Guaranteed Bandwidth of IPSEC tunnel.

Hi,
I am quite new to Sophos and would need some help on QoS. We have a site-to-site IPsec VPN configured to our remote branch. WAN speed (in/out) in the main office: 20 Mbit/sec. WAN speed (in/out) in the branch: 10 Mbit/sec.
Is it possible to assign 10 Mbit of guaranteed bandwidth to this tunnel
(Branch -> Main 10 Mbit/sec, Main -> Branch 10 Mbit/sec)?
How can I do that step by step?

p.s. Sorry for my English if I wrote something wrong.

  • Hi, Alex, and welcome to the UTM Community!

    You can guarantee 10 Mbps to the outbound traffic, but the only way you can guarantee the same to inbound traffic is to restrict all other traffic to 10 Mbps. Is that what you want to do?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • A bit different...

    Branch office channel bandwidth is 10 Mbit.

    Main office channel bandwidth is 20 Mbit.

    Guaranteed bandwidth of IPsec (branch) is 10 Mbit.

    For example, the IPsec channel uses 8 Mbit of the main office channel bandwidth (the IPsec channel is not fully loaded). The main office channel should use the remaining 12 Mbps.

    If the IPsec channel requires its full guaranteed bandwidth (10 Mbit), then the main office traffic will be restricted to 10 Mbit.

    I do not want to strictly limit the traffic to services.

    Is it possible?

  • The problem is that a single Internet download can use up all 20 Mbps of your inbound bandwidth. Your UTM can determine what it sends outbound into your WAN connection, but it has no way of controlling what fills that pipe from the Internet.

    Only your ISP can guarantee 10 Mbps of inbound bandwidth to IPsec traffic from your remote site if you don't want to limit all other traffic to 10 Mbps.

    Cheers - Bob

  • Can I create 2 or more pipes in UTM?
    1st pipe - IPsec (priority 6, bandwidth 10 Mbit)
    2nd pipe - All traffic
    First, traffic will pass through the first IPsec pipe with precedence 6 and bandwidth 10 Mbit, then traffic will be directed to a common channel with fixed precedence 6.
    The UTM determines that the traffic comes from the IPsec pipe and determines the channel loading.
    If the download does not fill the channel, then the rest of the channel width will be used by other traffic.
    This technology is used in D-Link routers, from which I want to transfer settings to Sophos.

    I plan to set up a second IPsec channel to the 2nd branch.
    If that channel is set up, it will be necessary to increase the head office channel width by 10 Mbps.
    Besides the two IPsec channels there are other services that need access to the main office
    (RDP, mail and others).

    Maybe it makes sense to configure IPsec traffic with higher priority than other traffic?

    And not to use the guaranteed bandwidth?

  • No, there is no way you can prevent the arrival of 20 Mbps from some other source.

    Cheers - Bob

  • Good. I understand.
    How can I limit other traffic to 10 Mbps?

  • Make two Download Throttling rules on the External interface, in order: (1) Limit 'Any -> IPsec -> Any' to 1000 Mbps and (2) Limit 'Any -> Any -> Any' to 10 Mbps.

    To guarantee 10 Mbps to outbound IPsec traffic, make a Bandwidth Rule on the External interface, guaranteeing 10 Mbps to 'Any -> IPsec -> Any'.

    Cheers - Bob

  • Thank you. And if I have to add a second IPsec channel (on condition that the main office channel is 30 Mbit)? How will the rules look in this case?

    And one more thing: will the rules work in both directions?

    Is it possible to add the functionality I wrote about? Do we need the developers to write it?

  • Bandwidth Pools work only on traffic leaving an interface. Download Throttling rules work only on traffic arriving at an interface. The Traffic Selectors I suggested can be used for either or both as they are valid in both directions.

    If you have two remote locations and you want to guarantee 10 Mbps inbound to each, you need two rules above the one labeled (2) above. Instead of 'Any -> IPsec -> Any', use '{Site #1} -> IPsec -> Any' in one rule and '{Site #2} -> IPsec -> Any' in the other.

    Cheers - Bob

  • Thank you for your detailed answers.

    "(1) Limit 'Any -> IPsec -> Any' to 1000 Mbps"

    Are there no typos in this text? 1000 Mbps?
    Can the functionality I wrote about be added by the developers?

  • In any ordered list in WebAdmin, processing of the list ends after a rule matches. The function of (1) is to avoid (2) for IPsec traffic.

    No, the developers can do nothing. They can't control how much other traffic is sent to you - only your ISP could do that.

    Cheers - Bob

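An added illustration of the first-match processing Bob describes, not code from the thread or from Sophos UTM: a small Python model of an ordered Download Throttling list with 'source -> service -> destination' selectors. It shows why rule (1) must sit above rule (2), flags rules that can never be reached, and extends to the two-branch variant; the site names and the 1000 Mbps pass-through value for the per-site rules are assumptions.

```python
from dataclasses import dataclass

ANY = "Any"  # wildcard field in a WebAdmin traffic selector


@dataclass(frozen=True)
class ThrottleRule:
    """Download Throttling rule: 'source -> service -> dest' selector plus a limit."""
    source: str
    service: str
    dest: str
    limit_mbps: int

    @staticmethod
    def _covers(want, have):
        return want == ANY or want == have

    def matches(self, source, service, dest):
        return (self._covers(self.source, source) and self._covers(self.service, service)
                and self._covers(self.dest, dest))

    def shadows(self, other):
        """True if self already matches every packet `other` could match."""
        return (self._covers(self.source, other.source)
                and self._covers(self.service, other.service)
                and self._covers(self.dest, other.dest))


def effective_limit(rules, source, service, dest):
    """Top-down first match: the first matching rule decides and processing
    stops there, as in any ordered WebAdmin list. None means no rule matched."""
    for rule in rules:
        if rule.matches(source, service, dest):
            return rule.limit_mbps
    return None


def shadowed_rules(rules):
    """Indices of rules that can never be reached because an earlier rule covers them."""
    return [i for i, r in enumerate(rules) if any(e.shadows(r) for e in rules[:i])]


# Bob's list on the External interface: (1) passes IPsec at an effectively
# unlimited 1000 Mbps so it never reaches (2), which caps everything else at 10 Mbps.
BOB_RULES = [ThrottleRule(ANY, "IPsec", ANY, 1000), ThrottleRule(ANY, ANY, ANY, 10)]
# Two-branch variant from the thread: one selector per remote site above the
# catch-all (site names and the 1000 Mbps value are assumptions, not stated there).
TWO_SITE_RULES = [ThrottleRule("Site #1", "IPsec", ANY, 1000),
                  ThrottleRule("Site #2", "IPsec", ANY, 1000), ThrottleRule(ANY, ANY, ANY, 10)]
# Same two rules reversed: the catch-all matches first, so IPsec is throttled too.
REVERSED_RULES = list(reversed(BOB_RULES))
```

Running `shadowed_rules` over a list before saving it is a quick check that no selector has been placed below a broader one that swallows its traffic.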