Traffic shaping
In these examples we assume that the WAN port of the firewall is connected to the Internet with an upstream and downstream bandwidth of 2 Mbit/s.
Limit bandwidth to a service
To limit the bandwidth a service (in this case FTP) can use, follow these steps:
1. Create a new policy rule. Under Firewall->Policy click LAN->WAN. Click Add new.
2. Set up the new policy:
   Name the rule: allow_ftp
   Set position to: 2
   Set action to: allow
   Select service: ftp_outbound
   Schedule should be: always
   Check the Traffic shaping box and enter 400 as up and downstream limit.
   Click Apply.
3. Click Activate and wait for the firewall to restart.
All FTP traffic from computers on the LAN network will now be limited to a total bandwidth of 400 kbit/s in both directions.
Limit bandwidth to one or more IP addresses
The example above can be modified to only limit FTP bandwidth from one or more IP addresses. In the policy setup, add the IP addresses that should be limited in the Source Nets box.
Now all FTP traffic from 192.168.1.125 on the LAN network will be limited to 400 kbit/s in both directions. If more than one IP is required, a comma-separated list or a network can be entered (e.g. 192.168.1.125, 192.168.1.126 or 192.168.1.0/24).
Guarantee bandwidth to a service
To set up traffic shaping to guarantee a service a certain amount of bandwidth, follow these steps:
1. Set the interface speed for the WAN interface under System->Interfaces:
   Click Edit for the WAN interface.
   Check the Traffic shaping checkbox.
   Enter upstream bandwidth: 2000 (2 Mbit/s)
   Enter downstream bandwidth: 2000 (2 Mbit/s)
   Click Apply.
2. Create a new policy rule. Under Firewall->Policy click LAN->WAN. Click Add new.
3. Set up the new policy:
   Name the rule: allow_ftp
   Set position to: 2
   Set action to: allow
   Select service: ftp_outbound
   Schedule should be: always
   Check the Traffic shaping box and enter 1000 as up and downstream guarantee.
   Click Apply.
4. Click Activate and wait for the firewall to restart.
FTP traffic from LAN to WAN will now be guaranteed half of the total bandwidth to the Internet, 1 Mbit/s of 2 Mbit/s. If there are no FTP connections, or if the bandwidth usage of the FTP connections is less than 1 Mbit/s, other services can use the bandwidth. The guaranteed bandwidth isn't reserved for FTP traffic only. E.g. if the FTP session is using 800 kbit/s, all other services can still use all of the remaining 1200 kbit/s.
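The difference between a limit rule and a guarantee rule is easy to misread, so here is a small Python model of the two behaviours described above. It is an added illustration, not code from the manual or the firewall, and the even sharing of leftover bandwidth among flows that still want more is an assumption of the model, not the firewall's documented scheduler; the flow names and demand figures are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Flow:
    """One traffic class matched by a policy rule (all figures in kbit/s)."""
    name: str
    demand: int         # what the flow is currently trying to send
    guarantee: int = 0  # floor from a "guarantee" rule, 0 = none
    limit: int = 0      # ceiling from a "limit" rule, 0 = none


def allocate(capacity: int, flows: list[Flow]) -> dict[str, int]:
    """Honour guarantees first, then share what is left (assumed fair-share model)."""
    # A limit rule caps how much a flow may ever receive, whatever else is idle.
    ceiling = {f.name: min(f.demand, f.limit) if f.limit else f.demand for f in flows}
    # Pass 1: every guaranteed flow gets up to its guarantee, but only if it wants it.
    alloc = {f.name: min(ceiling[f.name], f.guarantee) for f in flows}
    remaining = capacity - sum(alloc.values())
    if remaining < 0:
        raise ValueError("guarantees exceed the configured interface speed")
    # Pass 2: water-fill the remainder across flows that are still hungry, so an
    # idle guaranteed flow leaves its share to everyone else (guarantee != reservation).
    while remaining > 0:
        hungry = [n for n in alloc if alloc[n] < ceiling[n]]
        if not hungry:
            break  # all demand satisfied; the rest of the link stays unused
        share = max(1, remaining // len(hungry))
        for n in hungry:
            add = min(share, ceiling[n] - alloc[n], remaining)
            alloc[n] += add
            remaining -= add
    return alloc


def ftp_guarantee_scenario(ftp_demand: int) -> dict[str, int]:
    """The guarantee guide: 2000 kbit/s WAN, FTP guaranteed 1000 kbit/s."""
    return allocate(2000, [Flow("ftp", ftp_demand, guarantee=1000),
                           Flow("other", 5000)])  # constructed: "other" always wants more


def ftp_limit_scenario(ftp_demand: int) -> dict[str, int]:
    """The limit guide: same WAN, FTP capped at 400 kbit/s, no guarantee."""
    return allocate(2000, [Flow("ftp", ftp_demand, limit=400),
                           Flow("other", 5000)])
```

With FTP at 800 kbit/s the model hands the remaining 1200 kbit/s to other traffic, matching the text; with FTP capped by the limit rule, FTP never exceeds 400 kbit/s however idle the link is.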
Important note! The WAN interface speed under System->Interfaces must match the speed of the Internet connection for guarantees to work. If the bandwidth is set too high, traffic shaping will not work.
Traffic shaping can also be used for VPN connections. An IP phone connection over an IPsec LAN-to-LAN tunnel could, for example, be guaranteed a certain amount of bandwidth. Traffic shaping for VPN is done in the same way as for physical interfaces. First make sure Allow all VPN traffic is unchecked (Firewall->Policies->Global settings). Select the interfaces under Custom policy, e.g. LAN to IPsecTunnel01, and click Show. Now policies for the VPN interface can be created in a similar way as the setups in the guides above to make guarantees or limits.
Appendixes
Appendix A: ICMP Types and Codes
The Internet Control Message Protocol (ICMP) has many messages that are identified by a "type" field; many of these ICMP types have a "code" field. Here we list the types with their assigned code fields.
Type | Name                      | Code | Description                                                            | Reference
0    | Echo Reply                | 0    | No Code                                                                | RFC792
3    | Destination Unreachable   | 0    | Net Unreachable                                                        | RFC792
     |                           | 1    | Host Unreachable                                                       | RFC792
     |                           | 2    | Protocol Unreachable                                                   | RFC792
     |                           | 3    | Port Unreachable                                                       | RFC792
     |                           | 4    | Fragmentation Needed and Don't Fragment was Set                        | RFC792
     |                           | 5    | Source Route Failed                                                    | RFC792
     |                           | 6    | Destination Network Unknown                                            | RFC792
     |                           | 7    | Destination Host Unknown                                               | RFC792
     |                           | 8    | Source Host Isolated                                                   | RFC792
     |                           | 9    | Communication with Destination Network is Administratively Prohibited  | RFC792
     |                           | 10   | Communication with Destination Host is Administratively Prohibited     | RFC792
     |                           | 11   | Destination Network Unreachable for Type of Service                    | RFC792
     |                           | 12   | Destination Host Unreachable for Type of Service                       | RFC792
     |                           | 13   | Communication Administratively Prohibited                              | RFC1812
     |                           | 14   | Host Precedence Violation                                              | RFC1812
     |                           | 15   | Precedence cutoff in effect                                            | RFC1812
4    | Source Quench             | 0    | No Code                                                                | RFC792
5    | Redirect                  | 0    | Redirect Datagram for the Network (or subnet)                          | RFC792
     |                           | 1    | Redirect Datagram for the Host                                         | RFC792
     |                           | 2    | Redirect Datagram for the Type of Service and Network                  | RFC792
     |                           | 3    | Redirect Datagram for the Type of Service and Host                     | RFC792
8    | Echo                      | 0    | No Code                                                                | RFC792
9    | Router Advertisement      | 0    | Normal router advertisement                                            | RFC1256
     |                           | 16   | Does not route common traffic                                          | RFC2002
10   | Router Selection          | 0    | No Code                                                                | RFC1256
11   | Time Exceeded             | 0    | Time to Live exceeded in Transit                                       | RFC792
     |                           | 1    | Fragment Reassembly Time Exceeded                                      | RFC792
12   | Parameter Problem         | 0    | Pointer indicates the error                                            | RFC792
     |                           | 1    | Missing a Required Option                                              | RFC1108
     |                           | 2    | Bad Length                                                             | RFC792
13   | Timestamp                 | 0    | No Code                                                                | RFC792
14   | Timestamp Reply           | 0    | No Code                                                                | RFC792
15   | Information Request       | 0    | No Code                                                                | RFC792
16   | Information Reply         | 0    | No Code                                                                | RFC792
17   | Address Mask Request      | 0    | No Code                                                                | RFC950
18   | Address Mask Reply        | 0    | No Code                                                                | RFC950
30   | Traceroute                |      |                                                                        | RFC1393
31   | Datagram Conversion Error |      |                                                                        | RFC1475
40   | Photuris                  |      |                                                                        | RFC2521
     |                           | 0    | Bad SPI                                                                | RFC2521
     |                           | 1    | Authentication Failed                                                  | RFC2521
     |                           | 2    | Decompression Failed                                                   | RFC2521
     |                           | 3    | Decryption Failed                                                      | RFC2521
     |                           | 4    | Need Authentication                                                    | RFC2521
     |                           | 5    | Need Authorization                                                     | RFC2521