Managing Bandwidth for Tunnel Routing and IPsec
Bandwidth Management is capable to control the original traffic that is encapsulated by Tunnel Routing or IPSec
VPN. Traffic that is going to be transferred outward through Tunnel Routing or IPSec VPN will be processed by
Bandwidth Management before encapsulating, and traffic that is transferred inward through Tunnel Routing or IPSec VPN is controlled by Bandwidth Management after decapsulating. In other words, FortiWAN’s Tunnel Routing and IPSec are transparent to Bandwidth Management (and the corresponding BM log and statistics). Bandwidth Management can only recognize the original applications (by matching a filter on the Service) that is going to be encapsulated or has been decapsulated by Tunnel Routing or IPSec. The GRE and ESP packets generated by FortiWAN are invisible to Bandwidth Management.
To control Tunnel Routing or IPSec transmission by Bandwidth Management, please make sure a Bandwidth Management filter is defined correctly (on the source, destination and service) to match its original packets. If you would like to control the overall Tunnel Routing or IPSec transmission no matter what the original services it is, try to classify the traffic by its Source and Destination; the Source and Destination of the Routing Rules of Tunnel Routing, or the Source and Destination of the Quick Mode selectors of IPSec Tunnel mode (See “How to set up routing rules for Tunnel Routing” and “IPSec VPN in the Web UI”).
Traffic shaping by Bandwidth Manage takes place before Tunnel Routing and IPSec encapsulations. Traffic of an application is counted together in BM logs no matter whether it is transferred through Tunnel Routing and IPSec, thus you cannot recognize the traffic statistics as a Tunnel Routing (includes Tunnel Routing over IPSec Transport mode), IPSec (Tunnel mode) or general transmission from the BM logs by the PROTO field (See “Log > View”). As for FortiWAN Reports, statistics of the traffic that is transferred through Tunnel Routing is indicated as GRE in the reports but it is unable to drill down to the individual services. On the other hand, you cannot recognize a traffic as FortiWAN’s IPSec in the service report pages, traffic that is transferred through FortiWAN
IPSec is separated into individual services. See “Traffic Statistics for Tunnel Routing and IPSec” for the details.
Note that during the period system applying the configurations of Bandwidth Management (click the Apply button on Web UI), traffic passing through FortiWAN will be blocked for a while.
Scenarios
Example 1 Inbound BM
The maximum bandwidth limited for internet users to transfer emails to mail server 211.21.48.197 in DMZ during both busy and idle periods is 128K on WAN1, 64K on WAN2, and 128K on WAN3. The guaranteed bandwidth on WAN1, WAN2 and WAN3 is zero.
The maximum bandwidth limited for hosts in LAN zone to download data from internet web servers during both busy and idle periods is 128K on WAN1, 64K on WAN2, and 64K on WAN3. The guaranteed bandwidth on WAN1, WAN2 and WAN3 is zero.
During the busy period, the maximum bandwidth limited for 192.168.0.100 to download data from internet FTP servers is 50K on WAN1, 30K on WAN2 and WAN3. The guaranteed bandwidth on WAN1 is 20K, and zero on WAN2 and WAN3. During the idle period, the maximum bandwidth limited for 192.168.0.100 to download data from internet FTP servers is 50K on WAN1, 200K on WAN2 and WAN3. The guaranteed bandwidth is 20K on WAN1, 100K on WAN2 and WAN3. The bandwidth is prioritized as “High” during both busy and idle periods.
During the busy period, the maximum bandwidth limited for internet users to upload data to FTP server
211.21.48.198 in DMZ is 500K on WAN1, 256K on WAN2 and WAN3. The guaranteed bandwidth on WAN1 is
200K, and zero on WAN2 and WAN3. During the idle period, the maximum bandwidth limited for internet users to upload data to FTP server 211.21.48.198 in DMZ is 500K on WAN1, 300K on WAN2 and WAN3. The guaranteed bandwidth is 200K on WAN1, WAN2 and WAN3. The bandwidth is prioritized as “Low” during both busy and idle periods.
