I'm just not quite clear on the last point. Wouldn't throttling downloads for web/email catch (and therefore throttle) files being uploaded (from the point of view of client out on the WAN) to our website? Or do I need to set the throttle rules very specifically so that traffic coming from the internet but going anywhere EXCEPT our website should be limited, to leave enough "space" for uploading files and incoming traffic over VPN?

    Jeff

  • JeffCooper said:

    Wouldn't throttling downloads for web/email catch (and therefore throttle) files being uploaded (from the point of view of client out on the WAN) to our website? Or do I need to set the throttle rules very specifically so that traffic coming from the internet but going anywhere EXCEPT our website should be limited, to leave enough "space" for uploading files and incoming traffic over VPN?

    Yes. In this case you can add a download throttling rule ABOVE the rule for web/email with the correct traffic selector (traffic to your webserver) and a higher limit.

    Sophos Certified Architect (UTM + XG)
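Added illustration, not code from the thread or from Sophos: a small model of how an ordered rule table like the UTM's QoS pages classifies flows, showing why the "traffic to your webserver" throttling rule must sit above the general web/email rule, and checking that the two 15 Mbit/s bandwidth pools fit the 50 Mbit/s uplink. The addresses, ports and the 50 Mbit/s limit on the webserver rule are constructed assumptions.

```python
# Added example (not from the thread or Sophos): first-match evaluation of
# UTM-style QoS rules on the WAN interface.  Addresses, ports and the limit
# on the "to webserver" rule are constructed assumptions.
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

WAN_MBIT = 50                      # uplink speed from the original post

@dataclass(frozen=True)
class Selector:
    src: str                       # CIDR the packet comes from
    dst: str                       # CIDR the packet goes to
    dport: int | None = None       # None = any destination port

    def matches(self, flow: dict) -> bool:
        return (ip_address(flow["src"]) in ip_network(self.src)
                and ip_address(flow["dst"]) in ip_network(self.dst)
                and self.dport in (None, flow["dport"]))

@dataclass(frozen=True)
class ThrottleRule:
    name: str
    selector: Selector
    limit_mbit: int                # shared limit for everything it matches

def applied_limit(rules: list[ThrottleRule], flow: dict) -> tuple[str, int] | None:
    """Top-to-bottom first match, like the UTM rule table; None = unthrottled."""
    for rule in rules:
        if rule.selector.matches(flow):
            return rule.name, rule.limit_mbit
    return None

def reserved_total(pools: dict[str, int]) -> int:
    """Sum of guaranteed Mbit/s across bandwidth pools; must fit the uplink."""
    total = sum(pools.values())
    if total > WAN_MBIT:
        raise ValueError(f"pools reserve {total} Mbit/s on a {WAN_MBIT} Mbit/s link")
    return total

# Constructed sample: 203.0.113.10 is "our" webserver; 10.0.0.0/8 is the LAN.
ANY = "0.0.0.0/0"
to_webserver = ThrottleRule("Uploads to webserver", Selector(ANY, "203.0.113.10/32", 443), WAN_MBIT)
web_email = ThrottleRule("Web surfing / E-Mail", Selector(ANY, ANY), 33)
POOLS = {"HTTPS from webserver": 15, "IPsec VPN": 15}   # the two pools CS proposed

upload_flow = {"src": "198.51.100.7", "dst": "203.0.113.10", "dport": 443}
surf_flow = {"src": "198.51.100.9", "dst": "10.0.0.25", "dport": 54321}

if __name__ == "__main__":
    print(applied_limit([to_webserver, web_email], upload_flow))  # correct order
    print(applied_limit([web_email, to_webserver], upload_flow))  # webserver rule shadowed
    print(reserved_total(POOLS), "Mbit/s reserved of", WAN_MBIT)
```

With the rules in the wrong order the catch-all web/email rule matches first and uploads to the webserver are capped at 33 Mbit/s; reversed, the specific rule wins and the catch-all still applies to ordinary surfing.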

  • CS, years ago, I developed a habit of not selecting any of the Interface check boxes on the 'Status' tab if I defined both Download Throttling and Multipath rules on an interface. Are you saying that 'Upload Optimizer' has been "fixed" and no longer interferes with Multipath rules?

    As to limiting uplink/downlink, why select either of those if you're not paying for additional bandwidth?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • For anyone else who's interested, here's what I did. (Also, not a bad way to put it out there for someone with a better grasp of QoS to say "no, ninny, don't do that!").

    This is all only on the WAN Interface - 50mb/s. It's also admittedly more complicated than my original post let on, but a few things occurred to me as I was tinkering.

    Traffic Selectors

    Specified different selectors for inbound and outbound traffic of key ("important") services and also for a throttled guest wifi:

    Bandwidth Pools

    "Traffic Out" of important services guarantees that bandwidth will be set aside for them if needed. It doesn't show in this list, but Guest Limit has an upper limit of 2048kb/s.

    Throttling

    I think this will allow "important inbound" to use all bandwidth if needed, but not allow web surfing to eat up more than 20mb/s. Order is important here.

    Like I said, if there's something colossally stupid about this configuration, I won't be offended if someone points it out.

    Thanks!

    Jeff

  • If it works, it can't be stupid!

    Sophos Certified Architect (UTM + XG)

  • Hello Jeff, thank you for your post. I tinkered with the QoS settings until I arrived at the same results for Guest WiFi throttling. 

    My setup:

    • UTM 9.5
    • 3 NICs:
      • WAN (Comcast cable)
      • Internal LAN
      • Guest (wired/wireless) LAN

    Once I found the magic combination, the only one that worked for me, the whole setup looked very strange and cumbersome. That's when I decided to look at this forum. :)

    Needless to say, the QoS interface and the terminology are very confusing in the UTM. My way of looking at the approach is that my equipment (LAN) is sending (UPLOAD) or receiving (DOWNLOAD) data from the WAN (Internet).

    IMHO: The following aspects require better documentation / better GUI

    • Download Throttling actually controls the UPLOAD speed; I need to limit how much of my Comcast upload bandwidth is used by the Guests.
      • QoS -> Download Throttling -> Bound to Interface Guest(up) -> Rule named "Guest Upload Speed"; btw, here I can select "shared" or per src/dst limit type
    • Bandwidth Pool is the only way to limit the download speed consumed by the Guests.
      • QoS -> Bandwidth Pool -> Bound to Interface Guest(up) -> Rule named "Guest Download Limit" ; I can NOT pick how to limit the bandwidth
      • The rule has 1kbps of guaranteed bandwidth with "Specify upper bandwidth limit" check-box checked and desired "Throttle" value entered.

    I have experimented with other combinations that led to not limiting either my DOWNLOAD or UPLOAD bandwidth. 

    Sites used to test the speed:

    http://speedof.me/

    https://fast.com/ (doesn't show the separate UP/DOWN values, but provides quite accurate measurements)

    http://www.speedtest.net/ 

    Other tasks I wish to confirm that are configured correctly are:

    • Skype's UP/DOWN WAN bandwidth guarantee for my voice/video calls initiated from the Internal LAN
    • VoIP (PAP) adapter UP/DOWN WAN bandwidth guarantee for my "hardwired" phones.

    But I will leave those for another topic.

    Your feedback is welcome and is greatly appreciated.