I use a Fortigate 60E (WAN Router) to split our internet connection to a 2nd location. On the 2nd location we also have a Fortigate 60E. I used a traffic shaper on the WAN Router to limit their speed to 100Mbit.
Both run FortiOS 6.2.10.
The Issue: On the 2nd location, for one reason or another, 1 user can use up 100% of that 100MBit during a download. Any other device at that point will not be able to use the internet until the download is done. Has anyone seen this before? It feels like the 2nd Fortigate doesn't know the line speed, even though I set the Estimated Bandwidth to 100000 kbps.
I don't understand why it's not balancing the connection.
- You didn't mention if location2's internet needs to go through location1. I assume it does because of the diagram.
- Then, why is the max-bandwidth set to 100Mbps (BTW, bps (bits per second) is not counted by x1024. That's for memory size "Bytes")? It's supposed to be limited down to like 50Mbps or much less, so as not to max out the 100Mbps pipe allocated between the two locations.
- As in a part of the cookbook Vando posted, the per-IP shaper needs to be applied to a "shaping-policy", which affects both directions, unlike shared shapers.
- In the shaping-policy, it's supposed to be applied to the traffic coming in/going out of the pipe/interface which has the hard limit of 100Mbps (a VPN?). Not the internal DMZ interface (I mean you still need to specify the IP of the device as the source/destination but don't have to specify the inside interface. You could though).
So you have the Per-IP traffic shaping applied on the F60E that splits your internet access? Correct
And is there just 1 user that is able to bypass the shaping policy?
No, the shaper is applied on Location 2, the user can use 100MBps max, just leaving none of the 100MBps for the internet radio for example. The internet radio at Location 2 just stops and resumes after the download.
Have you tried to use some of the debug commands to see if the sessions coming from location 2 have the shaper applied to them? Yes, the shaper is applied, I will check the debug flow again.