Status
Not open for further replies.

Bandwidth Control

Tags
network
3K views 15 replies 4 participants last post by plodr
#1 ·
I own a net cafe. It has 24 systems assigned static IPs from 192.168.1.101 - 192.168.1.124. There are 4 DSL lines, each connected to a TP-Link TD8816 router, and all four routers are connected to a TP-Link TL-R470T+ load balancer, which is in turn connected to a D-Link 24 port switch. The total network speed is 16Mbps, which is around 2 MBps. When a customer uses a download manager in 1 cabin he takes up all available bandwidth. Is there any way to limit the download speed to 3 Mbps, i.e. 400KBps, for all systems?
 
#2 ·
I would recommend two solutions:
1. Check the "bandwidth control" and QoS features in your TL-R470T+ load balancer router.
2. Enable "port mirror" in the switch settings of the TL-R470T+, then you can deploy a passive internet filter product (i.e. WFilter Enterprise) on the mirroring port to monitor and block IDM connections.
 
#5 ·
Per gargoyle's suggestion, yes, the use of traffic control/bandwidth control in your TP-Link load balancer can accomplish what you're looking to do, based on the user's guide on TP-Link's website. You'll have to create individual "user" definitions to correspond to each terminal you have, by individual IP. From what I see you'll also need to create a unique group for each "user" you create, as it looks like the configuration page for bandwidth control doesn't allow rules to be applied on a per-user basis.

Per gargoyle's suggestion about port mirroring, no, this won't work to deploy a passive internet filter, or any internet filter for that matter. Port mirroring or port spanning is a feature by which you select a specific port whose network traffic is copied and sent to another port on the device. This is done to take packet captures to analyze the network traffic at a specific point on your network, typically to diagnose something or to audit the network for security purposes. However, port mirroring doesn't allow a device to act on something it sees on your network, as the way port mirroring is structured won't allow this.

If you want to add some sort of filtering, you need a content filtering device which can be inserted between your load balancer and the D-Link network switch. The best deployment model for this content filtering device is to act as a "bump" in the wire, where layer 2 traffic can pass through without noticing there is an actual device in the network path between the load balancer and switch. Once the content filtering device sees network traffic not authorized by the policies you set, it will block it. The better solution is to have a firewall/router with built-in content filtering support which pulls down database information from a service to keep its profile list up to date. The profile list/database contains information on various web sites in categories, so you can just set policies based on category. For instance, you can set a policy which blocks social media and porn web sites. And that will be the extent of the configuration.

The load balancer you have has a very basic filter that acts on URLs. To capture all combinations of URLs that correspond to a category of web site you want to block is pretty much impossible, and to keep that filter rule(s) up to date is impossible. Other firewalls/routers have a feature to utilize a content filtering server you run on your network. The web traffic hits the firewall/router and, before the firewall/router forwards the traffic on to the Internet, it sends the web traffic to this content filtering server. The server inspects the packet and checks the policies set on the server. It will then respond yes (forward the traffic) or no (don't forward). Both deployment models will send a reply message to the terminal with a web page saying their web session was blocked due to violating usage policy. I've deployed both and can attest it works well.
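An added example (not from any poster in this thread) of what a mirror port does make possible, monitoring rather than blocking: constructed flow samples, as a capture box on the mirror port might see them, are aggregated per terminal so a host pulling more than the 400 KB/s target discussed here can be flagged. The sample records and the 192.168.1.101-124 address set come from the thread; the record layout is an assumption.

```python
from collections import defaultdict

# Constructed flow samples: (second, src_ip, dst_ip, bytes). The host
# 192.168.1.105 is running one large download; the rest is light browsing.
SAMPLES = [
    (0, "93.184.216.34", "192.168.1.101", 120_000),
    (0, "203.0.113.10", "192.168.1.105", 900_000),
    (1, "203.0.113.10", "192.168.1.105", 1_100_000),
    (1, "198.51.100.7", "192.168.1.110", 60_000),
    (2, "203.0.113.10", "192.168.1.105", 450_000),
    (2, "93.184.216.34", "192.168.1.101", 30_000),
    (2, "192.168.1.101", "93.184.216.34", 5_000),   # upload, not counted
]

# The 24 static IPs of the cafe terminals, and the 400 KB/s per-terminal target.
CAFE_HOSTS = {f"192.168.1.{i}" for i in range(101, 125)}
LIMIT_BYTES_PER_SEC = 400 * 1024


def download_bytes_per_second(samples, hosts=CAFE_HOSTS):
    """Sum bytes flowing *toward* each terminal (downloads) per one-second window.

    Returns {host: {second: bytes}}. Traffic sourced by a terminal (uploads)
    is ignored, since the thread's concern is download hogs only.
    """
    totals = defaultdict(lambda: defaultdict(int))
    for second, src, dst, nbytes in samples:
        if dst in hosts:
            totals[dst][second] += nbytes
    return totals


def hosts_over_limit(samples, limit=LIMIT_BYTES_PER_SEC):
    """Return {host: peak_bytes_per_second} for terminals that exceeded the limit
    in at least one window. An empty dict means nobody is hogging the link."""
    over = {}
    for host, per_second in download_bytes_per_second(samples).items():
        peak = max(per_second.values())
        if peak > limit:
            over[host] = peak
    return over


if __name__ == "__main__":
    for host, peak in hosts_over_limit(SAMPLES).items():
        print(f"{host}: peak {peak / 1024:.0f} KB/s exceeds {LIMIT_BYTES_PER_SEC // 1024} KB/s")
```

The script only reports; as the post above explains, acting on what the mirror port shows (blocking or shaping) has to happen at the load balancer or an inline device.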
 
#6 ·
I am sure a pass-by internet filter can also filter internet traffic on a mirroring port. The trick is to send RST packets to kill TCP connections, and it can also send a denial page to clients.
This technique is widely used, for example: Websense, WFilter...
The only shortcoming of a pass-by filter is that it can not block UDP traffic.
 
#7 ·
Explain to me how a mirrored port setup would work when the function of a mirrored port is to just copy traffic (either ingress or egress or both) from the parent port to the mirrored port? The mirrored port is not capable of moving traffic the other way. I have never seen any network device with port mirroring functionality do this. If you have, name it. Even the TP-Link manual for the load balancer says the same thing.

Plus I know how systems like Websense work. I have actually deployed a Websense server in conjunction with a Cisco PIX 515E in a real corporate environment. And what you're saying is NOT how it works in that setup, which is also how other firewalls operate which leverage an external content filtering server.
 
#8 ·
A pass-by filter listens on the mirrored port; when it detects a connection that needs to be blocked, it will send an RST packet to the source IP to kill this connection. This is how it works. A pass-by filter does not move packets, it just breaks the connections.

Websense can work with Cisco PIX via some API or protocol (called "integrated mode"). However, it also can be deployed in pass-by mode on a mirroring port (this is called "stand-alone software deployment"). Please check the "standalone deployments" section: https://www.websense.com/content/support/library/web/v75/wws_deploy_guide/WWS Deployment Guide.pdf
 
#9 ·
Looking at the Websense guide you've linked, it discusses on page 45 the topic we're talking about here. It references your suggested deployment topology of using a SPAN or mirrored port to insert the Websense device. The user's guide states this is only valid if the port mirroring support on the switch supports bidirectional network traffic. Looking at the TP-Link user's guide, there is no reference that it supports this. In this situation, it's necessary to add a second NIC to the Websense device to do the blocking.
 
#11 ·
Would you provide the command for IOS that changes the behavior of the destination port to allow it to egress traffic to the source port? The only settings I'm aware of for ingress and egress relate to the flow of traffic at the source port and whether that data is mirrored to the destination.

Have you personally tried mirroring ports on the TP-Link load balancer in question and verified bidirectional traffic between the source and destination ports? I went back and looked at the documentation and there is no mention of it supporting bidirectional communication.
 
#12 ·
"Ingress" is not targeted to a port. For example, on a Cisco 2950:

monitor session 1 source interface Fa0/23
monitor session 1 destination interface Fa0/22 ingress vlan 1


"ingress vlan 1" means the destination interface can send traffic to "vlan 1".

For TP-Link, I've set up various TP-Link routers/switches before. All the settings are done via the web UI. There is no option to enable "bidirectional" because it's bidirectional by default and can not be changed.
 
#13 ·
I waited to respond to your post as I was digging through various configuration guides to get a better explanation of the ingress parameter with the SPAN configuration line setting up the destination port. Depending on how you read the explanations, it would follow my way of looking at the command which is there is no forwarding of any traffic ingressing from a device connected to the destination port. But if you read it a different way, it follows what you think it does.

So today, I contacted a friend that actually works at Cisco for an explanation of what is going on with the commands in question here. He said the ingress command that is part of the destination config line is only to accept additional traffic from vlan 1, per your example. He said the destination port is not bidirectional and can only egress traffic mirrored from source ports.

To know for sure, if I get around to it, I'll try setting up a set of SPAN ports based off the configuration you've listed above on either my 2960G, 3560E, or Nexus 5010. I can't test your statements concerning TP-Link supporting bidirectional traffic flows between source and destination ports, as I don't own any TP-Link gear. But again, from what I've seen, I haven't run across any managed switches which support bidirectional traffic flows between source and destination ports in a port mirroring/SPAN configuration, which is also the same thing my friend at Cisco said.
 
#15 ·
Sorry to disturb you guys, but I have a problem. If I activate application optimized routing in bandwidth control, the speeds are shared based on the number of users present: if only 2 persons are connected to the internet the speeds are as high as they can be, but if 10 persons use the net the speed is optimized. If I activate bandwidth balanced routing, the speeds are halved for every new user, but the problem is the upload speed is also halved, meaning a 3Mbps upload speed is halved for every new connection, so that no web pages open because of the low upload speed. I tried everything with traffic control but nothing works, the speeds are not controlled. Is there any way I can control only the download speed but not the upload speed?
 