Applying traffic shaping or rate limit directly on a tunnel interface
Hello,
we have a VPN concentrator with a lot of VPN connections.
My doubt is if there is a possibility to limit the bandwidth directly on the tunnel interface instead of applying traffic shaping on the policy.
Any suggestions will be really appreciated.
Maurizio
What exactly is the problem and why do you want to control bandwidth by tunnel?
I have a FG that acts as a VPN concentrator. Every VPN is contractualized with a different bandwidth. So, I want to know if I can limit the bandwidth for every VPN and if this can be done directly on the tunnel interface.
For each tunnel there is a policy allowing traffic. On this policy you can apply the bandwidth limiters to the tunnel. In essence it is doing the same thing, just in a roundabout way.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
I don't know what version you're running on the FG but with 5.4 they created "shaping-policy" in addition to firewall policies. Then in your case you have to create a shaping-policy per VPN (probably as srcint or [not and] dstint depending on which direction you want to drop packets beyond the limit) and apply a shaper to it.
It seems that it would still work when you apply a shaper to a firewall policy but we started using shaping-policy for our QoS config.
Hi,
you can set inbandwidth and outbandwidth parameters directly on the interface on the CLI. This should work for tunnel interfaces as well afaik.
Br,
Roman
I see. That's a much easier solution.
xxx-fg (IKEv2Test1) # get | grep band
inbandwidth : 0
outbandwidth : 0
estimated-upstream-bandwidth: 0
estimated-downstream-bandwidth: 0
xxx-fg (IKEv2Test1) # set inbandwidth ?
bandwidth-limit <integer> in kbps (0-16776000; 0 for unlimited)
xxx-fg (IKEv2Test1) # set outbandwidth ?
bandwidth-limit <integer> in kbps (0-16776000; 0 for unlimited)
Hi Roman,
we tried set inbandwidth and outbandwidth on the tunnel interface (we are using version 5.4.1) but it doesn't work.
Below are the commands:
set indbandwidth 128Kbps
set outdbandwidth 128Kbps
Trying with iperf, the bandwidth is not limited.
Peddy1976 wrote:
set indbandwidth 128Kbps
set outdbandwidth 128Kbps

Did those commands report an error? Based on the above post, I would have just done
set indbandwidth 128
set outdbandwidth 128
toshiesumi wrote:
I don't know what version you're running on the FG but with 5.4 they created "shaping-policy" in addition to firewall policies. Then in your case you have to create a shaping-policy per VPN (probably as srcint or [not and] dstint depending on which direction you want to drop packets beyond the limit) and apply a shaper to it.
It seems that it would still work when you apply a shaper to a firewall policy but we started using shaping-policy for our QoS config.

@Toshi
I'm old school. They're in my signature.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
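
For a concentrator with many contracted tunnels, the per-interface settings discussed in this thread can be generated rather than typed. The following is an added example, not code from any poster or from Fortinet: it converts contract figures such as "128Kbps" into the plain kbps integer that the CLI help quoted above asks for (0-16776000) and emits a `config system interface` block. The unit multipliers, the interface-name pattern and the tunnel name `BranchB` are assumptions of this example; verify the resulting limit with iperf, as one poster reports it had no effect on 5.4.1.

```python
import re

# Range from the CLI help quoted in the thread: kbps, 0-16776000, 0 = unlimited.
MAX_KBPS = 16_776_000
# Multipliers to kbps (decimal units; an assumption of this example).
UNITS = {"": 1, "k": 1, "kbps": 1, "m": 1_000, "mbps": 1_000}
# Conservative interface-name pattern (assumption): blocks quotes and newlines
# so a name taken from a contract spreadsheet cannot inject extra CLI lines.
NAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,15}")


def to_kbps(value):
    """Turn a contract figure such as '128Kbps' or '2 Mbps' into integer kbps."""
    m = re.fullmatch(r"\s*(\d+)\s*([A-Za-z]*)\s*", str(value))
    if not m or m.group(2).lower() not in UNITS:
        raise ValueError(f"unrecognised bandwidth: {value!r}")
    kbps = int(m.group(1)) * UNITS[m.group(2).lower()]
    if kbps > MAX_KBPS:
        raise ValueError(f"{value!r} exceeds {MAX_KBPS} kbps")
    return kbps


def interface_config(contracts):
    """Build the CLI block for {tunnel_name: (in_limit, out_limit)}."""
    lines = ["config system interface"]
    for name, (inbound, outbound) in contracts.items():
        if not NAME_RE.fullmatch(name):
            raise ValueError(f"unsafe interface name: {name!r}")
        lines += [
            f'    edit "{name}"',
            f"        set inbandwidth {to_kbps(inbound)}",
            f"        set outbandwidth {to_kbps(outbound)}",
            "    next",
        ]
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample contracts; only IKEv2Test1 is a name from the thread.
    print(interface_config({"IKEv2Test1": ("128Kbps", "128Kbps"),
                            "BranchB": ("2 Mbps", 512)}))
```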
