MichaelBalack (Singapore) asked:
How to use traffic shaping on a firewall?

This is a FortiGate 80C firewall setup in a small clinic. We use 2 interfaces: WAN1 as untrusted and Switch (Internal) as trusted. Our Internet line is a 5 Mbps broadband. There is only one internal segment for both wired and wireless. There is one wireless AP deployed in the clinic for guest access. Besides this, the AP is also meant for staff handphone/laptop and other wireless device Internet access. IPs are allocated from an internal server.

Recently, we found high traffic on the Internet throughout the day. Most of this traffic resulted from anonymous/guest users. In view of this, we are thinking of "splitting" the traffic into 2. The first is the top-priority traffic, such as wired connections, wireless connections for fixed laptops/PCs, and staff handphones. The second is the lowest-priority traffic for guests via wireless. Does this mean I have to set up 2 different traffic shaping rules with 2 firewall rules? Please show step-by-step how to get this done.


thanks
Stolsie (United Kingdom):

Hi MichaelBalack

You would only need one rule for traffic shaping and possibly another for access, but that would just be so you can assign the traffic shaping policy.
First though, I would like to know a few things:
What AP are you using?
Do your guests get different IP addresses to those of your staff users?
MichaelBalack (asker):

Hi Stolsie,

Please see the answers:

What AP are you using?

ans: Cisco 1600 series

Do your guests get different IP addresses to that of your staff users?

ans: No, they get IP addresses from the same subnet
I would make sure guests get a different IP address to staff and your data network (have you put security in place?).
Then put in place QoS for your staff (do you have a VoIP solution? If so, the staff will need to be one point lower). You only have a 5Mb internet line anyway, so you wouldn't really want to throttle bandwidth.
I would then put an extended ACL in place on the guest network VLAN (vACL): I would block traffic to all internal services and clients and only allow traffic out to the internet on ports 53, 80 and 443 (53 only if you don't have internal DNS).
Is guest wireless access password protected?
Hi Greg,

Yes, AP access is password protected
ASKER CERTIFIED SOLUTION
MichaelBalack (Singapore)

If it is possible, increase the bandwidth into the office. 5 Mbps for a business serving smartphones and business machines is not enough.

If this is not possible, change the guest password and only give it to people that you know.
The suggestions and traffic shaping settings are working. In fact, after some monitoring, traffic for the different groups is behaving accordingly.