
Download throttling for SSL VPN and WSUS Traffic

Hi there,

I want to throttle the download from our WSUS server (QoS on the server does not seem to work) to the remote SSL VPN network.

Thanks to 4G, when we approve the latest updates our internet line is "full", as 80% of our workers are remote. But not always; if it were, I would set up a WSUS server that does not cache locally.

Is there a way to set up download throttling for the remote clients? To which interface can I bind it? The WAN or the internal?

My "rule" is like this.

Traffic from "WSUS server" on these "ports (8530/8531)" to the "Remote subnet". But bound to External, it does not seem to work.

Best regards

Stephan

  • If you think about it, your clients are downloading and your server is uploading. Therefore, you will want to limit the upload. For that you will need a bandwidth pool in which you specify the destination as the remote SSL VPN network.

  • Hey Louis,

    But they download "from" my server. I don't want to reserve bandwidth for WSUS because I only need it 2-4 days a month.

    So the pool is the wrong approach.

    Best regards

    Stephan

  • Stephan, if you want to limit downloads from the WSUS server, add a Download Throttling rule on the Internal interface limiting '{WSUS Server} -> Any -> VPN Pool (SSL)'.  If this is a site-to-site VPN instead of Remote Access, replace "VPN Pool (SSL)" with the content of 'Remote Networks' in the SSL Connection.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hey Bob,

    I've set it up like you said. How can I check if these rules REALLY apply? Because the WSUS server says that the traffic is higher than the specified value.

    Regards

    Stephan

  • Please show pictures of the Edits of your Traffic Selector and Download Throttling rule.

    Cheers - Bob

  • There isn't an easy way to check if these rules do apply other than running 3rd-party speed tests or watching the bandwidth monitor. It's one thing that the UTM could do with; e.g. pfSense has live bucket graphs etc. to show how much QoS is being applied.

    One for Bob here:

    As the OP has full control of the network above, a download or an upload rule would work. Which is the preferred way? I know it's recommended to apply QoS etc. to the closest interface in general, but if the client was, say, 2 subnets further away, would it be better to apply the upload limiting at the server or the download throttling at the client?

  • In this case, Louis, there's no choice because there's no outbound interface object available on which one could use a Bandwidth Pool that limits uplink traffic.  If the traffic were IPsec instead of SSL VPN, you could do QoS on the External Interface on the outbound IPsec traffic as QoS knows how to look inside an IPsec tunnel.  I'm unaware of any real difference in performance or load on the UTM between limiting inbound traffic with a Download Throttling rule or the corresponding outbound traffic with a Bandwidth Pool that limits uploads, so I try to not use the latter.

    Cheers - Bob

  • Here is the traffic selector:

    And here is the throttling rule (which is not working, btw: we had a "full" internet line, so I restarted the WSUS server. The bandwidth was cut in half, losing 50 Mbit of traffic).

    I could also do it the other way: create QoS Bandwidth Pools for the important services and let the other "stuff" use the rest.

    Best regards

    Stephan

  • The service is WSUS-port to 1:65000? Otherwise your rule applies in the wrong direction, since the clients download from WSUS; WSUS doesn't push the updates. So you have to control the clients' traffic to the WSUS and not WSUS-to-client.

    Gruß / Regards,

    Kevin
    Sophos CE/CA (XG+UTM), Gold Partner
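To make the direction point concrete, here is an added example (not from the thread, and not Sophos code) that models how a traffic selector matches a 5-tuple. The addresses, the ephemeral client port, and the service port ranges are constructed; it contrasts the original selector (WSUS ports as destination) with the one Kevin describes (WSUS port as source port, 1:65000 as destination).

```python
# Added example: model how a UTM-style traffic selector matches packets,
# to show why the WSUS download rule must match server-port -> client-port.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


def port_in_range(port: int, spec: str) -> bool:
    """spec is 'N' or 'LO:HI' (UTM service notation); True if port is inside."""
    lo, _, hi = spec.partition(":")
    return int(lo) <= port <= int(hi or lo)


@dataclass
class Selector:
    src_net: str            # e.g. the WSUS server host
    dst_net: str            # e.g. the SSL VPN pool
    src_ports: list[str]    # source-port specs of the service definition
    dst_ports: list[str]    # destination-port specs of the service definition

    def matches(self, src: str, sport: int, dst: str, dport: int) -> bool:
        return (ip_address(src) in ip_network(self.src_net)
                and ip_address(dst) in ip_network(self.dst_net)
                and any(port_in_range(sport, p) for p in self.src_ports)
                and any(port_in_range(dport, p) for p in self.dst_ports))


WSUS = "10.0.0.10/32"        # constructed address of the WSUS server
VPN_POOL = "10.242.2.0/24"   # constructed SSL VPN pool

# Selector as first described in the thread: WSUS ports used as destination.
wrong_direction = Selector(WSUS, VPN_POOL, ["1:65535"], ["8530", "8531"])
# Kevin's version: WSUS port as source port, 1:65000 as destination range.
right_direction = Selector(WSUS, VPN_POOL, ["8530", "8531"], ["1:65000"])

# Constructed flows: the bulk update data goes WSUS:8530 -> client:ephemeral,
# while the client's HTTP request goes client:ephemeral -> WSUS:8530.
DOWNLOAD_PACKET = ("10.0.0.10", 8530, "10.242.2.55", 49712)
REQUEST_PACKET = ("10.242.2.55", 49712, "10.0.0.10", 8530)


def throttles_download(sel: Selector) -> bool:
    """True if the selector would catch the update data flowing to the client."""
    return sel.matches(*DOWNLOAD_PACKET)


if __name__ == "__main__":
    print("original selector hits download data:", throttles_download(wrong_direction))
    print("Kevin's selector hits download data: ", throttles_download(right_direction))
```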