Rate Limiting SSL VPN User Traffic

With lots of people working at home, contention on VPNs is a real problem at the moment - license capacity, device CPU and throughput rate.

One way to deal with this is to apply rate limits to user traffic. It can be done in a number of ways (a BWC policy in the Access Policy, Traffic Classifiers, and so on) but I like simple solutions, so I'm going to show you how to do it with virtual servers and iRules, and if you want the easy way out you can use my iApp to do it for you!

For a start, let's look at an SSL VPN in a bit more detail.

Tunnels!

The tunnel part of the SSL VPN is based around the Connectivity Profile, which specifies settings like compression and the VPN client settings. When you create a Connectivity Profile, the BIG-IP also creates a tunnel interface named after the profile.

This tunnel interface is used as an internal connector so that outgoing traffic can be managed; HTTP explicit proxies use the same mechanism with the http-tunnel. This is a very powerful feature: it means we can create a virtual server that listens on that tunnel interface and so captures VPN user traffic before it leaves the BIG-IP.

Bandwidth Controllers

We have two types of bandwidth controller policy: Static and Dynamic.

A Static policy sets the overall rate allowed for all the traffic it is attached to. A Dynamic policy also sets an overall rate, but additionally a rate per user, where "user" is whatever identifier the policy is attached with (in this article, an individual flow). For instance, we could allow ALL VPN traffic 1Gbps in total, while each individual traffic flow within that is limited to 1Mbps.

iRules

To apply the policy to the user traffic we use an iRule with the BWC::policy command. This sets the policy on the flow for both uplink and downlink traffic by attaching it in two different events: CLIENT_ACCEPTED (the clientside flow) and SERVER_CONNECTED (the serverside flow).

# Clientside flow: the VPN user's tunnel address and source port identify this flow
when CLIENT_ACCEPTED {
    BWC::policy attach /Common/bwc-10M "[IP::remote_addr]:[TCP::remote_port]"
}
# Serverside flow: in this event the remote peer is the destination server,
# so the identifier is the server address and port rather than the user's
when SERVER_CONNECTED {
    BWC::policy attach /Common/bwc-10M "[IP::remote_addr]:[TCP::remote_port]"
}

Obviously, in the iRule for the UDP virtual server, TCP::remote_port becomes UDP::remote_port.

Putting it together

Below you can see the virtual server configuration which I created using my iApp. The important parts are the wildcard destination 0.0.0.0:any with translate-address and translate-port disabled (the BIG-IP simply forwards the user's traffic to its real destination), the VLAN list restricted to the connectivity-1 tunnel so that only VPN user traffic is caught, the SNAT pool so that return traffic comes back through the BIG-IP, and the iRule that attaches the BWC policy. There is one virtual server for TCP and one for UDP.

ltm virtual Common/vpn-1.app/vs_bwc_vpn-1_tcp_default {
    app-service /Common/vpn-1.app/vpn-1
    creation-time 2020-04-29:10:26:39
    destination Common/0.0.0.0:any
    ip-protocol tcp
    last-modified-time 2020-04-29:11:32:33
    mask any
    profiles {
        Common/tcp { }
    }
    rules {
        Common/vpn-1.app/rule_bwc_vpn-1_tcp_default
    }
    serverssl-use-sni disabled
    source 0.0.0.0/0
    source-address-translation {
        pool Common/snat-1
        type snat
    }
    translate-address disabled
    translate-port disabled
    vlans {
        Common/connectivity-1
    }
    vlans-enabled
    vs-index 7
}
ltm virtual Common/vpn-1.app/vs_bwc_vpn-1_udp_default {
    app-service /Common/vpn-1.app/vpn-1
    creation-time 2020-04-29:10:26:39
    destination Common/0.0.0.0:any
    ip-protocol udp
    last-modified-time 2020-04-29:11:32:33
    mask any
    profiles {
        Common/udp { }
    }
    rules {
        Common/vpn-1.app/rule_bwc_vpn-1_udp_default
    }
    serverssl-use-sni disabled
    source 0.0.0.0/0
    source-address-translation {
        pool Common/snat-1
        type snat
    }
    translate-address disabled
    translate-port disabled
    vlans {
        Common/connectivity-1
    }
    vlans-enabled
    vs-index 6
}

It works!

iperf with no bandwidth controller

$ iperf -c 10.20.20.3
------------------------------------------------------------
Client connecting to 10.20.20.3, TCP port 5001
TCP window size: 64.0 KByte (default)
------------------------------------------------------------
[  3] local 10.20.20.131 port 5957 connected with 10.20.20.3 port 5001
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-10.0 sec   184 MBytes   154 Mbits/sec

iperf with a 10Mbps bandwidth controller applied

$ iperf -c 10.20.20.3
------------------------------------------------------------
Client connecting to 10.20.20.3, TCP port 5001
TCP window size: 64.0 KByte (default)
------------------------------------------------------------
[  3] local 10.20.20.131 port 6066 connected with 10.20.20.3 port 5001
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-10.2 sec  12.1 MBytes  9.98 Mbits/sec

Make it easy

I've shown you how to put the constituent parts together yourself, but thanks to the magic of iApps you can have it all done automatically.

You can use the iApp at APM VPN Bandwidth Controller iApp: just create the BWC policy you want to apply beforehand and run the iApp.

You can even treat certain protocols differently. Imagine you want to limit HTTPS to 1Mbps but allow other traffic 10Mbps, because a 1 second delay in a web page load is barely noticeable but a 1 second delay in a Zoom session is very noticeable!
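As an added example (not the iApp's rule, and not code from the original post), here is one way to write that per-protocol variant of the iRule from the iRules section above by hand, for the TCP virtual server. It assumes two BWC policies already exist, /Common/bwc-1M and /Common/bwc-10M (both names are assumptions), and it keys both directions on the user's tunnel address and source port so that the clientside and serverside flows share one policy user entry:

```tcl
# Added example iRule (not the iApp's code). Assumed BWC policies:
#   /Common/bwc-1M  - applied to traffic the user sends to TCP port 443
#   /Common/bwc-10M - applied to everything else
# Attach to the TCP virtual server that listens on the connectivity tunnel.
when CLIENT_ACCEPTED {
    # In CLIENT_ACCEPTED the client is the VPN user on the tunnel, so this
    # string identifies the user's flow. Save it so SERVER_CONNECTED uses the
    # same identifier and both directions count against one BWC user entry.
    set user "[IP::client_addr]:[TCP::client_port]"

    # TCP::local_port is the destination port the user connected to; the
    # virtual server is a wildcard (0.0.0.0:any) so this is the real port.
    switch [TCP::local_port] {
        443 {
            set bwc_policy "/Common/bwc-1M"
        }
        default {
            set bwc_policy "/Common/bwc-10M"
        }
    }
    BWC::policy attach $bwc_policy $user
}

when SERVER_CONNECTED {
    # Variables set in CLIENT_ACCEPTED are still available on the same
    # connection, so the serverside flow gets the same policy and user id.
    BWC::policy attach $bwc_policy $user
}
```

On the UDP virtual server, replace TCP::client_port and TCP::local_port with UDP::client_port and UDP::local_port. Matching on destination port is a heuristic: anything the user sends to TCP port 443 is treated as HTTPS whatever it really is, so a real-time application that falls back to TCP 443 will be limited along with the web traffic.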

Published Apr 29, 2020
Version 1.0