How do I calculate Guardian bandwidth limiting settings for my users?

Article #: Product Castle
KB-60 Guardian All


A guide to using the bandwidth limit settings for users, including an explanation of how Squid interacts with this feature.


I would like to set different bandwidth limits by user groups on the Smoothwall. How do bandwidth limiting policies apply? Are they cumulative, and how do they apply to unauthenticated users?

At the top of the administration UI page it says "A performance optimization has been enabled; users will receive full bandwidth across multiple connections but not on any single connection". What does this mean?


Bandwidth Limiting policies are not cumulative; they are read from top to bottom and if any top policy matches, it will be the only one applied. For this reason, you must place specific policies at the top, and more generic policies at the bottom.

Unauthenticated IPs is considered a separate user-group. Anyone falling under that will be matched based on the bandwidth policy for Unauthenticated IPs so you will have to include this group specifically in a policy.

The performance optimization message on the Smoothwall displays when you have more than one "Squid worker" on your system — which is a performance optimization. Because of that there is a possibility users will receive a lower bandwidth if they go through just one "squid worker" as the bandwidth allocation is divided between the workers.

You can see the number of squid workers by running a diagnostics check in the System > Diagnostics > Functionality tests page (under Guardian tests); the Functionality test results page shows the Number of workers under the Guardian info results section. Note that this is not Number of worker threads.

If you have multiple Squid workers, you set the bandwidth limit value to be what you originally want.

For example:

If you want to limit bandwidth to 500 kilobytes per second (Kbytes/s), you would set Guardian to 500 Kbytes/s.

However if you measure the speed for a single download you will see that a client only gets 250 Kbytes/s if two workers or 125 Kbytes/s if four workers. But over several connections (most browsers open several) and over several clients (usually one bucket is shared over several clients) then you will get the desired 500 Kbytes/s in total.

If you try and double the amount to 1000 Kbytes/s for two workers, you will get the 500 Kbytes/s for a singe connection, but by making multiple connections (or several clients) can get 1000 Kbytes/s which is not the 500 Kbytes/s that was intended.

Other things to consider when setting bandwidth limiting:

  1. It is recommended you create bandwidth limiting policies for the Unauthenticated IPs user group as well, as it can be used to bypass the web filter.
  2. All whitelisted web filtering policies bypass bandwidth limiting.
  3. After creating all required bandwidth limiting policies, ensure you clear the cache and restart the web proxy (Web proxy > Web proxy > Settings).
  4. If creating policies for a specific user group (Who) and enable Shared between clients, the bandwidth limit is shared for the whole group. Leaving this blank means each individual user gets the configured value.
  5. Be aware that the unit used to limit bandwidth is kilobytes per second, so:
    • 512 Kbytes/s = 4 megabits per second (Mbps)
    • 8,000 Kbytes/s = 62.5 Mbps
    • 16,000 = 125 Mbps

For a detailed description of how to configure bandwidth limiting, go to:


Last updated: Author: Contributions by:
24th March 2017 Farzand Ali Stephen Baynes