Throughput problem with FGT 60D and PPPoE connection
The unit is set up with FortiOS 5.2.2 and has the wan1 port connected to the ISP with PPPoE (1Gb subscription).
If I connect the laptop or computer directly with PPPoE to the ISP I get ~800 Mb throughput (tested with speedtest, ISP's own speedtest and torrents). When I connect the Fortigate unit the throughput is capped at ~190 Mb (~140 with 5.2.5) and the unit stops responding (CPU 100%).
I tried the following configurations:
- internal lan in switch mode or in interface mode (hardware switch)
- tried with firmwares 5.0.10 and 5.2.1
The MTU for the PPPoE is 1492 so I also tried with mtu-override 1492 and still the same.
The unit behaves the same in every situation: high CPU and capped throughput.
All the UTM features are turned off. All the tests are done with the basic configuration, just a policy from internal to wan1.
Also another strange thing is that when I test with the download limited ~100Mb so that the unit doesn't completely freeze I can see from the top command that the CPU is 50% hogged by the system, however there is no process in the list with that high of a load (if you add all the processes they add up to max 10%).
Any ideas would be greatly appreciated.
I also noticed that the traffic is not going through the NP4Lite so I guess the 'Supports firewall acceleration across all packet sizes for maximum throughput' on the FGT 60D spec sheet on Fortinet website might be false advertising.
Update: There is no way that I found for a 60D to reach gigabit speeds on PPPoE connection. Max throughput is 140 Mb.
A workaround is to have another router in front of the 60D to do the PPPoE connection (I got a Ubiquiti EdgeMax Lite router for 100E that works amazingly).
I had the same issue with the 60D and gigabit internet with PPPoE. I never found a good solution, so I decided to upgrade. After weighing my options, sticking with an upgraded FortiGate seemed like the best bet (as opposed to going with a pfSense box, which would probably have been at least as expensive, or a Ubiquiti EdgeRouter). My only question was whether the 60E would be able to handle the traffic.
I ended up going with the 80E for the extra ports, but the 60E should perform similarly. And yes, this device can more than handle PPPoE encapsulation and hit gigabit speeds without coming close to maxing out.
Hope that helps anyone considering an upgrade but not wanting to because they don't know if it will solve their bottleneck.
I'm not saying FTNT does NOT have a problem, but these are not apples-to-apples comparisons. If anybody has a bigger unit it would be nice to see what performance issues exist. TCP will be hampered by the smaller MTU and the resulting tcp-MSS value, and inserting a PPPoE frame is sure to cause a greater performance impact.
No different than if it was an IPsec header or GRE, all of which would be lesser in throughput.
Anybody figured this out or do you have any ideas that I could try? I am on 5.2.4 now but still the same issue. Can someone try with the 5.4 beta?
The answer is above. It's an issue caused by using PPPoE and the unit not being able to offload away from the CPU.
Probably the easiest solution short of a larger unit is to put a device capable of holding up the PPPoE circuit in the middle and doing IP-passthru to the FortiGate unit. The FortiGate can then do all your cool UTM stuff.
AFAIK, the cheaper ubnt EdgeRouter Lite does support PPPoE (up to 900~940 Mbps or more) offloading and other formats:
1. IPv4 routing/NAT
2. IPv6 routing/NAT
That small box uses the CN5020 SoC: MIPS64, dual-core, @500 MHz, with application accelerator...
It's an older SoC chip, but I believe it's more powerful than the FortiSoC2...
Can you tell me if the edgerouter X is able to make a PPPoE connection on a VLAN and be transparent mode (it must provide the public IP in the WAN Fortigate Interface)?
ONT -> UBNT -> Fortigate
"NP4 session fast path requirements:
Layer2 type/length must be 0x0800 (IEEE 802.1q VLAN specification is supported); link aggregation between any network interfaces sharing the same network processor(s) may be used (IEEE 802.3ad specification is supported)"
0x0800 is Ethertype of IPv4 over Ethernet.
Point-to-Point Protocol over Ethernet (PPPoE) is a network protocol for encapsulating PPP frames inside Ethernet frames and uses Ethertypes 0x8863 and 0x8864, meaning that it cannot be offloaded.
So all traffic hits the CPU, and the throughput reached is much smaller because the CPU load gets high when packets are handled by it (the throughput values in the unit specifications are for traffic offloaded to the NPU).
In order to have better transfer results you will have to migrate away from the PPPoE type of external connectivity or use a bigger unit.
Or, as you noted, you can use another unit in front of the FortiGate in bridge mode, to perform the PPPOE encapsulation.
I believe that the above explanation is sufficient and I am moving the case to Pending Close Confirmation.
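To make the support answer above concrete (and the earlier remark about the smaller MTU and resulting TCP MSS), here is an added example that is not part of the thread or of any Fortinet code. It parses the Ethernet header of a frame, walks past any 802.1Q tag, and applies only the quoted fast path rule (Layer 2 type must be 0x0800): a plain IPv4 frame qualifies, a PPPoE session frame (0x8864) does not, even though the IPv4 packet is right there behind the 6-byte PPPoE header and the PPP protocol field. The sample frames, MAC addresses and the IPv4 header stub are constructed; the function names are my own, and the MSS arithmetic assumes 20-byte IPv4 and TCP headers with no options.

```python
import struct
from typing import List, Optional, Tuple

# IEEE-registered Ethertypes referenced in the thread. The quoted NP4 fast
# path rule accepts only 0x0800, optionally behind an 802.1Q tag.
ETH_P_IPV4 = 0x0800
ETH_P_8021Q = 0x8100
ETH_P_PPPOE_DISCOVERY = 0x8863
ETH_P_PPPOE_SESSION = 0x8864
PPP_PROTO_IPV4 = 0x0021  # PPP protocol number for IPv4 inside a PPPoE session


def parse_ethertype(frame: bytes) -> Tuple[int, List[int], int]:
    """Return (ethertype, vlan_ids, payload_offset), walking past 802.1Q tags."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset = 14
    vlan_ids: List[int] = []
    while ethertype == ETH_P_8021Q:
        if len(frame) < offset + 4:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[offset:offset + 4])
        vlan_ids.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID
        offset += 4
    return ethertype, vlan_ids, offset


def np4_fast_path_eligible(frame: bytes) -> bool:
    """Mirror of the quoted requirement: Layer 2 type must be 0x0800 (IPv4)."""
    ethertype, _, _ = parse_ethertype(frame)
    return ethertype == ETH_P_IPV4


def pppoe_inner_protocol(frame: bytes) -> Optional[int]:
    """For a PPPoE session frame, return the PPP protocol number it carries."""
    ethertype, _, offset = parse_ethertype(frame)
    if ethertype != ETH_P_PPPOE_SESSION:
        return None
    # PPPoE session header: ver/type (1), code (1), session id (2), length (2)
    # = 6 bytes, followed by the 2-byte PPP protocol field.
    if len(frame) < offset + 8:
        raise ValueError("truncated PPPoE session header")
    (ppp_proto,) = struct.unpack("!H", frame[offset + 6:offset + 8])
    return ppp_proto


def classify(frame: bytes) -> str:
    """Where the frame ends up according to the quoted fast path rule."""
    ethertype, _, _ = parse_ethertype(frame)
    if ethertype == ETH_P_IPV4:
        return "ipv4: NP4 fast path"
    if ethertype == ETH_P_PPPOE_DISCOVERY:
        return "pppoe-discovery: CPU"
    if ethertype == ETH_P_PPPOE_SESSION:
        return "pppoe-session: CPU"
    return "other: CPU"


def tcp_mss_for_mtu(mtu: int) -> int:
    """MSS = MTU minus 20-byte IPv4 header minus 20-byte TCP header (no options)."""
    return mtu - 20 - 20


def build_frame(ethertype: int, payload: bytes, vlan_id: Optional[int] = None) -> bytes:
    """Constructed test frame with locally administered placeholder MACs."""
    header = bytes.fromhex("020000000001") + bytes.fromhex("020000000002")
    if vlan_id is not None:
        header += struct.pack("!HH", ETH_P_8021Q, vlan_id)  # PCP/DEI left at 0
    return header + struct.pack("!H", ethertype) + payload


# Constructed samples: a plain IPv4 frame, and the same IPv4 header inside a
# PPPoE session carried on VLAN 835 (the Orange layout mentioned later).
IPV4_HEADER = bytes.fromhex("4500001400010000400600000a0000010a000002")
PPPOE_SESSION_HDR = struct.pack("!BBHH", 0x11, 0x00, 0x0001, len(IPV4_HEADER) + 2)
PLAIN_IPV4 = build_frame(ETH_P_IPV4, IPV4_HEADER)
PPPOE_VLAN835 = build_frame(
    ETH_P_PPPOE_SESSION,
    PPPOE_SESSION_HDR + struct.pack("!H", PPP_PROTO_IPV4) + IPV4_HEADER,
    vlan_id=835,
)

if __name__ == "__main__":
    for name, frame in (("plain IPv4", PLAIN_IPV4), ("PPPoE on VLAN 835", PPPOE_VLAN835)):
        et, vlans, _ = parse_ethertype(frame)
        print(f"{name}: ethertype=0x{et:04x} vlans={vlans} -> {classify(frame)}")
    print("TCP MSS at PPPoE MTU 1492:", tcp_mss_for_mtu(1492))
```

The point the classification makes is that the decision is taken on the outer Ethertype alone: the offload engine never gets to the IPv4 header that `pppoe_inner_protocol` can reach, so a PPPoE uplink sends every packet through the CPU regardless of how the internal side is configured. The MSS helper gives 1452 at MTU 1492 against 1460 at 1500, the per-segment cost the earlier reply refers to.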
So I am looking for a device able to handle PPPoE in bridge mode on VLAN 835.
If you use a bridging modem in front of your FGT you should not see any performance issues anymore.
In bridge mode, the credentials for the PPPoE connection are specified on the FGT.
You could also use a router in front, with a transfer network between router and FGT.
From your last sentence I understand that you expect tagged VLAN 835 on your ethernet data. The modem will de-encapsulate the PPPoE stream to ethernet frames. If you create a VLAN subinterface on the WAN port of your FGT, ID 835, you should be able to receive data.
I guess Thomas is doing exactly what I'm trying to achieve.
Here, in France, Orange forces us to have their own router (LiveBox Pro v3 in my case) to connect to the ONT.
VLAN 835 is used for Internet traffic, VLAN 838 and 840 are for TV and VLAN 851 is for SIP.
Problem is this box cannot be used as a bridge, so my FortiGate unit (currently 60C) is just in the DMZ of the Livebox. It works just fine from a routing point of view, but you have an approximately 2 ms performance hit on all connections, and the FTG unit does not carry the public IP address. You also cannot get the SIP VLAN internally, as they are not routed.
My connections are still good, topping 970 Mb/s down, 260 Mb/s up, which is close to the commercial fiber offering they provide (through the ONT -> Livebox -> FTG path)
I started to look at ways for connecting directly to the ONT. Using the PPPoE client of the FGT unit works just fine, except for performance that drops dramatically to approx. 130/30 Mb/s up/down. Remember the 60C is pretty old in terms of CPU.
Apparently, performance is just perfect, maybe even a bit faster than the router from Orange. At least, it is a "true" router. The Orange one is just derived from a consumer series, and cannot do 5% of what you can do with any proper router on the market.
PS to Thomas: if the UBNT is the PPPoE client on VLAN 835 (which it will be), it will carry the public IP address; there cannot be a notion of "transparent mode".