Helpful ReplyThroughput problem with FGT 60D and PPPoE connection

Page: < 12 Showing page 2 of 2
Author
storaid
Platinum Member
  • Total Posts : 760
  • Scores: 13
  • Reward points: 0
  • Joined: 2012/09/24 20:19:19
  • Status: offline
Re: Throughput problem with FGT 60D and PPPoE connection 2015/11/12 19:52:58 (permalink)
0
AFAIK, cheaper ubnt edgerouter lite does support the PPPoE(up to 900~940Mbps or up) offloading and other formats:
1. IPv4 routing/NAT
2. IPv6 routing/NAT
3. VLAN
4. GRE
5. DPI(IPv4)
6. IPsec(crypto)
 
that small box uses the CN5020 SoC; MIPS64, dual-core, @500MHz, with application acclerator...
it's older SoC chip, but I believe it's powerful than FortiSoC2...
post edited by storaid - 2015/11/12 19:57:33

FWF60D x2
FWF60C x3
FGT80C rev.2
FGT200B-POE
FAP220B x3
FAP221B x2
FSW224B x1
#21
emnoc
Expert Member
  • Total Posts : 5178
  • Scores: 335
  • Reward points: 0
  • Joined: 2008/03/20 13:30:33
  • Location: AUSTIN TX AREA
  • Status: offline
Re: Throughput problem with FGT 60D and PPPoE connection 2015/11/12 20:47:02 (permalink)
0
And none of thee above are firewalls
 
I'm not saying FTNT does NOT have a problem, but these are not apple-2-apples comparisons. If anybody has a bigger unit it would be nice to see what performance issues exists. TCP will be hampered by the smaller MTU and resulting tcp-MSS value and inserting a PPPoE frame is surely to cause a greater performance impact.
 
No different if it was a IPSEC header or GRE all of which would be lesser in  thru-put.
 
Ken
 

PCNSE,  NSE , Forcepoint ,  StrongSwan Specialist
#22
andrei123
New Member
  • Total Posts : 4
  • Scores: 0
  • Reward points: 0
  • Joined: 2014/12/22 22:29:20
  • Status: offline
Re: Throughput problem with FGT 60D and PPPoE connection 2015/11/30 04:48:55 (permalink)
0
Anybody figured this out or do you have any ideas that I could try? I am on 5.2.4 now but still the same issue. Can someone try with the 5.4 beta?
 
Thank you,
BR
post edited by andrei123 - 2015/11/30 05:02:45
#23
josh
Bronze Member
  • Total Posts : 21
  • Scores: 2
  • Reward points: 0
  • Joined: 2015/09/01 18:57:13
  • Location: Auckland, New Zealand
  • Status: offline
Re: Throughput problem with FGT 60D and PPPoE connection 2016/01/24 17:37:32 (permalink)
0
andrei123
Anybody figured this out or do you have any ideas that I could try? I am on 5.2.4 now but still the same issue. Can someone try with the 5.4 beta?
 
Thank you,
BR




The answer is above.. It's an issue caused by using PPPoE and the unit not being able to offload away from the CPU.
 
Probably the easiest solution short of a larger unit is to put a device capable of holding up the PPPoE circuit in the middle and doing IP-passthru to the FortiGate unit. The FortiGate can then do all your cool UTM stuff.
post edited by josh - 2016/02/04 12:35:35
#24
Thomas
New Member
  • Total Posts : 4
  • Scores: 0
  • Reward points: 0
  • Joined: 2016/02/29 00:36:29
  • Status: offline
Re: Throughput problem with FGT 60D and PPPoE connection 2016/02/29 01:41:26 (permalink)
0
Hi
Same problem for me with 90D and ALCATEL or HUAWEI ONT
The brandwith between PPOE session and interface is limit to 200Mbps
 
