
QoS question

Hello guys!

I attempted to mess around with Traffic shaping settings and something seems off. Perhaps I am misunderstanding something, so I thought I should ask.

For starters, my internet connection is slow. I actually have two internet lines: one goes up to 8 Mbit, the other goes up to about 16-18 Mbit.

I have set up a VM which I have configured to use the faster internet connection via PBR.

In Traffic Shaping Settings I have Total available WAN bandwidth set to 30000 (which, if I understand correctly, sets the total available bandwidth to 30 Mbit).

I run a speedtest using the Speedtest Windows app and I get 17 Mbit down.

I then set the total available bandwidth to 7000, which should limit the speed to about 7 Mbit.

I re-run the speedtest and I still get the same down speed. Why does this happen? Shouldn't it limit the speedtest to 7 Mbit?

What am I doing wrong?

Thanks a lot!

P.S. I also set the limit to 70, just to test, but I still get the same speedtest results.



  • Hello,
    Thank you for reaching out to the community. You may refer to the following recommended reads: Sophos Firewall: How to Configure QoS (which also explains the conceptual difference between shared and individual) and the Traffic shaping doc, to achieve your requirement.

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Technical Support, Global Customer Experience

    Log a Support Case | Sophos Service Guide
    Best Practices – Support Case  | Security Advisories 
    Compare Sophos next-gen Firewall | Fortune Favors the prepared
    Sophos Community | Product Documentation | Sophos Techvids | SMS
    If a post solves your question please use the 'Verify Answer' button.

  • Thanks for the reply. I have actually read that article.

    However, this applies to setting QoS on specific devices/users.

    I thought that setting the Total available WAN bandwidth would apply to my whole network. Is this not the case?

    Do I have to create a custom traffic shaping policy for my available bandwidth and use it in a firewall rule?

    If yes, then why set the global bandwidth? Could you please explain the logic behind it? Thanks!

     
    Sophos XG Home Licence.

    Machine: Checkpoint 3100 appliance (Intel Atom C2558 CPU, 6GB Ram, 250GB sata SSD)

  • For the overall bandwidth? Ref: Traffic shaping settings
    Total available WAN bandwidth: Enter the total bandwidth available from ISPs on all the WAN links of the firewall.

    But if you want to apply QoS, the best option here would be to apply it in a firewall rule, by creating a custom profile.
    Again, I'd like to understand your end goal here.

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Technical Support, Global Customer Experience


  • My goal is nothing extraordinary, really.

    Since my internet is crap, I simply wanted to improve a bit on the overall latency. So I thought that setting Total available WAN bandwidth would do the trick.

    So if my understanding is correct, a top rule can be applied with source my internal network, destination --> WAN, and apply a custom Traffic shaping Policy, so that it applies to all machines.

    Does a custom policy like this seem correct?

    My down speed is about 17 Mbit, so I set it to about 16 for improved latency.

    My upload is about 2.5 Mbit, so I set this a bit lower, too.

    The usage type should be shared, since it is spread for the whole network?

    And finally, what does the Total available WAN bandwidth do?

    Thanks again for all your help!


  • So your ISP plan is 17 Mbps, so you can use the conversion: https://www.gbmb.org/kb-to-mb
    That would be your total WAN bandwidth. And for the shared concept you can use the following example:
    Example for Shared concept:

    4 users
    One firewall rule
    1 QoS, 1 Mbps, Shared

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Technical Support, Global Customer Experience


  • I believe that the link to the conversion is not helpful, since we are not trying to convert KB but Kbps.

    Anyway, regarding the shared concept, if I understand correctly (and asking because I already read the article and was not 100% sure, so I thought the person to ask is the editor of the article)...

    Seems like the correct choice; I do want all machines to share the whole bandwidth with the one rule I have created. So if one is downloading, it can use the full speed.

  • This whole topic is complicated...

    First, what are your actual up/down limits? Are they symmetrical (8 up and 8 down on the one gateway, 18 up 18 down on the other)?

    Second, you won't get a download speed test that exceeds your highest-bandwidth gateway. You reach out to the speed test server through one of your gateways, which will have a particular public IP address (assuming IPv4 here) and that's where the speed test server will respond. You won't magically have that server also respond through the other gateway (that did not contact it) as well. You can get traffic through both gateways simultaneously, which will increase your overall, aggregate bandwidth but won't help a specific connection. You won't get 26 Kbps for a single connection.

    Third, the Total Bandwidth only works when you also check the Enforce Guaranteed Bandwidth and it's a limit. But again, you will not get faster speed tests than your fastest gateway -- assuming your outgoing request is going through that gateway.

    Fourth, perhaps you're thinking of "buffer bloat" which has to do with latency and jitter, not speed. Traffic Shaping can definitely help there, but that won't increase transfer speeds.

    Fifth, you need to be very careful in SFOS: when it says KB it may erroneously (!) mean Kbps (bits), but in the case of Traffic Shaping I think it actually does mean KBps (bytes). If you check the Enforce Total Bandwidth checkbox and put a Total Bandwidth of 1000, I believe you'll see your speed test limit at (1000 * 1000 / 8 = 125K) 125Kbps. Again, I leave the Total Bandwidth box off and do everything via policies.

    For the approach you are describing (which I believe is wrong) you are correct that you'd want to set up (Firewall) Rule policies and then reference them in your firewall rule. But you can also do policies based on Application (which Sophos defines based on traffic type, ports, and perhaps other characteristics), User (in IPv4, I use Clientless Users a lot to organize things and to make various displays clearer), etc.

    How you manage your two gateways is the key here. Using the old-school gateway controls, you can set the two up to be round-robin, etc. I believe if you set the weights so your faster gateway is 2 and your slower gateway is 1, then 2 out of 3 new connections will use the faster gateway. Unfortunately, that's just connections, not bandwidth -- who knows how much bandwidth you intend to use on a particular connection -- so that will help overall and on average, but a particular speed test could go through the slower gateway.

    Using SD-WAN, you can route particular traffic to the appropriate gateway. Also, it depends a LOT on what you are doing. If you're downloading a set of files and have the appropriate download software, you might be able to tell it to open up multiple connections to, say, download 3 files at once, and if you've set up your gateway controls properly, you'd hopefully get two downloading on the faster gateway and one on the slower.

    Or, if you are wanting to watch Youtube and it must be the highest priority of all, you might send that traffic through the faster gateway for Youtube, and all other traffic through the slower gateway. You can probably do some of these things depending on time of day, if you watch Youtube at night.

    As Vivek asked: your end goal matters a LOT, not how you think you are going to accomplish that goal with a tool that's new to you. Please share your actual goal so we can help.
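The bufferbloat point above (a shaper set just below the real link rate keeps the queue small and on the firewall instead of letting it build in the modem's large buffer) is easy to see in a tiny fluid model. The following is an added example, not code from the Sophos thread or from SFOS; the modem buffer size (1 MB), the firewall shaper queue (64 KB) and the 30 Mbit offered load are constructed assumptions, and the 17 Mbit link with a 16 Mbit shaper are the thread's own numbers. Each queue's delay is simply its backlog divided by the rate it drains at.

```python
"""Fluid-model sketch of why shaping just below the ISP rate tames bufferbloat.

Constructed, self-contained example (not from the Sophos thread or SFOS).
Every byte the LAN pushes toward the WAN first passes a small shaper queue on
the firewall (a token bucket draining at shape_mbps), then the modem's large
FIFO, which drains at the real link rate. Queueing delay = backlog / drain rate.
"""
from dataclasses import dataclass


@dataclass
class Fifo:
    """Tail-drop FIFO measured in bytes."""
    capacity_bytes: float
    backlog: float = 0.0
    dropped: float = 0.0

    def offer(self, nbytes: float) -> float:
        """Enqueue up to the free space; the excess is counted as dropped."""
        accepted = min(nbytes, self.capacity_bytes - self.backlog)
        self.backlog += accepted
        self.dropped += nbytes - accepted
        return accepted

    def drain(self, nbytes: float) -> float:
        """Dequeue up to nbytes and return how much actually left."""
        out = min(nbytes, self.backlog)
        self.backlog -= out
        return out


def bytes_per_step(rate_mbps: float, step_ms: float) -> float:
    """Bytes a given Mbit/s rate moves in one simulation step."""
    return rate_mbps * 1e6 / 8 * step_ms / 1000


def simulate(offered_mbps, link_mbps, shape_mbps=None, seconds=5, step_ms=1,
             modem_buffer_bytes=1_000_000, shaper_queue_bytes=64_000):
    """Push a saturating transfer for `seconds` and return
    (modem_delay_ms, shaper_delay_ms) for the two queues at the end of the run.
    shape_mbps=None means no shaping at all (assumed values, see module doc)."""
    modem = Fifo(modem_buffer_bytes)
    shaper = Fifo(shaper_queue_bytes) if shape_mbps else None
    arriving = bytes_per_step(offered_mbps, step_ms)
    for _ in range(int(seconds * 1000 / step_ms)):
        if shaper is None:
            toward_modem = arriving
        else:
            shaper.offer(arriving)
            toward_modem = shaper.drain(bytes_per_step(shape_mbps, step_ms))
        modem.offer(toward_modem)
        modem.drain(bytes_per_step(link_mbps, step_ms))
    modem_delay_ms = modem.backlog * 8 / (link_mbps * 1e6) * 1000
    shaper_delay_ms = (shaper.backlog * 8 / (shape_mbps * 1e6) * 1000) if shaper else 0.0
    return modem_delay_ms, shaper_delay_ms


if __name__ == "__main__":
    LINK, OFFERED = 17, 30  # the thread's ~17 Mbit line, hammered by a 30 Mbit download
    print(f"{'shaper':>8} {'modem queue':>14} {'firewall queue':>16}")
    for shape in (None, 18, 17, 16):
        modem_ms, fw_ms = simulate(OFFERED, LINK, shape)
        print(f"{str(shape):>8} {modem_ms:>11.0f} ms {fw_ms:>13.0f} ms")
```

Run it and the unshaped row shows several hundred milliseconds sitting in the modem, a shaper above the link rate (18) still lets the modem fill, and 16 keeps the modem empty with only the firewall's small queue adding delay. The model assumes a perfectly constant link rate; real ADSL/LTE rates wobble, which is why the thread settles on 16 rather than exactly 17.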

  • Hello, Wayne and thanks for your extensive explanation!

    Let me answer your questions:

    1. The limits are not symmetrical. One ADSL line is about 7.5 Mbit/1 Mbit. The other line uses a combination of an ADSL line and a 4G LTE SIM card which work in bonding mode, and combined they have a speed of 18 down/3 up. The actual speeds fluctuate from 18 to 30 down and from 2.5 to 5 up. 18/3 is the regular speed I am getting.

    2. I am performing the tests through a specific machine which gets limited to a specific gateway each time by an SD-WAN rule. I am not expecting combined speeds, of course.

    3. I was asking what actually total bandwidth does. Thanks for this explanation.

    4. Yes, exactly, I was trying to reduce buffer bloat. I know I can't achieve faster speeds. My goal was to limit both gateways so that when something is being downloaded, the rest of the clients have a positive browsing experience and latency does not go sky-high.

    5. Yes, I believe I found the desirable values by trial and error. Off topic here, but Sophos should consider changing this to Mbit; it makes no sense to have it this way IMHO.

    After Vivek's responses I started testing a bit and I realised that because I don't have a single WAN connection with a reliable down/up speed, it was not possible to accomplish what I wanted with a single firewall rule. So what I did is to create two different policies, one for the first and another one for the second gateway. Now, as mentioned, I am using SD-WAN rules to pass specific clients through a specific gateway. Those clients also have firewall/web filtering rules in place. So I went to those rules and made sure to add the traffic shaping policy to them.

    I then used a specific machine and routed it through one of the gateways. I made sure that the correct shaping policy was set on its firewall rule. Then I ran a speedtest to check that my limits were correctly set and ran a buffer bloat test. Before messing with everything I was getting a C result. Afterwards I was getting A, and in one test I got a B.

    Then I changed the policy on the firewall rule to apply shaping for the other gateway, and routed the machine through the second gateway using SD-WAN.

    Speedtest again showed that the limits were correctly set. Bufferbloat tests also showed an overall improvement.

    Again, my concern is not gaining speed, just to improve on browsing experience by lowering latency. So I don't even mind if I am losing a few Mbit down/up in the process.

    These changes were applied on Friday and I got no complaints during the weekend, so I believe I did not mess things up big time. But of course there is a chance that I indeed did something wrong and I simply did not get any bad feedback...

    If you think I got something wrong, or set something really off, please do let me know.

    EDIT:

    P.S.: I am expecting a freaking FTTH connection to be available (finally). When this happens I will no longer keep the second internet connection and will have only one (probably a 500/50 connection). When this happens, am I correct to assume that a single firewall rule will suffice for my needs? I was thinking a top firewall rule. Source my LAN, destination WAN and only apply a shaping policy that will limit the speed to 490/49.

    Thanks again!
