Yet again: Download Throttling

Simple explanation: Download throttling may not be working on its own... turn it off so it doesn't mess anything up in the future, unless you need either distributed limits, or ingress limiting, then fix your rules based on the following link, and (possibly) create dummy bandwidth pools that do nothing on each interface to force correct tc config on the backend:

community.sophos.com/.../119111

Elaboration: The bandwidth pool you created must be forcing tc to create the download throttling queues correctly on the backend. This might be fixed by now? Only assign bandwidth pools with upper limits, and throttling rules, to internal interfaces. You don't want to forcefully drop already received traffic on WAN interfaces, ever, for traffic flow management purposes.

You should always be using bandwidth pools with upper limits set, to limit traffic, be using bandwidth pools with upper limits for egress limiting, and download throttling rules for ingress limiting, respective to the interface on which the rule is assigned. Unless If you require the per rule bandwidth to be distributed in a per IP or per IP pair fashion, where these options only exist for download throttling rules, unless I'm missing something. Keep in mind, that as long as you leave Limit Downlink and Upload optimizer enabled on the interface the bandwidth pool(s) w/ limiting are assigned, you are already getting a result more or less identical to what a download throttling rule in shared mode would give you. Don't bother migrating / creating throttling rules just to use shared mode, you're probably already getting shared mode behavior and just don't realize it.

Revised 04/23/2017 - Per following discussion with Bob (thanks Bob!), and response from Bill (thanks Bill!)

Hi, Keith, and welcome to the UTM Community!

You said, "You don't want to forcefully drop already received traffic on WAN interfaces, ever, for traffic flow management purposes."  This is what the Download Throttling rule in the KB article does.  What is your reasoning behind this comment?

Cheers - Bob

Hi Bill, thanks for the reply. Definitely helpful as to the "why?" part of it all.

That leaves me with a few more questions, of course, and it relates to a good point Bob brought up...

When dealing with the issue of managing traffic of internal components like the web filter, that on their own pull in traffic, process it, then forward it on to the appropriate interface, what would be the "SUTM correct" way of implementing rules that accomplish managing these flows? Can we use either one of bandwidth pools or download throttling, as long as the rules are correct in terms of the final source / destination? Or do we have to use one or the other, or even specifically formatted rules, to effectively shape traffic flows "middle man'd" by internal SUTM services?

One more, just for clarification. Are the download throttling rules also applied at the "tc" level of the kernel as the bandwidth pools are, with some extra logic, or tc's ingress mode applied, to make sure they are applied correctly on the back end? Or are the download throttling rules applied by a different layer / mechanism that allows ingress shaping outside of tc?

Thanks again Bill!

At present, there is no way other than Download Throttling to handle "internal flows" in the UTM.  I don't know the answer to your "tc" question, but the difference is similar to the difference between a DNAT and an SNAT.  Download Throttling rules are applied to arriving traffic as soon as the packet is accepted by conntrack or a firewall rule, or maybe before, and definitely before anything else happens.  Bandwidth Pools are the last thing considered before the packet leaves the interface (just before SNAT/masq, is my guess).

Cheers - Bob

Are you sure about that order? I mean it seems logical, don't get me wrong. But both of the 2 types of shaping rules have visibility into the NAT layer.

If they didn't, you wouldn't be able to shape traffic on LAN interfaces by external address/port, nor would you be able to shape traffic on WAN interfaces by internal address/port. I have worked with firewall products like this in the past. They make QoS setup extremely mind numbing.

Given that we know the shaper has NAT visibility, I guess I'd like Sophos to chime in here again, I don't see many easy ways to determine internal order of operations with respect to the QoS layer and other parts of the routing layer.

Sophos has done a very good job as far as reflecting things as they are layered in the stack on the backend, in the WebGUI. QoS is (as it should be) grouped into the interfaces & routing section. We know its part of that layer, but (maybe you already know this) how do we know the order of this layer specifically?

I know, I know, most readers just went "who cares, it works". I'd like to know, because you never know when knowing might matter down the road.

If I had to guess, I would say the routing / NAT / QoS layer doesn't really have a set order, it's more of a "they all cross talk at multiple points in the chain" sort of deal. That's just a guess though...

Ironic as it is, this new ingress / egress information, has me moving all of my upload throttling rules, to the download throttling tab, away from the bandwidth pools tab, where they were doing absolutely nothing.

To add to the irony, my download throttling rules, have to stay under the bandwidth pools tab, or they would cease to work. Lol indeed...

