I was surprised at how easy it was to
implement Bandwidth Management on our public wireless using our
SonicWALL NSA 240. Here’s how I did it. Your mileage may vary.
Step One. Log into your SonicWALL.
Step Two. Navigate to
Network –> Address Objects and create an “Address Object” to match your Public Wireless Traffic. Click “Add…” under Address Objects.
I created an object called “PublicWiFi-Test” for this example and matched
it to traffic on network 192.168.11.0/24, which is the IP address range
of our Public Wi-Fi traffic. You can match to a number of other
identifiers as well.
Step Three. Navigate to
Firewall –> Access Rules. Change the view style to “All Rules” and then click “Add…”. This
is when we actually tell the SonicWALL what we want to do with the
Public Wireless Traffic. In the window that comes up, fill out the fields
like I have below. What we are doing is telling the firewall to process
traffic that is from the LAN to the WAN, from any Service, matching the
PublicWiFi-Test object that we defined earlier, to any destination.
On the “Advanced” tab, leave everything as the default, but check the
“Create a reflexive rule” box so that inbound traffic will be matched as well.
On the QoS tab, change the DSCP Marking Action to “Explicit”. Then change the
“Explicit DSCP Value” to “0 – Best effort/Default”.
That way, if you have some other policies downstream that mark or
generate traffic with a higher DSCP (like video), the PublicWiFi traffic
won’t mess with your video feed.
Now, on the
tab, you will actually configure the Bandwidth Management. Check the
first box and then enter a percent or Kbps value for the Guaranteed
bandwidth and the Maximum Bandwidth. This first section will apply your
settings to “Outbound” traffic or in Internet terms, Upload Speed. One
MB should be a good cap. You can also set the priority
to 7, which is the lowest. I’m not sure which takes precedence since you
already set a value in the QoS tab. Now, click the next box and set the
download values. At the bottom you can check the
“Enable Tracking Bandwidth Usage” box if it makes you happy. Click OK and you’re ready to go!
Step Four. You can now test your new policy out by going to a site like http://www.speakeasy.net/speedtest.
If you’ve done it right, your upload and download numbers should match
the numbers you set in your policy.
SonicWALL Bandwidth Management
Bandwidth management allows you to assign guaranteed and maximum bandwidth to
services and prioritize traffic on all WAN zones. Using access rules, bandwidth
management can be enabled on a per-interface basis. Packets belonging to a
bandwidth management enabled policy will be queued in the corresponding priority
queue before being sent on the bandwidth management-enabled WAN interface.
All other packets will be queued in the default queue and will be sent in a
First In and First Out (FIFO) manner (a storage method that retrieves the item
stored for the longest time).
How SonicWALL Bandwidth Management Works
SonicWALL bandwidth management can assign a portion of the available
bandwidth and a priority to each class of network traffic. Priorities
rank from 0 (zero), highest, to 7, lowest. Defining a class of traffic
that has 0 bandwidth allocated to it effectively blocks the traffic unless
there is no other traffic with higher priority on the network. The
packet classifier analyzes a packet when it arrives for its packet
protocol, source information, and destination information. It then assigns
the packet to a class queue where it waits to be processed. If the queue
is full, the packet is dropped. Normal retransmission of data ensures
that the packet is sent again.
Class queues are processed based on the amount of bandwidth allocated
(guaranteed and maximum), and the priority assigned to the class queue.
Within the class queue, packets are processed on a first-in, first-out
basis. When network traffic reaches the maximum allocated to the class,
packets from the next class in priority order are processed. Typically,
each class is allocated a portion of the available bandwidth,
and when that limit is reached, no more traffic for that particular class
is forwarded. But if there is available bandwidth on the network that
is not in use by a particular class, a class can temporarily borrow bandwidth
and send traffic until the maximum bandwidth allocated to the class is
reached. Spare bandwidth is allocated among the highest priority classes until
no more bandwidth is available or until all of those classes have reached
their maximum bandwidth. If this happens, the remainder of the bandwidth
is divided among the next priority classes. This process is repeated until
all of the available bandwidth is consumed.
If you create an access rule for outbound mail traffic (such as SMTP)
and enable bandwidth management with the following parameters:
- Guaranteed bandwidth of 20 percent
- Maximum bandwidth of 40 percent
- Priority of 0 (zero)
The outbound SMTP traffic is guaranteed 20 percent of the available
bandwidth and can get as much as 40 percent of available
bandwidth. If this is the only access rule using bandwidth management,
it has priority over all other access rules on the SonicWALL security
appliance. Other access rules use the remaining bandwidth (minus 20
percent of bandwidth, or greater than minus 20 percent and less than
minus 40 percent of bandwidth).
Access rules using bandwidth management have a higher priority than access rules
not using bandwidth management. Access rules without bandwidth management
are given lowest priority.
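The guarantee-then-borrow process described above, worked through as a small Python model. This is an added illustration, not SonicWALL code: the TrafficClass type, the allocate function, the 10,000 Kbps link and the Video and PublicWiFi figures are assumptions, as is the equal split of spare bandwidth between classes of the same priority. Only the SMTP numbers (20 percent, 40 percent, priority 0) come from the text.

```python
from dataclasses import dataclass

@dataclass
class TrafficClass:
    name: str
    priority: int      # 0 = highest, 7 = lowest
    guaranteed: float  # Kbps reserved for the class
    maximum: float     # Kbps ceiling, never exceeded
    demand: float      # Kbps the class is trying to send right now

def allocate(link_kbps, classes):
    """Return {class name: Kbps granted} for one scheduling snapshot."""
    # Pass 1: every class first receives its guarantee (or less if it needs less).
    alloc = {c.name: min(c.demand, c.guaranteed) for c in classes}
    spare = link_kbps - sum(alloc.values())
    # Pass 2: lend spare bandwidth one priority level at a time, highest first.
    for prio in sorted({c.priority for c in classes}):
        level = [c for c in classes if c.priority == prio]
        while spare > 1e-9:
            # A class can still borrow while it is below min(demand, maximum).
            hungry = [c for c in level
                      if min(c.demand, c.maximum) - alloc[c.name] > 1e-9]
            if not hungry:
                break
            share = spare / len(hungry)  # assumption: equal split within a level
            for c in hungry:
                give = min(share, min(c.demand, c.maximum) - alloc[c.name])
                alloc[c.name] += give
                spare -= give
    return alloc

# Constructed sample: 10,000 Kbps WAN link. SMTP uses the 20% / 40% / priority 0
# figures from the text; the other two classes are made up for illustration.
LINK_KBPS = 10_000

def sample_classes(smtp_demand):
    return [
        TrafficClass("SMTP", 0, 2_000, 4_000, smtp_demand),
        TrafficClass("Video", 1, 3_000, 8_000, 7_000),
        TrafficClass("PublicWiFi", 7, 500, 1_000, 5_000),
    ]

if __name__ == "__main__":
    for smtp_demand in (6_000, 0):  # mail burst, then mail idle
        print(smtp_demand, allocate(LINK_KBPS, sample_classes(smtp_demand)))
```

With mail busy, the guest class is held to its guarantee; with mail idle, it borrows only up to its maximum even though bandwidth is left over.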