Hi,
Setup
I use a Fortigate 60E (WAN Router) to split our internet connection to a 2nd location.
On the 2nd location we also have a Fortigate 60E.
I used a traffic shaper on the WAN Router to limit their speed to 100Mbit.
Both run FortiOS 6.2.10
The Issue:
On the 2nd location for one reason or another, 1 user can use up 100% of that 100MBit during a download.
Any other device at that point will not be able to use the internet until the download is done.
Has anyone seen this before? It feels like the 2nd Fortigate doesn't know the line speed, even though I set the Estimated Bandwidth to 100000 kbps.
I don't understand why it's not balancing the connection.
Created on 03-08-2022 08:07 AM Edited on 03-08-2022 08:08 AM
Sure, no problem.
Debug flow didn't show me a direct issue.
Connected
FGT61E-WAN-Router # show firewall shaper per-ip-shaper PerIP-100Mbit
config firewall shaper per-ip-shaper
    edit "PerIP-100Mbit"
        set max-bandwidth 102400
    next
end
FGT61E-WAN-Router # show firewall policy
config firewall policy
    edit 2
        set name "DMZ_OUT"
        set uuid 0cb0eda0-e1a7-51e8-71d7-61c1dec713ab
        set srcintf "STH_DMZ"
        set dstintf "wan1"
        set srcaddr "WAN_IPs_100Mbit" "WAN_IPs_50Mbit" "WAN_IPs_20Mbit" "WAN_IPs_10Mbit"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set fsso disable
    next
    edit 3
        set name "DMZ_IN"
        set uuid 279d2a02-e1a7-51e8-6baa-b86febaf6734
        set srcintf "wan1"
        set dstintf "STH_DMZ"
        set srcaddr "all"
        set dstaddr "WAN_IPs_100Mbit" "WAN_IPs_50Mbit" "WAN_IPs_20Mbit" "WAN_IPs_10Mbit"
        set action accept
        set schedule "always"
        set service "ALL"
        set fsso disable
    next
end
Many unknowns for your setup.
- You didn't mention if location2's internet needs to go through location1. I assume it does because of the diagram.
- Then, why is the max-bandwidth set to 100Mbps (BTW, bps (bits per second) is not counted by x1024. That's for memory size "Bytes")? It's supposed to be limited down to like 50Mbps or much less so as not to max out the 100Mbps pipe allocated between the two locations.
- As in a part of the cookbook Vando posted, the per-IP shaper needs to be applied to a "shaping-policy", which affects both directions unlike shared shapers.
https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/885253/per-ip-traffic-shaper
- In the shaping-policy, it's supposed to be applied to the traffic coming in/going out of the pipe/interface which has the hard limit of 100Mbps (a VPN?), not the internal DMZ interface (I mean you still need to specify the IP of the device as the source/destination but don't have to specify the inside interface. You could though).
I recommend you read the cookbook again.
Toshi
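The change described in the reply above, sketched as FortiOS 6.2 CLI. This is an added example, not configuration posted in the thread or taken from Fortinet's documentation. It assumes the address group "WAN_IPs_100Mbit" holds the second location's addresses and that wan1 is the interface carrying the limited pipe; the shaper name "PerIP-50Mbit", the policy ID and the policy name are hypothetical. Lines starting with # are annotations to drop before pasting.

```fortios
# Before (from the thread): 100 x 1024 kbps, so one host may fill the whole pipe
# config firewall shaper per-ip-shaper
#     edit "PerIP-100Mbit"
#         set max-bandwidth 102400
#     next
# end

# After: decimal kbps, capped well below the 100 Mbps pipe per source IP
# ("PerIP-50Mbit" is a hypothetical name; 50000 kbps = 50 Mbps)
config firewall shaper per-ip-shaper
    edit "PerIP-50Mbit"
        set max-bandwidth 50000
    next
end

# Attach the per-IP shaper through a shaping policy rather than relying on
# the firewall policies DMZ_OUT / DMZ_IN. Only the interface facing the
# limited pipe is named; the inside interface is left unspecified.
# (policy ID 1 and the name are hypothetical)
config firewall shaping-policy
    edit 1
        set name "Location2-per-IP-cap"
        set service "ALL"
        set dstintf "wan1"
        set srcaddr "WAN_IPs_100Mbit"
        set dstaddr "all"
        set per-ip-shaper "PerIP-50Mbit"
    next
end
```

After applying, `diagnose firewall shaper per-ip-shaper list` shows whether the shaper is being hit and how much traffic it has dropped.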
Hi Toshi,
I think I get what you are saying.
1. Yes sorry location 2 needs to go through location 1.
2. Apparently my colleague made that mistake of using Memory 1024 bits, kind of a habit working with Virtual Machines. Will fix that.
3. Got it, will plan to reconfigure it.
4. Thanks for that, I think we know what to do now.