To be honest, I have not tested what tc output is when using bandwidth pools vs download throttling and would be interested in the results myself. You can turn off all your rules temporarily and then add a bandwidth pool on LAN interface and then test the tc rules created against download throttling rules for the same port etc. If I had to guess, I think there is no difference but I could be wrong.

As far as I can tell, you are correct Bill.

After a little more research after I posted that question, I found that "tc" absolutely does have an "ingress" mode you can apply, on a per rule basis, using raw tc commands.

So it would seem all QoS rules are implemented in tc (which is a good thing), the difference being that rules created under the download throttling tab, have the ingress option applied to them. Where rules created under the bandwidth pools tab, do not have the ingress option applied to them.

tc rules are egress only by default, and tc does not support (as far as I have read) bidirectional (both egress and ingress at the same time) rules, like ALTQ does on FreeBSD. And no, that is not a feature request. I very much prefer single direction only QoS rules, helps to keep things sorted, and issues from malformed rules to a minimum ;-)

So, Keith and Bill, do your last posts indicate that the sequence I surmised may not be correct but that it doesn't matter as thinking of QoS in that way leads to a "correct" configuration?

Cheers - Bob

I'm honestly still not sure on this. Hopefully Sophos can weigh in on it specifically.

My guess is, that your resulting rules would be correct, as long as you think of them in an egress vs. ingress manner.

Which, if I understood you right Bob, is the overall way you are looking at them, so yes, your rules would be correct.

Again, I had to move 2 of my QoS rules to the download throttling tab to correct them. I was still thinking in an ALTQ manner, after migrating my config to SUTM from a FreeBSD based system.

Hi bob, keith is right on all counts as far as the mechanism and the engineering aspect. Only thing I would change on your earlier post is that as keith pointed out, we are mostly playing with egress (outgoing packets). There is a lot more flexibility where we can assign different priorities, delay the packets and apply bandwidth limits etc on the queues when the traffic is leaving the firewall. With ingress policing, you really don't have much choice and the only option is dropping traffic to then let tcp/ip builtin controls to slow that traffic down.

So yes there are actual differences and throttling doesn't just drop packets in all cases. Also, the throttling is done on kernel level so ingress/egress shouldn't have any influence on proxies or other daemons as that should technically come after kernel has already sorted through all the traffic. A proxy cache may give you skewed results by caching/scanning some of the traffic and then releasing to the client in one chunk making it seem like you have a higher bandwidth than what is really available, but the actual throttling has already been done.

Of course, I have not written any iptables rules since i found shorewall and definitely don't even remember the syntax since jumping on astaro[:$] so my knowledge is outdated and limited.

EDIT: I know the confusion that you are describing in some of the earlier versions where the proxy seemed like it was doing its own thing while QoS was not having any effect. I think that has been fixed since later v8/ early v9 releases. The reason for that wasn't the proxy but they way rules were written for QoS. So for example a rule like 

QoS any traffic coming from internet with port 80 to ANY LAN got bypassed when proxies dnatted that traffic. That was not the shortcoming of QoS but the implementation and the complexity of applying that rule correctly for proxies with different configurations and profiles.

I will chip in here:

Download throttling does work even with "web filtering on"

The trick is to select "Application selector" and NOT "traffic selector" under Traffic selectors.

I have tried this successfully this morning using the following:

DOWNLOADS:
Traffic selector = application (http)
Download throttling = Bound to WAN > select above traffic selector and enter limit in kb/s

UPLOADS:
Same as above but you need to use Bandwidth Pools and ensure "Upper limit" is selected with appropriate kb/s

Doing both of the above limited my download and upload using http with web filtering enabled.

I will chip in here:

Download throttling does work even with "web filtering on"

The trick is to select "Application selector" and NOT "traffic selector" under Traffic selectors.

I have tried this successfully this morning using the following:

DOWNLOADS:
Traffic selector = application (http)
Download throttling = Bound to WAN > select above traffic selector and enter limit in kb/s

UPLOADS:
Same as above but you need to use Bandwidth Pools and ensure "Upper limit" is selected with appropriate kb/s

Doing both of the above limited my download and upload using http with web filtering enabled.

Bill and Louis, consider https://community.sophos.com/products/unified-threat-management/f/network-protection-firewall-nat-qos-ips/73340/can-not-apply-qos-when-enable-web-filtering/331211#331211.

Cheers - Bob