Bandwidth Control


Re: Bandwidth Control

Postby Alen » Dec 16 09 1:17 am

I read again your post and mentioned this:
adrien wrote:But it does have access to the packets travelling between the WinGate computer and any other computer, e.g. a client computer and a proxy, or the proxy and the internet. So it can be used to control bandwidth for proxy traffic, intercepted traffic, or traffic from the WinGate computer to any other computer.

So is it possible to limit the speed of clients Internet connections without limiting, in fact, the Wingate 2 LAN connection speed?
Alen
WinGate Master
 
Posts: 217
Joined: Sep 21 09 7:50 pm

Re: Bandwidth Control

Postby Alen » Dec 17 09 2:16 am

Adrien,

I tried with "Apply traffic to/from local machine" option activated, and even without speed limit (just medium priority for all clients) it makes too much inconvenience to me. For example, GK from remote PC can't work, when it is only 4 client PCs connected to Wingate (i.e. Internet through Wingate). It's strange, as there were no speed limits, but it is the fact.
As a result I switched the option off again.

So I extremely need a method of limiting bandwidth of clients connections to Internet regardless of the connection method: NAT or Proxy.
For example, if we set 10KB/sec speed limit for all, then the integral (i.e. NAT + Proxy + WGIC) maximum speed for each user should be limited by 10KB/sec. How could this be done?
Alen
WinGate Master
 
Posts: 217
Joined: Sep 21 09 7:50 pm

Re: Bandwidth Control

Postby Alen » Dec 22 09 7:34 pm

Dear Adrien,

I am still waiting for some info from you.
Alen
WinGate Master
 
Posts: 217
Joined: Sep 21 09 7:50 pm

Re: Bandwidth Control

Postby Alen » Jan 11 10 10:24 pm

Logan, please tell Adrien that I am packing my luggage and preparing to visit New Zealand to get answer on my question. ;-)
Alen
WinGate Master
 
Posts: 217
Joined: Sep 21 09 7:50 pm

Re: Bandwidth Control

Postby Alen » Mar 22 10 2:15 am

Alen wrote:
I extremely need a method of limiting bandwidth of clients connections to Internet regardless of the connection method: NAT or Proxy.
For example, if we set 10KB/sec speed limit for all, then the integral (i.e. NAT + Proxy + WGIC) maximum speed for each user should be limited by 10KB/sec. How could this be done?


It's 3 months already I am using a single restriction with Medium priority and 120kbits limit together with an individual rule for each user ip with "Apply traffic to/from local machine" and "Rule is bidirectional" (for host ip to any ip) options. It looks like I reached my target!? No more complaints from users when someone is downloading something large.
I don't know why it did not work when I tried first time and got problems with non-functional remotely started Gatekeeper...

The only question I still have is: is it necessary to use individual rules for each user ip?
And could my old problems appear because I used (I don't remember this for sure) only one rule with my whole subnetwork as a source (i.e. 192.168.0.0 mask 255.255.255.0)?!
Alen
WinGate Master
 
Posts: 217
Joined: Sep 21 09 7:50 pm

Re: Bandwidth Control

Postby adrien » Mar 23 10 1:06 pm

Hi Alen

Apologies again for very late response to this. You're welcome to come down to New Zealand if you like though, we'll look after you!

The key thing to remember with bandwidth control in WinGate, is that the restriction you define effectively defines a resource. Think of it like a piece of pie. It's a certain size.

If you create a rule that associates traffic with that resource, then the resource is shared amongst all traffic that matches the rule.

So if you have a rule that associates traffic from multiple users with a single restriction (resource), then all the users share that bandwidth.

In this case, it's not really designed to allocate bandwidth per user (which I know people want - we're looking into ways to do this).

So to get around it, you'd need to create a restriction per user and a rule per user to assign that user's traffic to that restriction, which it sounds like is what you did.
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland

Re: Bandwidth Control

Postby Alen » Mar 23 10 8:02 pm

Oh-h, sometimes it is very difficult to understand you. You are trying to explain more than people ask (like my grandpa did, and now I do the same ;-)) and make them confused.

Ok, let's suppose I can't understand anything. Very stupid customer.
Just instruct me what should I do in BC options to have the following result (or as near to it as is possible with Wingate 6.x):
Limit the total bandwidth of client's connections to Internet regardless of the connection method: NAT or Proxy or their simultaneous usage.


For example, I have Internet connection with 1024kbit\sec bandwidth, I have 25 users and in average only 10 of them are using Internet concurrently. I want to limit each user's total bandwidth usage (regardless of his connection method or methods, what he is doing, etc.) to 128kbit/sec. How could this be done?
Alen
WinGate Master
 
Posts: 217
Joined: Sep 21 09 7:50 pm

Re: Bandwidth Control

Postby adrien » Mar 23 10 8:09 pm

Hi

I guess I should have just answered the question you asked :).

In response to "do I need to create a rule for each client IP", the answer is yes, and furthermore you need to create a restriction for every client IP as well.

Rules are only used for choosing which piece of pie a user is sharing. If you want each user to have their own piece of pie, you need to define each piece, and define the rule that assigns that piece to only that user.

So say for 10 users.

restriction 1: 128kbps
restriction 2: 128kbps
restriction 3: 128kbps
restriction 4: 128kbps
restriction 5: 128kbps
restriction 6: 128kbps
restriction 7: 128kbps
restriction 8: 128kbps
restriction 9: 128kbps
restriction 10: 128kbps

rule 1: traffic to/from clientip1 uses restriction1
rule 2: traffic to/from clientip2 uses restriction2
rule 3: traffic to/from clientip3 uses restriction3
rule 4: traffic to/from clientip4 uses restriction4
rule 5: traffic to/from clientip5 uses restriction5
rule 6: traffic to/from clientip6 uses restriction6
rule 7: traffic to/from clientip7 uses restriction7
rule 8: traffic to/from clientip8 uses restriction8
rule 9: traffic to/from clientip9 uses restriction9
rule 10: traffic to/from clientip10 uses restriction10

It's painful sorry.

the best way to limit all traffic for a client, is by matching on the client IP. That will get everything, including proxy, NAT etc. So the rule would specify the source as the client IP, bidirectional (so affects connections to or from client IP).

Adrien
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland

Re: Bandwidth Control

Postby Alen » Mar 23 10 9:19 pm

adrien wrote:It's painful sorry.

O-oh yes.
Do you change this in v7?

adrien wrote:the best way to limit all traffic for a client, is by matching on the client IP. That will get everything, including proxy, NAT etc. So the rule would specify the source as the client IP, bidirectional (so affects connections to or from client IP).

Yes, I made it by ip.

Well, as I said for now it's 3 months already I am using a single restriction with Medium priority and 120kbits limit together with an individual rule for each user ip with "Apply traffic to/from local machine" and "Rule is bidirectional" options.
And it looks like it is working quite good. I am not sure if it is working fully as wanted, but at least there are no more complaints from users when some of them are downloading something large.

Adrien, are you sure we need an individual restriction for each user? I can't see any purport in it.
I understand the rule gives each "rule addressee" (a user or a group of users) his\their part of bandwidth, but restriction is just "the way to say" what is the volume of the restriction. Why should one repeat it for each addressee?!
Please clarify that it is indeed necessary to create personal restrictions per user when the restrictions are supposed to be the same for all. I just don't believe this...
Alen
WinGate Master
 
Posts: 217
Joined: Sep 21 09 7:50 pm

Re: Bandwidth Control

Postby Alen » Mar 23 10 9:33 pm

adrien wrote:Rules are only used for choosing which piece of pie a user is sharing. If you want each user to have their own piece of pie, you need to define each piece, and define the rule that assigns that piece to only that user.

I reread your post and just realised that in case this is true (I mean if each piece of pie is "named" and dedicated by restriction), then all of my ~ 35 users (~10 concurrent) are using the same 120kbit/sec piece of bandwidth, which had to be just awful.
Besides, I am almost constantly downloading and see download speed is ~ 12-13KB\sec ~ 100-110kbit/sec - almost the whole dedicated bandwidth. And that means other users are getting almost nothing, but this is not true. They can also download by the same speed.

No, Adrien, you are definitely wrong, if one needs to divide bandwidth equally among all users he needs just one desired restriction and individual rule for each user. And that is effective for NAT connection method only (as I remember).
If in addition the one wants the restriction to be effective for all types of connection methods he must also activate "Apply traffic to/from local machine" or/and (?) "Rule is bidirectional" options.
This is my verdict.

P.S. I wonder: is any meaning in "Rule is bidirectional" option if "Apply traffic to/from local machine" is activated?
Alen
WinGate Master
 
Posts: 217
Joined: Sep 21 09 7:50 pm

Re: Bandwidth Control

Postby adrien » Mar 23 10 11:55 pm

Hi

I'll have to check through the code to see about how restrictions are shared, or if there is any other possible explanation for what you are seeing.

bidirectional simply affects how a rule is matched. Matching of rules only is performed on a new connection. So, the first packet of a connection is examined against the rules. Bidirectional matching means it will match either source or dest, rather than just source or just dest. So this is an independent issue of whether local traffic (to / from firewall itself) is counted. However if the clients are using proxy, you definitely want this option selected (local traffic). So yes, you are correct both these options need to be on.

Adrien
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland

Re: Bandwidth Control

Postby Alen » Mar 24 10 12:25 am

adrien wrote:I'll have to check through the code to see about how restrictions are shared, or if there is any other possible explanation for what you are seeing.

Please.


adrien wrote:bidirectional simply affects how a rule is matched. Matching of rules only is performed on a new connection. So, the first packet of a connection is examined against the rules. Bidirectional matching means it will match either source or dest, rather than just source or just dest. So this is an independent issue of whether local traffic (to / from firewall itself) is counted. However if the clients are using proxy, you definitely want this option selected (local traffic). So yes, you are correct both these options need to be on.

Not fully clear yet. Let's try to speak on a more simple way.

As I can understand by its name "Apply traffic to/from local machine" affects to all traffic from the client PC and to the client PC to\from Wingate machine, which means both download and upload speeds are limited. But limited on the segment between the client PC and Wingate. Is this correct? (in fact it is not completely correct, but please read the whole post before answering)
"Rule is bidirectional" option, as I can understand, is making restriction on Wingate itself and it is effective for the traffic between Wingate and Internet, for both download and upload speeds.

If yes, then
- when only first option ("Apply traffic to/from local machine") is activated it will also influence on the speed between Wingate and Internet, because the client PC will transfer or receive traffic with the limited speed to\from Wingate, thus totally restricting upload traffic (because Wingate could not send the same data faster than receive it) and partially, not correctly, restraining download speed from Internet to Wingate.
- when only second option is used it fully and correctly restricts download speed (as Wingate could not send downloaded data to client PC faster than receive it), but partially, not correctly, restrains upload speed because Wingate will receive data from the client faster than it has to send to Internet.

And if we want to achieve 2 targets: correctly restrict both download and upload traffic speeds and apply restriction to all connection methods at whole, then we have to activate both options.

Is this nearly correct. If not, can you please give me somewhat similar explanation.
Alen
WinGate Master
 
Posts: 217
Joined: Sep 21 09 7:50 pm

Re: Bandwidth Control

Postby adrien » Mar 24 10 1:18 am

I checked the code. There's only one copy of each restriction, and all rules assigned to it refer to it.

So all traffic matching a rule will share the same single restriction.

So, if you are seeing more bandwidth, then this would imply that the rule isn't being applied for some reason.

As for the explanation of to/from local machine here it is.

WinGate gets different indications of packets from NDIS depending on whether the packet is indicated by a miniport (incoming from a NIC), or sent by a protocol (going out a NIC). These different indications go into different handler functions, since the requirements are somewhat different.

The setting whether traffic applies to traffic to/from the WinGate machine merely controls whether traffic sent by a protocol (outbound to a NIC) should be controlled. This doesn't differentiate on whether the traffic is outbound to the LAN or WAN - purely if the host OS is sending the packet rather than receiving one.

When a client is configured to use a proxy, it connects to the proxy, so the SYN packet has the destination address of the WinGate server. Since this is the first packet in the connection (which is the only packet we check bandwidth rules for) and since it is to the WinGate server, unless the "apply to traffic to/from the local machine" option is set, the rule will not apply. So if you want to control proxy traffic this option must be set.

When the proxy makes a connection outbound to a server, this is also a local connection as far as bandwidth control is concerned.

Whether a bandwidth rule with "apply to traffic to/from the local machine" set will apply to any particular traffic, then depends on which IPs/ports you set in the rule, since we still must match on these as well.

Hope this answers the question.
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland

Re: Bandwidth Control

Postby adrien » Mar 24 10 1:35 am

a key thing to remember is the rules are not checked for every packet.

We maintain a connection entry for each connection (TCP and UDP and ICMP - UDP and ICMP are simulated connections with timeouts etc).

This connection entry stores things like which next hop MAC and interface to use. And which bandwidth rule to use.

The settings in the connection entry are initialised when we first receive a packet that is not part of any known existing connection - a new connection.

So it's only the initial packet which is inspected for matching bandwidth rules.

This packet might be NATed out to somewhere, or intercepted up the stack. But changes to the addresses happen after the rule is looked up, so the rule must match the packet actually received by WinGate (not the altered packet) in order to apply.

So consider 2 cases.

1. A client makes a NAT connection to www.wingate.com
2. A client makes a proxy connection to www.wingate.com

in case 1, the SYN packet received by WinGate will contain the destination address 210.55.214.36
in case 2, the SYN packet received by WinGate will contain the destination address 192.168.0.1, and a subsequent connection made will contain destination address 210.55.214.36 (but this will be from the WinGate host).

So, if you had a rule which matched on dest IP 210.55.214.36, then if you had the "apply to traffic to/from local...." set, it would apply to the connection in both cases. If not set, then it would apply only to the connection in case 1.

Consider another then

1. A client 192.168.0.2 makes a NAT connection to www.wingate.com
2. A client 192.168.0.2 makes a proxy connection to www.wingate.com

in both cases, the SYN packet received by WinGate will contain the source address 192.168.0.2, and the destination addresses will be per the previous example.

If you have a rule which matches on source IP 192.168.0.2, then it will match the first connection, but only match the second connection if the option "apply to traffic to / from..." is set.
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland
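
The lookup described in the post above, as an added example that is not part of the original thread and is not WinGate code. It models the behaviour as adrien describes it: rules are checked only against the first packet of a connection, packets to or from the WinGate host count only when the "local machine" option is on, and the result is stored in the connection entry. Assumptions: first matching rule wins, 203.0.113.1 is a constructed placeholder for WinGate's WAN address, and all class and function names are hypothetical.

```python
"""Toy model of the bandwidth-rule lookup described in this thread."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# 192.168.0.1 is the WinGate LAN address used in the thread's example;
# 203.0.113.1 is a constructed placeholder for its WAN address.
WINGATE_ADDRS = {"192.168.0.1", "203.0.113.1"}


@dataclass(frozen=True)
class Rule:
    match: str                  # address or subnet the rule matches on
    field: str                  # "src" or "dst"
    restriction: str            # name of the restriction the rule assigns
    bidirectional: bool = False # "Rule is bidirectional"
    apply_local: bool = False   # "Apply traffic to/from local machine"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def is_local(pkt):
    """Traffic addressed to, or sent by, the WinGate host itself."""
    return pkt.src in WINGATE_ADDRS or pkt.dst in WINGATE_ADDRS


def rule_matches(rule, pkt):
    # Local traffic is ignored unless the rule opts in.
    if is_local(pkt) and not rule.apply_local:
        return False
    net = ip_network(rule.match, strict=False)
    # Bidirectional: match on either address instead of one fixed field.
    fields = ("src", "dst") if rule.bidirectional else (rule.field,)
    return any(ip_address(getattr(pkt, f)) in net for f in fields)


class ConnectionTable:
    """Rules are consulted once per connection; the result is cached."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.entries = {}

    def restriction_for(self, conn_id, pkt):
        if conn_id not in self.entries:      # first packet of a new connection
            hit = next((r for r in self.rules if rule_matches(r, pkt)), None)
            self.entries[conn_id] = hit.restriction if hit else None
        return self.entries[conn_id]         # later packets reuse the entry


# First packets from the thread's two cases for client 192.168.0.2.
NAT_SYN = Packet("192.168.0.2", "210.55.214.36")        # case 1: NAT
PROXY_SYN = Packet("192.168.0.2", "192.168.0.1")        # case 2: client -> proxy
PROXY_UPSTREAM = Packet("203.0.113.1", "210.55.214.36")  # case 2: proxy -> server


def classify(rule):
    """Return the restriction each leg would be assigned under one rule."""
    table = ConnectionTable([rule])
    legs = {"nat": NAT_SYN, "proxy_client": PROXY_SYN,
            "proxy_upstream": PROXY_UPSTREAM}
    return {name: table.restriction_for(name, p) for name, p in legs.items()}


if __name__ == "__main__":
    by_client = Rule("192.168.0.2", "src", "restriction1")
    both_on = Rule("192.168.0.2", "src", "restriction1", True, True)
    by_dest = Rule("210.55.214.36", "dst", "restriction1", apply_local=True)
    for label, rule in [("client IP, options off", by_client),
                        ("client IP, both options on", both_on),
                        ("dest IP, local option on", by_dest)]:
        print(f"{label:28} {classify(rule)}")
```

In this model a client-IP rule with both options on covers the NAT connection and the client-to-proxy leg; the proxy's own upstream connection carries no client address, so only a rule matching the destination (with the local option on) picks it up.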

Re: Bandwidth Control

Postby Alen » Mar 24 10 1:59 am

adrien wrote:I checked the code. There's only one copy of each restriction, and all rules assigned to it refer to it.
So all traffic matching a rule will share the same single restriction.
So, if you are seeing more bandwidth, then this would imply that the rule isn't being applied for some reason.

I fully understand only the last sentence. :-)
And from it I conclude you still insist individual restrictions are also necessary. Well I still have an argument on your:
adrien wrote:So, if you are seeing more bandwidth, then this would imply that the rule isn't being applied for some reason.

If the rule is not applied, why everyone's connection is limited by ~13KB/sec, and when I change it speed limit also changes. Answer. ;-)
Alen
WinGate Master
 
Posts: 217
Joined: Sep 21 09 7:50 pm

Re: Bandwidth Control

Postby adrien » Mar 24 10 2:06 am

and you're certain they are all getting that same amount of bandwidth at the same time?
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland

Re: Bandwidth Control

Postby Alen » Mar 24 10 2:19 am

adrien wrote:and you're certain they are all getting that same amount of bandwidth at the same time?

I am certain they all get the same maximum of the speed at the same time. E.g. if 3 of us are simultaneously downloading, each can see 12-13KB/sec download speed.

Adrien, please try yourself: just several identical rules each for a separate ip, but all with the same single restriction. It is working, I can see it right now.

The only thing I can say additionally, is I failed to achieve likely dynamic bandwidth control, which was my primary target at first, as you could remember.
When I assigned individual (and identical) rules to all of my users ip and used a single restriction without bandwidth limit just Medium priority bandwidth - shaping did not work.
May be it would work if I also create individual (and identical) restrictions for each rule? I don't know.
Alen
WinGate Master
 
Posts: 217
Joined: Sep 21 09 7:50 pm

Re: Bandwidth Control

Postby Alen » Mar 24 10 7:12 am

I deleted this post after I found out it is difficult even for me to understand what I wrote after several days past...
Last edited by Alen on Apr 11 10 2:58 am, edited 1 time in total.
Alen
WinGate Master
 
Posts: 217
Joined: Sep 21 09 7:50 pm

Re: Bandwidth Control

Postby jillmason7 » Apr 09 10 11:45 am

Awesome thanks for the tips. New to the forum so all help is appreciated.
jillmason7
 
Posts: 4
Joined: Apr 09 10 11:38 am

Re: Bandwidth Control

Postby Alen » Apr 10 10 11:06 pm

Adrien,
While checking BC working mechanism, please pay attention to 2 different situations:
1. One common restriction with speed restricted - many individual rules,
2. One common restriction without speed restricted (just prioritization) - many individual rules.

It seems to me, that in the first case we get this single rule to "grant" individual portions (that we have set) of the whole bandwidth to each user. But in the second - it makes problems: one user can occupy the whole bandwidth and prevent others to get equal portions.

I am claiming again, that I have the first variant now with one common restriction with 120kbit limit, and no one of my ~ 10 concurrently active users has any problems while I am downloading with ~ 13KB/sec. (For your reference: the total bandwidth we bought is ~ 512kbit/sec). So it works the way different of your declared.

But! I remember (and I reported about it here), that when I created one common restriction without speed limit, I got the situation, when I was not able to even log into Gatekeeper from the remote PC (I am sure it happened, just not sure if it began after I had "Apply traffic to/from local machine" and "Rule is bidirectional" options activated. But I believe I post it in this topic).

So please recreate these situations for yourself and get an explanation for all of us ;-).
Alen
WinGate Master
 
Posts: 217
Joined: Sep 21 09 7:50 pm

Re: Bandwidth Control

Postby Alen » Apr 11 10 2:57 am

And I still don't get the "Apply traffic to/from local machine" and "Rule is bidirectional" options explanation.
Please, try one more time. Explain in simple words, without going into deep and explaining how it works on the API layer.

If under machine in "Apply traffic to/from local machine" we understand Wingate server machine, and after reading your explanation n-s time:
As for the explanation of to/from local machine here it is.
WinGate gets different indications of packets from NDIS depending on whether the packet is indicated by a miniport (incoming from a NIC), or sent by a protocol (going out a NIC). These different indications go into different handler functions, since the requirements are somewhat different.
The setting whether traffic applies to traffic to/from the WinGate machine merely controls whether traffic sent by a protocol (outbound to a NIC) should be controlled. This doesn't differentiate on whether the traffic is outbound to the LAN or WAN - purely if the host OS is sending the packet rather than receiving one.

I can conclude, that this option makes Wingate machine to restrict not only traffic from LAN clients and from Internet servers, but also to LAN clients and to Internet servers.
And what does this give to us?

But after reading this:
adrien wrote:When a client is configured to use a proxy, it connects to the proxy, so the SYN packet has the destination address of the WinGate server. Since this is the first packet in the connection (which is the only packet we check bandwidth rules for) and since it is to the WinGate server, unless the "apply to traffic to/from the local machine" option is set, the rule will not apply. So if you want to control proxy traffic this option must be set.

I am starting to think, that the effect of the option is not restriction of outgoing traffic, but activating an option, when not only public ip destined (NAT) traffic is restricted, but also local (Proxy) traffic. So the key word in the option is not to\from, but local!

Or may be the first part of the explanation was about another - "Rule is bidirectional" - option?

So, "Rule is bidirectional" = apply restriction to not only incoming (from Internet to Wingate! Not also from LAN clients to Wingate!?) traffic, but also outgoing (from Wingate to whom? LAN clients? Internet servers?). Is this just restriction of the upload speed?
"Apply traffic to/from local machine" = apply restriction not only to traffic destined to public ips (NAT), but also to the local (Proxy) traffic?
Alen
WinGate Master
 
Posts: 217
Joined: Sep 21 09 7:50 pm

Re: Bandwidth Control

Postby Alen » Apr 30 10 6:34 pm

Adrien, I am still waiting for your help to understand some options and to clarify the way Wingate 6.x BC works.
Please read my last 3 posts and reply. (And don't hope I'll just forget about this thread ;-))
Alen
WinGate Master
 
Posts: 217
Joined: Sep 21 09 7:50 pm
