MichaelBalack
asked on
How to use traffic shaping on firewall?
This is a FortiGate 80C firewall setup in a small clinic. We used 2 interfaces, WAN1 as untrusted and Switch (Internal) as trusted. Our Internet line is a 5 Mbps broadband. There is only one internal segment for both wired and wireless. There is one wireless AP deployed in the clinic for guest access. Besides this, this AP is also meant for staff handphones/laptops and other wireless devices' Internet access. IPs are allocated from an internal server.
Recently, we found high traffic on the Internet throughout the day. Most of this traffic resulted from anonymous/guest users. In view of this, we are thinking of "splitting" this traffic into 2. The first one being the top-priority traffic, such as wired connections, wireless connections for fixed laptops/PCs, and staff handphones. The second being the lowest-priority traffic for guests via wireless. Does this mean I have to set up 2 different traffic shaping rules with 2 firewall rules? Please show step-by-step how to get this done.
Thanks
ASKER
Hi Stolsie,
Please see the answers:
What AP are you using?
ans: Cisco 1600 series
Do your guests get different IP addresses to that of your staff users?
ans: No, they get the same subnet IP addresses
I would make sure guests get a different IP address range to staff and your data network (have you put security in place?).
Then put in place QoS for your staff (do you have a VoIP solution? The staff will need to be one point lower). You only have a 5 Mb internet line anyway, so you wouldn't really want to throttle bandwidth.
I would then put an extended ACL in place on the guest network VLAN (vACL). I would block traffic to all internal services and clients and only allow traffic out to the internet on ports 53, 80 and 443 (53 only if you don't have internal DNS).
Is guest wireless access password protected?
ASKER
Hi Greg,
Yes, AP access is password protected.
ASKER CERTIFIED SOLUTION
If it is possible, increase the bandwidth into the office. 5 Mbps for a business serving smartphones and business machines is not enough.
If this is not possible, change the guest password and only give it to people that you know.
ASKER
The suggestions and traffic shaping settings are working. In fact, after some monitoring, traffic for the different groups is working accordingly.
You would only need one rule for traffic shaping and possibly another for access but that would just be so you can assign the traffic shaping policy.
First, though, I would like to know a few things:
What AP are you using?
Do your guests get different IP addresses to that of your staff users?
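As an added example, not posted by anyone in this thread, the following FortiOS CLI fragment implements the layout the replies above describe: guests moved onto their own VLAN and subnet, one shaper per group, and two firewall policies that carry the shapers, with the guest policy allowed out only for DNS, HTTP and HTTPS. It assumes FortiOS 5.x CLI syntax on the 80C's "internal" and "wan1" interfaces; the VLAN ID, subnets, object names and bandwidth figures are placeholders chosen for illustration, and bandwidths are in kbit/s.

```fortios
# Constructed example: guest VLAN on the internal switch port group.
# VLAN ID and addressing are placeholders; pick ones free in the clinic.
config system interface
    edit "guest-vlan"
        set vdom "root"
        set ip 192.168.20.1 255.255.255.0
        set allowaccess ping
        set interface "internal"
        set vlanid 20
    next
end

# Address objects for the two groups (placeholder subnets).
config firewall address
    edit "staff-net"
        set subnet 192.168.10.0 255.255.255.0
    next
    edit "guest-net"
        set subnet 192.168.20.0 255.255.255.0
    next
end

# Shared shapers (per-policy left disabled, so each shaper is one pool
# for every session that matches the policy using it). Values are kbit/s
# and sized for a 5 Mbit/s line: staff keeps a guaranteed 3 Mbit/s and
# may use the whole line; guests get a small guarantee and a low cap.
config firewall shaper traffic-shaper
    edit "staff-high"
        set guaranteed-bandwidth 3000
        set maximum-bandwidth 5000
        set priority high
    next
    edit "guest-low"
        set guaranteed-bandwidth 256
        set maximum-bandwidth 1500
        set priority low
    next
end

# Policy 1: staff segment to the Internet, any service, high priority shaper.
# Policy 2: guest VLAN to the Internet, DNS/HTTP/HTTPS only, low priority shaper.
# No policy exists from guest-vlan to internal, so guest-to-LAN traffic
# falls to the implicit deny; this is the FortiGate equivalent of the vACL.
# The reverse shaper applies the same limits to the download direction,
# which is where guest traffic usually hurts.
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "staff-net"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set traffic-shaper "staff-high"
        set traffic-shaper-reverse "staff-high"
    next
    edit 2
        set srcintf "guest-vlan"
        set dstintf "wan1"
        set srcaddr "guest-net"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "DNS" "HTTP" "HTTPS"
        set nat enable
        set traffic-shaper "guest-low"
        set traffic-shaper-reverse "guest-low"
    next
end
```

The separate VLAN is what makes the split enforceable: while guests and staff share one subnet, as the asker reported, a policy cannot tell them apart, and any shaper would apply to both. Once the AP tags guest clients onto the guest VLAN, the two policies match by source interface and subnet, and the ordering (staff policy first) plus the implicit deny keep guests off the internal LAN without a separate ACL. Drop the "DNS" service from policy 2 if guests are given an internal resolver, as the reply above suggests.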