Anyone have test to config the PPOE session in the Orange ONT ?
I think that you we can configure the ONT in transparent mode.
#25
Thomas
New Member
  • Total Posts : 4
  • Scores: 0
  • Reward points: 0
  • Joined: 2016/02/29 00:36:29
  • Status: offline
Re: Throughput problem with FGT 60D and PPPoE connection 2016/03/02 01:16:01 (permalink)
0
storaid
AFAIK, cheaper ubnt edgerouter lite does support the PPPoE(up to 900~940Mbps or up) offloading and other formats:
1. IPv4 routing/NAT
2. IPv6 routing/NAT
3. VLAN
4. GRE
5. DPI(IPv4)
6. IPsec(crypto)
 
that small box uses the CN5020 SoC; MIPS64, dual-core, @500MHz, with application acclerator...
it's older SoC chip, but I believe it's powerful than FortiSoC2...




Hello Storaid

Can you tell me if the edgerouter X is able to make a PPPoE connection on a VLAN and be transparent mode (it must provide the public IP in the WAN Fortigate Interface)?

ONT -> UBNT -> Fortigate
 
Thanks
#26
ithierack
New Member
  • Total Posts : 6
  • Scores: 0
  • Reward points: 0
  • Joined: 2016/01/11 06:37:25
  • Status: offline
Re: Throughput problem with FGT 60D and PPPoE connection 2016/03/02 22:34:28 (permalink)
0
Hi,
any one experience with an 80D or and 92D and PPPoE. Can we get her > 200 Mbit without overload the Device?
 
 
 
#27
Thomas
New Member
  • Total Posts : 4
  • Scores: 0
  • Reward points: 0
  • Joined: 2016/02/29 00:36:29
  • Status: offline
Re: Throughput problem with FGT 60D and PPPoE connection 2016/03/09 03:48:02 (permalink)
0
Réponse du support fortinet :
 
According to http://docs.fortinet.com/uploaded/files/2151/fortigate-hardware-accel-526.pdf page 74:
"NP4 session fast path requirements:
//...//
Layer2 type/length must be 0x0800 (IEEE 802.1q VLAN specification is supported); link aggregation between any network interfaces sharing the same network processor(s) may be used (IEEE 802.3ad specification is supported)"
0x0800 is Ethertype of IPv4 over Ethernet.
Point-to-Point Protocol over Ethernet (PPPoE) is a network protocol for encapsulating PPP frames inside Ethernet frames and has ethertype 0x8863 and 0x8864, meaning that it cannot be offloaded.
So all traffic hits CPU and throughput reached is much smaller due to CPU getting high when packets are handled by it (throughput values in the unit specifications are for offloaded traffic to NPU).
In order to have better transfer results you will have to migrate from PPPOE type of external connectivity or use a bigger unit.
Or, as you noted, you can use another unit in front of the FortiGate in bridge mode, to perform the PPPOE encapsulation.
I believe that the above explanation is sufficient and I am moving the case to Pending Close Confirmation.
 
Donc je cherche un appareil capable de me gérer le PPOE en mode bridge sur le vlan 835
Merci pour vos pistes.
:-)
#28
ede_pfau
Expert Member
  • Total Posts : 5986
  • Scores: 472
  • Reward points: 0
  • Joined: 2004/03/09 01:20:18
  • Location: Heidelberg, Germany
  • Status: offline
Re: Throughput problem with FGT 60D and PPPoE connection 2016/03/10 03:47:31 (permalink)
0
If you use a bridging modem in front of your FGT you should not see any performance issues anymore.
In bridge mode, the credentials for the PPPoE connection are specified on the FGT.
You could also use a router in front, with a transfer network between router and FGT.
 
From your last sentence I understand that you expect tagged VLAN 835 on your ethernet data. The modem will de-encapsulate the PPPoE stream to ethernet frames. If you create a VLAN subinterface on the WAN port of your FGT, ID 835, you should be able to receive data.

Ede

" Kernel panic: Aiee, killing interrupt handler!"
#29
Philippe ASTIER
New Member
  • Total Posts : 14
  • Scores: 0
  • Reward points: 0
  • Joined: 2014/04/03 10:32:00
  • Location: France
  • Status: offline
Re: Throughput problem with FGT 60D and PPPoE connection 2016/04/11 04:53:01 (permalink)
0
Hi all,
 
I guess Thomas is doing exactly what I'm trying to achieve.
 
