Acronym
New Member
April 30, 2012
Question

Traffic Shaping

I have set up traffic shaping on a Fortigate 60C and it seems to be mostly working, but latency on the Internet link still increases when downloads are running. Is this normal? I have a 10Mb fiber connection, one internal port of the Fortigate is traffic shaped to 2.4Mb, and the other is shaped to 5Mb. I also have the 2.5Mb network set to priority low and the 5Mb set to high in the traffic shaping rule. If I download a large file on the 2.5Mb network from the Internet I can see it is correctly restricted to a speed of 2.5Mb on the download, but ping responses on the 5Mb network go up from 1-2ms to 150-250ms while the download is running, and general web access seems less responsive. Is this normal for all traffic-shaped Internet connections? I thought the whole point of traffic shaping was to be able to segment off your Internet connection into different pipes that don't affect each other. Any help would be appreciated.


    rwpatterson
    New Member
    May 1, 2012
    No matter how you slice it, when your pipe nears capacity, you will notice a slowdown in response.
    Acronym (Author)
    New Member
    May 2, 2012
    But I would have thought that if I had a 10Mb pipe, then when the 2.5Mb LAN downloads a file using that whole 2.5Mb, it would still leave the rest of the 7.5Mb running nice and fast without much latency increase, as the pipe is not at capacity. I have confirmed using the Fortigate dashboard stats that the 2.5Mb download is only running at 2.5Mb and nothing much else is going on, so there is still lots of bandwidth left. Thanks for your reply.
    ede_pfau
    SuperUser
    May 2, 2012
    The problem is that traffic shaping is only effective on one side of the pipe. The FGT can put traffic into (3) different priority queues and service them differently. For the lowest queue, it will have to drop packets to keep the bandwidth below the specified threshold. But dropped packets are forwarded from the ISP in any case (I'm talking about download traffic here), so the pipe itself will not benefit much from this. Secondly, all BW management is done through priorities; ping as a service will have a very low priority itself, compared to ftp, http and so on. So higher RTT values with ping should not be taken as a measure of available BW. But they are indicative. I'd set up this to clarify the situation: download a huge file (some GBs) via the 2.5 Mbps line. See it saturating the allocated BW. Now, make a second download of a huge file using the second WAN line. Here, you should be able to utilize 7.5 Mbps BW. If you can confirm this, you have achieved all you can with a one-sided traffic prioritization. Note that limiting BW on one link will not necessarily guarantee low latency on another one, only BW. I think I remember there's a KB article on traffic shaping; you might search for it for more details.
    Acronym (Author)
    New Member
    May 2, 2012
    Ok, I see your point about download traffic. So if the pipe from the ISP to the Fortinet is 10Mb, the traffic shaping will be receiving the full 10Mb from the ISP on the outside interface, and then dropping any packets over the 2.5Mb, so in effect still flooding the 10Mb pipe from the ISP to the Fortinet. I thought TCP traffic was smarter than that, and when an end point in the communication can only run at a certain speed it told the other end to only send traffic at that speed. I wonder how this affects things like voice; we also have voice traffic shaping and prioritisation set up, so voice has 1Mb at High, the 7.5Mb is at Medium, and the 2.5Mb is at Low. So are we saying inbound (download) traffic shaping is not really that effective unless it is done at the ISP using traffic shaping or VLANs with different bandwidth profiles? I will do some more testing with the two downloads and report back. Thanks for your assistance. Shane
    Wayne11
    Explorer
    November 12, 2012
    Wow, I have read this thread now and I'm very surprised! We have latency problems, so we applied a Traffic Shaping rule on each important policy. This morning we had an extremely high peak again which consumed the whole bandwidth of 15Mbps from our ISP to the FG, although the policy has a Traffic Shaping limit of 2Mbps. So if what you guys wrote here is true, how can we limit the download bandwidth for a policy so a download would not use the full 15Mbps from the ISP? Wayne
    Wayne11
    Explorer
    November 14, 2012
    Just in case someone else has this problem: after we set "Shared Traffic Shaper Reverse Direction" on each outbound policy with active traffic shaping, it's working like a charm.
    ede_pfau
    SuperUser
    November 14, 2012
    Alternatively, you could use a 'per-IP' traffic shaper which controls both directions. If you have a number of users, why limit everyone if only a few overuse the line?
    Wayne11
    Explorer
    November 14, 2012
    Because we have latency problems and an initiated download was consuming the whole throughput of the pipe from our ISP. So if just one of my users initiates a download from a fast web server, it would use 15Mbps and all others have latency problems, especially our external Outlook users. That's why in our case traffic shaping for all users on the http, https and ftp policy is the best solution in my opinion. But thx for your suggestion.
    rwpatterson
    New Member
    November 14, 2012
    A couple of things come to mind here for me: 1) Did you tell the FGT what the pipe sizes are?
      config system interface
          edit "port2"
              set vdom "root"
              set ip blah-blah-blah
              set allowaccess ping https
              set type physical
              set tcp-mss 1470
              set inbandwidth 12800     <- Inbound pipe size (in Kilo BYTES! in V4.2)
              set outbandwidth 12800    <- Outbound pipe size (in Kilo BYTES! in V4.2)
              set description "Outside (Internet) interface"
              set alias "Internet"
              set speed 100full
          next
      end
    2) Did you set the default traffic priority to something less than high?
      config system global
          set tos-based-priority medium
      end
    Wayne11
    Explorer
    November 14, 2012
    Hmmm, no I haven't! I didn't know the inbandwidth, outbandwidth and tos-based-priority parameters existed at all. How or what defines the "default traffic priority"? I guess I have to read those settings in the CLI guide. Thx Robert!
    rwpatterson
    New Member
    November 14, 2012
    Basically the default is what any policy gets if you don't state otherwise. If the default is high (how it comes from the factory) and you set any policy to high, then all policies get processed at the same priority level. Kinda useless.... On the bandwidth side, if the FGT doesn't know what the total pipe size is, it can't accurately limit or divide out the slices to allow each their proper amount.
    Wayne11
    Explorer
    November 14, 2012
    Sounds logical to me, will set it to medium as well then. Thx again.
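The three fixes that came up in this thread (rwpatterson's interface pipe sizes and lowered default priority, Wayne11's reverse-direction shared shaper, and ede_pfau's per-IP shaper) pulled together into one FortiOS CLI fragment. This is an added example and not configuration posted by anyone in the thread; the interface names, shaper names, policy ID and rate values are assumptions for a 10Mbps link, and the units (kbps vs. kilobytes) should be checked against the CLI reference for your release.

```text
# Added example, not from the thread. Names, policy ID and rates are assumed.

# 1) Tell the FGT the real pipe size so it can divide the slices correctly.
#    Assumed 10 Mbps link; value unit depends on the FortiOS release.
config system interface
    edit "wan1"
        set inbandwidth 10000
        set outbandwidth 10000
    next
end

# 2) Lower the factory default so a policy set to "high" actually wins.
config system global
    set tos-based-priority medium
end

# 3) Shared shaper for the 2.5 Mbps segment, low priority.
config firewall shaper traffic-shaper
    edit "lan-2500k-low"
        set guaranteed-bandwidth 2500
        set maximum-bandwidth 2500
        set priority low
    next
end

# 4) Per-IP shaper so one heavy downloader cannot take the whole share.
config firewall shaper per-ip-shaper
    edit "per-user-1000k"
        set max-bandwidth 1000
    next
end

# 5) Apply on the outbound policy. traffic-shaper-reverse is the CLI name
#    for "Shared Traffic Shaper Reverse Direction": it shapes the reply
#    (download) direction, which a forward-only shaper does not touch.
config firewall policy
    edit 10
        set srcintf "internal1"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS" "FTP"
        set traffic-shaper "lan-2500k-low"
        set traffic-shaper-reverse "lan-2500k-low"
        set per-ip-shaper "per-user-1000k"
    next
end
```

After applying, repeat ede_pfau's two-download test and watch the interface bandwidth widget: the download side should now stay near the shaper cap rather than filling the ISP pipe.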