
I have Covad dual/bonded T1 service in our office coming through a Cisco 1841 and then through a Sonicwall 3060Pro/Enhanced SW firewall.

The problem I'm looking for some input on is how to limit the amount of bandwidth any single user/PC can use for downloading a file from the Internet.

It's become an issue that when one person happens to download let's say an ~300MB file, normal internet access for the other employees slows to a crawl. I've seen through MRTG that in fact usage of the circuit jumps to the full 3mb for the duration of the download and then drops.

Is it possible to control this? I'm not familiar with QOS or the like so I'm not sure.

Any help on this would be appreciated.

Thanks...Michael

AlamedaDad

3 Answers


Michael,

We have been Sonicwall users for a decade or so, and we have fought with this issue for that entire time. What you are trying to do is not possible with a Sonicwall. You can limit the total bandwidth to a particular protocol or port number, but not per session. We currently have an NSA2400 with the application firewall, and it is still an aggregate limit rather than a per-session limit.

That being said, you can set up a low QoS on the HTTP protocol so that any other protocol will take precedence. This won't get anyone else's browsing to be any faster, but it won't kill email or real-time streaming (unless it's HTTP).

One other solution is to put certain offenders in a user group and limit them to some fraction of your total bandwidth; all the non-offenders would still have the remaining fraction left over for browsing. This would require users to log in to the firewall before browsing, unless your 3060 has LDAP integration. If it does, then you could set up groups in your Active Directory and then the user won't have to log in each time...

Scott Lundberg

You can't limit the traffic coming in to your T1s, because the gear on the other side is the one deciding what bits get stuffed into your tubes. So you've got a few options that require you to talk to your carrier (and likely spend some additional $$).

  1. Talk to your carrier to get them to set QoS policies on traffic sourced from port 80, or on a TCP connection to an external port 80... (if that's all you care about).
  2. Ask them to maintain per-flow markings and then set priorities or bandwidth allocations based on the markings you've set. So what you want to say is: "Hey, Covad, let me mark my outbound TCP session packets with a DSCP priority X, and please make sure the return traffic on those flows/sessions is marked similarly. Then, could you please make sure that flows marked X1, X1, or X2 get allocated no less than A, B, or C Kbps on these T1s." So you decide how valuable certain traffic is (i.e. IT's facebook and the bosses' pr0n > secretaries' actual work), and Covad respects your decision on the return path.
  3. Speak with them to establish a secondary channel for your surfing, and use PBR on the 1841 to direct traffic outbound appropriately. You have (46) 64Kbps channels available on 2x T1s, so take 30 of them for your priority traffic, and split out the other 16 for your web surfers. They show up on the internet as a different IP, can have different rules applied, and (in this example) are restricted to only 1Mbps of your 3.0Mbps connection.
  4. Just buy a "business class" cable or DSL connection, and route the unimportant traffic out that one using policy-based routing.
James Cape
  • "You can't limit the traffic coming in to your T1s" - This is not entirely true. You can't limit incoming traffic if it is something like a DoS attack, but for TCP traffic, you can still apply QoS policies. Many traffic shaping devices support things like delayed acks and window scaling that will cause the TCP stack on the remote side of a connection to slow the rate at which it is sending data. – Justin Jan 27 '10 at 01:11
  • Yep, you're right, I keep forgetting about the deep craziness of TCP :-). – James Cape Jan 27 '10 at 02:58
  • Thanks. I was concerned that I couldn't really do much, but I wanted to ask and hope someone knew something I didn't. I actually like James's idea #4. I've thought about getting Comcast as they've just installed in our building. If I implemented this solution, I'd need a way for all VPN-bound traffic to be sent over the T1s while normal web browsing would go over Comcast. Any thoughts on that part? Thanks...Michael – AlamedaDad Jan 28 '10 at 01:30
  • There are lots of ways to implement that specific feature. What's the VPN used for (site-to-site, GRE-over-IPSEC, road warrior, etc.?), and where are you doing NAT? – James Cape Jan 28 '10 at 04:13
  • shouldn't really need any fancy routing to do that.. just plain routing will work fine. set the default route to the cheap comcast connection, and add routes for all of your networks to go over the t1s. if you are running something like bgp/eigrp/rip this part can be done automagically. – Justin Jan 28 '10 at 04:22
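A worked configuration for the split James and Justin describe in the comments above (VPN-bound traffic over the T1s, everything else over a cheap cable connection), added here as an example; it is not from any of the participants and was not run on Michael's equipment. The interface names, the addresses (RFC 5737 documentation ranges) and the VPN peer block 203.0.113.0/24 are assumptions; the commands are standard Cisco IOS. The one thing "plain routing" alone does not cover is the return path: if web sessions leave via the cable link but carry the T1 source address, the replies still come back down the T1s, so the router also has to NAT the web traffic to the cable address.

```cisco
! Assumed interfaces on the 1841.
interface Multilink1
 description Covad bonded T1s (assumed MLPPP bundle)
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
!
interface FastEthernet0/1
 description Cable modem (assumed second WAN link)
 ip address 192.0.2.2 255.255.255.248
 ip nat outside
!
interface FastEthernet0/0
 description LAN side, toward the SonicWall's outside interface
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
!
! Plain routing, as Justin describes: default route out the cable link,
! a specific route for the VPN peer block (assumed 203.0.113.0/24) over the T1s.
ip route 0.0.0.0 0.0.0.0 192.0.2.1
ip route 203.0.113.0 255.255.255.0 198.51.100.1
!
! Return path: translate only what leaves via the cable interface to the
! cable address. VPN traffic routed out Multilink1 matches no rule and is
! not translated, so it keeps the T1 address the far end expects.
ip access-list extended INSIDE-NETS
 permit ip 10.0.0.0 0.0.0.255 any
!
route-map NAT-CABLE permit 10
 match ip address INSIDE-NETS
 match interface FastEthernet0/1
!
ip nat inside source route-map NAT-CABLE interface FastEthernet0/1 overload
```

Two caveats worth knowing before relying on this. The static default route does not go away when the cable link fails unless it is tied to an IP SLA tracking object, so add that if the cable connection is to carry production browsing. And anything on the outside that allowlists the office by IP will now see web traffic from the cable address, not the T1 block; check with `show ip nat translations` which sessions are being translated. Nothing changes on the SonicWall, whose default gateway is the 1841 either way.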

If you don't mind installing an additional PC to act as a bridge on the network, this software may be of help.

http://www.softperfect.com/products/bandwidth/

I'm using SPBWM with my cable connection to limit the available bandwidth on a per-IP basis.

Here is a diagram of my network.

http://coreybrett.com/images/Network_Diagram.png

I have a rule for each address on my subnet, that limits bandwidth to 1Mbit/256k.

I've also had a very good experience with the tech support, considering I'm still running the 30-day trial.

You would need the full version which is $100. (As it has a batch tool for creating rules)

Corey
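As an added example (not Corey's setup and nothing from SoftPerfect), here is the same per-address cap done on the Cisco 1841 that is already in Michael's path, so no extra bridge PC is needed. It uses an IOS policy that polices traffic toward each workstation on the LAN-facing interface; dropping the excess is what makes the remote TCP sender slow down, which is the effect Justin describes in the comments. Interface name, addresses and the 1 Mbit/s rate are assumptions. It only works if the router can actually see the individual workstation addresses: if the SonicWall hides the LAN behind NAT (James's question about where NAT is done is the one to answer first), the router sees a single address, every class matches the same traffic, and the cap becomes the aggregate limit Scott describes.

```cisco
! Assumed LAN-side interface of the 1841 and two workstation addresses.
! One ACL and one class per host; downloads are traffic *to* the host.
ip access-list extended TO-PC-A
 permit ip any host 10.0.0.10
ip access-list extended TO-PC-B
 permit ip any host 10.0.0.11
!
class-map match-all PC-A
 match access-group name TO-PC-A
class-map match-all PC-B
 match access-group name TO-PC-B
!
! Cap each host at 1 Mbit/s; excess packets are dropped and TCP backs off.
policy-map PER-HOST-DOWNLOAD
 class PC-A
  police cir 1000000
   conform-action transmit
   exceed-action drop
 class PC-B
  police cir 1000000
   conform-action transmit
   exceed-action drop
!
interface FastEthernet0/0
 description LAN side, toward the SonicWall
 service-policy output PER-HOST-DOWNLOAD
```

`show policy-map interface FastEthernet0/0` shows the conformed and exceeded counters per class, which is how you confirm the right host is being capped during one of those 300MB downloads. The upload direction (Corey's 256k) is the mirror image: ACLs with `permit ip host 10.0.0.10 any` and the same policy applied with `service-policy input`. One class per workstation is manageable for a small office; a larger network would want the bridge-PC approach or a firewall that does this natively.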