QOS recommendations to combat bufferbloat

I have a network at home with 3 VLANS and wired into an Atom based appliance running Sophos XG Home.  The traffic on the network is a mixture of IOT, Windows 10, Server 2022 and such.  Netflix, Amazon Prime, etc. for family internet usage.

Connection is Virgin 100/10 cable connection, are there general QOS recommendations for applying against rules etc?  Bufferbloat is a problem on the connection, but traffic shaping rules haven't been enabled as of yet.

Speed isn't the issue, it's latency..



  • There isn't a lot to configure unless you want to do web category or application based QoS.

    In general you can either create a User/Group or a Network QoS policy; it depends on whether you have authenticated/clientless users or not in your home network.

    For your setup, I recommend you create three policies: one for IoT, another for the servers and a last one for family/general usage.

    On the basics:

    • Always use the "Shared" option for the bandwidth usage type (for home usage).
    • Remember to set the priority correctly on each rule.
    • Set the Upload/Download limits separately, since you don't have a symmetric connection.
    • Be aware it uses KB/s (kilobytes per second).

    For the priorities you can use (0) for the family internet usage, (1) for the servers and (2) for the IoT stuff.

    This should be enough to help with bufferbloat. Here's a test I made with my laptop over WiFi (using the Firewall QoS):


    If a post solves your question use the 'Verify Answer' button.

    Ryzen 5600U + I226-V (KVM) v20 GA @ Home

    XG 115w Rev.3 8GB RAM v19.5 MR3 @ Travel Firewall

  • Many thanks. I will simplify my rules; I currently have rules for each IoT device using the MAC address as the source, etc. I will then adopt the recommended approach above to test. My Virgin connection is rated at C at the moment for everything. TBH I'll shift back to Vodafone ADSL when my contract is up, I expect.

    On a side note, is your XG 115W running the Home version or a licensed unit?

  • It's licensed.

    I recommend you do DHCP static addressing and use the Clientless function; this will make it easier for you to manage the firewall rules.

  • Will look at that. I preferred the MAC-based rules originally so I didn't have to worry about static mappings. I do have a few reservations in the management LAN, but that's so that devices stay on the same address, or if they get reset to DHCP / lose their static IP they'll stay on the same address.

    Also got non-routable networks for iSCSI and NFS etc.

    Ring cameras I'd probably allocate a high priority, but will explore that.

    Can you mix and match traffic policies, define as you've recommended above, but also enable application based too for Netflix, Prime, FaceTime and so on?

  • Can you mix and match traffic policies, define as you've recommended above, but also enable application based too for Netflix, Prime, FaceTime and so on?

    The last time I tried this it indeed worked as expected; here's some info from the Docs:

    Sophos Firewall implements traffic shaping policies in a certain order if they're associated with more than one object in the firewall rule. For example, if you've applied a traffic shaping policy to more than one object in the firewall rule, the following order of precedence applies:

    • Application
    • Application category
    • Web category
    • User
    • Group
    • Firewall rule

    (You can find more information about this in the Docs.)

  • Perfect, thank you. Just been reading that page myself (via Sophos Assistant), so glad I'm on the right track.

  • That is a really excellent bufferbloat score. As of a few years ago, the XG did not have fq_codel or cake as its shaper (the UTM had fq_codel). Do you know what they use now?

  • The documentation isn't as clear as it could be and I made some observations based on my experience in another thread that you might find helpful: https://community.sophos.com/sophos-xg-firewall/f/discussions/133871/traffic-shaping-q-about-total-bandwidth-etc

    It's also not clear to me that QoS on your firewall can mitigate download buffer bloat very well, depending on your ISP and the task at hand. With IPv4 there are only indirect mechanisms for throttling the far end, which don't work under all circumstances. Also, you may be trading off maximum download speed for lower/more-consistent latency. In my case, that's a bad tradeoff. If I was in a household with 4 people streaming high-def video while I'm trying to play a high-twitch game, it would matter. But it would also slow me down during the day doing large uploads/downloads -- as far as my experiments indicate.

    Nonetheless, I have set things up using clientless users, as Prism recommended above -- and even if you're not doing QoS, it's the way to organize lots of stuff in SFOS -- and in my case giving priority to certain streaming clients and applications, and I get an A on the bufferbloat test. It's much higher (in +ms) than Prism's screenshot above, but I get checkmarks on everything except low-latency gaming (which I don't do).

  • Thank you for this information. Cake, in particular, tries to make this simple, but it really helps, since most networks are very asymmetric, to be able to control both the download and the upload. Usually it's the upload that's the biggest problem. If you can't do those things separately, you are not going to see much benefit.

    Cake essentially only needs a "bandwidth" parameter to make things work better (up and down). It does per-host fair queuing, which makes doing detailed rules less necessary, and diffserv (or other) forms of prioritization for the few other things that might need it. It is a successor to the htb+fq_codel-based sqm-scripts.

  • According to @Prism's post you can set up and down separately. htb+fq_codel is pretty good, but his report is sooooo good, it looks to me like it's cake. :) I am one of the authors of both subsystems. Anyway, some doc on cake: https://arxiv.org/abs/1804.07617
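The cake approach described in the last two posts (one bandwidth figure per direction, per-host fairness, diffserv tiers), as an added example on a Linux router with iproute2; this is not from the thread and not a Sophos XG configuration, since XG does not expose tc. It assumes a WAN interface name (eth0) and uses the thread's 100/10 Mbit/s line; the 95% figure is a commonly used starting point below line rate, not a value from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: shape a 100/10 link with cake in both
# directions, the way sqm-scripts does it. Download shaping needs an IFB device
# because a qdisc can only shape what leaves an interface.
WAN="${WAN:-eth0}"          # assumed WAN interface name
IFB="ifb4${WAN}"            # intermediate device that receives mirrored ingress
DOWN_KBIT=100000            # 100 Mbit/s download (Virgin 100/10 from the thread)
UP_KBIT=10000               # 10 Mbit/s upload

# Shape slightly below line rate so the queue forms here (where cake manages
# it) instead of in the modem. 95% is a common starting point; tune it with a
# bufferbloat test.
pct() { echo $(( $1 * 95 / 100 )); }

# Emit the commands for egress (upload) and ingress (download) shaping.
# diffserv4 keeps the four-tier prioritisation, nat lets per-host fairness see
# internal addresses behind NAT, ingress tells cake it is on the receive side.
cake_commands() {
  up=$(pct "$UP_KBIT")
  down=$(pct "$DOWN_KBIT")
  cat <<EOF
tc qdisc replace dev $WAN root cake bandwidth ${up}kbit diffserv4 nat
ip link add $IFB type ifb
ip link set $IFB up
tc qdisc add dev $WAN handle ffff: ingress
tc filter add dev $WAN parent ffff: matchall action mirred egress redirect dev $IFB
tc qdisc replace dev $IFB root cake bandwidth ${down}kbit diffserv4 nat ingress
EOF
}

# Dry run by default; "apply" executes the commands (root and sch_cake needed).
if [ "${1:-}" = "apply" ]; then
  cake_commands | while IFS= read -r cmd; do echo "+ $cmd"; sh -c "$cmd"; done
else
  cake_commands
fi
```

Run without arguments to review the commands, then re-run with `apply` on the router; the same two bandwidth figures are the only numbers you should need to revisit when the line rate changes.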