Optimizing Bandwidth for Sites

September 9, 2008

A typical internet radio station uses 128k of streaming bandwidth. Some use up to 256k.
Podcast downloads can take 100-200k, easily.
System & software updates can use even more.

A few people listening to low-quality internet radio stations use 512k (about a third) of a T1.
A few people downloading podcasts is easily another 512k.
Add a few people downloading system or software updates, and your expensive T1 is all used up.

That’s zero bandwidth for employees clocking in and out, zero bandwidth for customers’ file transfers, and zero bandwidth for email in and out.

And ALL of those things can be going on at once for any computer or employee.

Call it a modern “tragedy of the commons”.

One thing that you can do if you have a good router/firewall is managing Quality of Service (or “QoS”). QoS is basically giving high priority to things that are important for business (like email, VOIP, incoming FTP, etc.), and low priority to things that are not important (software updates, YouTube, streaming radio, etc.).

This isn’t just for businesses, either. If you use Skype at home, you should make your Skype calls a higher priority than your internet browsing so that you don’t lose call quality while you (or someone you live with) are using the internet.

So, if you can configure QoS on your firewall, here are a few tips:

  • Assign QoS by IP address block. Apple, for example, owns the Class A block 17.x.x.x. Unless you do business directly with Apple, you’re probably only ever accessing “17.” addresses for software updates, podcasts, iTunes Store, etc. – all low priority. Unless, of course, you’re using MobileMe.
  • Assign QoS by DNS name. Chances are pretty good you’re not doing much business with youtube.com, doubleclick.com, msn.com, espn.com, npr.org, or a variety of other high-use, low-productivity sites.
  • Assign by service. Not every firewall allows you to prioritize by service, but most will allow you to do it by port number. Things that should have high priority: VOIP (varies), SMTP (25), FTP (21).

Almost everything else will be fine if you leave it set to the default priority level. Your business (or home) may have other priorities (online gaming, for example), but these are a good starting place. Just make sure you save your router/firewall settings before you start and you’ll be able to undo anything you accidentally screw up.
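The three tips above boil down to an ordered rule set: match by port, by address block, by DNS name, else default. Here is an added example (not from the original post, and not tied to any particular firewall) that models that classifier in Python with constructed sample flows. The post doesn’t say which rule wins when several match, so this example assumes service rules are checked first, so business mail to a low-priority block still gets high priority.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One outbound connection as the firewall sees it (constructed sample type)."""
    dst_ip: str
    dst_port: int
    dst_name: str = ""  # DNS name the client resolved, if the firewall knows it


HIGH, DEFAULT, LOW = "high", "default", "low"

# Tip 3: business-critical services by port number.
HIGH_PRIORITY_PORTS = {25: "SMTP", 21: "FTP"}
# Tip 1: address blocks that are almost always updates, podcasts and media.
LOW_PRIORITY_NETS = [ipaddress.ip_network("17.0.0.0/8")]  # Apple's block
# Tip 2: high-use, low-productivity sites named in the post.
LOW_PRIORITY_DOMAINS = ("youtube.com", "doubleclick.com", "msn.com", "espn.com", "npr.org")


def _matches_domain(name: str, domain: str) -> bool:
    # Match the domain itself and any subdomain, but not "notyoutube.com".
    name = name.lower().rstrip(".")
    return name == domain or name.endswith("." + domain)


def classify(flow: Flow) -> tuple:
    """Return (priority, reason). Assumed precedence: port rules first,
    then address-block rules, then DNS-name rules, then the default."""
    if flow.dst_port in HIGH_PRIORITY_PORTS:
        return HIGH, HIGH_PRIORITY_PORTS[flow.dst_port]
    addr = ipaddress.ip_address(flow.dst_ip)
    for net in LOW_PRIORITY_NETS:
        if addr in net:
            return LOW, f"address block {net}"
    for domain in LOW_PRIORITY_DOMAINS:
        if _matches_domain(flow.dst_name, domain):
            return LOW, f"domain {domain}"
    return DEFAULT, "no rule matched"


if __name__ == "__main__":
    # Constructed sample flows; the 203.0.113.0/24 addresses are documentation space.
    for f in (Flow("17.250.1.1", 80), Flow("203.0.113.5", 25),
              Flow("203.0.113.7", 443, "www.youtube.com"), Flow("203.0.113.9", 443, "example.com")):
        print(f.dst_ip, f.dst_port, f.dst_name or "-", "->", *classify(f))
```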

“Why do we fall down, Bruce? So we can learn to pick ourselves up.”


Load Balancing and Static NATs

July 6, 2008

<Heady tech. mumbo-jumbo>

CheckPoint’s Safe@Office firewalls don’t handle load balanced dual ISP configurations properly if you have external IPs static NAT’d to internal machines.

When you connect your first WAN link (WAN1) and set up static NATs for external addresses to reach internal machines, everything works fine. When you set up your second WAN link (WAN2), your internal machines with NAT’d addresses will not be able to use WAN2. If you’re using WAN2 for failover only, this is not a problem (well, until WAN1 fails), but if you’re trying to use load balancing, whenever the firewall routes a NAT’d machine to WAN2, the request will fail – DNS will time out, PINGs won’t come back, etc. You’ll be able to reach anything internal, and you’ll be able to ping the firewall just fine, but traffic beyond that will fail.

If you want to see it in full effect, just disable WAN1 for a moment. Anything that doesn’t have a static NAT will work just fine, but any machine with a static NAT will lose its internet connection.

The solution is to set up a static route from any machine with a static NAT. So here’s how to properly set it up:

  1. Connect both WAN links and make sure they’re working the way they should – including load balancing the traffic. That’s pretty easy.
  2. Now add a network object for the machine you want accessible from outside. If you can find it in your list of computers (Reports > My Computers), just click the “Add” link next to it. You’re adding a single computer; it’s going to have a fixed IP address and you’re going to Perform Static NAT. I gave mine an external IP address from the pool connected to WAN2, but I don’t think it matters. Then just give it a descriptive name.
  3. Now click Network > Network Objects and make sure it appears in that list with the correct Static NAT address.
  4. Now click Routes at the top and hit the New Route button. For Source, select Specified Network, the network will be the IP address of the Network Object you just created and the Netmask will be 255.255.255.255. Destination is “ANY” and Service is “ANY”. In the next window, for Next Hop IP, choose the WAN link that includes the external IP address that you selected in step 2. Metric doesn’t really matter for something this simple, you can leave the default.
  5. Now just test it. Make sure that you have internet access from the Network Object created in step 2. Disable one connection, test again, enable it, disable the other one, test again, etc.

Obviously, you can make it much more complex than this, but this is important information for getting load balancing and static NATs working.

</Heady tech. mumbo-jumbo>