Setting Up Rules to Work on Gateway / File Server

Hello. I am having a problem getting my network setup correctly. I have a server with two NICs acting as a gateway to the internet (WAN/192.168.0.1). It also has local files to be shared. The 15 clients have IP addresses 192.168.0.x with 192.168.0.1 as their gateway. Here is what I have for rules on the server:

RULE 1
Direction: Both
Rate: Unlimited
Protocol: Any IP Based
Interface: LAN
Source: Whole IP Range: 192.168.0.0 to 192.168.0.15
Destination: Whole IP Range: 192.168.0.0 to 192.168.0.15
Dest: Any
Port: Any

INTERNET RULES FOR CLIENTS 2 THRU 15
Direction: Out
Rate: 300 kbit/s
Protocol: TCP/UDP
Interface: LAN
Source: Local
Source Port: Any
Destination: MAC Address
Destination Port: Any

Direction: In
Rate: 75 kbit/s
Protocol: TCP/UDP
Interface: LAN
Source: MAC Address
Source Port: Any
Destination: Local
Destination Port: Any

LAST RULE
Direction: Both
Rate: Blocked
Protocol: TCP/UDP
Interface: LAN
Source: Any
Destination: Any
Dest: Any
Port: Any

When I first set it up, the rules worked fine for controlling internet access, but accessing the shared files on the server was slow. After reading your forums, I added RULE 1 and it fixed the problem with the speed to the server’s shared files. Now my problem is that the internet access rules are only working on the IN/Upload side to the server. It is not restricting the internet download speed from the server. To verify, when I refresh my Rules View, the Received column changes for all of the clients’ exchanges to the server showing the upload limit is working, but the Sent from the server to the clients remains the same/zero. That is all falling under the Unlimited/RULE 1’s Sent column.

I have tried changing the Download/Out rule source from Local to Any, but it did not change my results.

Is there something else that I’m missing?

Thank you for your help,

Dave

Is there a proxy server runnung on the two NICs machine?
I would change your rules in this way (ports are all set to "any":

Direction: Both 
Rate: Unlimited 
Protocol: Any IP Based 
Interface: LAN 
Source: Whole IP Range: 192.168.0.0 to 192.168.0.15 
Destination: Whole IP Range: 192.168.0.0 to 192.168.0.15 

INTERNET RULES FOR CLIENTS 2 THRU 15 
Direction: Out 
Rate: 300 kbit/s 
Protocol: TCP/UDP 
Interface: LAN 
Source: Any
Destination: MAC Address 

Direction: In 
Rate: 75 kbit/s 
Protocol: TCP/UDP 
Interface: LAN 
Source: MAC Address 
Destination: Any

LAST RULE 
Direction: Both 
Rate: Blocked 
Protocol: TCP/UDP 
Interface: LAN 
Source: 192.168.0.0 to 192.168.255.255
Destination: Any

Hope this helps. If no, please tell me more about the server configuration (software, not hardware).

Thank you for the quick reply. I changed the ports and source to Any:any and it is still the same. I do have the server setup as a caching proxy on 8080; I have tried using the rules found in the help file (Local:8080), but I get the same results where it only restricts the upload limit. I also wanted to limit bandwidth on other messaging apps that go around the proxy port, so I was using Any for the port. The proxy is ISA 2004. Will I need additional rules for this setup?

Dave

So, you've got a proxy server for downloads and NO proxy for uploads, right? Then, the rules will be different. First we need to describe those who download data through proxy. Secondly, allow unlimited local bandwidth. Finally, throttle uploads. The rules order is important:

Name: Downloads
Direction: Out 
Rate: 300 kbit/s 
Protocol: TCP/UDP 
Interface: LAN 
Source: Local : port 8080
Destination: MAC Address 

Name: Local communications
Direction: Both 
Rate: Unlimited 
Protocol: Any IP Based 
Interface: LAN 
Source: Whole IP Range: 192.168.0.0 to 192.168.0.15 
Destination: Whole IP Range: 192.168.0.0 to 192.168.0.15 

Name: Uploads
Direction: In 
Rate: 75 kbit/s 
Protocol: TCP/UDP 
Interface: LAN 
Source: MAC Address 
Destination: Any

Try this configuration without the blocking rule. If it works, I'll tell you how to block the rest (it isn't trivial is this case).

Thank you -- That configuration is working great now. I look forward to your solution on preventing access if someone picks an IP address outside the range of the bandwidth limited addresses. The blocking rule at the end won’t work?

Yes, it won't work. First we need to list those who can download through the proxy. Then block anyone else. Second, permit local communications. Third, permit direct uploads. Then block anyone else. Have a look on the following ruleset:

Name: Downloads
Direction: Out 
Rate: 300 kbit/s 
Protocol: TCP/UDP 
Interface: LAN 
Source: Local : port 8080
Destination: MAC Address 

....
Other rules permitting downloads must be here
....

Name: Block unauthorized downloads
Direction: Out 
Rate: Blocked
Protocol: TCP/UDP 
Interface: LAN 
Source: Local : port 8080
Destination: 192.168.0.0 to 192.168.255.255

Name: Local communications
Direction: Both 
Rate: Unlimited 
Protocol: Any IP Based 
Interface: LAN 
Source: Whole IP Range: 192.168.0.0 to 192.168.0.15 
Destination: Whole IP Range: 192.168.0.0 to 192.168.0.15 

Name: Uploads
Direction: In 
Rate: 75 kbit/s 
Protocol: TCP/UDP 
Interface: LAN 
Source: MAC Address 
Destination: Any

...
Other rules permitting uploads must be here
...

Name: Block unauthorized uploads
Direction: In 
Rate: Blocked
Protocol: TCP/UDP 
Interface: LAN 
Source: 192.168.0.0 to 192.168.255.255
Destination: Any

It is working great now. Thank you for walking me through this.

Dave