Peddy1976
New Contributor II

Applying traffic shaping or rate limit directly on a tunnel interface

Hello,

we have a VPN concentrator with a lot of VPN connections.

My doubt is if there is a possibility to limit the bandwidth directly on the tunnel interface instead of applying traffic shaping on the policy.

Any suggestions will be really appreciated.

Maurizio

Toshi_Esumi
Esteemed Contributor III

What is exactly the problem and why do you want to control bandwidth by tunnel?

Peddy1976

I have a FG that acts as a VPN concentrator. Every VPN is contractualized with different bandwidth. So, I want to know if I can limit the bandwidth for every VPN and if this can be done directly on the tunnel interface.

rwpatterson
Valued Contributor III

For each tunnel there is a policy allowing traffic. On this policy you can apply the bandwidth limiters to the tunnel. In essence it is doing the same thing, just in a roundabout way.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Toshi_Esumi
Esteemed Contributor III

I don't know what version you're running on the FG but with 5.4 they created "shaping-policy" in addition to firewall policies. Then in your case you have to create a shaping-policy per VPN (probably as srcint or [not and] dstint depending on which direction you want to drop packets beyond the limit) and apply a shaper to it.

It seems that it would still work when you apply a shaper to a firewall policy but we started using shaping-policy for our QoS config.
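
An added example, not posted by anyone in this thread: the per-VPN shaping-policy approach described in the post above, written out for a single tunnel. It assumes FortiOS 5.4 CLI field names (check them against the running build); the shaper names, policy id and 128 kbps limit are constructed, and IKEv2Test1 is the tunnel interface name that appears in CLI output elsewhere in this thread.

```fortios
# Constructed example: shaper names, policy id and rates are placeholders.
# One shared shaper per direction holds this VPN's contracted rate
# (maximum-bandwidth is in kbps unless bandwidth-unit is changed).
config firewall shaper traffic-shaper
    edit "vpn-IKEv2Test1-out"
        set maximum-bandwidth 128
    next
    edit "vpn-IKEv2Test1-in"
        set maximum-bandwidth 128
    next
end

# One shaping-policy per tunnel, matched on the tunnel as destination interface.
# traffic-shaper applies to the forward direction of matching sessions,
# traffic-shaper-reverse to the reply direction of the same sessions.
config firewall shaping-policy
    edit 1
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set dstintf "IKEv2Test1"
        set traffic-shaper "vpn-IKEv2Test1-out"
        set traffic-shaper-reverse "vpn-IKEv2Test1-in"
    next
end
```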

romanr
Valued Contributor

Hi,

you can set inbandwidth and outbandwidth parameters directly on the interface on the CLI. This should work for tunnel interfaces as well afaik.

Br,

Roman

Toshi_Esumi
Esteemed Contributor III

I see. That's a much easier solution.

xxx-fg (IKEv2Test1) # get | grep band
inbandwidth         : 0
outbandwidth        : 0
estimated-upstream-bandwidth: 0
estimated-downstream-bandwidth: 0
xxx-fg (IKEv2Test1) # set inbandwidth ?
bandwidth-limit    <integer> in kbps (0-16776000; 0 for unlimited)
xxx-fg (IKEv2Test1) # set outbandwidth ?
bandwidth-limit    <integer> in kbps (0-16776000; 0 for unlimited)

Peddy1976
New Contributor II

Hi Roman,

we tried set inbandwidth and outbandwidth on the tunnel interface (we are using version 5.4.1) but it doesn't work.

Below the commands:

set indbandwidth 128Kbps

set outdbandwidth 128Kbps

Trying with iperf the bandwidth is not limited

poundy

Peddy1976 wrote:

set indbandwidth 128Kbps

set outdbandwidth 128Kbps

Did those commands report an error? Based on the above post, I would have just done

set indbandwidth 128

set outdbandwidth 128

rwpatterson
Valued Contributor III

toshiesumi wrote:

I don't know what version you're running on the FG but with 5.4 they created "shaping-policy" in addition to firewall policies. Then in your case you have to create a shaping-policy per VPN (probably as srcint or [not and] dstint depending on which direction you want to drop packets beyond the limit) and apply a shaper to it.

It seems that it would still work when you apply a shaper to a firewall policy but we started using shaping-policy for our QoS config.

@Toshi

I'm old school. They're in my signature.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
