Traffic Shaping; Policy Routing - D-Link DFL-1100 User Manual

Network security firewall

(if configured) and pass on the traffic. If Prevention is used, the traffic will be dropped and
logged, and if configured, an email alert will be sent.

Traffic Shaping

The simplest way to obtain quality of service in a network, seen from a security as well as a
functionality perspective, is to have the components in the network, not the applications, be
responsible for network traffic control in well-defined choke points.

Traffic shaping works by measuring and queuing IP packets in transit with respect to a
number of configurable parameters. Differentiated rate limits and traffic guarantees based on
source, destination and protocol parameters can be created, in much the same way as firewall
policies are implemented.

There are three priorities available when configuring traffic shaping: Normal, High and
Critical.

Limit caps the inbound and outbound traffic at the specified speed. This is the
maximum bandwidth that can be used by traffic matching this policy. Note, however, that if
other policies also use Limit, their limits together add up to more than your total Internet
connection, and traffic limits are configured on the WAN interface, this limit is sometimes
lowered so that traffic with higher priorities takes precedence.

Guarantee gives a policy a minimum bandwidth. This only works if the
traffic limits for the WAN interface are configured correctly.

Policy Routing

Normal routing can be said to be a simple form of policy-based routing: the "policy" is the
routing table, and the only data that can be filtered on is the destination IP address of the
packet. What is commonly referred to as policy-based routing is, simply put, an extension of
which fields of the packet are examined to determine the routing decision. In the DFL-1100, each
rule in the firewall policy can specify its own routing decision; in essence, traffic is routed
according to the source and destination IP addresses and ports.

Policy-based routing can, for example, be used to route certain protocols through transparent
proxies such as web caches and anti-virus scanners, without adding another point of failure
for the network as a whole. It is very important to know that the proxy must also support this
for it to work.

There are two ways to configure Policy Routing; both involve specifying the Gateway to send
the traffic over. The first mode, Redirect via routing (make gateway next hop), simply
reroutes the traffic to the given gateway as if it were just another router. The second mode, Via
address translation (change destination IP), changes the destination IP in the IP
header and then passes the packet on to the gateway. This is used, for example, in transparent
squid-proxy setups.
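
The difference between the two modes is visible in the IP header the gateway receives. The following Python sketch is an added example, not taken from the D-Link manual or firmware; the function names and addresses are constructed for illustration, and it models only the IPv4 header.

```python
import ipaddress
import struct

def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of the header's 16-bit words (0 if header is valid)."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_header(src: str, dst: str, proto: int = 6, payload_len: int = 20) -> bytes:
    """Constructed sample: minimal 20-byte IPv4 header, no options, valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

def dst_of(header: bytes) -> str:
    """Destination address field (bytes 16..19) as dotted quad."""
    return str(ipaddress.IPv4Address(header[16:20]))

def redirect_via_routing(header: bytes, gateway: str):
    """Mode 1: header is untouched; only the forwarding next hop changes.
    The gateway receives a packet still addressed to the original server,
    so it must be able to accept traffic not addressed to itself."""
    return header, gateway

def via_address_translation(header: bytes, gateway: str):
    """Mode 2: destination IP is rewritten to the gateway and the header
    checksum recomputed. The original destination is no longer in the IP
    header. A real NAT also fixes the TCP/UDP checksum, which covers the
    destination address through the pseudo-header; that is omitted here."""
    new = bytearray(header)
    new[16:20] = ipaddress.IPv4Address(gateway).packed
    new[10:12] = b"\x00\x00"                      # zero checksum before summing
    new[10:12] = struct.pack("!H", ipv4_checksum(bytes(new)))
    return bytes(new), gateway

if __name__ == "__main__":
    # Constructed addresses from documentation ranges; 10.0.0.5 plays the proxy.
    pkt = build_header("192.0.2.10", "198.51.100.80")
    for mode in (redirect_via_routing, via_address_translation):
        out, hop = mode(pkt, "10.0.0.5")
        print(f"{mode.__name__}: next hop {hop}, header dst {dst_of(out)}, "
              f"checksum ok: {ipv4_checksum(out) == 0}")
```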

This manual is also suitable for:

Netdefend dfl-1100