QOS - Still baffled after all these years

Hi,

Every so often I delve into this then give up because my brain starts to hurt. The myriad of posts and articles seem to answer things then other ones seem to say something different. Maybe it has to do with how different people ask questions, so I guess I'll throw my phrasing into the mix and hopefully get to the bottom of how to maximize performance for the services I want.

I have an SG230 with a 50 Mbps internet connection. I want to guarantee 15 Mbps to each of these in either direction (to/from internet):

  • A file sharing website (https) we host
  • VPN access to our LAN for our staff
  • also of course regular internet stuff (email, web surfing, etc)

(I don't need 15 up + 15 down for each, I just want to be sure that our File Sharing site has 15 Mbps available to it, and that our VPN users have at least 15 Mbps (total shared) available to them.)

Am I right that the UTM settings are all from the point of view of the box? So "Downlink" refers to what's coming into the UTM, whether from the WAN or the LAN?

Is it accurate that the UTM cannot control the traffic that comes into it from either the LAN or the WAN? So all I can do is guarantee bandwidth of what leaves it?

If that's the case, then should I use QOS on the WAN interface to guarantee bandwidth heading out to the internet (with a LAN->Internet Traffic selector), and one on the LAN interface to guarantee bandwidth heading IN to the LAN?

Since the WAN is 50 Mbps and the LAN is gigabit, is there no point then in even trying to guarantee WAN-to-LAN traffic at all, because there's no way enough WAN traffic would ever be enough to fill up all the bandwidth on the LAN side?

Should I turn off Automatic QOS (Download Equalizer, Upload Optimizer) on the Status tab if I'm doing any of this?

If all our incoming traffic is out of our control, is there nothing I can do to make sure, if someone is trying to upload a file, that that client has priority on the WAN interface over someone who's streaming hi-def YouTube videos (short of throttling, which I don't want to do because I'm fine with someone watching videos as long as it gets cut down as soon as someone starts needing to upload real files)?

Please let me know if I can/should clarify all this.

Thanks,

Jeff

This thread was automatically locked due to age.
  • Hello Jeff,

    Indeed QOS is the most complex challenge with WAN connections.

    You're right, you cannot completely "QOS" incoming packets, only outgoing. With "Download Throttling" the UTM tries to throttle the remote sender ("If packets are coming in faster than the configured threshold, excess packets will be dropped immediately without being listed in the firewall rules log file. As a result of TCP congestion avoidance mechanisms, affected senders should reduce their sending rates in response to the dropped packets.")

    Limit Uplink: should be selected in most cases, because your WAN interface speed is not your real WAN speed.

    Limit Downlink (former Download Equalizer): Should be enabled to do a fair use ("If enabled, Stochastic Fairness Queuing (SFQ) and Random Early Detection (RED) queuing algorithms will avoid network congestion. In case the configured downlink speed is reached, packets from the most downlink consuming stream will be dropped.")

    Upload Optimizer does nothing spectacular; it only makes sure that new TCP connections and DNS requests are still possible if the bandwidth is fully used.

    In your case I would recommend building two Bandwidth Pools, each with only one Traffic Selector:

    1. HTTPS Traffic from internal Webserver to the internet

    2. VPN Traffic (IPSec) to the internet/remote gateways.

    Assign the Bandwidth Pools to your WAN interface in the right order (the first Bandwidth Pool is reserved first).

    An upper bandwidth limit should not be set.

    Then create a Download Throttling rule for web surfing/e-mail (shared) that reserves 15+x Mbit/s (15 for incoming VPN plus ACK packets for downloads from your webserver, maybe 15+2).

    So it looks like:

    - Outgoing: 15 + 15 reserved

    - Incoming: Websurfing/E-Mail is limited to 33 with fair use.

    I think it won't help to "QOS" your internal interface.


    You can't control everything but maybe it helps.


    Good luck!

    CS


    Sophos Certified Architect (UTM + XG)

  • Thanks this is quite helpful.

    I'm just not quite clear on the last point. Wouldn't throttling downloads for web/email catch (and therefore throttle) files being uploaded (from the point of view of client out on the WAN) to our website? Or do I need to set the throttle rules very specifically so that traffic coming from the internet but going anywhere EXCEPT our website should be limited, to leave enough "space" for uploading files and incoming traffic over VPN?

    Jeff

  • JeffCooper said:

    Wouldn't throttling downloads for web/email catch (and therefore throttle) files being uploaded (from the point of view of client out on the WAN) to our website? Or do I need to set the throttle rules very specifically so that traffic coming from the internet but going anywhere EXCEPT our website should be limited, to leave enough "space" for uploading files and incoming traffic over VPN?

    Yes. In this case you can add a download throttling rule ABOVE the rule for web/email, with the correct traffic selector (traffic to your webserver) and a higher limit.


    Sophos Certified Architect (UTM + XG)
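Putting CS's two replies together (two reserved pools on the WAN interface with no upper limit, SFQ fair sharing, a download-throttling catch-all for web/mail, and the exception for traffic to the web server placed above that catch-all), here is the same scheme written as Linux tc commands. This is an added illustration, not part of the thread and not the UTM's own configuration: the UTM runs on Linux, and the Download Equalizer text CS quotes names SFQ and RED, which are Linux queueing disciplines, but WebAdmin generates its own rules and this script makes no claim to reproduce them. The interface name, the addresses, the 48 Mbit/s uplink figure and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added illustration, not Sophos UTM's own configuration: CS's scheme expressed as
# Linux tc commands (HTB for the guaranteed pools on WAN egress, SFQ inside each pool,
# an ingress policer for the "download throttling" part). Everything named below
# (interface, addresses, the 48 Mbit/s uplink figure) is an assumption for the example.

WAN_IF="${WAN_IF:-eth1}"                     # assumed WAN interface of the UTM
WEB_PUB="${WEB_PUB:-192.0.2.10}"             # assumed public (post-NAT) address of the HTTPS site
UPLINK_MBIT=48                               # "Limit Uplink": a little below the 50 Mbit/s line so the queue forms here
POOL_MBIT=15                                 # guaranteed rate for each of the two pools
OTHER_MBIT=$((UPLINK_MBIT - 2 * POOL_MBIT))  # what is left for everything else when both pools are busy
THROTTLE_MBIT=33                             # incoming web/mail cap: 50 - (15 VPN + ~2 for ACKs), as CS sized it
BURST=256k

# Print the tc commands instead of running them, so the plan can be reviewed (and tested) first.
qos_commands() {
    # start clean; "|| true" so a missing qdisc does not abort the run
    echo "tc qdisc del dev $WAN_IF root 2>/dev/null || true"
    echo "tc qdisc del dev $WAN_IF ingress 2>/dev/null || true"

    # --- WAN egress: HTB root; anything unclassified lands in 1:30 ---
    echo "tc qdisc add dev $WAN_IF root handle 1: htb default 30"
    echo "tc class add dev $WAN_IF parent 1: classid 1:1 htb rate ${UPLINK_MBIT}mbit ceil ${UPLINK_MBIT}mbit"
    # pool 1: HTTPS from the file-sharing site; rate = guarantee, ceil = whole link (no upper limit)
    echo "tc class add dev $WAN_IF parent 1:1 classid 1:10 htb rate ${POOL_MBIT}mbit ceil ${UPLINK_MBIT}mbit prio 1"
    # pool 2: IPsec VPN, same guarantee
    echo "tc class add dev $WAN_IF parent 1:1 classid 1:20 htb rate ${POOL_MBIT}mbit ceil ${UPLINK_MBIT}mbit prio 1"
    # everything else: the remainder is guaranteed, and it may borrow the whole link while the pools are idle
    echo "tc class add dev $WAN_IF parent 1:1 classid 1:30 htb rate ${OTHER_MBIT}mbit ceil ${UPLINK_MBIT}mbit prio 2"
    # SFQ in each leaf: fair sharing between the flows inside one pool
    for leaf in 10 20 30; do
        echo "tc qdisc add dev $WAN_IF parent 1:$leaf handle $leaf: sfq perturb 10"
    done
    # traffic selectors (u32 matches): HTTPS replies from the site -> 1:10
    echo "tc filter add dev $WAN_IF parent 1: protocol ip prio 1 u32 match ip src $WEB_PUB/32 match ip sport 443 0xffff flowid 1:10"
    # ESP, plus IKE and NAT-T (UDP 500/4500) from this gateway -> 1:20
    echo "tc filter add dev $WAN_IF parent 1: protocol ip prio 1 u32 match ip protocol 50 0xff flowid 1:20"
    for p in 500 4500; do
        echo "tc filter add dev $WAN_IF parent 1: protocol ip prio 1 u32 match ip protocol 17 0xff match ip sport $p 0xffff flowid 1:20"
    done

    # --- WAN ingress: arriving packets cannot be shaped, only dropped so the senders back off ---
    echo "tc qdisc add dev $WAN_IF handle ffff: ingress"
    # filters are evaluated in prio order: the exceptions (uploads to the site, VPN) come first with a
    # higher limit, as CS suggested in the follow-up; the web/mail catch-all comes last
    echo "tc filter add dev $WAN_IF parent ffff: protocol ip prio 1 u32 match ip dst $WEB_PUB/32 match ip dport 443 0xffff police rate ${UPLINK_MBIT}mbit burst $BURST drop flowid :1"
    echo "tc filter add dev $WAN_IF parent ffff: protocol ip prio 1 u32 match ip protocol 50 0xff police rate ${UPLINK_MBIT}mbit burst $BURST drop flowid :1"
    for p in 500 4500; do
        echo "tc filter add dev $WAN_IF parent ffff: protocol ip prio 1 u32 match ip protocol 17 0xff match ip dport $p 0xffff police rate ${UPLINK_MBIT}mbit burst $BURST drop flowid :1"
    done
    echo "tc filter add dev $WAN_IF parent ffff: protocol ip prio 2 u32 match ip src 0.0.0.0/0 police rate ${THROTTLE_MBIT}mbit burst $BURST drop flowid :2"
}

# Number of ingress policers in the plan; a quick sanity check before applying.
policer_count() {
    qos_commands | grep -c 'police rate'
}

# Run for real only when explicitly asked (needs root and iproute2); otherwise just print the plan.
apply_qos() {
    if [ "${QOS_APPLY:-0}" = "1" ]; then
        qos_commands | sh -e
    else
        qos_commands
    fi
}

apply_qos
```

Run it as-is to print the plan; set QOS_APPLY=1 (as root, on a box with iproute2) to apply it. The ingress half is exactly as weak as the thread says: a policer is a fixed token bucket that drops over its rate whether or not anyone is uploading at that moment, so it slows a streaming client through TCP loss recovery rather than pre-empting it when an upload starts, which is why the egress side gets the real guarantees.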

  • CS, years ago, I developed a habit of not selecting any of the Interface check boxes on the 'Status' tab if I defined both Download Throttling and Multipath rules on an interface.  Are you saying that 'Upload Optimizer' has been "fixed" and no longer interferes with Multipath rules?

    As to limiting uplink/downlink, why select either of those if you're not paying for additional bandwidth?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA