Per host QoS (rate limit)
In the earlier section we explained traffic shaping on a per-network or per-application basis.
Sometimes, however, it is desirable to control bandwidth per host. Per-network bandwidth is the total available bandwidth, shared by all hosts on that network, so a few "bursty" hosts can exhaust the entire backhaul and cause congestion upstream, especially during a virus or broadcast-storm outbreak. It is therefore important to be able to cap (rate-limit) the bandwidth of each user or host, so that all users and applications on the network share the upstream pipe fairly. This matters particularly on public Wi-Fi networks, where an attacker could use the free network (and its large backhaul) to launch a DDoS attack against some other victim network; a per-host cap bounds how much of your uplink any single client can contribute to such an attack.
In this section we describe how to control bandwidth on a per-IP-host basis.
Per-host bandwidth control limits (rate-limits) the maximum bandwidth of each IP host according to the configured policies:
firewall-limit <rule_no> <max_bandwidth Kbps> inbound/outbound/all src/dst <Proto/Port or IP or subnet>
- firewall-limit is a type of firewall-access rule, but it takes precedence over all other access lists. Like the others, it is processed "top-down" in <rule_no> order.
- Each firewall-limit rule carries an implicit "permit": all traffic matching a limit rule is allowed to pass, at the configured <max_bandwidth> rate. Use "show firewall access-list all" to verify the order of all ACLs, and "show firewall limit-list" to see the detailed policy of each configured rate limit. Because a limit rule supersedes the access lists and permits whatever it matches, check that a broad limit rule (for example one covering a whole subnet) does not unintentionally permit traffic that an access rule was meant to block.
- A rule keyed on src typically limits upload (traffic originating from the host); a rule keyed on dst limits download (traffic destined to the host).
- For <Proto/Port or IP or subnet>: a specific IP address limits only that host; a subnet applies the same rule to every host within it, each host getting its own cap rather than a shared one. Per-session bandwidth can also be limited by combining src/dst with a protocol (tcp/udp) and port number (for example http/80).
For example, the rules below mean "each host within subnet 172.16.1.0/24 is rate-limited to 2 Mbps (2048 Kbps) upload and download, for all applications, through all interfaces":
firewall-limit 10 2048 all src 172.16.1.0/24 remark UL
firewall-limit 11 2048 all dst 172.16.1.0/24 remark DL
The rules below mean "each host within subnet 172.16.1.0/24 is rate-limited to 2 Mbps upload and download, for http traffic only, through all interfaces":
firewall-limit 10 2048 all tcp src 172.16.1.0/24 dport 80 remark UL-http
firewall-limit 11 2048 all tcp sport 80 dst 172.16.1.0/24 remark DL-http
It is possible to combine per-network traffic shaping with per-host rate limiting: set a total bandwidth for a network, then further rate-limit each host within that network.
In this example, we want to achieve all three objectives:
- subscribed backhaul bandwidth is 100Mbps
- network (LAN-eth1) is allocated total 50Mbps
- per host is capped at 2Mbps upload/download
WAN interface (eth0, facing the Internet):
  description "Link to WAN/Internet"
  ip address dhcp
  traffic-shape 100000 100000
  class 1 50000 50000 match fwmark 110
LAN interface (eth1, 172.16.1.0/24):
  description "connection to LAN-eth1"
  ip address 172.16.1.1/24
  dns 22.214.171.124 126.96.36.199
  range 172.16.1.5 172.16.1.100
  traffic-shape 50000 50000
  class 1 50000 50000 match fwmark 110
Global configuration:
  ip name-server 188.8.131.52 184.108.40.206
  firewall-set 10 mark 110 access src 172.16.1.0/24 remark Network-UL
  firewall-set 11 mark 110 access dst 172.16.1.0/24 remark Network-DL
  firewall-limit 10 2048 all src 172.16.1.0/24 remark "host UL"
  firewall-limit 11 2048 all dst 172.16.1.0/24 remark "host DL"
  firewall-snat 10 overload outbound eth0
How the pieces fit together: the two firewall-set rules mark all traffic from and to 172.16.1.0/24 with fwmark 110; the class 1 entry on each interface places marked traffic into a 50 Mbps class under that interface's shaper (100 Mbps on the WAN side, 50 Mbps on the LAN side); the two firewall-limit rules then cap each individual host at 2048 Kbps in each direction; and firewall-snat performs source NAT (overload) for traffic leaving eth0. The per-network class bounds what the LAN as a whole can use, while the per-host limit keeps one bursty host from taking that entire class for itself.
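As an added example (not the router's own code), here is a short Python simulation that parses the firewall-limit lines used on this page (reading only the rule number, rate, src/dst keyword and host-or-subnet; protocol and port qualifiers are skipped), evaluates them top-down as described in the bullet list above, and runs one second of upload traffic through the per-host cap and the network shaper. The host addresses, offered rates and destination address are constructed sample inputs, and the fixed serving order inside the shaper is a simplification standing in for a real queue.

```python
"""Added example: per-host rate limiting layered under a per-network shaper.

Written for this page as an illustration; it is not the router's own code.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class LimitRule:
    rule_no: int
    kbps: int
    key: str                        # "src" (limits upload) or "dst" (limits download)
    prefix: ipaddress.IPv4Network   # a /32 for a single host, wider for a subnet


def parse_limit_rule(line: str) -> LimitRule:
    """Parse 'firewall-limit <no> <kbps> <iface> ... src|dst <host-or-subnet> ...'.

    Only the fields needed for matching are read; tokens such as tcp/dport/remark
    are ignored.
    """
    toks = line.split()
    if not toks or toks[0] != "firewall-limit":
        raise ValueError("not a firewall-limit line: %r" % line)
    idx = next(i for i, t in enumerate(toks) if t in ("src", "dst"))
    return LimitRule(int(toks[1]), int(toks[2]), toks[idx],
                     ipaddress.ip_network(toks[idx + 1], strict=False))


def first_match(rules, src: str, dst: str):
    """Top-down evaluation by rule number: the first matching rule wins."""
    for rule in sorted(rules, key=lambda r: r.rule_no):
        addr = ipaddress.ip_address(src if rule.key == "src" else dst)
        if addr in rule.prefix:
            return rule
    return None


def simulate_upload(rules, demand_kbps, network_kbps, dst="203.0.113.10", slots=100):
    """Simulate one second of upload in `slots` equal slices.

    Each host's offered traffic is first clipped by its per-host limit (the
    first rule that matches it), then all hosts draw on the network shaper's
    budget in dictionary order. Serving in a fixed order is an assumption that
    stands in for a real queue; it makes the failure mode visible: without a
    per-host cap the first host can drain the whole budget.
    Returns delivered kbps per host.
    """
    dt = 1.0 / slots
    delivered = {host: 0.0 for host in demand_kbps}
    for _ in range(slots):
        budget = network_kbps * dt
        for host, demand in demand_kbps.items():
            allowed = demand * dt
            rule = first_match(rules, host, dst)
            if rule is not None:
                allowed = min(allowed, rule.kbps * dt)
            sent = min(allowed, budget)
            budget -= sent
            delivered[host] += sent
    return {host: round(v) for host, v in delivered.items()}


# Constructed sample input: one bursty host offering 100 Mbps and two normal
# hosts offering 1 Mbps each, behind the 50 Mbps network class from the config.
DEMAND_KBPS = {"172.16.1.10": 100000, "172.16.1.11": 1000, "172.16.1.12": 1000}
NETWORK_KBPS = 50000
HOST_RULES = [
    parse_limit_rule('firewall-limit 10 2048 all src 172.16.1.0/24 remark "host UL"'),
    parse_limit_rule('firewall-limit 11 2048 all dst 172.16.1.0/24 remark "host DL"'),
]

if __name__ == "__main__":
    print("network shaper only:", simulate_upload([], DEMAND_KBPS, NETWORK_KBPS))
    print("with per-host cap:  ", simulate_upload(HOST_RULES, DEMAND_KBPS, NETWORK_KBPS))
```

With only the network shaper (empty rule list) the bursty host takes the whole 50 Mbps class and the other two hosts deliver nothing; with the two firewall-limit rules in place it is held to 2048 Kbps and the others get their full 1 Mbps each. The first_match function also shows the top-down rule ordering: a more specific /32 rule with a lower rule number wins over a broader subnet rule listed later, regardless of the order the rules were entered.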