06-08-2016 01:41 PM
06-08-2016 03:12 PM
You can do this. Even though the session is inbound initially, QoS profile rules are applied on the egress interfaces of the session's traffic in both directions.
You need a QoS Policy that matches the session. So the QoS Policy will have a source zone of External and a destination zone of DMZ and will assign that session a class.
You need a QoS Profile applied to the external interface that guarantees the class a certain amount of bandwidth.
Let's say the QoS Policy assigns the session class 2, then the QoS Profile on the external interface should guarantee 15 Mbps to class 2.
I think the trickiest thing with QoS is that you frequently need to create a bottleneck in the firewall for it to be effective. This means the Maximum value on the QoS Profile applied to the external interface must be set to less than the ISP data rate. If the ISP allows a 50 Mbps upload speed, the QoS profile maximum should be set to something like 48 Mbps.
06-08-2016 04:17 PM - edited 06-08-2016 04:24 PM
06-09-2016 07:20 AM
Hi,
A QoS rule associates a class to a session when it is established. It means that the traffic in both directions will have the same class, since they are part of the same session. Separately from that, traffic is subject to the interface QoS profile when it goes out through that interface. Your 2 interfaces could have different profiles, which means that class 2 on one interface could be guaranteed 15 Mbps, while class 2 on the other interface could be guaranteed 10 Mbps, or any other limit you want to set.
The 15 Mbps guarantee would apply to all class 2 traffic on that interface. I don't know about the exact algorithm used for QoS, but the way I see it is that your class 2 traffic will come out of your interface before any lower priority traffic waiting in a queue to be sent, up to a quota of 15 Mbps. Over that limit, the traffic will not have priority until the next second (or whichever time unit is used internally by the algorithm to calculate bandwidth limit).
I assume here that your class 2 traffic has priority set to high in your QoS profile, versus medium for the rest of the traffic.
Regards,
Benjamin
06-09-2016 07:29 AM
The traffic goes in both directions. Traffic from your server to the client will egress on the external interface.
Why must it be applied on the external interface? The session comes from outside to inside, so the egress interface is inside, or am I confused?
That is correct.
Briefly, from your explanation:
1. Identify the traffic flow (out to in), so the rule must be out to in too.
2. Apply the profile. If I want to guarantee downloads from the DMZ server, apply it on the external interface. If I want to guarantee uploads to the DMZ, apply it to the internal interface.
Is that correct?
If I only apply it one way, it just guarantees one direction, true?
Correct
Another one: are these 15 Mbps per session, or for the total traffic that matches the QoS rule?
The 15 Mbps is for the total traffic that matches the QoS policy rule.
The last one, this guarantee implies:
1. These 15 Mb are ALWAYS reserved (allocated) for traffic classified with class 2 (following our example)
Or
2. It just comes into play in case of congestion (when the interface where we applied the QoS profile suffers congestion)?
It will only work during congestion. If there isn't congestion, then it doesn't need to work. No congestion would mean there is enough bandwidth to handle all the traffic and there is no need to do QoS.
Thank you!!
06-13-2016 12:44 PM - edited 06-13-2016 12:45 PM
Ok, perfect!
A last question, can you explain a little more about:
"I think the trickiest thing with QoS is that you frequently need to create a bottleneck in the firewall for it to be effective"
Why is it necessary? Can you illustrate with an example or similar?
Thanks!!
06-13-2016 12:48 PM
Thanks Benjamin, so from your explanation I understood that you can apply 2 different profiles on the in interface and the out interface, but it MUST be the same CLASS (fixed in the NAT rule). That's it?
Thanks!
06-14-2016 07:23 PM
Hi,
Saying "must" implies you might make a mistake choosing different classes, but in reality the class will always be the same for both directions, for a given session. You don't have a choice. So yeah, you only set 1 class for both directions in the QoS rules (not the NAT rules), but you can choose different profiles for inbound and outbound traffic. Please note that sessions are class 4 by default, so even if you don't assign a class to a session, it will have an associated class.
Regards,
Benjamin
06-15-2016 08:06 AM
@ilnanu wrote:
Ok, perfect!
A last question, can you explain a little more about:
"I think the trickiest thing with QoS is that you frequently need to create a bottleneck in the firewall for it to be effective"
Why is it necessary? Can you illustrate with an example or similar?
Thanks!!
QoS is only effective when there is congestion. If your firewall moves packets faster than your ISP, then the congestion is happening at the ISP. For example, if you have a 50Mbps download speed from the ISP and your firewall can transmit at 100Mbps, the firewall will not experience congestion and the QoS settings can't work. If the firewall has the maximum egress set on the inside interface to 48Mbps, it is now the bottleneck and will experience congestion and QoS will work.
There are a number of QoS guides that discuss this, but unfortunately many omit it. It can be a tricky concept. Here are a couple of links that include the reasoning for setting the maximum below the ISP rate:
https://networklessons.com/quality-of-service/qos-traffic-shaping-explained/
http://www.howtogeek.com/75660/the-beginners-guide-to-qos-on-your-router/
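The bottleneck point made in this thread (the Maximum on the egress QoS profile must sit below the ISP rate or the guarantee never engages) can be shown with a small constructed model. This is added example code, not from the thread or from Palo Alto; it is a simplified two-stage model (guarantees first, then proportional sharing, then a class-unaware ISP link), not PAN-OS's real scheduler, whose exact algorithm is not given on the page.

```python
from fractions import Fraction

# Constructed simplified model (example code, not PAN-OS's scheduler):
# a QoS profile on an egress interface has a Maximum rate and per-class
# guarantees; the ISP link is a class-unaware FIFO that sheds overload.

def egress_schedule(offered, guarantees, max_rate):
    """Split max_rate (Mbps) among classes: each class first gets up to its
    guarantee, then the remaining capacity is shared in proportion to the
    unmet demand of every class (guaranteed or not)."""
    offered = {c: Fraction(r) for c, r in offered.items()}
    alloc = {c: min(r, Fraction(guarantees.get(c, 0))) for c, r in offered.items()}
    assert sum(alloc.values()) <= max_rate, "guarantees exceed interface maximum"
    leftover = Fraction(max_rate) - sum(alloc.values())
    excess = {c: offered[c] - alloc[c] for c in offered}
    total_excess = sum(excess.values())
    if total_excess > 0:
        for c in offered:
            share = leftover * excess[c] / total_excess
            alloc[c] += min(excess[c], share)   # single-pass approximation
    return alloc

def isp_link(forwarded, isp_rate):
    """Class-unaware link: when overloaded, every class loses the same fraction."""
    total = sum(forwarded.values())
    if total <= isp_rate:
        return dict(forwarded)
    return {c: r * Fraction(isp_rate) / total for c, r in forwarded.items()}

def end_to_end(offered, guarantees, fw_max, isp_rate):
    """Rate each class actually achieves after the firewall and the ISP link."""
    return isp_link(egress_schedule(offered, guarantees, fw_max), isp_rate)

if __name__ == "__main__":
    # Constructed load: class 2 offers 15 Mbps (guaranteed 15), default
    # class 4 offers 60 Mbps; the ISP link is 50 Mbps.
    offered = {2: 15, 4: 60}
    for fw_max in (100, 48):
        got = end_to_end(offered, {2: 15}, fw_max, isp_rate=50)
        print(f"firewall max {fw_max} Mbps -> class 2 gets {float(got[2]):.1f} Mbps")
```

With the Maximum at 100 Mbps the firewall forwards all 75 Mbps, the ISP drops a third of everything and class 2 ends up with 10 Mbps despite its 15 Mbps guarantee; with the Maximum at 48 Mbps the firewall is the bottleneck, class 2 keeps its full 15 Mbps and class 4 absorbs the shortfall.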