Hot!Applying traffic shaping or rate limit directly on a tunnel interface

Author
Peddy1976
New Member
  • Total Posts : 8
  • Scores: 0
  • Reward points: 0
  • Joined: 2017/12/28 06:32:36
  • Status: offline
2018/02/16 05:31:07 (permalink)
0

Applying traffic shaping or rate limit directly on a tunnel interface

Hello,
 
we have a VPN concentrator with a lot of VPN connection.
 
My doubt is if there is a possibility to limit the bandwith directly on the tunnel interface instead of applying traffic shaping on the policy.
 
Any suggestions will be really apprecciated.
 
Maurizio
#1

10 Replies Related Threads

    Toshi Esumi
    Expert Member
    • Total Posts : 1747
    • Scores: 143
    • Reward points: 0
    • Joined: 2014/11/06 09:56:42
    • Status: offline
    Re: Applying traffic shaping or rate limit directly on a tunnel interface 2018/02/16 08:55:26 (permalink)
    0
    What is exactly the problem and why do you want to control bandwidth by tunnel?
    #2
    Peddy1976
    New Member
    • Total Posts : 8
    • Scores: 0
    • Reward points: 0
    • Joined: 2017/12/28 06:32:36
    • Status: offline
    Re: Applying traffic shaping or rate limit directly on a tunnel interface 2018/02/16 09:12:35 (permalink)
    0
    I have a FG that act as a VPN concentrator. Every VPN is contractualized with different bandwidth. So, i want to know if I can limit the bandwidth for every VPN and if this can done directly on the tunnel interface.
     
    #3
    rwpatterson
    Expert Member
    • Total Posts : 8418
    • Scores: 195
    • Reward points: 0
    • Joined: 2006/08/08 10:08:18
    • Location: Long Island, New York, USA
    • Status: online
    Re: Applying traffic shaping or rate limit directly on a tunnel interface 2018/02/16 10:16:37 (permalink)
    0
    For each tunnel there is a policy allowing traffic. On this policy you can apply the bandwidth limiters to the tunnel. In essence it is doing the same thing, just in a roundabout way.

    -Bob - self proclaimed posting junkie!
    See my Fortigate related scripts at: http://fortigate.camerabob.com

    -4.3.19-b0694
    FWF60B
    FWF80CM (4)
    FWF81CM (2)
     
    #4
    Toshi Esumi
    Expert Member
    • Total Posts : 1747
    • Scores: 143
    • Reward points: 0
    • Joined: 2014/11/06 09:56:42
    • Status: offline
    Re: Applying traffic shaping or rate limit directly on a tunnel interface 2018/02/16 10:42:18 (permalink)
    0
    I don't know what version you're running on the FG but with 5.4 they created "shaping-policy" in addition to firewall policies. Then in your case you have to create a shaping-policy per VPN (probably as srcint or [not and] dstint depending on with direction you wan to drop packets beyond the limit) and apply a shaper to it.
    It seems that it would still work when you apply a sharper to a firewall policy but we starting using shaping-policy for our QoS config. 
    #5
    romanr
    Platinum Member
    • Total Posts : 911
    • Scores: 32
    • Reward points: 0
    • Joined: 2004/06/08 08:29:56
    • Location: Vienna/Austria
    • Status: offline
    Re: Applying traffic shaping or rate limit directly on a tunnel interface 2018/02/16 12:41:05 (permalink)
    5 (1)
    Hi,
     
    you can set inbandwidth and outbandwidth parameters directly on the interface on the CLI. This should work for tunnel interfaces as well afaik.
     
    Br,
    Roman
    #6
    Toshi Esumi
    Expert Member
    • Total Posts : 1747
    • Scores: 143
    • Reward points: 0
    • Joined: 2014/11/06 09:56:42
    • Status: offline
    Re: Applying traffic shaping or rate limit directly on a tunnel interface 2018/02/16 12:48:35 (permalink)
    0
    I see. That's much easier solution.
     
    xxx-fg (IKEv2Test1) # get | grep band
    inbandwidth         : 0
    outbandwidth        : 0
    estimated-upstream-bandwidth: 0
    estimated-downstream-bandwidth: 0

    xxx-fg (IKEv2Test1) # set inbandwidth ?
    bandwidth-limit    <integer> in kbps (0-16776000; 0 for unlimited)

    xxx-fg (IKEv2Test1) # set outbandwidth ?
    bandwidth-limit    <integer> in kbps (0-16776000; 0 for unlimited)



    #7
    rwpatterson
    Expert Member
    • Total Posts : 8418
    • Scores: 195
    • Reward points: 0
    • Joined: 2006/08/08 10:08:18
    • Location: Long Island, New York, USA
    • Status: online
    Re: Applying traffic shaping or rate limit directly on a tunnel interface 2018/02/20 05:15:37 (permalink)
    0
    toshiesumi
    I don't know what version you're running on the FG but with 5.4 they created "shaping-policy" in addition to firewall policies. Then in your case you have to create a shaping-policy per VPN (probably as srcint or [not and] dstint depending on with direction you wan to drop packets beyond the limit) and apply a shaper to it.
    It seems that it would still work when you apply a sharper to a firewall policy but we starting using shaping-policy for our QoS config. 


    @Toshi
     
    I'm old school. They're in my signature.

    -Bob - self proclaimed posting junkie!
    See my Fortigate related scripts at: http://fortigate.camerabob.com

    -4.3.19-b0694
    FWF60B
    FWF80CM (4)
    FWF81CM (2)
     
    #8
    Toshi Esumi
    Expert Member
    • Total Posts : 1747
    • Scores: 143
    • Reward points: 0
    • Joined: 2014/11/06 09:56:42
    • Status: offline
    Re: Applying traffic shaping or rate limit directly on a tunnel interface 2018/02/20 13:19:21 (permalink)
    0
    No worry. That part of my question was for Peddy. There was the best answer provided by romanr so my comment didn't matter anyway. 
    #9
    Peddy1976
    New Member
    • Total Posts : 8
    • Scores: 0
    • Reward points: 0
    • Joined: 2017/12/28 06:32:36
    • Status: offline
    Re: Applying traffic shaping or rate limit directly on a tunnel interface 2018/02/21 06:49:23 (permalink)
    0
    Hi Roman,
     
    we tried set inbandwidth and outbandwidth on the tunnel interface (we are using version 5.4.1) but it doesnt'work. 
     
    Below the commands:
     
    set indbandwidth 128Kbps
    set outdbandwidth 128Kbps
     
    Trying with iperf the bandwidth is not limited
    #10
    poundy
    New Member
    • Total Posts : 6
    • Scores: 0
    • Reward points: 0
    • Joined: 2019/06/13 20:58:45
    • Status: offline
    Re: Applying traffic shaping or rate limit directly on a tunnel interface 2019/11/10 19:16:03 (permalink)
    0
    Peddy1976
     
    set indbandwidth 128Kbps
    set outdbandwidth 128Kbps
     

    Did those commands report an error? Based on the above post, I would have just done
    set indbandwidth 128
    set outdbandwidth 128
     
    #11
    Jump to:
    © 2019 APG vNext Commercial Version 5.5