BWM for traffic from VPN to WAN

Hi!

Besides a few BWM rules that I already have in place in our ATP500 and VPN310, I would like to add a rule for all users connecting via VPN. I would like to restrict their bandwidth FROM the entire VPN zone TO the WAN interface. Therefore I've set up this rule:



Unfortunately, it doesn't work. The users who connect to the network via VPN have the full WAN bandwidth available, regardless of which Priority I choose in the section "Bandwidth Shaping". I somehow have the feeling that I messed up the Incoming Interface and the Outgoing Interface, but I can't figure out what I've done wrong.

What I need is a simple rule to limit the bandwidth from any VPN user to any outgoing WAN connection.

What did I do wrong? Any help is appreciated!
Chris

All Replies

  • Zyxel_James
    Zyxel_James Posts: 626  Zyxel Employee
    > Unfortunately, it doesn't work. The users who connect to the network via VPN have the full WAN bandwidth available, regardless of which Priority I choose in the section "Bandwidth Shaping".
    Changing priority won't affect the bandwidth. The device gives bandwidth to higher-priority traffic first, until it reaches its configured bandwidth rate, so if there is no other traffic with higher priority, the lower-priority traffic can get the full bandwidth.
    I suggest changing the outgoing/incoming interface and Source/Destination settings.
    Outgoing: any
    Incoming: any
    Source: RemoteAccess_L2TP_Wiz_CLIENT 192.168.50.1/24  (L2TP client subnet)
    Destination: any
    Guaranteed Bandwidth: Inbound/Outbound: 500 kbps
    This way the L2TP client will match the criteria while accessing the internet, and the traffic will then be limited.

    James
  • Christian78
    Hello @Zyxel_James

    Thank you very much! I will try this. But isn't it the case that with the config you suggested, the traffic to the local networks is limited then, too?
    But I will play around a bit with it. Maybe the combination of defining the Source as L2TP subnet clients with a Destination will do the trick.

    Thanks once again for your help!
    Christian
  • Zyxel_James
    edited January 2023
    Yes, based on my suggestion, the traffic from RemoteAccess_L2TP_Wiz_CLIENT to Any will be limited, which includes traffic to the local network. You may adjust the Destination according to your needs.
  • Christian78
    Hi James,

    Unfortunately, your first suggestion did not work either. There is no change in the behavior at all.

    Christian
  • Zyxel_James
    edited January 2023
    Hi Christian78,
    May I know how you test it? Also, please provide the topology of your network.
    You may also contact me via private message for further investigation, thanks.
