
Traffic Assignment

In document XIPLink User Guide XIP OS (Page 81-84)

4. The XipOS Web Interface

4.5. Optimization

4.5.4. Traffic Assignment

The Traffic Assignment tab allows you to assign traffic to the various QoS queues defined in the Service Assignment tab. Traffic assignment is done using firewall rules, and so the Traffic Assignment tab is actually a firewall rule editor.

In addition to creating and editing firewall rules associated with the QoS queues, you can also create your own firewall rules for your own purposes.

The order of the rules is critical. Each rule is numbered, and rules with a lower number (i.e. that are higher in the list) are matched before the rules that follow. The first matching rule decides what happens to a packet, so a general rule placed above a more specific one silently prevents the specific rule from ever matching. Therefore, the more specific rules must appear higher in the list than more general ones.

You can rearrange the rules by dragging-and-dropping them using the green rule numbers on the left of the list.

To create a new firewall rule, click on either the Add First button (to insert a new rule at the top of the list) or the Add Last button (to add a new rule to the bottom of the list). At any time you can use the rule's number (in green) on the left to drag-and-drop the rule to where you want it in the overall list.

When you move the mouse cursor over a rule, it is highlighted. Clicking on a rule's highlighted area selects the rule. You can also shift-click and control-click to select more than one rule.

With one or more rules selected, you can remove and/or duplicate them with the Cut, Copy and Paste buttons. Pasted rules are inserted above the topmost currently selected rule.

The Del button allows you to delete the selected rule(s).

Firewall rule fields are described below. Editable fields have a control such as a dropdown box, a context button, or a check box.

Network Objects

Network Objects provide a convenient method for naming and referring to various network entities, such as site subnets or protocol port numbers.

With Network Objects you can use names to represent a value (or a list of values) in a firewall rule. For example, the name NET:Site3 can represent a subnet address such as 10.1.3.0/24. You can use the NET:Site3 name in firewall fields instead of the numeric subnet. This makes it easier to understand the firewall rules.

If you later change the value of the NET:Site3 name, the new value will be applied wherever the name is used. This simplifies updating the optimizer's configuration as your network evolves.

There are 2 types of Network Object:

• NET objects represent a network, either as a subnet in CIDR notation or as a list of IP addresses.

• PORT objects represent one or more protocol port numbers.

Access to the Network Objects is through the context button associated with particular firewall fields.

Clicking that button opens the Network Object window:

The Network Object window provides different methods for entering information in a firewall rule field:

• Enter text allows you to edit the field directly.

• Select Network Object allows you to choose a network object you've already defined, such as the objects created when you define links and sites on the Networks tab. Double-click an entry in the list to edit it. You can also add new objects here or delete existing ones.

When you select one of the items here, its name appears in the selected firewall rule's field.

• Select Port Object allows you to choose a named protocol port number, such as http for port 80. Double-click an entry in the list to edit it. You can also add new port objects here or delete existing ones.

4.5.4.1. Firewall Rule Fields

Many of a firewall rule's fields are used to match the rule against network traffic.

When one of these fields is empty it means the rule matches against any value for that field.

^v: Rule number and position bar. Drag-and-drop this green number to move the rule within the list.

Enbl: A checkbox indicating whether the rule is enabled or disabled. For testing or debugging, you can switch rules on or off without having to delete them.

Prot: Match the rule against a specific protocol. For more information on these protocols, refer to http://www.protocols.com/.

Source Addr: Match the rule against traffic arriving from a particular IP address or subnet. Click on the context button to specify a value via the Network Objects window.

Src Port: Match the rule against traffic arriving from a particular protocol port number. (Note that some protocols don't use port numbers. Port number matching is typically useful with TCP or UDP.) Click on the context button to specify a value via the Network Objects window.

Dest Addr: Match the rule against traffic going to a particular IP address or subnet. Click on the context button to specify a value via the Network Objects window.

Dst Port: Match the rule against traffic going to a particular protocol port number. (Note that some protocols don't use port numbers. Port number matching is typically useful with TCP or UDP.) Click on the context button to specify a value via the Network Objects window.

VLAN: (Only available in Bridge mode when VLAN Transparency is enabled.) Match the rule against traffic in a specific VLAN.

Action: Allow or Deny traffic that matches the rule. Denied traffic is dropped. Rules that deny traffic are particularly useful when you want to prevent that traffic from passing through the device, or if you wish to block connections to the device's web UI or SSH server [2] from specific hosts or networks.

Opt-TCP: (For TCP rules only.) Select this to apply TCP optimizations to the traffic that matches this rule. You may wish to disable TCP optimization for internal traffic that is not destined to go over the wireless link.

QoS Queue: The fully-qualified name of the QoS queue associated with the rule. Traffic that matches the rule will be put into this QoS queue. This field cannot be changed here; use the Service Assignment tab to associate rules with QoS queues. Note that this field is resizeable.

DSCP In: Match the rule against traffic marked with the specified Differentiated Services Code Point value.

DSCP Out: This is not a traffic-matching field. Rather, it specifies that traffic matching the rule should be marked with the specified Differentiated Services Code Point value. This is useful if there are upstream devices that can prioritize traffic based on a DSCP value.

[2] Cryptographic security features, including the SSH server, are only available on "Crypto" product models. For non-Crypto products you should instead restrict telnet access.

Fields for Lightweight Tunnelling Features

The following firewall rule fields are only available when lightweight tunnelling is enabled. None of these are traffic-matching fields.

XRT Action: Specifies the XipLink Real Time (XRT) optimization to apply to traffic in this QoS queue. The possible XRT optimizations are:

• Tunnel: Pass the traffic through the lightweight tunnel, but do not apply any XRT optimizations.

• Coalesce: Pass the traffic through the lightweight tunnel and coalesce the packets.

• ROHC: Pass the traffic through the lightweight tunnel, coalesce the packets, and compress the IP and UDP packet headers.

• RTP-ROHC: Pass the traffic through the lightweight tunnel, coalesce the packets, and compress the IP, UDP and RTP packet headers. See the section called “Header Compression” for details.

• Do not Tunnel: Do not pass the traffic through the lightweight tunnel and do not apply any XRT optimizations.

XRT Q: (Only available when XRT Action is Coalesce or higher.) Specifies the packet-coalescing queue to use for the traffic. The purpose of this field is to ensure that DSCP markings are preserved on coalesced packets. When packet coalescing combines several packets into one, only the first packet's DSCP field is preserved. If you're coalescing traffic with different DSCP classes, you need to associate each DSCP class with a different XRT Q so that the de-coalesced packets retain the correct DSCP markings.
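The effect the XRT Q field guards against can be seen by modelling coalescing as the paragraph above describes it: a bundle carries only the first packet's DSCP, and every packet recovered from that bundle comes out with that DSCP. The following Python is an added example, not XipOS code; the packets, DSCP values, bundle size and the two queue-selection policies are constructed for illustration.

```python
"""Why traffic with different DSCP classes needs different XRT Qs.

Added example, not XipOS code. Models coalescing as the manual describes it:
a bundle carries the first packet's DSCP, and de-coalescing gives every packet
in the bundle that DSCP. Packets and the bundle size are constructed.
"""
from collections import defaultdict

EF, AF41, BE = 46, 34, 0   # DSCP code points: expedited forwarding, assured forwarding, best effort


def coalesce(packets, max_bundle=3):
    """Combine packets in arrival order into bundles of up to max_bundle packets.
    Each bundle keeps only the DSCP of its first packet."""
    bundles = []
    for i in range(0, len(packets), max_bundle):
        chunk = packets[i:i + max_bundle]
        bundles.append({"dscp": chunk[0]["dscp"], "payloads": [p["payload"] for p in chunk]})
    return bundles


def decoalesce(bundles):
    """Split bundles back into packets; each packet inherits its bundle's DSCP."""
    return [{"dscp": b["dscp"], "payload": pl} for b in bundles for pl in b["payloads"]]


def send(packets, queue_of):
    """Run packets through per-queue coalescing. queue_of maps a packet to its XRT Q."""
    queues = defaultdict(list)
    for p in packets:
        queues[queue_of(p)].append(p)
    out = []
    for q in queues.values():
        out.extend(decoalesce(coalesce(q)))
    return out


def remarked(packets, queue_of):
    """Payloads whose DSCP after the tunnel differs from what the sender set."""
    before = {p["payload"]: p["dscp"] for p in packets}
    return sorted(p["payload"] for p in send(packets, queue_of) if p["dscp"] != before[p["payload"]])


def single_queue(p):
    """Everything in one XRT Q."""
    return 0


def queue_per_class(p):
    """One XRT Q per DSCP class, as the manual recommends."""
    return p["dscp"]


# Constructed traffic: voice (EF), video (AF41) and bulk (BE) packets interleaved.
TRAFFIC = [
    {"payload": "voice-1", "dscp": EF}, {"payload": "bulk-1", "dscp": BE},
    {"payload": "voice-2", "dscp": EF}, {"payload": "video-1", "dscp": AF41},
    {"payload": "bulk-2", "dscp": BE}, {"payload": "voice-3", "dscp": EF},
]

if __name__ == "__main__":
    print("re-marked with one XRT Q:", remarked(TRAFFIC, single_queue))
    print("re-marked with one XRT Q per class:", remarked(TRAFFIC, queue_per_class))
```

With a single queue, the bulk packets sharing a bundle with voice come out marked EF and the third voice packet comes out marked AF41, so any upstream device prioritising on DSCP now sees the wrong classes; with one XRT Q per DSCP class every packet keeps its original marking.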

Opt-IP: Specifies whether or not to apply byte caching and packet compression to the traffic. Options are None to disable these features, and Max to enable both schemes.

Packet compression includes Advanced Cellular Compression, if it is enabled.
