How do I limit total bandwidth available for a server (in this case Exchange) to 15 mbits? On a Juniper I could simply specify traffic shaping right on the rule.
On our SG230 I created a traffic selector for any->any->NetworkGroupThatContainsMyExchangeServersUntrustIPs
And then a bandwidth pool with 15000 set for both guaranteed and upper limit.
Keep in mind that you put the Bandwidth pool/traffic selector on the last passing interface. So for inbound, you have to put it on the internal interface that's connected to the server. For outbound, you have to put it on the external interface(s).
Hmm, so sounds like I didn't do it right since I used the external ip of the server (that's how most other solutions I've used work). So I should switch from the untrust ip to a selector based on the internal/actual ip of the server?
Pesos, please say if you want to affect inbound or outbound traffic. Also, click on [Go Advanced] below and attach pictures of any Traffic Selectors, Bandwidth Pools and Download Throttling Rules involved in this question.
Cheers - Bob
Sophos UTM Community Moderator Sophos Certified Architect - UTM Sophos Certified Engineer - XG Gold Solution Partner since 2005
This would be traffic coming from internet clients through the untrust, NATed to the server sitting behind the Sophos on the internal interface, so inbound.
Sounds like if I just change to the internal network definition of the server(s) I should be good to go.
If that is a web server that's not receiving uploads from the clients on the Internet, then all you probably want is a Bandwidth Pool guaranteeing/limiting 15Mbps to 'Web server -> Any -> Internet' on the External interface. If you're still unsure, please attach the pictures I requested above.
Cheers - Bob
Exchange is Microsoft's email server product - so traffic does flow in both directions as clients download and upload mail... But I assume that the firewall never sees this as "server initiated" even when data is flowing from server to client and that everything falls under the one DNAT rule as Outlook maintains a persistent SSL connection to the server.
I do, however, have SMTP flowing in both directions, so an approach that would limit that bidirectionally would be ideal... thanks!
P.S. There are 3 objects in the traffic selector because there are 3 Exchange servers that we want to share the bandwidth.
No, I was just reminding myself to answer your question instead of giving advice - many of us here do get paid for hands-on work. [;)]
Unfortunately, there's no agreement on how a device should do traffic shaping - a lot of agreements about how certain techniques are used, but not in how they're presented to the administrators of the routers...
In the UTM, a Bandwidth Pool on an interface only affects traffic leaving that interface. The "ExchangeOut" traffic selector is ignored because it applies only to traffic going in the other direction. On the Trust (LAN) interface, the limit should restrict traffic going to Exchange. Since the NIC is likely 1GB, the guarantee likely has no effect. If the SMTP Proxy (Email Protection) is active, the entire rule has no effect because the traffic is with "Internal (Address)" instead of "Internet."
Since Exchange is likely the only source of SMTP packets, you want a Bandwidth Pool on the Untrust (External) interface with 'Any -> SMTP -> Internet' limited-to and guaranteed 15Mbps. You also want a Download Throttling rule on the interface capping 'Internet -> SMTP -> Any' at 15Mbps. These will work regardless of whether you're using the SMTP Proxy.
Cheers - Bob