Hi,
Setup
I use a Fortigate 60E (WAN Router) to split our internet connection to a 2nd location.
On the 2nd location we also have a Fortigate 60E.
I used a traffic shaper on the WAN Router to limit their speed to 100Mbit.
Both run FortiOS 6.2.10
The Issue:
On the 2nd location for one reason or another, 1 user can use up 100% of that 100MBit during a download.
Any other device at that point will not be able to use the internet until the download is done.
Has anyone seen this before? It feels like the 2nd Fortigate doesn't know the line speed, even though I set the Estimated Bandwidth to 100000 kbps.
I don't understand why it's not balancing the connection.
Many unknowns for your setup.
- You didn't mention if location2's internet needs to go through location1. I assume it does because of the diagram.
- Then, why is the max-bandwidth set to 100Mbps (BTW, bps (bits per second) is not counted by x1024. That's for memory size "Bytes")? Supposed to limit down to like 50Mbps or much less not to max out the 100Mbps pipe allocated between two locations.
- As in a part of the cookbook Vando posted, the per-IP shaper needs to be applied to "shaping-policy", which affects both directions unlike shared shapers.
https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/885253/per-ip-traffic-shaper
- In the shaping-policy, it's supposed to be applied to the traffic coming in/going out the pipe/interface, which has the hard limit of 100Mbps (a VPN?). Not the internal DMZ interface (I mean you still need to specify the IP of the device as the source/destination but don't have to specify the inside interface. You could though).
I recommend you read the cookbook again.
Toshi
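The per-IP shaper plus shaping-policy arrangement described in the reply above, as an added FortiOS CLI example that is not part of the original thread or of Fortinet's cookbook. It assumes the location-2 FortiGate reaches the 100 Mbps link through an interface named wan1; the shaper and policy names are hypothetical, and the 50000 kbps cap follows the "like 50Mbps" suggestion in the reply.

```fortios
# Added example. The shaper name, policy name and interface "wan1" are
# assumptions and do not come from the thread.

# Per-IP shaper: the limit applies to each individual IP address, so a
# single host cannot fill the whole 100 Mbps pipe on its own.
# max-bandwidth is given in kbps.
config firewall shaper per-ip-shaper
    edit "per-host-50M"
        set max-bandwidth 50000
    next
end

# Shaping policy: matches traffic leaving through the interface that faces
# the 100 Mbps link (assumed to be wan1) and attaches the per-IP shaper.
config firewall shaping-policy
    edit 1
        set name "loc2-per-host-cap"
        set service "ALL"
        set srcaddr "all"
        set dstaddr "all"
        set dstintf "wan1"
        set per-ip-shaper "per-host-50M"
    next
end
```

Running `diagnose firewall shaper per-ip-shaper list` afterwards shows whether the shaper is being hit by traffic.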
Hello,
Have you checked the traffic shaping policy to see if it's configured properly?
Is it applied on the LAN or WAN interface?
Maybe the user is somehow able to pass through the policy and consume all the available bandwidth.
This link will help you to see if something is wrong:
If it's all as you intended, we can do a debug flow to see what is happening behind the curtains.
Best regards.
Created on 03-08-2022 04:17 AM Edited on 03-08-2022 04:19 AM
Hi,
We have a 1000MBps internet speed on the WAN router.
We should be fine there.
We created a VLAN on the DMZ port with a /24 subnet.
Location 2 got 1 fixed IP and we applied a By IP Traffic Shaper on that IP address.
The idea is that if we get a 3rd building we can give that a fixed IP in the same subnet with a By IP Shaper as well.
Looking through the Cookbook it looks fine.
Still think it's because the Fortigate at the 2nd location doesn't know there is a 100MBit limit.
Ok, I'm starting to understand the situation.
So you have the Per-IP traffic shaping applied on the F60E that splits your internet access? And is there just 1 user that is able to bypass the shaping policy?
Have you tried to use some of the debug commands to see if the sessions coming from location 2 have the shaper applied to them? Just to be sure.
Best regards.
Created on 03-08-2022 05:24 AM Edited on 03-08-2022 05:26 AM
So you have the Per-IP traffic shaping applied on the F60E that splits your internet access?
Correct
and is there just 1 user that is able to bypass the shaping policy?
No, the shaper is applied on Location 2, the user can use 100MBps max, just leaving none of the 100MBps for the internet radio for example. The internet radio at Location 2 just stops and resumes after the download.
Have you tried to use some of the debug commands to see if the sessions coming from location 2 have the shaper applied to them?
Yes, the shaper is applied, I will check the debug flow again.
Hope this helps, Both routers are 60E's
Sure does, thank you for that, it helps to have a clearer picture.
Are you using DSCP in the traffic shaper?
We have no DSCP applied on the Traffic Shaper.
OK, just wanted to check. Can you see anything in the debugs?