    Limiting Bandwidth

    • scottalanmillerS
      scottalanmiller @Dashrender
      last edited by

      @dashrender said in Limiting Bandwidth (Help me name this thread):

      @wirestyle22 said in Limiting Bandwidth (Help me name this thread):

      @dashrender said in Limiting Bandwidth (Help me name this thread):

      @wirestyle22 said in Limiting Bandwidth (Help me name this thread):

      @dashrender said in Limiting Bandwidth (Help me name this thread):

      @wirestyle22 said in Limiting Bandwidth (Help me name this thread):

      We have a client who wants VoIP but is maxing out their download capabilities due to streaming internet video. My co-worker wants to set up VLAN 1 for VoIP and VLAN 2 for everything else. VLAN 1 would be plugged into Port 1 on the Firewall, VLAN 2 would be plugged into Port 2 on the firewall. Then, from the firewall he wants to limit the amount of bandwidth VLAN 1 (everything but voip) can use in order to assure the customer that their phones will be functional.

      I'm hoping there is a better way to limit them without needing to use VLANs. This customer will not purchase any new hardware short of the phones themselves.

      Not sure this is possible. The incoming traffic will come from whatever random source as fast as that source can send it. You have no control.

      What I don't know is - if you limit connections like youtube to say 1 Mb total allowed, will that keep youtube from flooding your inbound pipe?

      My co-worker is saying it can, but I don't believe anything he says which is why I'm asking. Reminds me of QoS which is entirely within the LAN

      If he's saying it can, then that means he knows how to do it, right?

      He asked me what the best way to achieve this would be, but I have no idea what he's talking about. You can manage the 1 KB request to YouTube, but not the resulting download AFAIK

      Well, I think you can affect the download, but only once it reaches the firewall. Limit inbound from youtube to say 1 Mbps, but still at the start Youtube could flood you with 10 Mbps and the firewall would have packets stacking up, but I do believe that some form of return traffic to youtube must tell them to slow down/reduce quality (aka fewer packets or smaller ones) so things don't stack up..

      but you'd likely have to manage that for every site on the internet.

      Exactly, you can break it after it arrives, but only afterwards.

      1 Reply Last reply Reply Quote 1
      • DashrenderD
        Dashrender @scottalanmiller
        last edited by

        @scottalanmiller said in Limiting Bandwidth (Help me name this thread):

        @dashrender said in Limiting Bandwidth (Help me name this thread):

        @wirestyle22 said in Limiting Bandwidth (Help me name this thread):

        @dashrender said in Limiting Bandwidth (Help me name this thread):

        @wirestyle22 said in Limiting Bandwidth (Help me name this thread):

        We have a client who wants VoIP but is maxing out their download capabilities due to streaming internet video. My co-worker wants to set up VLAN 1 for VoIP and VLAN 2 for everything else. VLAN 1 would be plugged into Port 1 on the Firewall, VLAN 2 would be plugged into Port 2 on the firewall. Then, from the firewall he wants to limit the amount of bandwidth VLAN 1 (everything but voip) can use in order to assure the customer that their phones will be functional.

        I'm hoping there is a better way to limit them without needing to use VLANs. This customer will not purchase any new hardware short of the phones themselves.

        Not sure this is possible. The incoming traffic will come from whatever random source as fast as that source can send it. You have no control.

        What I don't know is - if you limit connections like youtube to say 1 Mb total allowed, will that keep youtube from flooding your inbound pipe?

        My co-worker is saying it can, but I don't believe anything he says which is why I'm asking. Reminds me of QoS which is entirely within the LAN

        If he's saying it can, then that means he knows how to do it, right?

        By definition, he'd have to.

        This is the whole thing - if he knows it can be done - then tell him to do it.. because as we all assumed from the beginning, you can't control what the upstream is sending you.

        1 Reply Last reply Reply Quote 0
        • scottalanmillerS
          scottalanmiller @wirestyle22
          last edited by

          @wirestyle22 said in Limiting Bandwidth (Help me name this thread):

          @dashrender said in Limiting Bandwidth (Help me name this thread):

          @wirestyle22 said in Limiting Bandwidth (Help me name this thread):

          @dashrender said in Limiting Bandwidth (Help me name this thread):

          @wirestyle22 said in Limiting Bandwidth (Help me name this thread):

          @dashrender said in Limiting Bandwidth (Help me name this thread):

          @wirestyle22 said in Limiting Bandwidth (Help me name this thread):

          We have a client who wants VoIP but is maxing out their download capabilities due to streaming internet video. My co-worker wants to set up VLAN 1 for VoIP and VLAN 2 for everything else. VLAN 1 would be plugged into Port 1 on the Firewall, VLAN 2 would be plugged into Port 2 on the firewall. Then, from the firewall he wants to limit the amount of bandwidth VLAN 1 (everything but voip) can use in order to assure the customer that their phones will be functional.

          I'm hoping there is a better way to limit them without needing to use VLANs. This customer will not purchase any new hardware short of the phones themselves.

          Not sure this is possible. The incoming traffic will come from whatever random source as fast as that source can send it. You have no control.

          What I don't know is - if you limit connections like youtube to say 1 Mb total allowed, will that keep youtube from flooding your inbound pipe?

          My co-worker is saying it can, but I don't believe anything he says which is why I'm asking. Reminds me of QoS which is entirely within the LAN

          If he's saying it can, then that means he knows how to do it, right?

          He asked me what the best way to achieve this would be, but I have no idea what he's talking about. You can manage the 1 KB request to YouTube, but not the resulting download AFAIK

          Well, I think you can affect the download, but only once it reaches the firewall. Limit inbound from youtube to say 1 Mbps, but still at the start Youtube could flood you with 10 Mbps and the firewall would have packets stacking up, but I do believe that some form of return traffic to youtube must tell them to slow down/reduce quality (aka fewer packets or smaller ones) so things don't stack up..

          but you'd likely have to manage that for every site on the internet.

          Yeah he's asking per device, not per website. He says it's possible but I've never seen it so I really don't know

          Why would he care about each device? That's just loads of manual work for no reason. Man, this guy LOVES his manual, pointless wasted effort.

          1 Reply Last reply Reply Quote 2
          • scottalanmillerS
            scottalanmiller @wirestyle22
            last edited by

            @wirestyle22 said in Limiting Bandwidth (Help me name this thread):

            I think Watchguard Firewalls have the ability to define maximum bandwidth as a rule, but I have not played with it enough to know how it functions and I was thinking that is only for the LAN itself.

            Sure, but that would just make things worse, not better. You can call your ISP and lower your speed if that's all you want.

            wirestyle22W 1 Reply Last reply Reply Quote 0
            • wirestyle22W
              wirestyle22 @scottalanmiller
              last edited by wirestyle22

              @scottalanmiller Totally agree that it doesn't make sense and did tell him that

              1 Reply Last reply Reply Quote 0
              • scottalanmillerS
                scottalanmiller @wirestyle22
                last edited by

                @wirestyle22 said in Limiting Bandwidth (Help me name this thread):

                @momurda I'm telling you what my co-worker told me which doesn't make a lot of sense to me. He wants to partition the switch for half the ports to be vlan 1 and half to be vlan 2 and then he wants to create interfaces on the firewall for each.

                The issue here is that his goal is to have VLANs, not to have VLANs for a purpose. He wants loads of extra work, that is manual, to drive up billing rates. That's all. There is nothing in what he is suggesting to support good networking or VoIP or anything of the sort. He's just trying to run the stock "VoIP network scam" that every reseller does.

                1 Reply Last reply Reply Quote 1
                • momurdaM
                  momurda @scottalanmiller
                  last edited by

                  @scottalanmiller So he is getting DDOS? Come on.
                  I can easily set the bandwidth on my external fw port to a value between 1 and 1000Mb/s, and whatever that limit is can't be exceeded. No device on the internal network will pull more than this from outside, ever. Not sure why anybody would want to do that as I said earlier, but it is possible.
                  I could even set the bandwidth max on an internal fw port to any of these values for the same effect.

                  DashrenderD scottalanmillerS 2 Replies Last reply Reply Quote 0
                  • RojoLocoR
                    RojoLoco
                    last edited by

                    I don't understand why "HEY USERS, STOP WATCHING YOUTUBE ALL DAY!!!!" isn't the obvious solution here. Your coworker wants to use tech to solve a people issue. No video streaming = no more bandwidth issues.

                    wirestyle22W DashrenderD 2 Replies Last reply Reply Quote 3
                    • DashrenderD
                      Dashrender @momurda
                      last edited by

                      @momurda said in Limiting Bandwidth (Help me name this thread):

                      @scottalanmiller So he is getting DDOS? Come on.
                      I can easily set the bandwidth on my external fw port to a value between 1 and 1000Mb/s, and whatever that limit is can't be exceeded. No device on the internal network will pull more than this from outside, ever. Not sure why anybody would want to do that as I said earlier, but it is possible.
                      I could even set the bandwidth max on an internal fw port to any of these values for the same effect.

                      Yes, it can be exceeded. The ISP could send 10,000 Mb/s down the pipe. Your firewall would just stop processing packets at whatever level you set.

                      momurdaM 1 Reply Last reply Reply Quote 1
                      • momurdaM
                        momurda @Dashrender
                        last edited by

                        @dashrender Unsolicited? Now you're talking about ddos, which is impossible under normal circumstances. Unless this is about hosting a voip conference call with 10000 users at once on a 10mb connection.

                        scottalanmillerS DashrenderD 2 Replies Last reply Reply Quote 0
                        • wirestyle22W
                          wirestyle22 @RojoLoco
                          last edited by

                          @rojoloco said in Limiting Bandwidth (Help me name this thread):

                          I don't understand why "HEY USERS, STOP WATCHING YOUTUBE ALL DAY!!!!" isn't the obvious solution here. Your coworker wants to use tech to solve a people issue. No video streaming = no more bandwidth issues.

                          I'm using youtube as an example, I have no idea what they are watching or on what platform. I just know it's not hosted by them and they access it over the WAN

                          DashrenderD RojoLocoR 2 Replies Last reply Reply Quote 0
                          • DashrenderD
                            Dashrender @RojoLoco
                            last edited by

                            @rojoloco said in Limiting Bandwidth (Help me name this thread):

                            I don't understand why "HEY USERS, STOP WATCHING YOUTUBE ALL DAY!!!!" isn't the obvious solution here. Your coworker wants to use tech to solve a people issue. No video streaming = no more bandwidth issues.

                            When we had a 10/10 connection this is exactly what we did. We disallowed all streaming because it frequently crippled our network.

                            1 Reply Last reply Reply Quote 0
                            • scottalanmillerS
                              scottalanmiller @momurda
                              last edited by

                              @momurda said in Limiting Bandwidth (Help me name this thread):

                              @scottalanmiller So he is getting DDOS? Come on.
                              I can easily set the bandwidth on my external fw port to a value between 1 and 1000Mb/s, and whatever that limit is can't be exceeded. No device on the internal network will pull more than this from outside, ever. Not sure why anybody would want to do that as I said earlier, but it is possible.
                              I could even set the bandwidth max on an internal fw port to any of these values for the same effect.

                              That's not how it works. You put that limit on the outside interface and the internal devices absolutely will pull more than that from it. Their ability to request more speed isn't affected by that limit. It will actually act like a DDoS attack, but obviously isn't really one.

                              The firewall has zero ability to influence the rate at which data arrives at it, normally that is limited far away at the other end of the WAN. If you add a limit on your firewall, the lack of packets making it back to devices will normally encourage their network stacks to start rate limiting based on the failures of packets to arrive, but nothing forces them to. The WAN will continue to get more traffic than the firewall is allowing through and the bottleneck will be moved from the far point of the network to the near one.

                              It can encourage internal devices to request data more slowly, but only sometimes and in no way creates the hard limit that you are imagining.

                              From an end point perspective, the traffic has been limited. From the WAN perspective, where it matters, it has not.

                              1 Reply Last reply Reply Quote 0
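
Added example, not part of any post in this thread: a toy Python model of the argument above, comparing a sender that backs off on loss with one that ignores loss when a firewall limit sits behind the WAN link. The 10 Mbps link, 4 Mbps firewall limit, sender names, starting rates and the halve-on-loss rule are all assumptions chosen for illustration.

```python
from dataclasses import dataclass

WAN_MBPS = 10.0       # assumed ISP link speed
FW_LIMIT_MBPS = 4.0   # assumed firewall cap on non-VoIP traffic


@dataclass
class Sender:
    name: str
    rate: float        # current send rate in Mbps
    responsive: bool   # True: reacts to loss like TCP (AIMD); False: ignores loss
    step: float = 0.5  # additive increase per tick when nothing was lost

    def react(self, lost: bool) -> None:
        if self.responsive:
            self.rate = self.rate / 2 if lost else self.rate + self.step


def simulate(senders, wan_mbps, fw_limit_mbps, ticks):
    """Return [(mbps_on_wan, mbps_passed_by_firewall), ...] per tick."""
    history = []
    for _ in range(ticks):
        offered = sum(s.rate for s in senders)
        on_wan = min(offered, wan_mbps)        # what actually occupies the link
        passed = min(on_wan, fw_limit_mbps)    # what the firewall lets through
        history.append((on_wan, passed))
        lost = passed < offered                # drops at the ISP or the firewall
        for s in senders:
            s.react(lost)
    return history


def summarize(history, wan_mbps, tail=20):
    last = history[-tail:]
    avg_wan = sum(w for w, _ in last) / len(last)
    avg_passed = sum(p for _, p in last) / len(last)
    return {
        "peak_wan": max(w for w, _ in history),
        "steady_wan": round(avg_wan, 2),
        "steady_passed": round(avg_passed, 2),
        "headroom_for_voip": round(wan_mbps - avg_wan, 2),
    }


def run_scenario(responsive: bool, ticks: int = 60):
    # Constructed senders: one stream that starts at full link speed and backs
    # off on loss, or one 8 Mbps stream that never backs off.
    if responsive:
        senders = [Sender("video-backs-off", rate=WAN_MBPS, responsive=True)]
    else:
        senders = [Sender("video-ignores-loss", rate=8.0, responsive=False)]
    return summarize(simulate(senders, WAN_MBPS, FW_LIMIT_MBPS, ticks), WAN_MBPS)


if __name__ == "__main__":
    for label, flag in (("backs off on loss", True), ("ignores loss", False)):
        print(label, run_scenario(flag))
```

In the first scenario the link is briefly saturated and then settles near the firewall limit because the sender chose to slow down; in the second the firewall still passes only 4 Mbps while the link keeps carrying 8 Mbps.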
                              • scottalanmillerS
                                scottalanmiller @momurda
                                last edited by

                                @momurda said in Limiting Bandwidth (Help me name this thread):

                                @dashrender Unsolicited? Now you're talking about ddos, which is impossible under normal circumstances. Unless this is about hosting a voip conference call with 10000 users at once on a 10mb connection.

                                It's solicited. That's the problem. People request a YouTube video, YouTube sends the stream. And will often do so higher than your firewall limit.

                                1 Reply Last reply Reply Quote 1
                                • DashrenderD
                                  Dashrender @momurda
                                  last edited by

                                  @momurda said in Limiting Bandwidth (Help me name this thread):

                                  @dashrender Unsolicited? Now you're talking about ddos, which is impossible under normal circumstances. Unless this is about hosting a voip conference call with 10000 users at once on a 10mb connection.

                                  But it's not unsolicited. The users are streaming. For example, Netflix will keep sending more and more packets until they stop getting the needed responses or it maxes out the speed needed for a given resolution - it's part of their auto resolution solution. If you have a crappy internet connection, you get a crappy looking video, if you have a fast internet connection, you get good looking video.

                                  Now yes, if you limit it, and allow the VOIP traffic to not be limited, then you will have that always open head room - but then you should look at Scott's video and he explains why this is bad.

                                  1 Reply Last reply Reply Quote 1
                                  • DashrenderD
                                    Dashrender @wirestyle22
                                    last edited by

                                    @wirestyle22 said in Limiting Bandwidth (Help me name this thread):

                                    @rojoloco said in Limiting Bandwidth (Help me name this thread):

                                    I don't understand why "HEY USERS, STOP WATCHING YOUTUBE ALL DAY!!!!" isn't the obvious solution here. Your coworker wants to use tech to solve a people issue. No video streaming = no more bandwidth issues.

                                    I'm using youtube as an example, I have no idea what they are watching or on what platform. I just know it's not hosted by them and they access it over the WAN

                                    His point was - when people complain (or logging servers send alerts about issues) you look at who and what is happening and tell those people to knock it off.

                                    wirestyle22W 1 Reply Last reply Reply Quote 0
                                    • wirestyle22W
                                      wirestyle22 @Dashrender
                                      last edited by

                                      @dashrender said in Limiting Bandwidth (Help me name this thread):

                                      @wirestyle22 said in Limiting Bandwidth (Help me name this thread):

                                      @rojoloco said in Limiting Bandwidth (Help me name this thread):

                                      I don't understand why "HEY USERS, STOP WATCHING YOUTUBE ALL DAY!!!!" isn't the obvious solution here. Your coworker wants to use tech to solve a people issue. No video streaming = no more bandwidth issues.

                                      I'm using youtube as an example, I have no idea what they are watching or on what platform. I just know it's not hosted by them and they access it over the WAN

                                      His point was - when people complain (or logging servers send alerts about issues) you look at who and what is happening and tell those people to knock it off.

                                      I have been told it's for business purposes. It's a foster care non-profit so I have no idea how or why, but let's assume they are right for now

                                      DashrenderD RojoLocoR scottalanmillerS 3 Replies Last reply Reply Quote 0
                                      • RojoLocoR
                                        RojoLoco @wirestyle22
                                        last edited by

                                        @wirestyle22 said in Limiting Bandwidth (Help me name this thread):

                                        @rojoloco said in Limiting Bandwidth (Help me name this thread):

                                        I don't understand why "HEY USERS, STOP WATCHING YOUTUBE ALL DAY!!!!" isn't the obvious solution here. Your coworker wants to use tech to solve a people issue. No video streaming = no more bandwidth issues.

                                        I'm using youtube as an example, I have no idea what they are watching or on what platform. I just know it's not hosted by them and they access it over the WAN

                                        Do they actually need it for some work related thing? If not, block that shit and put a no streaming policy in place. If they do actually need it, I have no idea how to solve the problem.

                                        scottalanmillerS 1 Reply Last reply Reply Quote 3
                                        • DashrenderD
                                          Dashrender @wirestyle22
                                          last edited by

                                          @wirestyle22 said in Limiting Bandwidth (Help me name this thread):

                                          @dashrender said in Limiting Bandwidth (Help me name this thread):

                                          @wirestyle22 said in Limiting Bandwidth (Help me name this thread):

                                          @rojoloco said in Limiting Bandwidth (Help me name this thread):

                                          I don't understand why "HEY USERS, STOP WATCHING YOUTUBE ALL DAY!!!!" isn't the obvious solution here. Your coworker wants to use tech to solve a people issue. No video streaming = no more bandwidth issues.

                                          I'm using youtube as an example, I have no idea what they are watching or on what platform. I just know it's not hosted by them and they access it over the WAN

                                          His point was - when people complain (or logging servers send alerts about issues) you look at who and what is happening and tell those people to knock it off.

                                          I have been told it's for business purposes. It's a foster care non-profit so I have no idea how or why, but let's assume they are right for now

                                          Then you simply need more bandwidth. That's it. That's the only correct answer.

                                          1 Reply Last reply Reply Quote 4
                                          • wirestyle22W
                                            wirestyle22
                                            last edited by

                                            I'm glad it's not just me but this is why I ask. I already came to the correct conclusion for once. Thanks guys

                                            1 Reply Last reply Reply Quote 2