Prioritize VPN traffic?

sw2090
2019/07/09 23:47:11

Prioritize VPN traffic?

We run a load balancer (SD-WAN) on our FGT that balances internet traffic.
We also have several IPsec tunnels. Those have to be connected to a specific WAN interface and cannot use SD-WAN.
I set the load balancer to volume-based and it is set to not use all available bandwidth.
Thus big downloads affect the performance on IPsec.
Since I cannot use SD-WAN rules here - is there a way to prioritize IPsec traffic before internet traffic?
#1
hubertzw
Re: Prioritize VPN traffic? 2019/07/10 03:06:12
What software version do you use? Every version has many new features: 5.6 vs 6.0 vs 6.2.0 vs 6.2.1.
How many WAN links do you have? If more than one, I'd try to separate VPN traffic from the Internet; I think you could use PBR.
Is there any reason you can't add the WAN dedicated to VPN to the SD-WAN? By creating rules you can totally separate traffic between two or more groups of interfaces.
 
#2
sw2090
Re: Prioritize VPN traffic? 2019/07/10 03:09:07
We still have 5.4.
We have two WAN lines and both are in SD-WAN.
IPsec doesn't use SD-WAN because it needs a unique termination.
So how could any SD-WAN rules affect VPN traffic that goes either directly to the WAN line or the VPN interface?
#3
hubertzw
Re: Prioritize VPN traffic? 2019/07/10 03:37:19 (marked helpful by sw2090, 2019/07/10 04:21:44)
Let's assume you have WAN1 and WAN2. You have some IPsec tunnels on WAN2.
In the SD-WAN definition I'd try to set the load balancing method 'sessions' to send 2x more traffic over WAN1 than via WAN2.
Is that something you are looking for?
#4
sw2090
Re: Prioritize VPN traffic? 2019/07/10 04:21:34
hubertzw, thanks for your reply. I think you got me onto the right path.
Alas, I think session-based is not the right decision, since it does the same as volume-based (which we had), just counting sessions instead of packets and distributing proportionally by weight. This would not prevent the load balancer from exhausting too much bandwidth.
I've now changed it to use spillover and set the ingress/egress thresholds for the lines so that the load balancer cannot exhaust all bandwidth. In fact it can do so on line 2, because that has the bigger bandwidth and is only secondarily used by tunnels. So at the moment its thresholds are at maximum. I thus set line 1 (primary WAN for the tunnels) to threshold at half of its bandwidth in/out (that is a symmetric line!).
So according to the descriptions on the Fortinet site, internet traffic should not be able to use up more than this on that line.
I'll monitor that and see...
 
thanks so far.
#5
hubertzw
Re: Prioritize VPN traffic? 2019/07/10 05:50:12
Yes please let us know if you achieve it. Thanks
#6