fortigate shaper for iDevices

iDevices are known to be amazing little devices, especially when you do image sharing, music, etc. all in the cloud: the iCloud.
there is one catch, however…

at home we work with an 8 Mb down / 1 Mb up connection, and the iDevices are all configured to upload all pictures to iCloud whenever connected to WLAN and to download all music and apps automatically.
this can mess up your home DSL line very badly and make things like remote working or VPNs impossible to use due to line saturation, mostly outbound.

see:

64 bytes from redirector.heise.de (193.99.144.80): icmp_seq=1 ttl=246 time=98.0 ms
64 bytes from redirector.heise.de (193.99.144.80): icmp_seq=2 ttl=246 time=126 ms
64 bytes from redirector.heise.de (193.99.144.80): icmp_seq=3 ttl=246 time=185 ms
64 bytes from redirector.heise.de (193.99.144.80): icmp_seq=4 ttl=246 time=143 ms
64 bytes from redirector.heise.de (193.99.144.80): icmp_seq=5 ttl=246 time=162 ms
64 bytes from redirector.heise.de (193.99.144.80): icmp_seq=6 ttl=246 time=162 ms
64 bytes from redirector.heise.de (193.99.144.80): icmp_seq=7 ttl=246 time=114 ms
64 bytes from redirector.heise.de (193.99.144.80): icmp_seq=8 ttl=246 time=139 ms
64 bytes from redirector.heise.de (193.99.144.80): icmp_seq=9 ttl=246 time=108 ms
64 bytes from redirector.heise.de (193.99.144.80): icmp_seq=10 ttl=246 time=35.9 ms
64 bytes from redirector.heise.de (193.99.144.80): icmp_seq=11 ttl=246 time=80.2 ms
64 bytes from redirector.heise.de (193.99.144.80): icmp_seq=12 ttl=246 time=135 ms

now let’s get to work using the latest and greatest FortiOS 5.2 and create a shaper that applies only to mobile devices:

shapers for inbound and outbound will be created with 500k out and 4000k in
they will be applied to a security policy that sits before the default lan > wan policy

config firewall shaper traffic-shaper

vuurmuur (traffic-shaper) # get mobile-500k
name : mobile-500k
guaranteed-bandwidth: 0
maximum-bandwidth : 512
priority : medium
per-policy : enable
diffserv : disable

vuurmuur (traffic-shaper) # get mobile-4000k
name : mobile-4000k
guaranteed-bandwidth: 0
maximum-bandwidth : 4000
priority : medium
per-policy : enable
diffserv : disable

and let’s apply it in both directions to the policy for mobile devices (device detection / the application sensor need to be enabled for that to work; also, this policy needs to be sequenced earlier than the rest of the LAN policies)


config firewall policy
edit 5
set srcintf "lan"
set dstintf "wan1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set utm-status enable
set logtraffic disable
set devices "Mobile Devices" <<<<<<<<<<<<<<
set application-list "default"
set profile-protocol-options "default"
set ssl-ssh-profile "certificate-inspection"
set traffic-shaper "mobile-500k" <<<<<<<<<<<<<<
set traffic-shaper-reverse "mobile-4000k" <<<<<<<<<<<<<<
set nat enable
next
end
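the two things that silently break this setup are the policy order (a device policy sequenced after the catch-all lan > wan policy never matches) and forgetting one of the two shaper directions. the following Python script is an added example, not part of this post or of FortiOS: it parses a `show firewall policy` style dump (the sample dump is constructed, its policy IDs are made up) and flags both mistakes; it assumes the dump lists policies in evaluation order.

```python
# Constructed dump in `show firewall policy` form (IDs and values made up); policies
# are assumed to be listed in evaluation order, as the FortiGate CLI prints them.
SAMPLE_DUMP = """config firewall policy
    edit 5
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set devices "Mobile Devices"
        set traffic-shaper "mobile-500k"
        set traffic-shaper-reverse "mobile-4000k"
    next
    edit 1
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
    next
end
"""

def parse_policies(dump):
    """Return [(policy_id, {setting: value})] in the order listed."""
    policies, pid, settings = [], None, {}
    for line in (l.strip() for l in dump.splitlines()):
        if line.startswith("edit "):
            pid, settings = int(line[5:]), {}
        elif line.startswith("set ") and pid is not None:
            key, _, val = line[4:].partition(" ")
            settings[key] = val.strip('"')  # 'set devices "Mobile Devices"' -> Mobile Devices
        elif line == "next" and pid is not None:
            policies.append((pid, settings))
            pid = None
    return policies

def check_mobile_shaping(dump, src="lan", dst="wan1"):
    """Return findings for the src->dst path; an empty list means it looks sane."""
    findings, shadowed = [], False
    for pid, s in parse_policies(dump):
        if s.get("srcintf") != src or s.get("dstintf") != dst:
            continue
        if "devices" in s:
            if shadowed:  # ordering bug: the catch-all above already matched
                findings.append(f"policy {pid}: sequenced after the catch-all, never matches")
            for key in ("traffic-shaper", "traffic-shaper-reverse"):
                if key not in s:  # shaping must be set in both directions
                    findings.append(f"policy {pid}: no {key} set")
        elif s.get("srcaddr") == "all" and s.get("dstaddr") == "all":
            shadowed = True  # any all/all policy here hides later device policies
    return findings
```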

result:

64 bytes from 193.99.144.80: icmp_seq=1 ttl=246 time=30.6 ms
64 bytes from 193.99.144.80: icmp_seq=2 ttl=246 time=29.8 ms
64 bytes from 193.99.144.80: icmp_seq=3 ttl=246 time=21.9 ms
64 bytes from 193.99.144.80: icmp_seq=4 ttl=246 time=21.4 ms
64 bytes from 193.99.144.80: icmp_seq=5 ttl=246 time=21.9 ms
64 bytes from 193.99.144.80: icmp_seq=6 ttl=246 time=28.0 ms
64 bytes from 193.99.144.80: icmp_seq=7 ttl=246 time=29.6 ms

good!

and now create another one for email, facebook and other annoyances that people use to share pictures,
this time with low prio

and my desktop for work gets high prio ;)