
Traffic Shaping - Upload vs. Download

For reference: firmware version 18.0.4 MR-4

I'm a bit confused on Traffic Shaping on Sophos XG, as it pertains to upload vs. download limits and Traffic Shaping tied to Firewall Rules. My main question is, does the XG consider download to always be traffic from the WAN, or does it consider it to be traffic that originates from the destination side of the rule?

For clarity, say I had two rules: One for traffic out to the internet ("LAN to WAN"), and one for a port forward from the internet ("P.F. WAN to LAN"). If the XG always considers the "upload" side of the traffic shaping rule to be traffic going out to the internet, then it would shape traffic as follows:

"LAN to WAN": Upload is traffic from LAN going to WAN, download is return traffic from WAN going to LAN.

"P.F. WAN to LAN": Download is traffic from WAN going to LAN, upload is return traffic from LAN going to WAN.

However, if the XG always considers the "upload" side of the traffic shaping rule to be traffic going from the source to the destination, then it would shape traffic as follows:

"LAN to WAN": Upload is traffic from LAN going to WAN, download is return traffic from WAN going to LAN.

"P.F. WAN to LAN": Upload is traffic from WAN going to LAN, download is return traffic from LAN going to WAN.

As you can see, depending on what the XG considers upload vs. download, the "P.F. WAN to LAN" rule would end up getting traffic shaping flipped around. This is mostly important because I'm trying to use a shared pool for all my bandwidth, and my WAN link is not symmetrical. I want to be able to give my VoIP VLAN a guaranteed amount of bandwidth, and I want all my other rules to use a shared bandwidth pool that has a limit imposed. If the XG handles upload vs. download using the first example, then I'm in business. If it uses the second example, then I have to "carve out" portions of my bandwidth for each group of firewall rules that flow in the same direction.

Thanks in advance.



  • Hi,

    you need to set the bandwidth policy in each firewall rule, not on an interface. Also, you can set the priority of the VLAN VoIP traffic, but that is not necessarily recognised by your ISP.

    I have my VoIP traffic set to 

    Which is applied in

    And I have created my own VoIP home policy.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • I understand that the policy is set in each rule. I'm trying to do exactly that. I just need to know which direction the XG considers to be "upload" and "download" when traffic is initiating on the WAN.

    For reference, here are my policies on a 25/25 Mb link (3200/3200 KB)

    VoIP Policy

    Non-VoIP Policy

    The policies are then applied to different firewall rules based on the local VLAN. As you can see, they both use a Shared pool type. Therefore, when I make additional firewall rules for other non-VoIP VLANs (I haven't yet), they will share that pool across firewall rules.

    My main issue is, I'll be making some port forwarding rules. I want to share that Non-VoIP bandwidth pool if possible. However, if the XG flips upload and download (because traffic will be initiating in the opposite direction for port forwards), I won't be able to share those pools across all my rules.

  • Side note: SIP is just the messaging protocol used for call construction. You actually want to QoS RTP traffic if you're doing it at the Application level instead of the Rule level. Unfortunately, the XGs (unlike the UTMs) don't seem to be able to differentiate RTP traffic. (They classify it as "Other".) Also unfortunately, RTP traffic can usually be anywhere between UDP 10000-50000, so creating your own custom rules for that large of a port range is a challenge.

  • Hi Joshua,

    please find attached the SIP traffic packet from the XG and VoIP limited graph.

    voip traffic.docx

    And XG does not recognise Apple pages, which is a pain.

    Ian


  • After doing some manual testing, it appears that the XG handles Traffic Shaping according to the 2nd example. The XG always considers the "upload" side as traffic flowing from the source to the destination, and the "download" side as traffic flowing from the destination to the source.

    You will have to create different Traffic Shaping rules/pools for your traffic out to the internet, vs. your port forwards.
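As an added example (not from the thread or from Sophos), the model below encodes the direction semantics the thread settled on, with "upload" always meaning rule source to rule destination, and maps a policy's two limits onto the physical WAN directions so that a port-forward rule reusing a LAN-to-WAN policy on an asymmetric link is flagged. Zone names, policy field names and the 25/5 Mbit link are constructed for illustration.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class ShapingPolicy:
    name: str
    upload_kbps: int    # applies to traffic from rule source to rule destination
    download_kbps: int  # applies to the return traffic (destination to source)

@dataclass(frozen=True)
class FirewallRule:
    name: str
    src_zone: str
    dst_zone: str
    policy: ShapingPolicy

def physical_wan_limits(rule):
    """Map a rule's policy limits onto the physical WAN directions.

    Per the thread's finding, "upload" is always source->destination. For a
    LAN->WAN rule that is WAN egress; for a WAN->LAN port forward it is WAN
    ingress, so the two policy fields swap physical meaning.
    """
    if rule.src_zone == "WAN":
        return {"wan_ingress": rule.policy.upload_kbps,
                "wan_egress": rule.policy.download_kbps}
    if rule.dst_zone == "WAN":
        return {"wan_egress": rule.policy.upload_kbps,
                "wan_ingress": rule.policy.download_kbps}
    raise ValueError(f"{rule.name}: rule does not cross the WAN zone")

def mirrored_policy(policy):
    """Copy of a policy with upload/download swapped, for use on WAN->LAN rules."""
    return replace(policy, name=policy.name + " (port forward)",
                   upload_kbps=policy.download_kbps,
                   download_kbps=policy.upload_kbps)

def check_rules(rules, link_egress_kbps, link_ingress_kbps):
    """Names of rules whose effective limit exceeds the link in either direction."""
    bad = []
    for r in rules:
        eff = physical_wan_limits(r)
        if eff["wan_egress"] > link_egress_kbps or eff["wan_ingress"] > link_ingress_kbps:
            bad.append(r.name)
    return bad

# Constructed sample: an asymmetric 25 Mbit down / 5 Mbit up link (not the OP's 25/25).
LINK_INGRESS_KBPS, LINK_EGRESS_KBPS = 25000, 5000
NON_VOIP = ShapingPolicy("Non-VoIP Policy", upload_kbps=5000, download_kbps=25000)
RULES = [FirewallRule("LAN to WAN", "LAN", "WAN", NON_VOIP),
         FirewallRule("P.F. WAN to LAN", "WAN", "LAN", NON_VOIP)]
# The remedy the thread arrives at: a separate, mirrored policy for the port forward.
FIXED_RULES = [RULES[0], replace(RULES[1], policy=mirrored_policy(NON_VOIP))]
```

Running `check_rules(RULES, LINK_EGRESS_KBPS, LINK_INGRESS_KBPS)` reports only the port-forward rule, because its 25000 kbps "download" limit lands on the 5 Mbit egress side; with the mirrored policy nothing is flagged.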