Guaranteed Bandwidth of IPSEC tunnel.

Hi, Alex, and welcome to the UTM Community!

You can guarantee  10mbps  to the outbound traffic, but the only way you can guarantee the same to inbound traffic is to restrict all other traffic to  10mbps.  Is that what you want to do?

Cheers - Bob

A bit different...

Branch office channel bandwidth is 10 mbit

Main office channel bandwidth is 20 mbit

Guaranteed bandwidth of IPSEC  (branch) is 10 mbit

For example Ipsec channel uses 8 Mb  of  main office channel bandwidth (ipsec channel is not fully loaded). Main office channel  should use the remaining 12 Mbps.

If ipsec channel required full guaranteed bandwidth (10 mbit), then the main office traffic will be restricted to 10 mbit. 

I do not want to strictly limit the traffic to services.

Is it possible ? 

The problem is that a single Internet download can use up all 20mbps of your inbound bandwidth. Your UTM can determine what it sends outbound into your WAN connection, but it has no way of controlling what fills that pipe from the Internet.

Only your ISP can guarantee 10mbps of inbound bandwidth to IPsec traffic from your remote site if you don't want to limit all other traffic to 10mbps.

Cheers - Bob

Can i create 2 or more pipes in UTM ?
1st pipe - IPSEC (priority 6, bandwidth 10mbit)
2nd pipe - All traffic
First traffic will pass through the first IPSEC pipe with precedence 6 and bandwidth 10 mbit, then traffic will be directed to a common channel with fixed perecedence 6.
The UTM determines that traffic to come from IPSEC pipe and determine the channel loading.
If the download does not complete the channel, then rest of the channel width will be used by other traffic
This technology is used in dlink routers, from which i want to transfer settings to Sophos.

I plan to set up a second Ipsec channel to 2-nd branch.
If the channel is set up, it will be necessary to increase the width
channel head office at 10 Mbps
Besides two channels ipsec there are other services that need access to the main office
(RDP, mail and other )

Maybe it makes sense to configure ipsec traffic with higher priority than other traffic ?

And not to use the guaranteed bandwidth ?

Can i create 2 or more pipes in UTM ?
1st pipe - IPSEC (priority 6, bandwidth 10mbit)
2nd pipe - All traffic
First traffic will pass through the first IPSEC pipe with precedence 6 and bandwidth 10 mbit, then traffic will be directed to a common channel with fixed perecedence 6.
The UTM determines that traffic to come from IPSEC pipe and determine the channel loading.
If the download does not complete the channel, then rest of the channel width will be used by other traffic
This technology is used in dlink routers, from which i want to transfer settings to Sophos.

I plan to set up a second Ipsec channel to 2-nd branch.
If the channel is set up, it will be necessary to increase the width
channel head office at 10 Mbps
Besides two channels ipsec there are other services that need access to the main office
(RDP, mail and other )

Maybe it makes sense to configure ipsec traffic with higher priority than other traffic ?

And not to use the guaranteed bandwidth ?

No,  there is no way you can prevent the arrival of 20 Mbps from some other source.  

Cheers - Bob

Good. I understood.
How can I limit other traffic to 10 Mbps ?

Make two Download Throttling rules on the External interface, in order: (1) Limit 'Any -> IPsec -> Any' to 1000 Mbps and (2) Limit ' Any -> Any -> Any' to 10 Mbps.

To guarantee 10 Mbps to outbound IPsec traffic, make a Bandwidth Rule on the External interface, guaranteeing 10 Mbps to 'Any -> IPsec -> Any'.

Cheers - Bob

Thank you. And if I have to add a second channel ipsec (on condition, that the main office of the channel is 30 mbit) ? As in this case, the rules will look  ? 

And one moment. The rules will work in two directions ? 

Is it possible to add functionality , about which I wrote ? We need developers to write ?

Bandwidth Pools work only on traffic leaving an interface.  Download Throttling rules work only on traffic arriving at an interface.  The Traffic Selectors I suggested can be used for either or both as they are valid in both directions.

If you have two remote locations and you want to guarantee 10 Mbps inbound to each, you need two rules above the one labeled (2) above. Instead of 'Any -> IPsec -> Any', use '{Site #1} -> IPsec -> Any' in one rule and '{Site #2} -> IPsec -> Any' in the other.

Cheers - Bob

Thank you for your detailed answers.

"(1) Limit 'Any -> IPsec -> Any' to 1000 Mbps " -  

In this text, no typos ? 1000Mbps ?
The functionality of which I wrote, can be added of the developers ?

In any ordered list in WebAdmin, processing of the list ends after a rule matches.  The function of (1) is to avoid (2) for IPsec traffic.

No, the developers can do nothing.  They can't control how much other traffic is sent to you - only your ISP could do that.

Cheers - Bob