Wever
Explorer
March 8, 2022
Solved

Fortigate -> Traffic shaper -> Fortigate issue

  • March 8, 2022
  • 4 replies
  • 9894 views

Hi,


Setup

I use a Fortigate 60E (WAN Router) to split our internet connection to a 2nd location.
On the 2nd location we also have a Fortigate 60E.
I used a traffic shaper on the WAN Router to limit their speed to 100Mbit.

Both run FortiOS 6.2.10

 

The Issue:
On the 2nd location, for one reason or another, 1 user can use up 100% of that 100MBit during a download.
Any other device at that point will not be able to reach the internet until the download is done.
Has anyone seen this before? It feels like the 2nd Fortigate doesn't know the line speed, even though I set the Estimated Bandwidth to 100000 kbps.

 

I don't understand why it's not balancing the connection.

Best answer by Toshi_Esumi


4 replies

Vando_Pereira
Staff
March 8, 2022

Hello,

 

Have you checked the traffic shaping policy to see if it's configured properly?

Is it applied on the LAN or the WAN interface?

Maybe the user is somehow able to pass through the policy and consume all the available bandwidth.

This link will help you to see if something is wrong:

If it's all as you intended, we can do a debug flow to see what is happening behind the curtains.

 

Best regards.

 

Wever (Author)
Explorer
March 8, 2022

Hi,


We have a 1000MBps internet speed on the WAN router.
We should be fine there.

We created a VLAN on the DMZ port with a /24 subnet.
Location 2 got 1 fixed IP and we applied a By IP Traffic Shaper on that IP address.

The idea is that if we get a 3rd building we can give that a fixed IP in the same subnet with a By IP Shaper as well.

Looking through the Cookbook it looks fine.
Still think it's because the Fortigate at the 2nd location doesn't know there is a 100MBit limit.

Vando_Pereira
Staff
March 8, 2022

Ok, I'm starting to understand the situation.

So you have the Per-IP traffic shaping applied on the F60E that splits your internet access? And is there just 1 user that is able to bypass the shaping policy?

Have you tried to use some of the debug commands to see if the sessions coming from the location 2 have the shaper applied to it ? Just to be sure.

 

  • diagnose sys session list -> to see if the shaper is applied to the location 2 sessions.
  • diagnose debug flow -> to see what happens when traffic from location 2 goes through the firewall.

Best regards.

Wever (Author)
Explorer
March 8, 2022

[Attached image: Wever_1-1646746249595.png]

Hope this helps, Both routers are 60E's

Vando_Pereira
Staff
March 8, 2022

Sure does, thank you for that, it helps to have a more clear picture.

 

Are you using DSCP in the traffic shaper?

 

 

Wever (Author)
Explorer
March 8, 2022

We have no DSCP applied on the Traffic Shaper

Toshi_Esumi
SuperUser
March 8, 2022

And, @Wever, please share with us the shaper and the shaping-policies using the shaper, in CLI.

 

Toshi

Wever (Author)
Explorer
March 8, 2022

Sure, no problem.
Debug flow didn't show me a direct issue.

FGT61E-WAN-Router # show firewall shaper per-ip-shaper PerIP-100Mbit
config firewall shaper per-ip-shaper
    edit "PerIP-100Mbit"
        set max-bandwidth 102400
    next
end

FGT61E-WAN-Router # show firewall policy
config firewall policy
    edit 2
        set name "DMZ_OUT"
        set uuid 0cb0eda0-e1a7-51e8-71d7-61c1dec713ab
        set srcintf "STH_DMZ"
        set dstintf "wan1"
        set srcaddr "WAN_IPs_100Mbit" "WAN_IPs_50Mbit" "WAN_IPs_20Mbit" "WAN_IPs_10Mbit"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set fsso disable
    next
    edit 3
        set name "DMZ_IN"
        set uuid 279d2a02-e1a7-51e8-6baa-b86febaf6734
        set srcintf "wan1"
        set dstintf "STH_DMZ"
        set srcaddr "all"
        set dstaddr "WAN_IPs_100Mbit" "WAN_IPs_50Mbit" "WAN_IPs_20Mbit" "WAN_IPs_10Mbit"
        set action accept
        set schedule "always"
        set service "ALL"
        set fsso disable
    next
end

Toshi_Esumi
SuperUser
March 8, 2022

Many unknowns for your setup.

- You didn't mention if location 2's internet needs to go through location 1. I assume it does because of the diagram.

- Then, why is the max-bandwidth set to 100Mbps (BTW, bps (bits per second) is not counted by x1024. That's for memory size "Bytes")? It's supposed to be limited down to something like 50Mbps or much less, so as not to max out the 100Mbps pipe allocated between the two locations.

- As in a part of the cookbook Vando posted, the per-IP shaper needs to be applied to a "shaping-policy", which affects both directions, unlike shared shapers.

https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/885253/per-ip-traffic-shaper

- In the shaping-policy, it's supposed to be applied to the traffic coming in/going out of the pipe/interface which has the hard limit of 100Mbps (a VPN?), not the internal DMZ interface (I mean you still need to specify the IP of the device as the source/destination, but you don't have to specify the inside interface. You could though).

 

I recommend you read the cookbook again.

 

Toshi
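As an added example, not configuration taken from the thread or from Fortinet's cookbook, here is how Toshi's three points and Vando's two diagnostic commands fit together on the WAN router: the per-IP shaper with max-bandwidth in kbps on a decimal basis, attached through a shaping policy on the DMZ-to-wan1 path so that it limits each matched IP in both directions, followed by the session and flow checks. The interface and address-object names reuse those visible in the posted firewall policies; the shaping-policy ID and name, the 10.10.10.20 address and the lines starting with "#" are illustrative annotations and assumptions, not part of any real device output.

```fortios
# Added example; not the configuration posted in the thread.
# max-bandwidth is in kbps and counts in thousands, not 1024s:
# 100 Mbit/s = 100000 kbps (102400 kbps would be 102.4 Mbit/s).
config firewall shaper per-ip-shaper
    edit "PerIP-100Mbit"
        set max-bandwidth 100000
    next
end

# A per-IP shaper only takes effect once it is referenced from a
# shaping policy. Matching the DMZ VLAN <-> wan1 path limits every
# IP in the matched address object in both directions; the limit is
# per IP, so each location gets its own 100 Mbit/s bucket.
# Policy ID 1 and the policy name are assumptions for illustration.
config firewall shaping-policy
    edit 1
        set name "DMZ-PerIP-100Mbit"
        set srcintf "STH_DMZ"
        set dstintf "wan1"
        set srcaddr "WAN_IPs_100Mbit"
        set dstaddr "all"
        set service "ALL"
        set schedule "always"
        set per-ip-shaper "PerIP-100Mbit"
    next
end

# Check 1 (Vando's first command): list the sessions from the
# location-2 address (10.10.10.20 is an assumed value) and confirm
# the shaper name appears on each session entry.
diagnose sys session filter clear
diagnose sys session filter src 10.10.10.20
diagnose sys session list

# Check 2 (Vando's second command): trace a handful of packets from
# that address through policy lookup to see which policy and shaper
# they hit; generate some traffic from location 2 while it runs.
diagnose debug flow filter clear
diagnose debug flow filter addr 10.10.10.20
diagnose debug flow trace start 10
diagnose debug enable
# ... after the traffic has been generated:
diagnose debug disable
diagnose debug flow trace stop
```

If the session entries show no shaper, the shaping policy is not matching (wrong interface pair, address object or service); if they do show it and the per-IP cap is still the full 100 Mbit/s, the limit is doing exactly what it was asked, which is Toshi's second point.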

Wever (Author)
Explorer
March 9, 2022

Hi Toshi,

I think I get what you are saying.

1. Yes sorry location 2 needs to go through location 1.
2. Apparently my colleague made that mistake of using Memory 1024 bits, kind of a habit from working with Virtual Machines. Will fix that.

3. Got it, will plan to reconfigure it.

4. Thanks for that, I think we know what to do now.