Traffic Shaping

Hello,

I have a problem with a traffic shaping policy. I would like to limit the user for internet traffic, so I created a rule for LAN to WAN and placed the lightly limited policy as traffic shaping.

The traffic in the direction of the LAN is shaped, but the traffic that goes from LAN to WAN is not shaped. How can I make the shaping work in both directions, or is the incoming traffic not checked against the rule because of the stateful firewall?

 

BR

Marco

  • Hi  

    Please refer to the article to apply user-based traffic shaping; it should work for LAN to WAN traffic as well.

    https://community.sophos.com/kb/en-us/123061

  • In reply to Keyur:

    Hello Keyur,

     

    It did not work for me. I created a new policy and limited it to 20Mbit/s up/down. Only the downstream limit was working.

     

     

    BR

    Marco

  • In reply to marco_47d:

    Hi  

    As per the screenshot, it seems that you have created a firewall rule-based traffic shaping policy.

    To apply it on the user profile, you are required to create a user-based traffic shaping policy.

    For testing purposes, please follow the steps below.

    1. Create a source IP based firewall rule for the LAN to WAN zone.

    2. Position the rule at the top so that traffic will not pass through any other firewall rule.

    3. Apply the same configuration as the current firewall rule where the user traffic is passing and verify the behavior.

  • In reply to Keyur:

    Hello Keyur,

     

    Yes, it should be a rule-based policy and not user-based. We do not have user authentication on the firewall for the kind of traffic I want to shape.

    I just created a rule for the users from the Wifi network to shape the traffic to the internet, so my idea is that they do not use all the bandwidth for YouTube etc.

    I am sure that the correct rule is used; I checked it in the log file and it points to the rule that I use for internet traffic. I put all the pictures in a PDF, I hope that is okay. The share is from my German email provider; that should not be a problem.

    https://c.gmx.net/@330243110770573523/77bUpx_lSmugX-viLVeIOQ

     

    My IP is 172.16.0.218 in the Wifi zone and I go to the WAN zone. In the log the traffic points to rule no. 9.

    My test again showed download speed 20 Mbit and upload 50 Mbit.

     

    BR

    Marco

  • In reply to marco_47d:

    Hi  

    The configuration seems to be correct. Can you please just verify the last step: when you check the packet capture in the GUI, please enable the packet capture >> click on >> Show Additional Properties, select Application ID, and verify whether the same policy is applied or not. If you hover the mouse over it, it will give more details.

    If the traffic shaping policy is applied, the case requires further investigation and I would recommend contacting technical support and opening a service request.

  • In reply to Keyur:

    Hello Keyur

     

    Here is the output.

     

     

    BR

    Marco

  • In reply to marco_47d:

    Hi  

    I request you to contact technical support and open a service request to investigate the issue further.

  • In reply to Keyur:

    Okay, thank you, I will open a ticket.

     

    BR

    Marco

  • In reply to marco_47d:

    This may be related to how the XG enforces the limit and where the measurement is taking place.

     

    Website
    ^
    |  Not enforced.  XG will download the file at full speed.
    v

    XG

    ^
    |   Enforced.  XG will deliver the file to the client at restricted speed.
    v

    Client

     

    Just dealing with downloads as an example here.  When you put in a limit, the limit is not enforced at the XG to Website level.  Therefore from the perspective of the website, the download happens fast.  But the delivery of the file to the client is at the limited speed.  From the perspective of the client, the download is limited.

     

    Let me give a fuller example.  Let's say you have a WAN speed of 10MB/s, and you are limiting the download speed to 1MB/s.

    User clicks on a 20MB file.

    XG downloads the 20MB at 10MB/s, taking 2 seconds.

    XG virus scans the files.

    XG sends the file to the client at 1MB/s, taking 20 seconds.

     

    If you ask the website, it took 2 seconds to download the file.  If you ask the client, it took 22 seconds to download the file.

  • In reply to Michael Dunn:

    Hello Michael,

    I think this is not what is happening. We are not using the firewall as a proxy server and the virus engine is not enabled.

    So this is about how the traffic is handled. I have now checked different data that I had transferred and it looks like it is shaped well, for example client to Dropbox or Dropbox to client. The same with an FTP server is working, but the speed measurement tool on my cellphone seems to measure the traffic differently, or better said, it generates the traffic differently. I am not sure if it is just UDP packets, but I will capture them with Wireshark if I have some time.

    So basically it looks like the traffic shaping is working. I will update my post when I have examined the traffic and can say exactly what is different in the testing tool.

     

    BR

    Marco