How to Use QoS

This article outlines the basic functionality of Quality of Service (QoS) to shape or limit bandwidth.

Overview

A full QoS setup involves four tabs under Interfaces & Routing > Quality of Service: Status, Traffic Selectors, Bandwidth Pools, and Download Throttling. The UTM applies QoS to a packet in this order:

  1. Is QoS enabled on the interface?

  2. Does the packet match a traffic selector that I have defined?

  3. What does the bandwidth pool or download throttling rule that uses this selector do with the traffic?

Note: All bandwidth values in QoS are in kilobits per second (kbit/s), not kilobytes.

Status

You start the configuration on the Status tab. It shows all configured physical interfaces on the system. QoS works on a per-interface basis. Click the switch of an interface to enable QoS for it.

Traffic Selectors

On the Traffic Selectors tab, specify the type of traffic you want to control. The UTM classifies traffic by source and destination IP address combined with either a service (protocol and port) or an application.

To specify a new traffic selector, do as follows:

  1. Click New Traffic Selector.

  2. Enter a descriptive name.

  3. Select the type. Types are either Traffic Selector, Application Selector, or Group. A group lets you bind several individual selectors together.

  4. Select a source IP address.

  5. Select a service or application.

  6. Select a destination IP address.

  7. Under Advanced, you can optionally restrict the selector to packets carrying particular TOS bits or a particular DSCP value (see TOS and DSCP below).

  8. Click Save.

Bandwidth Pools

Bandwidth pools define the action the UTM takes with matching traffic. The UTM can prioritize, limit, or guarantee bandwidth for packets that match a traffic selector. If the selector has TOS or DSCP matching turned on, only packets carrying those markings fall into the pool.

To specify a new bandwidth pool, follow these steps:

  1. Click New Bandwidth Pool.

  2. Make the following settings:

    Name: Enter a descriptive name.

    Interface: Select the interface on which you want to apply QoS.

    Position: The position that defines the priority of the rule. Lower numbers have higher priority: rules are evaluated in ascending order of position, and once a rule has matched, rules with a higher position number are not evaluated for that traffic. Place specific pools above broad ones, otherwise the broad pool captures the traffic first.

    Bandwidth: The bandwidth guaranteed to matching traffic. The UTM reserves this amount and won't give it to any other traffic on the interface. If matching traffic needs more, it can use bandwidth that other traffic leaves unused, unless you set an upper limit.

    Specify an upper bandwidth limit: Select to define a maximum bandwidth for the traffic.

    Traffic Selectors: Select the traffic selectors that apply to this bandwidth pool.

  3. Click Save.

Example Scenario

Control outbound TCP port 12345 traffic.

First, create a traffic selector as follows:

  1. Go to Interfaces & Routing > Quality of Service (QoS) > Traffic Selectors.

  2. Add a new traffic selector with the following settings:

    • Name: TCP port 12345

    • Selector type: Traffic Selector

    • Source: Internal (Network)

    • Service: Create a new TCP service with destination port 12345.

    • Destination: Any

    • TOS/DSCP: off

  3. Save the traffic selector.

Next, use the new selector with a bandwidth pool.

  1. Go to the Bandwidth Pools tab.

  2. Look at Bound to Interface and confirm that you're about to use the intended target interface.

  3. Add a new bandwidth pool with the following settings:

    • Name: TCP port 12345

    • Position: Bottom

    • Bandwidth: 1000 kbit/s

    • Specify upper bandwidth limit: Enable and set the limit to 5000 kbit/s.

    • Traffic Selectors: Check the traffic selector you created before: TCP port 12345.

  4. Save the bandwidth pool.

Finally, activate the pool and enable QoS on the target interface as follows:

  1. On the Bandwidth Pools tab, click the switch of the TCP port 12345 bandwidth pool to activate it.

  2. On the Status tab, make sure the switch of the interface the pool is bound to is enabled.

    The UTM now guarantees 1000 kbit/s to outbound TCP port 12345 traffic from the internal network and caps it at 5000 kbit/s.
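The Position field and the guarantee/limit pair are the two things that most often surprise people in practice, so here is a small Python model of them, written for this article and not part of the UTM. It reuses the example above (the TCP port 12345 pool with 1000 kbit/s guaranteed and a 5000 kbit/s limit) and adds a constructed second pool, "All internal", to show how a broad pool placed above a specific one shadows it. The network range, the sample packets and the pool names are constructed for the example; the bandwidth-sharing function is a simplified model (unused capacity shared equally among pools that still want more, subject to their limits) and is an assumption, not the UTM's scheduler. The same first-match ordering applies to download throttling rules.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Sequence


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp" or "udp"
    dport: int
    dscp: int = 0         # 6-bit DiffServ codepoint, 0 = best effort


@dataclass(frozen=True)
class Selector:
    """A traffic selector: source, destination, service and optional DSCP match."""
    name: str
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None     # None = any service
    dport: Optional[int] = None
    dscp: Optional[int] = None      # None = the "TOS/DSCP: off" setting

    def matches(self, p: Packet) -> bool:
        if ip_address(p.src) not in ip_network(self.src):
            return False
        if ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.dscp is not None and p.dscp != self.dscp:
            return False
        return True


@dataclass
class Pool:
    """A bandwidth pool; its index in the pool list is its position."""
    name: str
    guaranteed_kbit: int
    limit_kbit: Optional[int]       # None = no upper limit
    selectors: Sequence[Selector]


def classify(packet: Packet, pools: Sequence[Pool]) -> Optional[str]:
    """Name of the first pool (lowest position) with a matching selector, or None."""
    for pool in pools:
        if any(s.matches(packet) for s in pool.selectors):
            return pool.name
    return None


def shadowed_pools(pools: Sequence[Pool], samples: Sequence[Packet]) -> List[str]:
    """Pools that never win for any sample packet: a sign that an earlier, broader pool shadows them."""
    winners = {classify(p, pools) for p in samples}
    return [pool.name for pool in pools if pool.name not in winners]


def share_bandwidth(link_kbit: int, pools: Sequence[Pool], demand_kbit: Dict[str, int]) -> Dict[str, int]:
    """Simplified model (assumption, not the UTM's scheduler): every pool first gets
    min(demand, guarantee); spare capacity is then shared equally, round by round,
    among pools that still want more, never exceeding a pool's upper limit."""
    alloc = {p.name: min(demand_kbit.get(p.name, 0), p.guaranteed_kbit) for p in pools}
    spare = link_kbit - sum(alloc.values())
    while spare > 0:
        wanting = [p for p in pools
                   if alloc[p.name] < demand_kbit.get(p.name, 0)
                   and (p.limit_kbit is None or alloc[p.name] < p.limit_kbit)]
        each = spare // len(wanting) if wanting else 0
        if each == 0:
            break
        for p in wanting:
            cap = demand_kbit[p.name] if p.limit_kbit is None else min(demand_kbit[p.name], p.limit_kbit)
            give = min(each, cap - alloc[p.name])
            alloc[p.name] += give
            spare -= give
    return alloc


INTERNAL = "192.168.0.0/24"   # constructed stand-in for the "Internal (Network)" object
SEL_PORT = Selector("TCP port 12345", src=INTERNAL, proto="tcp", dport=12345)
SEL_ALL = Selector("All internal traffic", src=INTERNAL)
POOL_PORT = Pool("TCP port 12345", guaranteed_kbit=1000, limit_kbit=5000, selectors=[SEL_PORT])
POOL_ALL = Pool("All internal", guaranteed_kbit=2000, limit_kbit=None, selectors=[SEL_ALL])

SAMPLE_PACKETS = [   # constructed packets
    Packet("192.168.0.10", "203.0.113.5", "tcp", 12345),
    Packet("192.168.0.11", "203.0.113.5", "tcp", 443),
    Packet("10.0.0.1", "192.168.0.10", "tcp", 12345),   # not from Internal: matches nothing
]

WRONG_ORDER = [POOL_ALL, POOL_PORT]   # broad pool at position 1 shadows the specific one
RIGHT_ORDER = [POOL_PORT, POOL_ALL]

if __name__ == "__main__":
    for label, order in (("wrong", WRONG_ORDER), ("right", RIGHT_ORDER)):
        print(label, [classify(p, order) for p in SAMPLE_PACKETS],
              "shadowed:", shadowed_pools(order, SAMPLE_PACKETS))
    print(share_bandwidth(12000, RIGHT_ORDER, {"TCP port 12345": 8000, "All internal": 8000}))
```

With the pools in the wrong order, the port 12345 packet lands in "All internal" and the specific pool never wins; swapping the positions fixes that. The sharing model shows the guarantee and limit together: on a 12000 kbit/s link with both pools saturated, the port pool keeps its 1000 kbit/s guarantee, borrows up to its 5000 kbit/s ceiling and no further, and the rest goes to the unlimited pool.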

Download Throttling

Download throttling works like a bandwidth pool that has only an upper limit: it caps the amount of traffic allowed from the internet to client devices.

To specify a new download throttling rule, do as follows:

  1. Go to Interfaces & Routing > Quality of Service (QoS) > Download Throttling.

  2. Look at Bound to Interface and confirm that you're about to use the intended target interface.

  3. Click New Download Throttling Rule.

  4. Make the following settings:

    • Name: Enter a descriptive name.

    • Position: The position that defines the priority of the rule. Lower numbers have higher priority. Rules are matched in ascending order. Once a rule has matched, rules with a higher number will not be evaluated anymore.

    • Limit: The maximum bandwidth (in kbit/s) allowed for matching traffic.

    • Traffic Selectors: Select the traffic selectors to use with this download throttling rule.

  5. Save the download throttling rule.

Example Scenario

Limit inbound TCP port 12345 traffic to the internal host 192.168.0.10.

First, create a traffic selector as follows:

  1. Go to Interfaces & Routing > Quality of Service (QoS) > Traffic Selectors.

  2. Add a new traffic selector with the following settings:

    • Name: TCP port 12345

    • Selector type: Traffic Selector

    • Source: Any

    • Service: Create a new TCP service with destination port 12345.

    • Destination: Create a new host with the IP address 192.168.0.10.

    • TOS/DSCP: off

  3. Save the traffic selector.

Next, use the new selector with a download throttling rule.

  1. Go to Interfaces & Routing > Quality of Service (QoS) > Download Throttling.

  2. Look at Bound to Interface and confirm that you're about to use the intended target interface.

  3. Add a new download throttling rule with the following settings:

    • Name: TCP port 12345

    • Position: Bottom

    • Limit: 5000 kbit/s

    • Traffic Selectors: Check the traffic selector you created before: TCP port 12345.

  4. Save the download throttling rule.

Finally, activate the rule and enable QoS on the target interface:

  1. On the Download Throttling tab, click the switch of the TCP port 12345 download throttling rule to activate it.

  2. On the Status tab, make sure the switch of the interface the rule is bound to is enabled.

    The UTM now limits TCP port 12345 traffic to 192.168.0.10 to 5000 kbit/s.

TOS and DSCP

This is a high-level explanation of these terms. For details, refer to the RFCs: RFC 1349 for TOS and RFC 2474 for DSCP.

TOS

TOS stands for Type of Service: a set of bit flags in the IPv4 header byte of the same name, defined in RFC 1349. Depending on which bits are set to 1, a router can choose a different route or queue for the packet. The UTM offers these settings (the RFC 1349 bit value is given in parentheses):

  • Normal (no bits set)

  • Minimize monetary cost (0x02)

  • Maximize reliability (0x04)

  • Maximize throughput (0x08)

  • Minimize delay (0x10)

DSCP

DSCP (Differentiated Services Code Point, RFC 2474), also known as DiffServ, reuses the same header byte: its upper six bits specify the forwarding class of a flow, and the lower two bits are used for ECN. DSCP is largely used in VoIP infrastructure. This is an advanced setting and is not recommended unless you know the DSCP value or DSCP class that your traffic actually carries before configuration, because the same byte reads differently as legacy TOS bits and as a DSCP codepoint.

Limitations

QoS on the UTM has the following limitations:

  • QoS shaping works on outbound traffic only, relative to the UTM interface. To shape inbound (internet-to-client) traffic with a bandwidth pool, bind the pool to the internal interface, where that traffic leaves the UTM toward the clients.

  • QoS is built on the iptables framework. If your configuration bypasses iptables processing, QoS doesn't work as intended.

  • QoS works on physical interfaces only, which is why the Status tab lists only those. As a result, QoS doesn't work well with VPN tunnels.
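To make the TOS-versus-DSCP caveat concrete, here is a small Python decoder for the single IPv4 byte that both interpretations live in. It is example code written for this article, not UTM code; the byte values it is run on are constructed, and the class names follow RFC 1349 (TOS bits), RFC 2474 (class selectors), RFC 2597 (assured forwarding), RFC 3246 (expedited forwarding) and RFC 3168 (ECN).

```python
# RFC 1349 TOS bits as they sit in the IPv4 TOS byte (bits 7..5 are precedence, bit 0 was reserved)
TOS_FLAGS = {
    0x10: "Minimize delay",
    0x08: "Maximize throughput",
    0x04: "Maximize reliability",
    0x02: "Minimize monetary cost",
}


def tos_flags(byte: int) -> list:
    """Names of the RFC 1349 TOS bits set in the byte; ['Normal'] when none is set."""
    names = [name for bit, name in TOS_FLAGS.items() if byte & bit]
    return names or ["Normal"]


def precedence(byte: int) -> int:
    """Legacy 3-bit IP precedence (top three bits): 0 = routine .. 7 = network control."""
    return byte >> 5


def dscp(byte: int) -> int:
    """RFC 2474: the top six bits of the same byte are the DiffServ codepoint."""
    return byte >> 2


def ecn(byte: int) -> int:
    """RFC 3168: the low two bits are ECN and are not part of the codepoint."""
    return byte & 0x03


def dscp_name(codepoint: int) -> str:
    """Standard per-hop-behaviour name for a 6-bit codepoint, or 'DSCP <n>' if it has none."""
    if not 0 <= codepoint <= 63:
        raise ValueError("codepoint must fit in 6 bits")
    if codepoint == 46:                  # RFC 3246 Expedited Forwarding, the usual voice marking
        return "EF"
    if codepoint & 0x07 == 0:            # RFC 2474 class selectors CS0..CS7 (pattern xxx000)
        return f"CS{codepoint >> 3}"
    cls, drop = codepoint >> 3, (codepoint >> 1) & 0x03
    if 1 <= cls <= 4 and 1 <= drop <= 3 and codepoint & 1 == 0:   # RFC 2597 AFxy (pattern xxxyy0)
        return f"AF{cls}{drop}"
    return f"DSCP {codepoint}"


def ds_byte(codepoint: int, ecn_bits: int = 0) -> int:
    """Raw byte value on the wire for a codepoint: what a DSCP selector actually has to match."""
    return (codepoint << 2) | (ecn_bits & 0x03)


def describe(byte: int) -> dict:
    """Both readings of one TOS/DS byte, side by side."""
    cp = dscp(byte)
    return {
        "byte": byte,
        "precedence": precedence(byte),
        "tos_flags": tos_flags(byte),
        "dscp": cp,
        "dscp_name": dscp_name(cp),
        "ecn": ecn(byte),
    }


if __name__ == "__main__":
    # Constructed byte values: EF-marked voice (0xB8), a legacy "minimize delay" marking (0x10), best effort (0x00)
    for b in (0xB8, 0x10, 0x00):
        print(describe(b))
```

An EF-marked voice packet carries byte 0xB8: read as a DSCP selector it is codepoint 46 (EF), but read as legacy TOS bits it is precedence 5 with "Minimize delay" and "Maximize throughput" set. Conversely, a host that still sets the old "Minimize delay" flag (byte 0x10) produces codepoint 4, which maps to no standard class, so a DSCP selector for EF would not match it. Check which marking your devices actually emit (a packet capture of the TOS byte is enough) before choosing between the TOS and DSCP options in a selector.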