Hi friends,
I have a 61F + PPPoE connection configured on my dmz port. My connection is not stable. I used iperf to test it and I receive good data on upload, but download is garbage. Searching here on the forum, I found a topic talking about PPPoE having some VLAN in the process; I'd like to know if that is bad, because I tried this command:
diag sniffing packet dmz 'none' 401
and I receive a lot of lines like these:
311.588744 pppoe printer hasn't been added to sniffer
311.594984 pppoe printer hasn't been added to sniffer
311.595047 pppoe printer hasn't been added to sniffer
311.628910 pppoe printer hasn't been added to sniffer
311.634131 pppoe printer hasn't been added to sniffer
311.668261 pppoe printer hasn't been added to sniffer
311.672826 802.1Q vlan#641 P0 Ether type 0x88bf printer hasn't been added to sniffer.
311.672836 802.1Q vlan#642 P0 Ether type 0x88bf printer hasn't been added to sniffer.
311.672844 802.1Q vlan#643 P0 Ether type 0x88bf printer hasn't been added to sniffer.
311.672857 802.1Q vlan#644 P0 Ether type 0x88bf printer hasn't been added to sniffer.
311.672862 802.1Q vlan#555 P0 Ether type 0x88bf printer hasn't been added to sniffer.
311.672873 802.1Q vlan#698 P0 Ether type 0x88bf printer hasn't been added to sniffer.
311.672888 802.1Q vlan#607 P0 Ether type 0x88bf printer hasn't been added to sniffer.
311.672894 802.1Q vlan#605 P0 Ether type 0x88bf printer hasn't been added to sniffer.
311.672907 Ether type 0x88bf printer hasn't been added to sniffer.
So, I understand the provider is sending me these VLANs, but I don't know what this means for my traffic. Would the correct result be that no VLAN appears in this command's output?
I just want to know if the provider is giving me the correct bandwidth, but I can't measure it.
If you physically terminate the vendor circuit at the dmz physical interface and configure PPPoE on the interface, the FGT creates a virtual/dynamic interface like pppx (x is a number) and sends/receives traffic through it, although you always use dmz for your config like policies, static routes, and so on.
Check your routing table with "get router info routing-table all" like below:
fg40f-utm (root) # get router info routing-t all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
Routing table for VRF=0
S* 0.0.0.0/0 [1/0] via x.x.x.x, ppp3, [1/20]
[1/0] via y.y.y.y, a, [1/1]
<snip>
When you sniff traffic you have to specify that pppx interface.
fg40f-utm (root) # diag sniffer packet ppp3 '' 4 0 l
interfaces=[ppp3]
filters=[]
2024-02-22 16:02:31.322494 ppp3 out x.x.x.x -> 8.8.8.8: icmp: echo request
2024-02-22 16:02:31.322576 ppp3 out x.x.x.x -> 8.8.4.4: icmp: echo request
2024-02-22 16:02:31.324959 ppp3 in 8.8.8.8 -> x.x.x.x: icmp: echo reply
2024-02-22 16:02:31.325251 ppp3 in 8.8.4.4 -> x.x.x.x: icmp: echo reply
2024-02-22 16:02:31.905243 ppp3 in 20.42.144.52.443 -> x.x.x.x.52558: psh 2767706795 ack 3910518768
2024-02-22 16:02:31.921560 ppp3 out x.x.x.x.52558 -> 20.42.144.52.443: psh 3910518768 ack 2767706854
2024-02-22 16:02:31.928095 ppp3 in 20.42.144.52.443 ->x.x.x.x.52558: ack 3910518834
2024-02-22 16:02:32.066713 ppp3 out x.x.x.x.61818 -> 54.188.200.251.443: psh 3347264005 ack 1944885608
2024-02-22 16:02:32.077669 ppp3 in 54.188.200.251.443 -> x.x.x.x.61818: ack 3347264059
2024-02-22 16:02:32.077942 ppp3 in 54.188.200.251.443 -> x.x.x.x.61818: psh 1944885608 ack 3347264059
2024-02-22 16:02:32.128765 ppp3 out x.x.x.x.61818 -> 54.188.200.251.443: ack 1944885664
And, if it's a cable circuit, you might see lots of your neighbors' traffic on the physical interface.
Toshi
Hello, thanks for your help, but I didn't understand. I have fiber on an ONT and an RJ45 into my FG on the dmz port. The dmz port is configured with PPPoE, and the ONT is in bridge mode. I really don't understand why upload is OK and download doesn't perform OK.
You need to show/tell us "what you think NOT OK?" so that we can understand your problem. Upload bandwidth is much lower than what they're saying on the circuit? Is it 1G down/1G up and you're getting 900M down and 10M up?
Toshi
hello.
Bandwidth is 50mbps ;p it's a little provider in a remote region. The question is, they send me fiber on a media converter and we did the connection via PPPoE on the FG. Searching here on the forum I found some topics about PPPoE delivered with VLAN (and I don't understand why that could be a problem) and found topics talking about hardware limitations on the FG when using PPPoE connections. So I did an iperf test and upload is fine, but download is just 1mb, 2, sometimes 3. So so so so so bad. I just want to understand what's happening.
If 50M down v. 1-3M down, first thing you need to check is if there is a duplex mismatch then also any errors on the physical interface, in your case DMZ port.
Below is my 40F's wan port terminating Lumen fiber/converted copper with pppoe that I showed you the sniffing result yesterday.
fg40f-utm (global) # diag hardware deviceinfo nic wan
Description :FortiASIC NP6XLITE Adapter
Driver Name :FortiASIC NP6XLITE Driver
Board :40F
lif id :0
lif oid :64
netdev oid :64
Current_HWaddr e0:23:ff:22:d8:f4
Permanent_HWaddr e0:23:ff:22:d8:f4
========== Link Status ==========
Admin :up
netdev status :up
autonego_setting :1
link_setting :1
speed_setting :1000
duplex_setting :0
Speed :1000 <---
Duplex :Full <---
link_status :Up
============ Counters ===========
Rx Pkts :47100367
Rx Bytes :50963339622
Tx Pkts :30348916
Tx Bytes :8721205303
Host Rx Pkts :47048347
Host Rx Bytes :50226661295
Host Tx Pkts :30348916
Host Tx Bytes :8720541315
Host Tx dropped :0
FragTxCreate :0
FragTxOk :0
FragTxDrop :0
Depending on the model, visibility of error counter might be limited like my smallest FGT 40F. With another model, 1000D, I can see more. I see only Tx drop counter above.
If those look ok as you would expect, then next thing would be adjusting traffic character like MSS @hbac posted to see if it improves the number of TCP speed test.
Toshi
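The duplex and drop-counter check described in the reply above can be scripted against saved "diag hardware deviceinfo nic" output. This is an added example, not part of the original posts: the function names parse_nic and check_link are hypothetical, both samples are constructed, and matching counters by the substrings "drop" and "err" is an assumption for models that expose more counters.

```python
# Added example: field names follow the output quoted in the thread.
# Both samples are constructed; the Half duplex and drop values are invented.
SAMPLE_GOOD = """\
========== Link Status ==========
Admin :up
Speed :1000 <---
Duplex :Full <---
link_status :Up
============ Counters ===========
Host Tx dropped :0
FragTxDrop :0
"""
SAMPLE_BAD = """\
========== Link Status ==========
Admin :up
Speed :100
Duplex :Half
link_status :Up
============ Counters ===========
Host Tx dropped :1523
FragTxDrop :0
"""

def parse_nic(text):
    """Map 'name :value' lines to a dict; banners and other lines are skipped."""
    fields = {}
    for line in text.splitlines():
        name, sep, value = line.partition(" :")
        if sep:
            # Drop hand-added markers such as '<---' after the value.
            fields[name.strip()] = value.split("<")[0].strip()
    return fields

def check_link(fields):
    """Return findings that point at a layer-1/2 problem."""
    findings = []
    if fields.get("link_status", "").lower() != "up":
        findings.append("link is not up")
    if fields.get("Duplex", "").lower() != "full":
        findings.append(f"duplex is {fields.get('Duplex', 'unknown')}, expected Full")
    # Which counters exist depends on the model, so match by name
    # (assumption: drop/error counters contain 'drop' or 'err').
    for name, value in fields.items():
        if any(k in name.lower() for k in ("drop", "err")) and value.isdigit() and int(value) > 0:
            findings.append(f"{name} = {value}")
    return findings

if __name__ == "__main__":
    for label, sample in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(label, check_link(parse_nic(sample)) or "no findings")
```

An empty result only rules out the physical link; MSS tuning is the next step the thread suggests.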
Hi @bobjonson,
For pppoe connection, I would suggest lowering the tcp-mss value. Please refer to https://community.fortinet.com/t5/FortiGate/Technical-Tip-Setting-TCP-MSS-value/ta-p/194518
Regards,