
QOS not working

Hi Group, attempting to limit outbound CIFS traffic from servers sitting behind the Sophos to computers on the Internet.

Here is how it is set up.

A traffic selector was created as follows: Internal Network --> CIFS --> Any

Then a bandwidth pool bound to the External Interface was created as follows: Specify upper bandwidth 1000 kbits, traffic selector from above chosen.

I'm trying a file copy from the server behind the Sophos to my home PC; bandwidth is not being limited. This should work. I'm coming in over VPN and I have 'keep classification after encapsulation' enabled in advance.

Any ideas here?



  • "I'm coming in over VPN and I have 'keep classification after encapsulation' enabled in advance."

    Maybe I'm forgetting something, but I think that selection only applies to IPsec traffic leaving an interface because of an SNAT rule.  Are you using an IPsec client on your home PC or do you have an IPsec site-to-site between your home and office or ???

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Using IPSEC client, i.e. the SSLVPN. However, I would also like to implement it on a site-to-site.

  • The SSL VPN client is not an IPsec client, so QoS can't work on this traffic in the way you've imagined.  QoS could work on the External interface with a site-to-site VPN, but not with an IPsec remote access client.

    To QoS this traffic, you will need to work on the Internal interface and use a new Service definition with Destination and Source Ports the opposite of the "CIFS" Service.  Something like "CIFS Response" = 445 -> 1:65535, where 445 is the Source Port.  Then, make a Download Throttling rule on the Internal interface limiting 'Internal (Network) -> CIFS Response -> VPN Pool (SSL)' to 1000kbps.  Any better luck with that?

    Cheers - Bob

     