This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

QoS Download Throttling Not Working Properly

For a long time now I've had download throttling set up for web traffic, limiting connections to 15Mbps for upload and download. This used to work as expected, as verified using speedtest.net.

Recently I noticed that it didn't seem to be working anymore, and upon checking my traffic selectors noticed that all the ones using application selectors no longer worked, and when trying to edit those selectors the menu would just glitch out, as it seems the ability to select traffic by the application has been removed. A related side now is that the flow monitor is also no longer able to distinguish traffic by application (everything is 'unclassified').

I re-created the selectors using port numbers instead and updated the bandwidth pools and download throttling rules to reflect this change. Upon testing my download/upload throttling rule, it appears to be working for upload traffic but not download traffic. The rules are configured with the same ports, and set against both the internal and external interfaces.

Traffic Selectors:

External Interface Throttling Rule:

Internal Interface Throttling Rule:

Speedtest Result (our connection is 100Mbps up and down):

UTM Firmware version: 9.703-3

UTM Model: SG230

Does anyone know if this is a bug, or how to fix it?

This thread was automatically locked due to age.

Top Replies

BAlfson over 3 years ago in reply to Josh Marchant +1 verified

Indeed! That should work. Can you confirm that there's no Uplink Balancing rule, NAT rule or Web Filtering Profile with an 'optional interface for outgoing traffic' sending this traffic out from a different…

Parents

0 dirkkotte over 3 years ago

Download Throttling don't work stateful. ... i think

So you have to create a service with switches ports for using with traffic-selector.

Try: HTTP-Inbound srv-Port 80 dst-port 0:65535

Dirk

Systema Gesellschaft für angewandte Datentechnik mbH // Sophos Platinum Partner
Sophos Solution Partner since 2003
If a post solves your question, click the 'Verify Answer' link at this post.
Cancel
Vote Up 0 Vote Down

Cancel
0 Josh Marchant over 3 years ago in reply to dirkkotte

Unfortunately this doesn't seem to have made a difference.
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 3 years ago in reply to Josh Marchant

Josh, Dirk is right. It's not possible that your Download Throttling rule ever worked without creating a "Web Surfing Responses" group. For example:

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
0 Josh Marchant over 3 years ago in reply to BAlfson

I agree that it does make perfect sense. However, upon implementing the service definition exactly as you've screenshot it still has not worked.
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 3 years ago in reply to Josh Marchant

I see now, Josh...

Your "Web Traffic (Download)" Traffic Selector should now be something like 'Internet -> Web Surfing Responses -> External (Address)'.

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
0 Josh Marchant over 3 years ago in reply to BAlfson

Thanks Bob, that also would make sense but unfortunately still no luck. I tried a few different combinations of sources and destinations that would resemble 'Internet -> Web Surfing Responses -> External (Address)' but none worked.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Josh Marchant over 3 years ago in reply to BAlfson

Thanks Bob, that also would make sense but unfortunately still no luck. I tried a few different combinations of sources and destinations that would resemble 'Internet -> Web Surfing Responses -> External (Address)' but none worked.
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 BAlfson over 3 years ago in reply to Josh Marchant

Jpsh, please show a picture of the Edit of the Traffic Selector. Also of the Edit of the Services Group with one of the Services open in Edit. Also, confirm that Web Filtering isn't using an (Address) other than that of the External (Address).

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
0 Josh Marchant over 3 years ago in reply to BAlfson

We don't use web filtering so it shouldn't be anything to do with that (we don't even have the web protection license).

See screenshots below
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 3 years ago in reply to Josh Marchant

I can't see the 'Destination' part of the Traffic Selector picture.

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
0 Josh Marchant over 3 years ago in reply to BAlfson

Its shown in the screenshot above that one - "External (WAN) Address"
Cancel
Vote Up 0 Vote Down

Cancel
+1 BAlfson over 3 years ago in reply to Josh Marchant

Indeed! That should work. Can you confirm that there's no Uplink Balancing rule, NAT rule or Web Filtering Profile with an 'optional interface for outgoing traffic' sending this traffic out from a different IP?

If not, I can't think of any other issue. Maybe it's time to put a Bandwidth Pool with an upper bandwidth limit on the Internal interface. The Traffic Selector would look like 'Any -> Web Surfing (Download Traffic) -> Internal (Network)'.

Any luck with that?

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up +1 Vote Down

Cancel
0 Josh Marchant over 3 years ago in reply to BAlfson

I don't have uplink balancing enabled, or web filtering. We also only have the one external IP in use so shouldn't be anything like that.

I've just tried it with the upper limit bandwidth pool and that has done the trick so that should be fine for now. Thanks!
Cancel
Vote Up 0 Vote Down

Cancel
0 Josh Marchant over 3 years ago in reply to BAlfson

So I've had this working with the bandwidth pool for a couple of days but have realised that there is no way to set the 15Mbps upper limit on a per-connection basis, only overall. Really I need to limit the connection to 15Mbps for each connection rather than for the whole network.
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 3 years ago in reply to Josh Marchant

Yeah, that's only available with Download Throttling rules. Someone needs to get eyes on your configuration. Have you tried getting help from Sophos Support?

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel