Traffic Shaping (Q about "Total bandwidth", etc)

When working with Traffic Shaping, on the System Services > Traffic Shaping Settings page, it has a field to fill in "Total available WAN bandwidth". Is this for: a) upload, b) download, c) the sum of upload and download, or d) something else?

It appears that Traffic Shaping is much more useful on upload for a couple of reasons. First, the up bandwidth to the ISP is pretty much the bottleneck. LAN speeds are generally much faster so it's taking the higher-bandwidth LAN traffic and trying to stuff it into WAN bandwidth that is a problem. Second, the XG sees all of the up-bound traffic and can queue/drop intelligently, but on the down-bound traffic the best the XG can do is to drop traffic and if it's connection-oriented (TCP) the unacknowledged packets will slow down the far end. But that's only some traffic and only indirect and binary (Fast/slow) control.

So my assumption is the Total WAN bandwidth would be referring to A (upload bandwidth). But then again, you can set limits/guarantees on both directions, so how could the XG make even semi-reasonable guarantees on download if it has no idea of download bandwidth?

Any tips on setting the "Total available" or on the effectiveness of traffic shaping down (i.e. from WAN) traffic?

The times I've had the worst problems are during video conferences, when someone initiates a big download from a fast site and it makes incoming video stutter a lot. If no videoconferencing is taking place, more power to the downloader. I'd really rather approach it as a guarantee for video rather than a limit on downloads. (Not to mention there are many download options to cover.) So is the overhead -- if any -- of traffic shaping actually more of a parasitic loss than is worth it for the once-a-month-ish big download hurting videoconferencing?

(I'm beginning to think that while traffic shaping has been fun to finally figure out, it may not actually provide benefits in my use case.)

I've discovered a few clues:

    1. The Total available WAN bandwidth has no apparent effect if you do not also enable Enforce guaranteed bandwidth.

    2. Once you enable Enforce guaranteed bandwidth, both upload and download speeds will be limited by Total available WAN bandwidth. So, if you naively assume that this should be the upload speed -- over which the XGS has more direct control -- you will also be inadvertently throttling the (higher-capacity) download speed.

    3. The SFOS web GUI has a problem with using "KB" to sometimes mean "Kb" and sometimes to actually mean "KB", and in this case it does mean KB. Which will create some confusion if you're looking at things like SpeedTest or your ISP agreement which is in Kb/s. So if you intend to use it, your Total available WAN bandwidth setting should be 1/8 what everyone else says. To repeat: in this section of the web GUI KB actually means KB.

    4. Once you enable Enforce guaranteed bandwidth, its Limit applies and will also throttle traffic both up and down.

    5. Traffic shaping (except the Default rule) will only have an effect if you are matching the traffic in a Firewall Rule, and if that Firewall Rule has an action that will invoke Traffic Shaping. It's easy to fool yourself by creating an Application-based policy and then applying it as the default for an Application, but that does nothing unless you also have a Firewall Rule that is properly set up to apply the shaping. Here are the steps for each: A applies to all, and then you choose B, C, D, or E depending on which kind of policy you created...

    A. Create Traffic Shaping Policies: System Services > Traffic Shaping. There are four kinds of shaping: a) Rule-based, b) User-based, c) Application-based, and d) Web-category-based. There are also two kinds: 1) Individual, and 2) Shared. I believe Shared sets a single Guarantee or Limit in aggregate for all entities (rules, users, etc.) that the policy is applied to. I imagine Individual applies the Guarantee or Limit to each entity, but the manual says something about "first" rather than "each", so I don't know.

    B. Rule-based: In a Firewall Rule (Rules and Policies > Firewall Rules, then create or edit a rule), go to the bottom of the details and select your Rule-based Traffic Shaping Policy in "Shape Traffic". Easiest option.

    C. User-based: Create or edit a User (Authentication > Users) or Clientless User (Authentication > Clientless Users), and in "Traffic Shaping" select the policy. Then go to a firewall rule (Rules and Policies > Firewall Rules) and edit or create. Go down to the checkbox "Match Known Users" and then enter the users to whom you have applied a Traffic Shaping Policy. (May be direct or via a group, I think.) REMEMBER that the Firewall Rule will only apply to these users once you check "Match Known Users" -- it's not adding to the rule, it's narrowing the rule. So you might want to clone the rule first if you want to use a rule you already have in general, and make sure that you edit the higher rule so it has a chance to fire first. You will notice that "Shape Traffic" is not selectable and says "User's Policy Applied".

    D. Application-based: Applications > Traffic Shaping Defaults, find the application(s) and update them to use the Traffic Shaping Policy. Then comes a very unintuitive move: Applications > Application Filter, where you'll probably want to clone the filter you're using (maybe "Block Very High Risk") and edit it, adding an Accept section. In that Accept section, accept the applications for which you created a Traffic Shaping Policy. So you should have an Accept section and a Deny section in the filter. (But once you save it, you'll see the summary says "Allow". It evidently allows multiple Allow and Deny but summarizes it by the first one.) Now you can go to Rules and Policies and create or edit a rule and under "Identify and control applications (App control)" select the Application Filter you created. Then check the box below ("Apply application-based traffic shaping policy").

    E. Web categories. Do something similar to Application-based I imagine. (I haven't had to do it yet.) And check "Apply web category-based traffic shaping" in the rule.