Here, in France, Orange forces us to have their own router (LiveBox Pro v3 in my case) to connect to the ONT. 
VLAN 835 is used for Internet traffic, VLAN 838 and 840 are for TV and VLAN 851 is for SIP.
 
Problem is this box can not be used as a bridge, so my FortiGate unit (currently 60C) is just in the DMZ of the Livebox. It works just fine from a routing point of view, but you have an approximately 2ms performance hit on all connections, and the FTG unit does not carry the public IP address. You also can not get the SIP VLAN internally, as they are not routed.
 
My connections are still good, topping 970 Mb/s down, 260 Mb/s up, which is close to the commercial fiber offering they provide (through the ONT -> Livebox -> FTG path)
 
I started to look at ways for connecting directly to the ONT. Using the PPPoE client of the FGT unit works just fine, except for performance that drops dramatically to approx. 130/30 Mb/s up/down. Remember the 60C is pretty old in terms of CPU.
 
I also have an Ubiquiti Edgerouter-5, currently used as a PoE injector and PPTP client in interface mode (I wish Fortinet would offer this...). I will try and modify my configuration to connect it to the ONT. Details can be found here : https://lafibre.info/remplacer-livebox/en-cours-remplacer-sa-livebox-par-un-routeur-ubiquiti-edgemax/2496/
 
Apparently, performance is just perfect, maybe even a bit faster than the router from Orange. At least, it is a "true" router. The Orange one is just derived from consumer series, and can not do 5% of what you can do with any proper router on the market. 
 
 
PS to Thomas : if the UBNT is the PPPoE client on VLAN 835 (which it will be), it will carry the public IP address, there can not be a notion of "transparent mode". 
 
I'll keep you posted.
#30
Thomas
New Member
  • Total Posts : 4
  • Scores: 0
  • Reward points: 0
  • Joined: 2016/02/29 00:36:29
  • Status: offline
Re: Throughput problem with FGT 60D and PPPoE connection 2016/04/15 01:14:40 (permalink)
0
Hello Philippe,


I advanced a little on my config:

The Edgerouter X works very well in PPOE client on the ONT (MSS 1452)

My results speeds in v1.6 ~  250/180 v1.8~370/250 .

With my livebox ~500 / 250

In fact the offload is not available on this model.

After consultation with the UBNT support (which is very reactive !!!), he confirmed to me that the offload was planned on this model and had to buy on a Edgerouter Lite to use offload pppoe and forward


To access FG I'll have to forward ports from UBNT but at least I got hold of it and I can do what I want to like these F..... livebox!
 
Regards
#31
Justinb
New Member
  • Total Posts : 10
  • Scores: 2
  • Reward points: 0
  • Joined: 2015/06/22 23:16:09
  • Status: offline
Re: Throughput problem with FGT 60D and PPPoE connection 2016/05/27 00:45:43 (permalink)
0
PPPoE is very slow, at least on the < 100 series.
With Gigabit Ethernet and an ActionTec device to handle the PPPoE, I get speedtest.net results of over 900Mbps up and down on both my old FWF-60c as well as my current 90D (all IPS / logging disabled for all tests)
 
When I remove the ActionTec from the path and use PPPoE directly from the 90D, measurements drop down to approximately 280Mbps.  While SSH'd into the 90D and attempting to run diag sys top or diag sys top-summary, the top session doesn't update until the speedtest is complete.
 
I have a demo 300D that I'll test with over the weekend to see if the NP6 does a better job than NPLite, but the short version is: The lower end Fortigate's don't do well with fast PPPoE connections.
 
