zhangqiao@ruiji Publish time 2024-4-7 15:27:49

How to use custom policies to restrict the traffic with specific IP address?

1. Overview
Custom policies are used to restrict the traffic of specific IP addresses based on the smart flow control function, thereby meeting the bandwidth requirements of specific users or servers. When you create a custom flow control policy, you can flexibly configure the limited user range, the bandwidth limit, the limited application traffic, and the rate limit mode. When a custom policy is enabled, it takes precedence over the smart flow control configuration.
Custom policies fall into common policies and VPN policies.
Common policies include the custom policies configured on the Eweb or Ruijie Cloud and the flow control policies configured on Ruijie Cloud for authentication accounts. Common policies manage common traffic.
Common policies and VPN policies are used to manage common traffic and VPN traffic, respectively.
2. Getting Started
Before you configure a custom policy, enable smart flow control first. For details, see: community.ruijienetworks.com/forum.php?mod=viewthread&tid=7935&extra=page%3D1
3. Configuration Steps
Choose One-Device > Gateway > Config > Behavior > Flow Control > Custom Policy.
(1) Set Policy Type.
data/attachment/forum/202404/07/143332ieddn9je9n947e9x.png
*Note
The flow control policies configured on Ruijie Cloud and Eweb are displayed in the Normal Policy list. The flow control policies for authentication accounts configured on Ruijie Cloud cannot be edited or deleted on Eweb. You can only enable or disable these policies and change their priority.
(2) (Optional) Switch the application library
*Note
This feature is only supported on RG-EG105G-V2 and RG-EG210G.
[*]The application lists vary in different regions. The Chinese and International versions of the application library are provided. Select the version that matches your region.
[*]Click to select Application Library Version and click OK. The version is switched after a few minutes.
*Caution

[*]It takes about one minute to switch the application library version. Please wait.
[*]If you switch the application library, the template of the application priority will be reset, and the old application control policy may be inactive. Please proceed with caution.
data/attachment/forum/202404/07/143704jnnog8vel6k67lku.png
(3) Set a custom policy

[*]Set a custom policy
         Set Policy Type to Normal Policy and click Add to create a custom flow control policy.
a. Set a custom policy.
      You can set up to 30 custom common policies, including the custom policies configured on Eweb and Ruijie Cloud.
      You can set up to 20 flow control policies for authentication accounts on Ruijie Cloud. The Eweb only displays these policies.
data/attachment/forum/202404/07/151718vuv2rx25xbxx5g2c.png
b. Configure items related to a common policy
Table 1-1 Configuration of a Custom Policy

Parameter: Description

Policy Name: A policy name uniquely identifies a custom flow control policy. It cannot be modified.

Type: The type of a flow control policy can be set to the following:
>User Group: Indicates that the policy is applied to users in a specified user group. You need to select a user group to be managed.
>Custom: Indicates that the policy is applied to users in a specified IP address segment. You need to manually enter the IP address range to be managed.

User Group: Select a user to be managed by the policy from the user group list.
If you select all members of a user group, the policy takes effect on the entire user group (it also takes effect on members added to the user group later).
This parameter is required when Type is set to User Group.

IP/IP Range: Specify the IP address range for the flow control policy to take effect. When Type is set to Custom, enter the IP address manually. You can enter a single IP address or an IP address segment.
This parameter is required when Type is set to Client.
The IP address range must be within a LAN segment.
You can choose One-Device > Gateway > Monitor > Ethernet status to check the network segment of the current LAN port. For example, the network segment of the LAN port shown in the figure below is 192.168.2.0/24.
data/attachment/forum/202404/07/144113u8jf2ajujjouuf4u.png

Bandwidth Type:
>Shared: Indicates that all users in a user group (all IP addresses in an address range) share the configured uplink and downlink bandwidths, and the bandwidth of a single user is not limited.
>Independent: Indicates that all users in a user group (all IP addresses in an address range) share the configured uplink and downlink bandwidths, and the maximum bandwidth of a single user can be limited.

Application: When Bandwidth Type is set to Shared, the flow control policy can be configured to take effect only on specified applications.
>All Applications: Indicates that the flow control policy takes effect on all applications in the current application library.
>Custom: Indicates that the flow control policy takes effect only on specified applications in the application list.
>Application Group: Indicates that the flow control policy takes effect only on specified applications in the application list.
When Bandwidth Type is set to Independent, some models do not support application selection and the flow control policy takes effect on all applications in the current application library by default.
For the models, contact technical support engineers.

Application List: When Application is set to Custom, it specifies the applications on which the policy takes effect. The traffic of the selected applications is subject to the policy.

Application Group: When Application is set to Application Group, it specifies the application groups on which the policy takes effect. The traffic of the selected application group is subject to the policy.

Channel Priority: Specify the traffic guarantee level. The value range is from 0 to 7. A smaller value indicates a higher priority and the value 0 indicates the highest priority.
Different traffic priority values correspond to different application groups in an application template. 2 indicates the key group, 4 indicates the normal group, and 6 indicates the suppression group.

Bandwidth Limit: Configure whether to limit the bandwidth.
>Limit Kbps: You can set the uplink and downlink bandwidth limits as needed.
>No Limit: When the bandwidth is sufficient, the maximum bandwidth is not limited. When the bandwidth is insufficient, the minimum bandwidth cannot be guaranteed.

Uplink Bandwidth: Configure the data transmission rate in uploading, in Kbps. It includes Limit-at, Max-Limit, and Max-Limit per User.
>Limit-at: Specifies the minimum bandwidth that can be shared by all users when the bandwidth is insufficient.
>Max-Limit: Specifies the total maximum bandwidth that can be occupied by all users when the bandwidth is sufficient.
>Max-Limit per User: Specifies the maximum bandwidth that can be occupied by each user when multiple users share the bandwidth. It is optional and can be configured only when Bandwidth Type is set to Independent. The rate is not limited by default.

Downlink Rate: Configure the data transmission rate in uploading and downloading, in Kbps. It includes Limit-at, Max-Limit, and Max-Limit per User.
>Limit-at: Specifies the minimum bandwidth that can be shared by all users when the bandwidth is insufficient.
>Max-Limit: Specifies the total maximum bandwidth that can be occupied by all users when the bandwidth is sufficient.
>Max-Limit per User: Specifies the maximum bandwidth that can be occupied by each user when multiple users share the bandwidth. It is optional and can be configured only when Bandwidth Type is set to Independent. The rate is not limited by default.

Interface: Specify the WAN port on which the policy takes effect. When it is set to All WAN Ports, the policy will be applied to all WAN ports.

Enabled: Set whether to enable the flow control policy. If it is disabled, the policy does not take effect.

*Caution
After switching the application library version, you may need to reconfigure the application list.
c. Click OK.
[*]Set a custom VPN policy.
a. Set Policy Type to VPN Policy and click Add to create a custom VPN flow control policy. A maximum of 10 VPN policies can be configured.
data/attachment/forum/202404/07/151416an3sdasz4i058q4m.png
b. Configure items related to a VPN policy
Table 1-2 Configuration of a Custom VPN Policy

Parameter: Description

Policy Name: A policy name uniquely identifies a custom flow control policy. It cannot be modified.

Type: The type of a flow control policy can be set to the following:
>User Group: Indicates that the policy is applied to users in a specified user group. You need to select a user group to be managed.
>Custom: Indicates that the policy is applied to users in a specified IP address segment. You need to manually enter the IP address range to be managed.

User Group: Select a user to be managed by the policy from the user group list.
If you select all members of a user group, the policy takes effect on the entire user group (it also takes effect on members added to the user group later).
This parameter is required when Type is set to User Group.

IP/IP Range: Enter an IP address or IP range manually. This parameter is required when Type is set to Client.

Effective User: Specify the type of effective users. It can be set to the following:
>Internal IP/User: For a gateway, IP addresses of clients connected to the gateway are internal IP addresses.
>External IP/External User: For a gateway, non-gateway internal IP addresses are external IP addresses.
The configuration suggestions are as follows:
1. When clients are configured to control VPN traffic, select Internal IP/User to control the traffic of internal network users. When the VPN server is configured to control the VPN traffic, select External IP/External User to control the traffic of external network users.
2. For the VPN of the NAT model, the external IP address of the server must be in the IP address segment of the VPN address pool.
3. For the VPN in router mode, the IP address segment must be set to IP addresses of restricted users. For the VPN in router mode, to configure flow control on internal IP addresses of clients, set internal IP addresses to the IP addresses of the flow control objects.
Note: The external IP address configured by the OpenVPN server is the IP address of the address pool. The internal IP address configured by the client is the actual IP address of the client.

Application: When Bandwidth Type is set to Shared, the flow control policy can be configured to take effect only on specified applications.
1. All Applications: Indicates that the flow control policy takes effect on all applications in the current application library.
2. Custom: Indicates that the flow control policy takes effect only on specified applications in the application list.
3. Application Group: Indicates that the flow control policy takes effect only on specified application groups. The traffic of applications involved in the application group is subject to the policy.
When Bandwidth Type is set to Independent, some models do not support application selection and the flow control policy takes effect on all applications in the current application library by default.
For the models, contact technical support engineers.

Application List: When Application is set to Custom, it specifies the applications on which the policy takes effect. The traffic of the selected applications is subject to the policy.

Application Group: When Application is set to Application Group, it specifies the application group on which the policy takes effect. The traffic of the selected application group is subject to the policy.

Bandwidth Limit: Configure whether to limit the bandwidth.
>Limit: You can set uplink and downlink bandwidth limits as needed.
>No Limit: When the bandwidth is sufficient, the maximum bandwidth is not limited. When the bandwidth is insufficient, the minimum bandwidth is not guaranteed.

Uplink Bandwidth: Configure the maximum uplink bandwidth shared by VPN users matching the policy in Kbps.
When the bandwidth is shared by multiple users, you can also set the maximum uplink bandwidth per user in Kbps. The uplink bandwidth is not limited by default.
Note: The parameter is valid when Bandwidth Limit is set to Limit Kbps.

Downlink Rate: Configure the maximum downlink bandwidth shared by VPN users matching the policy in Kbps.
When the bandwidth is shared by multiple users, you can also set the maximum downlink bandwidth per user in Kbps. The downlink bandwidth is not limited by default.
Note: The parameter is valid when Bandwidth Limit is set to Limit Kbps.

Interface: Specify the VPN port on which the policy takes effect. When it is set to All VPN Ports, the policy will be applied to all VPN ports.

Enabled: Set whether to enable the flow control policy. If it is disabled, the policy does not take effect.

c. Click OK.
(4) View Custom Policies
The current custom policies are displayed in the Policy List section. You can modify and delete a custom policy. To delete multiple custom policies in a batch, select the desired policies and click Delete Selected.
○Normal policy list
data/attachment/forum/202404/07/152601feeeuj9osiu2iu8j.png
○VPN policy list
data/attachment/forum/202404/07/152628by8o88moxmdymdxm.png
Table 1-3 Policy list information

Parameter: Description

Application List: The Application List contains the applications to which the policy is valid. If the Application Library matches with the Application that is set to Custom and supported by the policy, data/attachment/forum/202404/07/152659zt3d8ptdczptt3vt.png is displayed in the Application List. If not, data/attachment/forum/202404/07/152704qok3lg8ogkuoaguu.png is displayed.

Status: Indicates whether the current policy is enabled. You can click to edit the status. If the Application Library does not match with the Application that is set to Custom and supported by the policy, you cannot edit the Status directly. Please click Edit in the action bar to edit the policy or switch the application library.

Effective State: Indicates whether the policy is effective in the current system. If Inactive is displayed, check whether the policy is enabled, whether the policy-enabled port exists, and whether the Application Library matches with the Application to which the policy is valid.

Match Order: All the created custom policies are displayed in the policy list, with the latest policy listed on the top. The device matches the policies according to their sorting in the list. You can manually adjust the policy matching sequence by clicking data/attachment/forum/202404/07/152713nzgcqt4qqnuduqt4.png or data/attachment/forum/202404/07/152719recc02k5cv8ocuz2.png in the list.

Action: You can modify and delete the custom policy.
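
The constraints in Table 1-1 and the list-order matching described under Match Order can be checked on paper before a policy is entered in Eweb. The sketch below is an added example, not Ruijie code or a device API: the Policy record, validate and first_match are hypothetical names, the sample policies are constructed, and it assumes that the first enabled policy covering an address is the one applied.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

MAX_COMMON_POLICIES = 30  # limit the guide states for custom common policies

@dataclass
class Policy:  # hypothetical planning record, not a device data structure
    name: str
    first_ip: str
    last_ip: str
    bandwidth_type: str  # "Shared" or "Independent"
    channel_priority: int
    max_per_user_kbps: Optional[int] = None
    enabled: bool = True

def validate(policy, lan_cidr, existing=()):
    """Return the problems found against the constraints listed in Table 1-1."""
    problems = []
    lan = ipaddress.ip_network(lan_cidr)
    first = ipaddress.ip_address(policy.first_ip)
    last = ipaddress.ip_address(policy.last_ip)
    if first > last:
        problems.append("range start is above range end")
    if first not in lan or last not in lan:
        problems.append("IP range is outside the LAN segment")
    if not 0 <= policy.channel_priority <= 7:
        problems.append("channel priority must be 0-7")
    if policy.max_per_user_kbps is not None and policy.bandwidth_type != "Independent":
        problems.append("Max-Limit per User needs Bandwidth Type Independent")
    if any(p.name == policy.name for p in existing):
        problems.append("policy name already in use")
    if len(existing) >= MAX_COMMON_POLICIES:
        problems.append("30 custom common policies already exist")
    return problems

def first_match(policies, client_ip):
    """Walk the list top-down; assume the first enabled policy covering the IP wins."""
    ip = ipaddress.ip_address(client_ip)
    for p in policies:
        lo, hi = ipaddress.ip_address(p.first_ip), ipaddress.ip_address(p.last_ip)
        if p.enabled and lo <= ip <= hi:
            return p.name
    return None

# Constructed sample: list order as shown in the Policy List, newest on top.
LAN = "192.168.2.0/24"  # LAN segment used as the example in the guide
POLICIES = [
    Policy("guest-cap", "192.168.2.100", "192.168.2.200", "Independent", 6, 2000),
    Policy("printer", "192.168.2.150", "192.168.2.150", "Shared", 2),
]
```

With this sample, first_match(POLICIES, "192.168.2.150") returns guest-cap: the single-address printer policy sits lower in the list and is not reached until it is moved above the wider range.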
