The point here is that the receiving firewall/switch/router (unless it's proxy-based) cannot choose or inform in which order the sending device (like the Internet router your firewall is connected to) should send its packets. So you must happily accept the order in which the packets arrive on your uplink.

What you are in charge of is the order in which your packets will leave your firewall, which means that you can either delay outgoing packets or drop them altogether (the latter is often least demanding on the device which will perform the QoS and is part of RED shaping - randomly early detection).

So to get the best effect when a user wants to download stuff, you should not only delay/drop incoming packets (the actual download) but also the outgoing ACKs sent back by the client to the server. When TCP is being used, the algorithms at both the client but in this case mainly the server will adjust the windows being used and also how many packets will be allowed "in transit" (in plain English - the server will slow down the speed at which the file is being sent). More advanced QoS engines can alter window sizes and other stuff to slow down a specific flow in order to not be forced to drop packets on the road.

For the best effect of using QoS you should apply the very same rules in ALL your network equipment - also in the end nodes (the clients and servers themselves) if possible. This way prioritized traffic will be prioritized at every hop, while traffic you have chosen to prioritize down will only use what's left of the current links.

Of course not all equipment can do QoS based on content, so in PA's case you can tag outgoing packets with various QoS classes (DSCP or TOS) so that your switches and routers (which don't know if the flow is YouTube, which you want to prioritize down) will act on the DSCP/TOS fields in each IP packet instead and still be able to prioritize the traffic correctly through your infrastructure.

PS. This subforum is mainly for questions regarding the support portal itself; the proper location for PA questions is in KnowledgePoint DS.
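Added example, not part of the original post or of any vendor's code: a Python sketch of what the DSCP/TOS tagging described above does to an IPv4 header, so that downstream switches and routers can classify on the mark alone. The sample packet, its addresses and the choice of CS1 (DSCP 8) as the "prioritize down" class are constructed assumptions.

```python
import struct

CS1 = 8  # assumed low-priority class for this example; the post names no class

def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over 16-bit words; returns 0 for a header whose checksum is valid."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def header_len(packet: bytes) -> int:
    """Validate version/IHL and return the header length in bytes."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("invalid or truncated IPv4 header")
    return ihl

def read_marking(packet: bytes) -> tuple:
    """Return (dscp, ecn): the old TOS byte is 6 bits of DSCP plus 2 bits of ECN."""
    header_len(packet)
    return packet[1] >> 2, packet[1] & 0x3

def remark_dscp(packet: bytes, dscp: int) -> bytes:
    """Set a new DSCP, preserve the ECN bits, and recompute the header checksum."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit value")
    ihl = header_len(packet)
    hdr = bytearray(packet[:ihl])
    hdr[1] = (dscp << 2) | (hdr[1] & 0x3)
    hdr[10:12] = b"\x00\x00"  # checksum field must be zero while summing
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + packet[ihl:]

def header_is_valid(packet: bytes) -> bool:
    return ipv4_checksum(packet[:header_len(packet)]) == 0

def build_sample() -> bytes:
    """Constructed packet: 192.0.2.10 -> 198.51.100.20, TCP, DSCP 0, ECN 1."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0x01, 40, 0x1234, 0x4000,
                                64, 6, 0, bytes([192, 0, 2, 10]),
                                bytes([198, 51, 100, 20])))
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + b"\x00" * 20

if __name__ == "__main__":
    marked = remark_dscp(build_sample(), CS1)
    print(read_marking(marked), header_is_valid(marked))
```

A device that rewrites the mark without recomputing the header checksum produces packets the next hop discards, which is why the re-mark and the checksum update belong in one step.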
I tried with your instruction but it didn't work. I have to mention that the interface that uses the IP address 220.127.116.11 uses VLAN tagging. I added the subnet 18.104.22.168/28 to the interface as you mentioned and created a NAT policy as follows:

Tag: none
source zone: internet
destination zone: local
destination interface: any
source address: any
destination address: test1
services: any
source translation: none
destination: address: test2

test1 is an IP address from the range 22.214.171.124/28.
test2 is a local host address.

I tested tracing to the true subnet from the Internet and it shows the proper path till reaching my WAN IP.