Today I had to limit an internet connection at one of the sites of the company I work for. The internet connection is mainly used for guest access and backup, since the main traffic travels over an MPLS connection. The same internet connection was going to be used for a VPN tunnel towards a supplier that has a VPN device behind my SRX240. Since this location is in the middle of nowhere, it's limited to a 1 Mbps SDSL connection. The issue is that there is no bandwidth left for the external VPN when guest users are using the connection.
I have added the main information regarding the configuration below:
Guest subnet: 192.168.200.0/26
Guest interface: vlan.20
The first step is to define the policer. Since I want to keep some bandwidth for the VPN, I limit the 1 Mbps to 800 kbps. As you can see from the text below, there is an abbreviation for kbps, which is k. You can specify a value in bits per second either as a complete decimal number or as a decimal number followed by the abbreviation k (1000), m (1,000,000), or g (1,000,000,000). You can also specify a value in cells per second by entering a decimal number followed by the abbreviation c; values expressed in cells per second are converted to bits per second using the formula 1 cps = 384 bps. The value can be any positive integer. In this example it's set to 800k.
set firewall policer policer-800k if-exceeding bandwidth-limit 800k
set firewall policer policer-800k if-exceeding burst-size-limit 625k
set firewall policer policer-800k then discard
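To make the unit rules quoted above concrete, here is a small parser (added here as an example; it is not part of the original post and not a Juniper tool) that converts a Junos bandwidth-limit value such as 800k, 1m, 2604c or a bare number into bits per second, using the k/m/g multipliers and the 1 cps = 384 bps rule from the documentation. The vpn_headroom helper then reports how much of a link the policer leaves unused, which is the number this whole post is about: 1 Mbps link minus an 800k policer leaves 200 kbps for the VPN. The link capacity and policer values are passed in by the caller; the function names are my own.

```python
import re

# Conversion factors as stated in the Junos documentation quoted in the post.
CPS_TO_BPS = 384                         # 1 cell per second = 384 bits per second
SUFFIX_MULTIPLIER = {"": 1, "k": 1_000, "m": 1_000_000, "g": 1_000_000_000}

_VALUE_RE = re.compile(r"(\d+)([kmgc]?)")


def parse_bandwidth(value: str) -> int:
    """Convert a Junos bandwidth value ('800k', '1m', '2604c', '1500') to bits per second.

    Raises ValueError for anything Junos would not accept as a bandwidth-limit,
    e.g. '800kbps', '0', or a negative/empty value.
    """
    match = _VALUE_RE.fullmatch(value.strip().lower())
    if not match:
        raise ValueError(f"not a valid Junos bandwidth value: {value!r}")
    number, suffix = int(match.group(1)), match.group(2)
    if number <= 0:
        raise ValueError("bandwidth must be a positive integer")
    if suffix == "c":
        return number * CPS_TO_BPS
    return number * SUFFIX_MULTIPLIER[suffix]


def vpn_headroom(link: str, policer_limit: str) -> int:
    """Bits per second left on the link once the policer caps the guest traffic.

    A policer larger than the link itself is a configuration error (it limits
    nothing), so that case is rejected instead of returning a negative number.
    """
    link_bps = parse_bandwidth(link)
    policer_bps = parse_bandwidth(policer_limit)
    if policer_bps > link_bps:
        raise ValueError(
            f"policer {policer_limit} exceeds the {link} link and would not limit anything"
        )
    return link_bps - policer_bps


if __name__ == "__main__":
    # The post's own numbers: a 1 Mbps SDSL line and an 800k policer.
    print(parse_bandwidth("800k"))            # 800000
    print(vpn_headroom("1m", "800k"))         # 200000 bps kept free for the VPN
```

Any value you feed the parser that raises is also a value the SRX would reject at commit time, so the same function is handy for sanity-checking a policer before pushing it.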
The next part is to set the filter itself. Here I want to configure the same speed limit for both upload and download traffic. You can create different limits for the different directions if you want to, but in this example I use the same speed both ways. At the end of the filter I have an accept-all term to let the remaining traffic go through the interface. I did not need to do that in this example, but I like to make sure I don't block anything that I shouldn't.
set firewall filter meeting-limit term from-meeting from source-address 192.168.200.0/26
set firewall filter meeting-limit term from-meeting then policer policer-800k
set firewall filter meeting-limit term from-meeting then accept
set firewall filter meeting-limit term to-meeting from destination-address 192.168.200.0/26
set firewall filter meeting-limit term to-meeting then policer policer-800k
set firewall filter meeting-limit term to-meeting then accept
set firewall filter meeting-limit term accept then accept
In the end we have to apply the filter to an interface, as both input and output. The best practice is to only do this on the inbound side so you don't spend resources processing traffic that you are going to discard anyway. In my case I had some issues with that. If I had filtered the traffic coming from the internet towards the 192.168.200.0/26 network, I wouldn't have filtered anything. The reason is that the traffic I would see there still carries the NAT'ed address, so the destination address would be my public IP. When I filter the outbound traffic on vlan.20 instead, after it has passed back through NAT, it has the correct internal IP and I can filter it.
set interfaces vlan unit 20 description meetingroom
set interfaces vlan unit 20 family inet filter input meeting-limit
set interfaces vlan unit 20 family inet filter output meeting-limit
set interfaces vlan unit 20 family inet address 192.168.200.1/26
The configuration should in the end look something like this:
firewall {
    policer policer-800k {
        if-exceeding {
            bandwidth-limit 800k;
            burst-size-limit 625k;
        }
        then discard;
    }
    filter meeting-limit {
        term from-meeting {
            from {
                source-address {
                    192.168.200.0/26;
                }
            }
            then {
                policer policer-800k;
                accept;
            }
        }
        term to-meeting {
            from {
                destination-address {
                    192.168.200.0/26;
                }
            }
            then {
                policer policer-800k;
                accept;
            }
        }
        term accept {
            then accept;
        }
    }
}
interfaces {
    vlan {
        unit 20 {
            description meetingroom;
            family inet {
                filter {
                    input meeting-limit;
                    output meeting-limit;
                }
                address 192.168.200.1/26;
            }
        }
    }
}
As a reference I used Juniper KB28161.