(I ran into the issue and this thread after getting frustrated with implementing IPv6 with the ActionTec in the middle, so I took it out)
post edited by Justinb - 2016/05/27 00:46:51
#32
freb
New Member
  • Total Posts : 1
  • Scores: 0
  • Reward points: 0
  • Joined: 2017/07/18 12:48:32
  • Status: offline
Re: Throughput problem with FGT 60D and PPPoE connection 2018/02/06 10:19:29 (permalink) ☄ Helpfulby ede_pfau 2018/02/06 10:51:50
0
I had the same issue with the 60d and gigabit internet with PPPOE. I never found a good solution, so I decided to upgrade. After weighing my options, sticking with an upgraded Fortigate seemed like the best bet (as opposed to going with a PFSense box, which would probably have been at least as expensive, or a Ubiquity EdgeRouter). My only question was would the 60e be able to handle the traffic.
 
I ended up going with the 80e for the extra ports, but the 60e should perform similarly. And yes, this device can more than handle PPPOE encapsulation and hit gigabit speeds without coming close to maxing out.
 
Hope that helps anyone considering an upgrade but not wanting to because they don't know if it will solve their bottleneck.
#33
josh
Bronze Member
  • Total Posts : 21
  • Scores: 2
  • Reward points: 0
  • Joined: 2015/09/01 18:57:13
  • Location: Auckland, New Zealand
  • Status: offline
Re: Throughput problem with FGT 60D and PPPoE connection 2018/02/06 11:11:27 (permalink)
0
I'd be interested to know whether FortiGates of any model support PPPoE off-loading. It appears from the 60E onward the devices are equipped with an NP6-Lite:
 
fwl-01 # get hardware status
Model name: FortiWiFi-60E
ASIC version: SOC3
ASIC SRAM: 64M
CPU: ARMv7
Number of CPUs: 4
RAM: 1864 MB
EMMC: 3662 MB(MLC) /dev/mmcblk0
Hard disk: not available
USB Flash: not available
Network Card chipset: FortiASIC NP6LITE Adapter (rev.)
WiFi Chipset: Atheros
WiFi firmware version: 0.9.17.1
jf-akl-fwl-01 # diagnose npu np6lite port-list
Chip XAUI Ports Max Cross-chip
Speed offloading
------ ---- ------- ----- ----------
np6lite_0
3 wan1 1000M NO
7 wan2 1000M NO
1 dmz 1000M NO
1 internal1 1000M NO
1 internal2 1000M NO
1 internal3 1000M NO
1 internal4 1000M NO
1 internal5 1000M NO
1 internal6 1000M NO
1 internal7 1000M NO

versus:
 
fwl-01 # get hardware status
Model name: FortiGate-50E
ASIC version: not available
CPU: ARMv7
Number of CPUs: 2
RAM: 2024 MB
MTD Flash: 128 MB /dev/mtd
Hard disk: not available
USB Flash: not available
Network Card chipset: Marvell NETA Gigabit Ethernet driver 00000010 (rev.)
 
That being said, I haven't got around to breaking apart the software switching on my 60E at home to confirm, though I can confirm the default configuration of having the software switch enabled does prevent offloading of data for at least the AV/IPS/SSL inspection processing in my experience.
 
#34
Philippe ASTIER
New Member
  • Total Posts : 14
  • Scores: 0
  • Reward points: 0
  • Joined: 2014/04/03 10:32:00
  • Location: France
  • Status: offline
Re: Throughput problem with FGT 60D and PPPoE connection 2018/02/09 08:07:35 (permalink)
0
Hi all !
 
Since I upgraded to a from my FGT-60C HA cluster to a FortiGate-61E, I wanted to do tests again.
 
With my LiveBox Pro v4 (ISP provided router), I get approx. 900 / 240 down/up Mb/s, with a 10.8 ms latency to Google.
 
Through my FGT-61E, I could not get more than 570/240, with an improved 9.9 ms latency.
 
So 61E can still not cope with a full Gb/s of PPPoE. It just helps reduce the latency by the approximate 2 ms need to go through the router.
 
Or maybe I'm missing some options to get faster PPPoE ? I haven't seen any...
 
 
#35
Page: < 12 Showing page 2 of 2
Jump to:
© 2019 APG vNext Commercial Version 5.5