Per user QoS

In our previous section, we explained per host rate limiting (see details). Per host bandwidth control is purely based on IP address, on a per IP/host basic. It has no visibility on the user identity and it’s not possible differentiate different service levels for different users within the same network.

Per user bandwidth control/allocation provides the granularity to assign bandwidth based on user’s identity. We can configure different user profiles, and attach the desirable profile to specific users to map to our access policies, eg. user1 logs and assigned with 2Mbps upload/download, user2 logs in and assigned with 4Mbps upload/download. This feature is only applicable on HotSpot Gateway or HotSpot Access, and is part of our HSG user authorization (access control) feature.


    • user accounts must be locally created within HSG RADIUS (or cloud RADIUS for HSA)
    • user authorization profiles (access policies) must be created within RADIUS. Each access profile sets the min/max bandwidth per user.
    • each user must be attached with their respective access profile.
    • different user can have different access profile, therefore having different access privileges even within the same network

Configuration prerequisites:

    • HotSpot service must be enabled on the user LAN, configured through CLI
    • Configure user accounts, profiles and assignments from RADIUS portal


In this example, we are trying to achieve following objectives:

    • subscribed backhaul bandwidth is 100Mbps
    • network (LAN-eth1) is allocated total 50Mbps, per host is capped at 2Mbps upload/download
    • network (LAN-eth2) is allocated total 50Mbps (with captive portal enabled)
      • some users (user1) are capped at 4Mbps upload/download, no guaranteed bandwidth
      • some users (user2) are capped at 8Mbps upload/download, no guaranteed bandwidth
      • some users (user3) are capped at 8Mbps upload/download, but guaranteed with 4Mbps upload/download.

CLI configuration on mbox

!interface eth0description "Link to WAN/Internet"enableip address dhcptraffic-shape 100000000 100000000 class 1 50000000 50000000 match fwmark 110 class 2 50000000 50000000 match fwmark 120!interface eth1description "connection to LAN-eth1"enableip address 50000000 50000000 class 1 50000000 50000000 match fwmark 110!interface eth2description "connection to LAN-eth2 with Captive Portal enabled"enableip address!ip name-server!ip dhcp-server!!below firewall-set rules marks packets for LAN-eth2 for traffic-shapingfirewall-set 11 mark 110 access src remark "outbound from LAN-eth1"firewall-set 12 mark 110 access dst remark "inbound into LAN-eth1"firewall-set 21 mark 120 access src remark "outbound from LAN-eth2"firewall-set 22 mark 120 access dst remark "inbound into LAN-eth2"!firewall-limit 10 bps 2048000 all src remark "limit upload LAN-eth1"firewall-limit 11 bps 2048000 all dst remark "limit download LAN-eth1"!firewall-access 10 permit outbound eth0!firewall-snat 10 overload outbound eth0!security hotspot eth2hotspot-wan eth0hotspot-server ports 5000 5001hotspot-shape 50000000 50000000 fwmark 120client-network localhost testing123 <- refer to next part for RADIUS settinghotspot-online-page DEF-Login <- users will login through a portalstart!

RADIUS setting (for user accounts and access profiles)

RADIUS setting are done through a GUI - RADIUS portal.

User authorization (access control) profile

User account settings