Support Forum
New Contributor

Divide a 50mbit Leased Line to 2 10mbit and 40mbit Lines

Hello, I have the following scenario. A new WAN leased link with 50 Mbit/s should somehow be divided into 2 lines for 2 different LANs, so that LAN1 always gets 10 Mbit/s and LAN2 always gets 40 Mbit/s. The network should look like this: see the attached JPEG. So how should I design it right? Should I replace those Lancome routers? Is it more complex when my 2 LANs are behind these NAT routers? Could I have problems with reverse path detection? I thought of doing traffic shaping to guarantee 40 Mbit to LAN1 and 10 Mbit to LAN2. Is there a better way to divide a 50 Mbit line? Lancome router 2 also has an Internet connection via a 2 Mbit/s line. Should I better implement it into the FortiGate and do load balancing for LAN2, or use it as a failover link? How would you design it? Thank you in advance
Esteemed Contributor III

I would personally look at a TrafficShaper on the HP for vlan1 and vlan2, or on the router. TS are placed by policies, so that could be a bear when applying TS @ the firewall.




PCNSE NSE StrongSwan
New Contributor

So is it not a good way to create 2 policies: LAN1 > WAN and apply TS with 40 Mbit/s maximum bandwidth, and another policy LAN2 > WAN and apply TS with 10 Mbit/s maximum bandwidth? Why is it a bear applying TS @ the firewall?
Esteemed Contributor III

If you only have just 2 fwpolicies then yes, but is that really the case in your setup? Other things to think about: do you have any other QoS concerns (voice, SIP, Skype, video)? Do you have traffic prioritization concerns? Do you have any VIPs?




PCNSE NSE StrongSwan
New Contributor

I really only have a task to divide a 50 Mbit/s line into 2 lines, 10 Mbit/s and 40 Mbit/s, for different VLANs. It's a very small company, about 35 users, and they don't use VoIP. So would it work the way I described it? Why should VIPs be a problem?
Esteemed Contributor III

Because VIPs would be another firewall policy inbound, and typically they are hosting services. So yes, if you have 2 VLANs, then apply a traffic policer for the firewall traffic that matches the policy. I would start here and research all that's required and the steps and options that you have. Also you should look at the set inbandwidth and set outbandwidth interface commands. If the 2 VLAN paths you represent are two unique interfaces, this might be an easier approach. But you can starve critical traffic flows and should use priority to ensure real-time and business applications have access at a higher priority.




PCNSE NSE StrongSwan
New Contributor

Hi, I did some tests. I tried it out with policies and with set inbandwidth and set outbandwidth through the CLI. So I tested it: the download rate is pretty accurate and stops at 40 - 42 Mbit/s, but upload... with traffic shaping via policy only, the test always delivers different numbers. One time it is 40 Mbit/s, another time it is 80 Mbit/s and so on. Only if I combine policy shaping and the CLI command set bandwidth does it work almost properly, but still sometimes the upload rate rises to 50 - 56 Mbit/s. Is that a general problem with traffic shaping and uploads? Because download rate shaping is working very well.
Esteemed Contributor III

Without seeing your actual setup and config it's hard to guess, but let's recap what a policer and a TrafficShaper are. A policer polices traffic at the set rate; anything above that is clipped. A TS shapes traffic and provides traffic up to the CIR and allows buffering (a queue), at the disadvantage of induced delay for the traffic in the queue. Typically a shaper does not drop packets but queues them for later delivery (the scheduler). Both have a "guaranteed conform" rate, but they act totally differently in regards to burst excess. And then with the traffic queue & scheduling, you have traffic that can exhibit different flow rates. If you're doing pure policing, the set limits you define should police traffic to that level. The in/out max bandwidth are a true policer (not sure what the time transmit interval is on a FortiGate). So in your case, if vlan1 was an actual VLAN sub-interface on the FortiGate, you could set the max in to 40 Mbit/s. And on vlan2 you would do the same, but specify 10 Mbit/s. Note: be aware of the rate measurement in the command, it should be in kilobits IIRC: bandwidth-limit <integer> in kbit/s (0-16776000; 0 for unlimited)

"Only if I combine policy shaping and the CLI command set bandwidth does it work almost properly, but still sometimes the upload rate rises to 50 - 56 Mbit/s."

Next, you can apply a traffic-shaper on the output interface of the FGT WAN for the fwpolicy(s) and set prioritization. How many policies do you have for vlan1>>>wan and vlan2>>>wan traffic? MaxOut would not help you on this interface (WAN) since you have 2 different QoS strategies for the vlan1 & vlan2 LAN traffic, BUT you could set a max limit of 50 Mbit/s if you wanted to stay within contract with your ISP CIR (the combined 40+10 Mbit/s) and if you are being billed by peak or 95th percentile and were afraid of going over subscribed rates. So basically you will need to play around, but I would start with the TS/QoS document and read any notes pertaining to FortiGate versions. I found the low-end gear is not 100% accurate when compared to a bigger unit. YMMV. Also I would suggest iperf/jperf on locally attached interfaces in a client+server model for testing actual data rates and flows using both UDP/TCP. This concept reduces any external networks or systems. If you had a spare or lab FGT, you could set max in/out and a single policy and run testing to see how accurate these values are. And lastly, keep in the back of your mind that any UTM features will impact the measurements & throughputs.




PCNSE NSE StrongSwan
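A worked configuration of the two mechanisms the thread ends on, the interface policer (set inbandwidth / set outbandwidth) and a per-policy traffic shaper with priority, added here as an illustration. It is not taken from the posts above or from Fortinet documentation. It assumes FortiOS 5.x/6.0-era CLI syntax, that each LAN reaches the FortiGate on its own VLAN sub-interface (the names vlan1 and vlan2 on port "internal", the VLAN IDs 10 and 20, and the WAN port "wan1" are all assumed), and the split from the thread title: 40 Mbit/s for one LAN, 10 Mbit/s for the other. All rates are in kbit/s, which is the unit the CLI expects.

```text
# Added example, not from the original thread. Assumed interface names:
# vlan1, vlan2 (sub-interfaces of "internal") and wan1.

# 1) Interface policer. inbandwidth/outbandwidth take kbit/s, so
#    40000 = 40 Mbit/s and 10000 = 10 Mbit/s (40 and 10 here would be
#    40 kbit/s and 10 kbit/s). "in" is traffic arriving on the interface
#    (LAN upload toward the WAN), "out" is traffic sent out of it (download
#    back to the LAN). Excess traffic is dropped, not queued.
config system interface
    edit "vlan1"
        set vdom "root"
        set interface "internal"
        set vlanid 10
        set inbandwidth 40000
        set outbandwidth 40000
    next
    edit "vlan2"
        set vdom "root"
        set interface "internal"
        set vlanid 20
        set inbandwidth 10000
        set outbandwidth 10000
    next
end

# 2) Shared shapers: a guaranteed rate, a ceiling and a priority.
#    per-policy disable means the rate is shared by every policy that
#    references the shaper instead of being granted once per policy.
#    The priority only matters when wan1 is congested and both shapers
#    compete for it.
config firewall shaper traffic-shaper
    edit "lan1-40m"
        set guaranteed-bandwidth 40000
        set maximum-bandwidth 40000
        set priority high
        set per-policy disable
    next
    edit "lan2-10m"
        set guaranteed-bandwidth 10000
        set maximum-bandwidth 10000
        set priority medium
        set per-policy disable
    next
end

# 3) One policy per LAN. traffic-shaper covers the forward direction
#    (LAN -> WAN, i.e. upload); traffic-shaper-reverse covers the reply
#    traffic (download). Leaving the reverse shaper off is one way to get
#    an accurate download number and an unshaped upload.
config firewall policy
    edit 1
        set name "lan1-to-wan"
        set srcintf "vlan1"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set traffic-shaper "lan1-40m"
        set traffic-shaper-reverse "lan1-40m"
    next
    edit 2
        set name "lan2-to-wan"
        set srcintf "vlan2"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set traffic-shaper "lan2-10m"
        set traffic-shaper-reverse "lan2-10m"
    next
end
```

After applying it, `diagnose firewall shaper traffic-shaper list` shows each shaper's configured rates, current bandwidth and drop counters, which is the quickest way to confirm the shaper is actually being hit by the policy and in which direction. Two caveats a practitioner should keep in mind: the interface policer and the policy shaper measure different things (a policer clips every packet above the rate, a shaper queues and smooths bursts), so a throughput test will report different and less stable numbers for the shaper alone, which matches what was observed above; and on newer FortiOS releases the shaper is attached through `config firewall shaping-policy` rather than with `set traffic-shaper` on the firewall policy, so the thread's advice to check the release notes for the running version applies to this example too.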
