Description:

Some scenarios require the prioritization of certain data traffic (e.g. real-time data traffic) along with guaranteed bandwidths. This can be implemented on a Unified Firewall using the Traffic Shaping feature.

This article describes how to configure Traffic Shaping on a LANCOM R&S®Unified Firewall.

Traffic Shaping can only be used for communications between the LAN and WAN, but not for communication between different local networks.


Requirements:

  • LANCOM R&S® Unified Firewall with LCOS FX as of version 10.8 REL
  • A configured and functional network with Internet connection on the Unified Firewall
  • Web browser for configuring the Unified Firewall

    The following browsers are supported:
    • Google Chrome
    • Chromium
    • Mozilla Firefox


Scenario:

In this example scenario, VoIP data traffic should be treated with priority.


Procedure:

How Traffic Shaping works:


Packets must be assigned to a Traffic Group to be processed by the Traffic Shaping module. There are two ways to assign traffic to a Traffic Group:

  1. By selecting the Traffic Group in a desktop connection, an IPsec connection, or an Application Routing profile
  2. By selecting a DSCP value in the field Incoming DSCP of the Traffic Group. This means that all data traffic transmitted via the Unified Firewall and with the matching DSCP value is assigned to the Traffic Group.

 

When assigning the Traffic Group or a DSCP value via Outgoing DSCP for a desktop connection, an IPsec connection, or an Application Routing profile, the following options are available:

  1. Neither the Traffic Group nor a DSCP value is selected for Outgoing DSCP.
    → No traffic shaping takes place.
  2. The Traffic Group is selected but no DSCP value is set for Outgoing DSCP.
    → The data traffic is assigned to a Traffic Group and prioritized or limited according to the Shaping Configuration.
  3. No Traffic Group is selected but a DSCP value is set for Outgoing DSCP.
    → The Unified Firewall sets the DSCP value for all outbound packets (can be recognized by downstream devices and prioritized accordingly).
  4. A Traffic Group is selected and a DSCP value is set for Outgoing DSCP.
    → The data traffic is assigned to a Traffic Group and prioritized or limited according to the Shaping configuration.
    → The Unified Firewall sets the DSCP value for all outbound packets (can be recognized by downstream devices and prioritized accordingly).

 

Behavior of a Traffic Group with or without an assigned DSCP value:

  • In a Traffic Group with an assigned DSCP value, the first packet received with this value is treated as an inbound packet. The source (LAN or WAN) is irrelevant.
  • If a Traffic Group has no DSCP value assigned to it, the allocation of traffic to a Traffic Group can only be achieved by entering it into a desktop connection, an IPsec connection, or an Application Routing profile.


1) Creating a Traffic Group (required):

1.1) Connect to the Unified Firewall, go to the menu Network → Traffic Shaping → Traffic Groups and click on the “+” icon to create a new traffic group.

Image of a detailed network configuration interface displaying various settings including Traffic Groups, Monitoring Statistics, DHCP Interfaces, Dynamic DNS Accounts, Routing, and WLAN Settings.

1.2) Adjust the following parameters to create a group for VoIP traffic and click Create:

  • Name : Enter a descriptive name for the group (in this example VoIP).
  • Incoming DSCP : Choose an appropriate DSCP value for the group (in this case for VoIP, the flag EF (Telephony) is used).

Specifying a DSCP value in the field Incoming DSCP is optional.

Screenshot of a VoIP configuration interface showing options for incoming DSCP EF Telephony settings with a notification that changes will be preserved until the user cancels or logs out.



2) Creating a Shaping Configuration (optional):

2.1) Go to the menu Network → Traffic Shaping → Shaping Configurations and click the “+” icon to create a new Shaping Configuration.

Image displaying a technical configuration interface with options for network monitoring, DHCP interfaces, DNS recounts, routing, and traffic shaping configurations.

2.2) Change the following parameters:

  • Interface : Select the Interface used for the Internet connection from the drop-down menu. Only one Shaping Configuration can be created per interface at any time.
  • Maximum Download Bandwidth : Enter the Maximum Download Bandwidth of the Internet connection (in this example 100 Mbps).
  • Maximum Upload Bandwidth : Enter the Maximum Upload Bandwidth of the Internet connection (in this example 40 Mbps).

A policy-based IPsec connection can also be used as an interface. In this case, Traffic Shaping takes effect before data traffic is sent into the tunnel.

Image displays a network configuration interface showing settings for maximum download and upload bandwidth, along with inbound and outbound traffic group rules, including priority and bandwidth limits.

2.3) For the inbound traffic, adjust the following parameters under Inbound Rules and click the “+” icon to accept them:

How "Inbound Rules" work


If an inbound packet is detected with the DSCP value assigned to the Traffic Group (the first inbound packet with this value), the rule applies and guarantees or limits the bandwidth for this packet.

The sum of the guaranteed bandwidths of all rules in any transmission direction must not exceed the maximum interface bandwidth for this transmission direction.

  • Traffic Group : From the drop-down menu, select the Traffic Group created in step 1 (in this case VoIP).
  • Priority : From the drop-down menu, set a priority between 1 and 7, where 1 is the highest and 7 the lowest priority. Data traffic that does not match any of the rules has the lowest priority, and bandwidth is not guaranteed. Multiple rules can have the same priority. In this case, the transmission medium is shared out “fairly”.
  • Guaranteed Bandwidth : Enter the guaranteed bandwidth for inbound traffic. This is then reserved for the selected connection and is not available elsewhere.
  • Maximum Bandwidth : Enter the maximum bandwidth for inbound traffic. If this bandwidth is exceeded, the Unified Firewall discards the relevant packets.

Screenshot of a network configuration interface displaying inbound rules, traffic groups, priority settings, guaranteed bandwidth, and maximum bandwidth options.

2.4) For the outbound traffic, adjust the following parameters under Outbound Rules and click the “+” icon to accept them:

How "Outbound Rules" work


The sum of the guaranteed bandwidths of all rules in any transmission direction must not exceed the maximum interface bandwidth for this transmission direction.

  • Traffic Group : From the drop-down menu, select the Traffic Group created in step 1 (in this case VoIP).
  • Priority : From the drop-down menu, set a priority between 1 and 7, where 1 is the highest and 7 the lowest priority. Data traffic that does not match any of the rules has the lowest priority, and bandwidth is not guaranteed. Multiple rules can have the same priority. In this case, the transmission medium is shared out “fairly”.
  • Guaranteed Bandwidth : Enter the guaranteed bandwidth for outbound traffic. This is then reserved for the selected connection and is not available elsewhere.
  • Maximum Bandwidth : Enter the maximum bandwidth for outbound traffic. If this bandwidth is exceeded, the Unified Firewall discards the relevant packets.

Screenshot of a network configuration interface showing details for outbound traffic rules including traffic group, priority, guaranteed bandwidth, and maximum bandwidth settings.

2.5) Then click Create.

Screenshot of a network configuration interface showing settings for maximum download and upload bandwidth, as well as inbound and outbound rules for VoIP traffic with designated priorities and bandwidth limits.
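The constraints from step 2 can be checked on a planned configuration before it is entered in the web interface. This added example (not from the original article, not LANCOM code) checks the three rules stated above: one Shaping Configuration per interface, priorities from 1 to 7, and guaranteed bandwidths per direction not exceeding the interface maximum. The interface name `eth0`, the `Backup` group and all rule values are constructed; comparing inbound rules with the download bandwidth and outbound rules with the upload bandwidth is an assumption.

```python
from dataclasses import dataclass, field

@dataclass
class Rule:
    traffic_group: str
    priority: int            # 1 = highest, 7 = lowest
    guaranteed_mbps: float
    maximum_mbps: float

@dataclass
class ShapingConfig:
    interface: str
    max_download_mbps: float
    max_upload_mbps: float
    inbound: list = field(default_factory=list)
    outbound: list = field(default_factory=list)

def validate(configs):
    """Return a list of violations of the rules stated in the article."""
    problems, seen = [], set()
    for cfg in configs:
        if cfg.interface in seen:
            problems.append(f"{cfg.interface}: more than one Shaping Configuration")
        seen.add(cfg.interface)
        # Assumption: inbound rules count against download, outbound against upload.
        for direction, rules, limit in (
            ("inbound", cfg.inbound, cfg.max_download_mbps),
            ("outbound", cfg.outbound, cfg.max_upload_mbps),
        ):
            for r in rules:
                if not 1 <= r.priority <= 7:
                    problems.append(f"{cfg.interface} {direction} {r.traffic_group}: "
                                    f"priority {r.priority} outside 1..7")
            total = sum(r.guaranteed_mbps for r in rules)
            if total > limit:
                problems.append(f"{cfg.interface} {direction}: guaranteed "
                                f"{total} Mbps exceeds maximum {limit} Mbps")
    return problems

# Constructed plans using the article's 100/40 Mbps line; rule values are invented.
SAMPLE_OK = ShapingConfig("eth0", 100, 40,
                          inbound=[Rule("VoIP", 1, 10, 20)],
                          outbound=[Rule("VoIP", 1, 10, 20)])
SAMPLE_BAD = ShapingConfig("eth0", 100, 40,
                           inbound=[Rule("VoIP", 1, 10, 20)],
                           outbound=[Rule("VoIP", 1, 10, 20),
                                     Rule("Backup", 9, 35, 40)])

if __name__ == "__main__":
    print("\n".join(validate([SAMPLE_OK, SAMPLE_BAD])) or "no problems")
```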



3) Working with the Shaping Configuration:

To apply the Shaping Configuration created in step 2, the Traffic Group used in it must be referenced from a desktop connection, an IPsec connection, or an Application Routing profile (or from several of these).


3.1) Using the Shaping Configuration in a desktop connection:

On the desktop, click the network object, select the connection tool, and click the Internet object to open the desktop connection.



3.1.1) Using the Shaping Configuration for the whole desktop connection:

Go to the Traffic Shaping tab and, using the drop-down menu Traffic Group, select the Traffic Group created in step 1 (in this example VoIP) and click Save.

Optionally, the Outgoing DSCP can be set to a DSCP value that is assigned to outbound packets.

An image of a network configuration interface displaying various settings including NAT rules, URL content filtering, application filtering, application-based routing, and traffic shaping, with options for VoIP and telephony marked.


3.1.2) Using the Shaping Configuration for individual protocols of a desktop connection:

3.1.2.1) Under Options for the relevant protocol (in this example the user-defined service SIP), click NAT to reach the advanced settings.

Screenshot of a network configuration interface showing options for HTTP and HTTPS connections with settings for NAT, content filtering, and traffic shaping.

3.1.2.2) Go to the Traffic Shaping tab, select the option Use Service Specific Settings and, using the drop-down menu Traffic Group, select the traffic group created in step 1 (in this example VoIP).

Then click OK.

Optionally, the Outgoing DSCP can be set to a DSCP value that is assigned to outbound packets.

Image of a network configuration interface showing options for ports, protocols, traffic shaping, and advanced settings related to VoIP and telephony.

3.1.2.3) Then click Save.

Screenshot of a network configuration interface showing settings for INTRANET and WAN with options for NAT, URL Content Filter, Application Filter, Application Based Routing, and Traffic Shaping.


3.1.3) Activate the configuration changes:

Finally, implement the changes by clicking Activate.



3.2) Using the Shaping Configuration on an IPsec connection:

Traffic Shaping is not available for VPN SSL connections.

3.2.1) Switch to the menu VPN → IPsec → Connections and, for the connection to be adjusted, click the pencil icon to edit the connection.

Screenshot of a network monitoring and configuration interface displaying connections, desktop user authentication, IPsec settings, and security profiles.

3.2.2) Go to the Traffic Shaping tab, use the drop-down menu to select the Traffic Group created in step 1 (in this example VoIP) and click Save.

Optionally, the Outgoing DSCP can be set to a DSCP value that is assigned to outbound packets.

Screenshot displaying an advanced user interface for configuring IKEv2 UFSS connections, including options for security profiles, connection tunnels, authentication, routing, and traffic shaping.


3.3) Using the Shaping Configuration in an Application Routing profile:

3.3.1) Switch to the menu UTM → Application Management → Routing Profiles and click the desired routing profile to edit it.

3.3.2) Use the drop-down menu to select the Traffic Group created in step 1 (in this example VoIP) and click Save.

Optionally, the Outgoing DSCP can be set to a DSCP value that is assigned to outbound packets.

Image of a VoIP routing configuration interface displaying various settings including proxy bypass options, internet connection type, and telephony settings, with a warning that modifications will be preserved until reset or logout.

Screenshot of a technical user interface displaying options for Virtual and Augmented Reality, Voice over IP, and Web Services configurations.