Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Jadron
New Contributor

Traffic shaping a static NAT'd policy.

Hello, 

 

Running into an issue with traffic shaping. It works fine on typical policies using outbound NAT etc. However we have a unique situation where shaper policies don't seem to apply at all to an inbound policy on our WAN2 with a static 1:1 NAT to a server host.

 

VIP setup - 

Interface: WAN2

Type: Static NAT

External IP: x.x.x.x (Single IP in our external IP block)

Mapped IP: y.y.y.y (Internal LAN IP of the server receiving the static NAT. )

(No port forwarding or filters in place, 1:1 here only).

 

Policy setup using the above VIP -

Incoming interface - WAN2

Outgoing: Internal

Destination: <The VIP above>

Service: <single custom port>

NAT: Disabled (Static nat done on the VIP only).

 

What I see in Fortiview is:

Source: <1 of 20,000 external IP's connecting to us>, Destination: <x.x.x.x> (Our Nat'd external). (Repeat by 20K basically).

Fortiview sees little to no traffic to y.y.y.y which is the internal IP of the server pumping the TB's of upload through reverse inbound sessions (Think reverse SSH tunnel here), which makes sense due to the static 1:1 NAT. Per the above Fortiview observation it's basically seeing all this bandwidth consumed in 20,000 individual sessions which reads Source: WAN2 to Destination: WAN2....

 

Does shaping just not work with 1:1 NAT?

Should we try PNAT instead?

 

I suspect something simple, or with the given configuration shaping is not possible. I've tried various combinations of shaping policies from shared (preferred in this scenario) to per IP using the single Nat'd IP x.x.x.x, to getting desperate and just doing shaping policy reading "all to all, WAN2, <custom service port>" still does not seem to limit this.

 

We have shaping on other outbound items which workfine.

 

No SDWAN in this scenario.

1 REPLY 1
Toshi_Esumi
SuperUser
SuperUser

I don't think NAT(SNAT) or VIP(DNAT) would affect anything for traffic shaping as long as your shapers match the conditions the FGT can see.  I'm not exactly following what you're describing about FortiView.

But the question is 1) what kind of shaper (per-ipshaper or traffic-shaper(poer-policy or shared)) you configured, then 2) what kind of conditions you set up with the shaping-policy (dstintf/src&dstaddr/service, etc).

Then if they're correct, I would keep checking "diag firewall shaper traffic-shapler list" while injecting the traffic looking for. If matching, you would see traffic under "current-bandwidth" like below.

 

# diag firewall shaper traffic-shaper list name GuestWiFiShaper maximum-bandwidth 1875 KB/sec guaranteed-bandwidth 500 KB/sec current-bandwidth 9 KB/sec priority 3 tos ff packets dropped 1328705 bytes dropped 1845480582

 

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors