There are multiple users uploading shared files on external file hosting services and their combined bandwidth is saturating the internet line. Is there a way we can limit the upload speed for our users?
Overview and conditions
Bandwidth limiter features in the web proxy section only applies to download, not upload, so how can upload be limited on a Smoothwall system?
You can use the bandwidth module to limit upload but before you can apply bandwidth module rules there are some caveats:
- Bandwidth rules are applied by IP address.
You can't limit upload based on user groups, only IP addresses. Limiting upload as a general rule will suffice in most cases, because the main purpose is to prevent upload capacity being exhausted by web traffic, preventing other services from working. You can use destination IP addresses as well but this can be tricky when dealing with cloud services as the destination IP addresses may change.
- Spoofing needs to be enabled in the web proxy configuration
Spoofing allows the bandwidth module to "see" the client IP address when traffic is being proxied which is needed to apply bandwidth limitations. Unfortunately this means that some setups will not be able to use this solution as spoofing requires return traffic to be routed back via the Smoothwall. When the Smoothwall is both firewall and web filter, spoofing can be enabled but when the Smoothwall is web filter only, there may be issues when enabling spoofing. Please talk to Smoothwall support to get help in determining if spoofing can be used.
Once spoofing has been enabled, we can now configure the bandwidth module to impose both download and upload limits. As a generic example, let's assume we have an internet connection with 100 MB incoming and 20 MB outgoing. As we are running other services, like remote desktop, VoIP and web services, we would like to reserve 10 MB outgoing and 5 MB incoming to those services, so we will limit our web traffic to 95 MB incoming and 10 Mb outgoing. In addition, we will prioritize non-web traffic higher than web traffic.
Configuring the Bandwidth Module
Lets start in the "Bandwidth » Control » Shaping policies" section, where we can define the bandwidth shaping rule for our traffic.
We are going to use the Default policy, already in place as we do not have any other requirements than defined above and this should apply to all traffic. Expand the default and you will see a single "slice" defined with a weight of 10 - there are no bandwidth limits assigned.
Use the "Add new slice" button and enter the following:
In the applications field, you will need to expand the "Networking" section and scroll down to find HTTP. HTTP includes both HTTP and HTTPS.
Incoming cap is set to 95 and remember to switch the metric from Kbps to Mbps.
Outgoing cap is set to 10 and again, remember to switch the metric.
Leave the weight at 10 for both incoming and outgoing.
Save the slice and then edit the default slice and change the weight to 1 in both incoming and outgoing. Weighting prioritizes the traffic and a priority of 1 is higher than a priority of 10. This means that the Smoothwall will prioritize non-HTTP traffic higher than HTTP traffic.
Next let's go to the "Bandwidth » Control » Classes" section and edit the "All traffic" class. This should be set to use the "Default" shaping policy as standard, so no need to change anything here for now, just checking.
Finally we need to go to "Bandwidth » Control » Interfaces" and setup our interface and bandwidth values. Use the "Add new interface limits" and select the external interface and IP address you use for default LLB pool as seen in the "Network » Configuration » Source NAT & LLB rules" section. Set the bandwidth values for Maximum bandwidth in and Maximum bandwidth out according to the values on your internet connection.
Save the interface limit and the "All traffic" class should show up as well as any other class that has been defined. For now, leave all the values there at default and go to "Bandwidth » Diagnostics » Monitoring" where we will now test that our limits are applied. You should be able to see traffic matching both the Web traffic and the Default definition. Test download limits by using https://www.thinkbroadband.com/download or any other download resource.
This is a simple example, focused on limiting upload values for web traffic in order to preserve bandwidth for other services. The manual will be able to explain other features available in the bandwidth module and Smoothwall support and chat is always available for questions/clarifications.