Download policer won't work

  • 1.  Download policer won't work

    Posted 02-20-2019 07:04

    Hi!

     

    I have an SRX 240 cluster and want to limit the download speed to one of my servers.

     

    Here's how I wanted to do this:

     

    #Policer 50Mbit/s

    set firewall policer policer-50mbit if-exceeding bandwidth-limit 50m
    set firewall policer policer-50mbit if-exceeding burst-size-limit 128k
    set firewall policer policer-50mbit then discard

     

    #Filter

    set firewall family inet filter download-limit term wsus-server from source-address 192.168.0.1/32
    set firewall family inet filter download-limit term wsus-server then policer policer-50mbit
    set firewall family inet filter download-limit term wsus-server then accept

     

    #Configuring policer on the interface the server 192.168.0.1 is connected to

    set interfaces reth5.10 family inet filter input download-limit

     

    When this configuration is active, the whole 192.168.0.0/24 subnet is limited to 50Mbit/s. Why's that?

    The WAN interface is reth0.1 configured with interface NAT.


    Kind regards

    Andy



  • 2.  RE: Download policer won't work

    Posted 02-20-2019 07:13

     Hello,

    According to your config, and assuming you did not omit filter terms, you are rate-limiting the traffic FROM 192.168.0.1 AND dropping all traffic from the rest of the 192.168.0.0/24 subnet, because there is no "else allow" term:

    @MetzingerAn wrote:

     

    #Filter

    set firewall family inet filter download-limit term wsus-server from source-address 192.168.0.1/32
    set firewall family inet filter download-limit term wsus-server then policer policer-50mbit
    set firewall family inet filter download-limit term wsus-server then accept


    You need to add a last term with "accept" to actually allow the rest of the 192.168.0.0/24 subnet to communicate with the outside world:

     

    set firewall family inet filter download-limit term else then accept

    HTH

    Thx

    Alex



  • 3.  RE: Download policer won't work

    Posted 02-20-2019 08:13

    Hi Alex!

     

    Oh my. I added the line

    set firewall family inet filter download-limit term else then accept

    to this config. All clients in the /24 network are now able to download at full speed 🙂 including the 192.168.0.1/32... 

    I don't get it...



  • 4.  RE: Download policer won't work
    Best Answer

    Posted 02-20-2019 08:27

    Hello,

     


    @MetzingerAn wrote:

    Hi Alex!

     

    All clients in the /24 network are now able to download at full speed 🙂 including the 192.168.0.1/32... 

    I don't get it...


    You rate-limited the packets with SRC IP 192.168.0.1, which from this host's point of view is UPLOAD.

    If you need to limit DOWNLOAD TO this host, you need to construct a different filter and apply it in the "output" direction on the same interface.

    HTH

    Thx

    Alex



  • 5.  RE: Download policer won't work

    Posted 02-20-2019 08:29

    Since you want to limit download speed, you have to apply the filter in the input direction on the WAN interface, with the destination IP set to the NAT address of the server, or apply the filter on the reth5.10 interface with the real IP address of the server as the destination address.
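The fix described in the two replies above, written out as a complete configuration. This is an added example, not config posted in the thread; it assumes reth5.10 is the LAN interface the server sits behind, that the server's real address is 192.168.0.1/32, and that the source NAT on reth0.1 is interface-based, so on the reth5.10 egress side the destination address is already the real server address again. The two points it bakes in: a Junos firewall filter ends with an implicit discard, so a filter applied to an interface needs a final catch-all accept term or every non-matching host on that interface loses traffic; and "download to the server" is traffic leaving the SRX towards the server, so it is matched on destination-address and policed in the output direction of reth5.10. With interface-based source NAT every inside host appears as the reth0.1 address on the WAN side, so a reth0.1 input filter keyed on that address would rate-limit the whole subnet rather than one server; the reth5.10 output filter on the real address is the one that singles the server out.

```junos
## Added example (not from the original thread): rate-limit downloads TO 192.168.0.1
## by policing in the output direction of reth5.10, the LAN-facing interface.
## Assumptions: server real address 192.168.0.1/32 behind reth5.10, interface-based
## source NAT on reth0.1, policer name and filter names chosen here for illustration.

## Policer: 50 Mbit/s, 128 KB burst (burst-size-limit is in bytes), drop the excess
set firewall policer policer-50mbit if-exceeding bandwidth-limit 50m
set firewall policer policer-50mbit if-exceeding burst-size-limit 128k
set firewall policer policer-50mbit then discard

## Download filter: match packets heading TOWARDS the server (destination-address).
## The final "else" term is required: a Junos firewall filter ends with an implicit
## discard, so without it every other host on reth5.10 stops receiving traffic.
set firewall family inet filter download-limit term wsus-server from destination-address 192.168.0.1/32
set firewall family inet filter download-limit term wsus-server then policer policer-50mbit
set firewall family inet filter download-limit term wsus-server then accept
set firewall family inet filter download-limit term else then accept

## Apply in the OUTPUT direction of the LAN interface: packets the SRX sends
## out of reth5.10 to the server are the server's downloads.
set interfaces reth5.10 family inet filter output download-limit

## The original filter (source-address match, applied as input) limits UPLOAD
## from the server instead. Keep it under its own name if both limits are wanted.
set firewall family inet filter upload-limit term wsus-server from source-address 192.168.0.1/32
set firewall family inet filter upload-limit term wsus-server then policer policer-50mbit
set firewall family inet filter upload-limit term wsus-server then accept
set firewall family inet filter upload-limit term else then accept
set interfaces reth5.10 family inet filter input upload-limit

commit check
commit

## Verification (operational mode): the filter's policer counter should increase
## while a download runs from a client on another host, and only that counter.
show firewall filter download-limit
show policer
```

To check that the filter is matching the intended direction, start a large download to the server and watch `show firewall filter download-limit`: the discard/policer counters for term `wsus-server` should climb while the counters of a download to any other host on the /24 stay at zero.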