Fortinet Forum
Wever
New Contributor II

Fortigate -> Traffic shaper -> Fortigate issue

Hi,


Setup

I use a Fortigate 60E (WAN Router) to split our internet connection to a 2nd location.
On the 2nd location we also have a Fortigate 60E.
I used a traffic shaper on the WAN Router to limit their speed to 100Mbit.

Both run FortiOS 6.2.10

 

The Issue:
On the 2nd location for one reason or another, 1 user can use up 100% of that 100MBit during a download.
Any other device at that point will not be able to use the internet until the download is done.
Has anyone seen this before? It feels like the 2nd Fortigate doesn't know the line speed, even though I set the Estimated Bandwidth to 100000 kbps.

 

I don't understand why it's not balancing the connection.

1 Solution
Toshi_Esumi
Esteemed Contributor II

Many unknowns for your set up.

- You didn't mention if location2's internet needs to go through location1. I assume it does because of the diagram.

- Then, why is the max-bandwidth set to 100Mbps (BTW, bps (bits per second) is not counted by x1024. That's for memory size "Bytes")? It's supposed to be limited down to like 50Mbps or much less so as not to max out the 100Mbps pipe allocated between the two locations.

- As in a part of the cookbook Vando posted, the per-IP shaper needs to be applied to a "shaping-policy", which affects both directions, unlike shared shapers.

https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/885253/per-ip-traffic-shaper

- In the shaping-policy, it's supposed to be applied to the traffic coming in/going out the pipe/interface which has the hard limit of 100Mbps (a VPN?). Not the internal DMZ interface (I mean you still need to specify the IP of the device as the source/destination but don't have to specify the inside interface. You could though).

 

I recommend you read the cookbook again.

 

Toshi

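Added example, not part of the original posts or of Fortinet's cookbook: a sketch of the change the answer above describes, written for the FortiOS 6.2 CLI. The shaper name `PerIP-50Mbit`, the 50000 kbps value, and the shaping-policy ID and name are assumptions chosen for illustration; `WAN_IPs_100Mbit` and `wan1` are taken from the configuration posted in this thread.

```fortios
# Per-IP shaper: max-bandwidth is in kbps, counted decimally
# (50 Mbps = 50000 kbps, not 50 x 1024). The value is kept below
# the 100 Mbps pipe so a single IP cannot fill it on its own.
config firewall shaper per-ip-shaper
    edit "PerIP-50Mbit"
        set max-bandwidth 50000
    next
end

# The per-IP shaper is attached through a shaping-policy.
# dstintf is the interface carrying the rate-limited pipe;
# srcaddr still selects the addresses that are shaped.
config firewall shaping-policy
    edit 1
        set name "Shape_Location2"
        set service "ALL"
        set dstintf "wan1"
        set srcaddr "WAN_IPs_100Mbit"
        set dstaddr "all"
        set per-ip-shaper "PerIP-50Mbit"
    next
end
```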

12 REPLIES
Wever
New Contributor II

Sure, no problem.
Debug flow didn't show me a direct issue.

Connected

FGT61E-WAN-Router # show firewall shaper per-ip-shaper PerIP-100Mbit
config firewall shaper per-ip-shaper
    edit "PerIP-100Mbit"
        set max-bandwidth 102400
    next
end

FGT61E-WAN-Router # show firewall policy
config firewall policy
    edit 2
        set name "DMZ_OUT"
        set uuid 0cb0eda0-e1a7-51e8-71d7-61c1dec713ab
        set srcintf "STH_DMZ"
        set dstintf "wan1"
        set srcaddr "WAN_IPs_100Mbit" "WAN_IPs_50Mbit" "WAN_IPs_20Mbit" "WAN_IPs_10Mbit"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set fsso disable
    next
    edit 3
        set name "DMZ_IN"
        set uuid 279d2a02-e1a7-51e8-6baa-b86febaf6734
        set srcintf "wan1"
        set dstintf "STH_DMZ"
        set srcaddr "all"
        set dstaddr "WAN_IPs_100Mbit" "WAN_IPs_50Mbit" "WAN_IPs_20Mbit" "WAN_IPs_10Mbit"
        set action accept
        set schedule "always"
        set service "ALL"
        set fsso disable
    next
end


Wever
New Contributor II

Hi Toshi,

I think I get what you are saying.

1. Yes, sorry, location 2 needs to go through location 1.
2. Apparently my colleague made that mistake of using Memory 1024 bits, kind of a habit working with Virtual Machines. Will fix that.

3. Got it, will plan to reconfigure it.

4. Thanks for that, I think we know what to do now.