Differences

This shows you the differences between two versions of the page.

web_gui:security_page [2010/11/26 10:23]
tibor
web_gui:security_page [2012/10/16 11:29] (current)
tibor made flow quotas text more generic
Line 7: Line 7:
  * [[web GUI:security profile|AC]] - by default same protection as Hi   * [[web GUI:security profile|AC]] - by default same protection as Hi
-{{ :web_gui:security_page.png?227|Security page in rel 5.30}}+{{ :web_gui:security_page.png?227|Security page in rel 5.31}}
Even though all three profiles are freely configurable you should leave profiles Hi and Lo unchanged and apply your changes to profile AC. Even though all three profiles are freely configurable you should leave profiles Hi and Lo unchanged and apply your changes to profile AC.
Line 31: Line 31:
**Peak** shows the absolute highest number of flows ever used since Internet Gate was turned on. **Peak** shows the absolute highest number of flows ever used since Internet Gate was turned on.
-**Total** is the number of flows reserved, available to be used by the firewall. Default value is 4000, allowed values are between 500 and 9000. If no Total value is visible (field empty) it means the default value of 4000.+**Total** is the number of flows reserved, available to be used by the firewall. The default value depends on the amount of memory the unit has, 4000 or 10000 flows. If no Total value is visible (field empty) default value is 4000.
If the Peak value approaches the Total value you are recommended to increase the Total value, click on Apply, [[:settings and administration:apply and save permanently|save permanently]] and reboot. If the Peak value approaches the Total value you are recommended to increase the Total value, click on Apply, [[:settings and administration:apply and save permanently|save permanently]] and reboot.
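Review bot: the new Total sentence drops the allowed range the old version stated ("allowed values are between 500 and 9000"), and the new 10000 default for larger-memory units lies outside that old range, so a reader no longer knows which values Apply will accept on either kind of unit. Suggest keeping an updated range sentence, e.g. "Default is 4000 on units with less memory and 10000 on units with more memory; allowed values are between 500 and <maximum for this unit>." The closing "If no Total value is visible (field empty) default value is 4000" also contradicts the preceding sentence on a unit whose default is 10000; say what an empty field means for each unit.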
Line 40: Line 40:
==== Flow Quotas ==== ==== Flow Quotas ====
-During heavy load, when most flows are already in use, the remaining free flows should be rationed out to LAN clients most needing them. In some cases, for example when running certain BitTorrent or other peer-to-peer applications, one client can use thousands of data streams requiring thousands of flows to get through the firewall. Without flow quotas they might use up all flows, leaving other LAN clients unable to connect to the Internet.+During heavy load, when most flows are already in use, the remaining free flows should be rationed out to LAN hosts (PC-s) most needing them. In some cases, for example when running certain BitTorrent or other peer-to-peer applications, one host can use thousands of data streams requiring thousands of flows to get through the firewall. Without flow quotas they might use up all flows, leaving other LAN hosts unable to connect to the Internet.
-Flow Quotas limit the maximum amount of flows one single LAN client can use. With default configuration no LAN client is allowed to use more than 3000 (4000-1000) flows.+Flow Quotas limit the maximum amount of flows one single LAN host can use. For example if flows total is set to 4000 and flow quotas are set to 1000 then no LAN host is allowed to use more than 4000 - 1000 = 3000 flows.
-If there are less than 1000 flows left, flow quotas become activated. If a LAN client already have more than 200 flows and requests to open a new one will be denied. Applications running on that client receive no answer from the remote host.+:!: As long as there are enough unused flows flow quotas are inactive: any LAN host may open any number of flows they desire.
 +If there are less than the entered flow quota number of flows left, flow quotas become activated. If a LAN host already have more than flow quota flows and requests to open a new one it will be denied. Applications running on that host then receive no answer from the remote host.
 +If the number of flows used drops below any of the thresholds (the global or the per host) then new flows are allowed to be created again.
 +
 +=== QoS ===
 +Flow Quotas only limit regular flows going through the firewall (flows created by firewall command MODIFY on the WAN interface). Flows used by SIP and flows to extra WAN interfaces are not affected. Thus even if a host already have maximum amount of flows open placing a SIP call will still be able to open additional flows.
 +
 +=== Special scenarios ===
 +The default flow quotas settings suit most users. There are however some special scenarios that might require changing the settings:
 +
 +== Single user ==
 +If there is only one host behind the Internet Gate, that host should be able to use //all// flows. In such case set the **If less than** value to 0.
 +
 +== Strict Quotas ==
 +In some cases, for example if running an Internet cafĂ©, you want to make sure each LAN host gets the same amount of flows. For example if you have 10 hosts on the LAN then each should have 400 flows guaranteed. In such case set the **If less than** value to same as **Total**, and the **allow max** value to Total divided by the number of LAN hosts.
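Review bot: the rewritten quota paragraphs use the single term "flow quota" for two different settings that the Special scenarios section names separately: "If there are less than the entered flow quota number of flows left" is the **If less than** threshold, while "already have more than flow quota flows" is the **allow max** per-host cap, so the example "4000 - 1000 = 3000" only holds when both happen to be 1000. Suggest naming the setting in each sentence and giving both values in the example, e.g. "if Total is 4000, If less than is 1000 and allow max is 1000, no LAN host can use more than 3000 flows." Minor points: "If a LAN host already have more than flow quota flows and requests to open a new one it will be denied" reads better as "If a LAN host already has more than allow max flows, a request to open a new one is denied"; the "=== QoS ===" heading does not describe its section, which is about the flows that quotas exempt (SIP and extra WAN interfaces); and "cafĂ©" is a mis-encoded "café".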
web_gui/security_page.1290763395.txt.gz · Last modified: 2010/11/26 10:23 by tibor
CC Attribution-Noncommercial-Share Alike 3.0 Unported