Sophos UTM 9 : QoS best practices

Hi,

Here is a quick network diagram:

Our context / goal:

  • Some users are experiencing slow Internet.
  • So we would like to optimize our outgoing Internet traffic.

Questions:

  1. If we do not host any service internally and only have outgoing traffic to the Internet, should we set QoS on internal interfaces?
    • For example: on internal VLAN interfaces (users, servers, network…)
    • Because this will have an impact on internal bandwidth between users and servers.

  2. If we should set QoS internally to optimize our outgoing Internet traffic, should the total of all QoS for internal interfaces be under the total of the external interface?
    • For example:
      • Interface server: 10 Mbps (QoS)
      • Interface user: 20 Mbps (QoS)
      • Interface external (Internet): 30 Mbps (QoS)

  3. If we configure a RED tunnel, should we configure the QoS with the same bandwidth on both sides?

  4. Could we configure a bandwidth pool without any QoS interface enabled? Is it useless?

  5. What are the best practices to configure a bandwidth pool or download throttling?
    • From a specific rule to a global one?

  • Hi,

    1. I would advise applying QoS on the external interface, given that you will be downloading web pages or content from the Internet. I would suggest going through this external article: https://www.fastvue.co/sophos/blog/limit-youtube-traffic-sophos-utm-qos/ which should help you configure this.

    2. On the external interface, you should only specify the bandwidth you have from the ISP for both upload and download.

    3. Do you want to apply QoS for the devices behind the RED?

    4. You will need to enable the interface on which you'd apply QoS.

    5. The external article I mentioned earlier should help you with that.

  • In reply to Jaydeep:

    Thank you for your reply Jaydeep.

    -------------

    Scenario 1: guarantee web surfing

    So from your link, to guarantee web surfing bandwidth, for example for the users VLAN, I will do the following:

    • Enable QoS on the WAN interface with the Internet speed
      • We have 30 Mbps symmetric, so to be conservative I will set 10% less: 27 Mbps downlink / 27 Mbps uplink

    • I will configure a traffic selector
      • Source: VLAN Users
      • Destination: Internet
      • Protocol: HTTP/HTTPS
    • Then a bandwidth pool on the WAN interface
      • Bandwidth: 6 Mbps
      • Traffic selector: Web surfing

    Scenario 2: limit bandwidth for Microsoft updates

    I would like to limit the bandwidth used for Microsoft updates from our WSUS server.

    First, I was thinking about download throttling, but I think this is not the right tool for that.

    Questions:

    1. So with scenario 1, internal users (from VLAN Users) will have at least 6 Mbps for web surfing. Am I right?
    2. So with scenario 2, how can I limit the bandwidth used for Microsoft updates? Should I configure a bandwidth pool with an upper bandwidth limit?

    Thanks a lot for your help!

  • Salut Denis,

    I have a different approach, but your question is, in fact, many questions at once.  Normally here, the rule is "one topic per thread."

    Set External for 30/30.  Don't select either limit as that should only be used for an ISP connection that has variable cost based on volume.  If you're going to put any Bandwidth Pools on External, don't select 'Upload optimizer'.

    I don't understand why you would limit internal traffic between your WSUS server and the clients, nor why you would want to limit traffic to it unless you wanted to use a Time Event to limit the blocking to during working hours.

    1. No.  A Bandwidth Pool guarantees only outbound bandwidth.  Web surfing won't be affected by your Bandwidth Pool.

    You may want something like 'Internet -> HTTP/S -> Internal (Network) : guarantee 6Mbps' on the Internal interface, but it may be too early to tell.  When you have confirmed a problem, please start a new thread and ask about it.

    A Bandwidth Pool is ineffective if it's on an Interface that's not enabled for QoS.

    Cheers - Bob

  • In reply to BAlfson:

    Thank you for your reply Bob.

    BAlfson:

    Set External for 30/30.  Don't select either limit as that should only be used for an ISP connection that has variable cost based on volume.  If you're going to put any Bandwidth Pools on External, don't select 'Upload optimizer'.

    OK, we have an Internet speed of 30/30 Mbps, so I should set 30/30 directly with no margin.

    BAlfson:

    I don't understand why you would limit internal traffic between your WSUS server and the clients, nor why you would want to limit traffic to it unless you wanted to use a Time Event to limit the blocking to during working hours.

    I do not want to limit internet traffic between our WSUS and the clients, but I would like to prioritize some outgoing traffic (web surfing, Zoom meetings...) and limit the less important outgoing traffic, like our WSUS server downloading Microsoft updates.

    BAlfson:

    1. No.  A Bandwidth Pool guarantees only outbound bandwidth.  Web surfing won't be affected by your Bandwidth Pool.

    You may want something like 'Internet -> HTTP/S -> Internal (Network) : guarantee 6Mbps' on the Internal interface, but it may be too early to tell.  When you have confirmed a problem, please start a new thread and ask about it.

    A Bandwidth Pool is ineffective if it's on an Interface that's not enabled for QoS.

    Hmm, I do not understand. From my perspective, if a bandwidth pool is only outbound bandwidth, that's correct. So I can set a bandwidth pool with 6 Mbps from VLAN Users to the Internet for web surfing, no?

    I will check that, because that's our biggest question. Depending on how we can prioritize our traffic, we will do different rules and bandwidth pools.

    Thank you :)

  • In reply to Denis Chatenay:

    Until you have an observed problem, Denis, I wouldn't configure QoS.

    "So I can set a bandwidth pool with 6 Mbps from VLAN users to Internet for web surfing, nope ?"

    If all users surf using UTM Web Filtering, you cannot make separate QoS rules for different LAN/VLANs.

    Cheers - Bob
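
Bob's point that a pool only guarantees traffic leaving the interface it is bound to (so a "web surfing" pool on External protects upload, not downloads), together with the original question 4 (a pool on an interface without QoS enabled does nothing) and question 2 (guarantees must fit the link), can be checked mechanically before touching the box. The following is an added example, not code from this thread or from Sophos: a small Python model with hypothetical field names and constructed interface/pool data that audits a pool set for those three pitfalls, comparing Denis's scenario 1 with Bob's "guarantee 6 Mbps on Internal" suggestion.

```python
from dataclasses import dataclass

@dataclass
class Interface:
    name: str
    qos_enabled: bool     # QoS must be enabled on the interface, or its pools do nothing
    link_mbps: float      # bandwidth available for traffic leaving this interface
    is_wan: bool          # True for the External (Internet) interface

@dataclass
class Pool:
    name: str
    interface: str        # interface the pool is bound to (hypothetical field names)
    guarantee_mbps: float

def shaped_direction(pool, ifaces):
    """A pool shapes traffic leaving the interface it is bound to: on the WAN side
    that is upload; on a LAN interface it is traffic delivered to the LAN, i.e. download."""
    return "upload" if ifaces[pool.interface].is_wan else "download"

def audit(interfaces, pools, want_download=()):
    """Return findings for the pitfalls discussed in the thread; [] means none found.
    want_download lists the pools that are meant to protect downloads (web surfing)."""
    ifaces = {i.name: i for i in interfaces}
    findings, reserved = [], {}
    for p in pools:
        iface = ifaces[p.interface]
        if not iface.qos_enabled:
            findings.append(f"{p.name}: ineffective, QoS is not enabled on {iface.name}")
        if p.name in want_download and shaped_direction(p, ifaces) != "download":
            findings.append(f"{p.name}: bound to {iface.name}, so it guarantees upload only")
        reserved[iface.name] = reserved.get(iface.name, 0.0) + p.guarantee_mbps
    for name, total in reserved.items():   # guarantees must fit the link they ride on
        if total > ifaces[name].link_mbps:
            findings.append(f"{name}: guarantees total {total} Mbps exceed the {ifaces[name].link_mbps} Mbps link")
    return findings

# Constructed sample data: Denis's scenario 1 versus Bob's "guarantee 6 Mbps on Internal"
EXTERNAL = Interface("External", True, 30, True)
INTERNAL = Interface("Internal", True, 1000, False)
SCENARIO_1 = [Pool("Web surfing", "External", 6)]
BOB_SUGGESTION = [Pool("Web surfing", "Internal", 6)]

if __name__ == "__main__":
    for label, pools in (("Scenario 1", SCENARIO_1), ("Bob's suggestion", BOB_SUGGESTION)):
        print(label, audit([EXTERNAL, INTERNAL], pools, {"Web surfing"}) or ["no findings"])
```

Scenario 1 yields the "guarantees upload only" finding, Bob's suggestion yields none; the same audit flags a pool on an interface with QoS disabled and a set of guarantees that adds up to more than the link.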

  • In reply to BAlfson:

    Thank you Bob.

    I would like to set up QoS, because we have some issues with slow Internet.

    So I would like to be sure some traffic (Zoom meetings, web surfing...) has enough bandwidth, and all other traffic will use the remaining bandwidth only.

    Thank you,

    Denis.