| Name | Link | Busy Hour Settings | Idle Hour Settings | ||||
| Guaranteed Max Kbps Kbps | Priority | Guaranteed Max Kbps Kbps | Priority | ||||
| Mail Server | WAN1 | 0 | 128 | Normal | 0 | 128 | Normal |
| WAN2 | 0 | 64 | Normal | 0 | 64 | Normal | |
| WAN3 | 0 | 128 | Normal | 0 | 128 | Normal | |
| For LAN Zone | WAN1 | 0 | 128 | Normal | 0 | 128 | Normal |
| WAN2 | 0 | 64 | Normal | 0 | 64 | Normal | |
| WAN3 | 0 | 64 | Normal | 0 | 64 | Normal | |
| For
192.168.0.100 |
WAN1 | 20 | 50 | High | 20 | 50 | High |
| WAN2 | 0 | 30 | High | 100 | 200 | High | |
| WAN3 | 0 | 30 | High | 100 | 200 | High | |
| FTP Server | WAN1 | 200 | 5000 | Low | 200 | 500 | Low |
| WAN2 | 0 | 256 | Low | 200 | 300 | Low | |
| WAN3 | 0 | 256 | Low | 200 | 300 | Low | |
Filter Settings
| Source | Destination | Service | Classes | |
| WAN | 211.21.48.197 | SMTP(25) | Mail Server | |
| WAN | LAN | HTTP(80) | For LAN Zone | |
| WAN | 192.168.0.100 | FTP(21) | For
192.168.0.100 |
|
| WAN | 211.21.48.198 | FTP(21) | FTP Server |
There are two possible scenarios for inbound data. One is local host downloading data from a remote FTP server in WAN, the other is a remote user in WAN uploading data to FTP in LAN. In both two scenarios data are sent from WAN to LAN. Thus it is necessary to configure BM rules for the scenarios on the Inbound BM page.
Example 2 Inbound BM
During the busy period, the maximum bandwidth limited for hosts in LAN zone to download data from FTP server 192.192.10.10 is 128K on WAN1, 128K on WAN2, and 64K on WAN3. During the idle period, the maximum bandwidth limited for hosts in LAN zone to download data from FTP server 192.192.10.10 is 512K on WAN1, WAN2 and WAN3. The guaranteed bandwidth on WAN1, WAN2 and WAN3 is zero during both busy and idle periods.
During the busy period, the maximum bandwidth limited for hosts 192.168.0.10 ~ 192.168.0.50 in LAN zone to download data from internet web servers is 128K on WAN1, 256K on WAN2 and WAN3. The gauranteed bandwidth is zero on WAN1, 128K on WAN2 and 64K on WAN3. During the idle period, the maximum bandwidth limited for hosts 192.168.0.10 ~ 192.168.0.50 in LAN zone to download data from internet web servers is 128K on WAN1, 512K on WAN2 and WAN3. The guaranteed bandwidth is zero on WAN1, WAN2 and WAN3. The bandwidth is prioritized as “Low” on WAN2 and WAN3 during both busy and idle periods.
During the busy period, the maximum bandwidth limited for hosts in a subnet 192.168.100.0/24 in LAN to download data from internet FTP servers is 50K on WAN1, 64K on WAN2 and WAN3. The guaranteed bandwidth on WAN1 is 20K, and zero on WAN2 and WAN3. During the idle period, the maximum bandwidth limited for hosts in a subnet 192.168.100.0/24 in LAN to download data from internet FTP servers is 20K on WAN1, 128K on WAN2 and WAN3. The guaranteed bandwidth is 20K on WAN1, 32K on WAN2 and WAN3. The bandwidth is prioritized as “High” during both busy and idle periods.
Configuring inbound BM class table
| Name | Link | Busy Hour Settings | Idle Hour Settings | ||||
| Guaranteed Max Kbps Kbps | Priority | Guaranteed Max Kbps Kbps | Priority | ||||
| For LAN Zone | WAN1 | 0 | 128 | Normal | 0 | 512 | Normal |
| WAN2 | 0 | 128 | Normal | 0 | 512 | Normal | |
| WAN3 | 0 | 64 | Normal | 0 | 512 | Normal | |
| For
192.168.0.10-50 |
WAN1 | 0 | 128 | Normal | 0 | 128 | Normal |
| WAN2 | 128 | 256 | Low | 0 | 512 | Low | |
| WAN3 | 64 | 256 | Low | 0 | 512 | Low | |
| For
192.168.100.0/24 |
WAN1 | 20 | 50 | High | 20 | 50 | High |
| WAN2 | 0 | 64 | High | 32 | 128 | High | |
| WAN3 | 0 | 64 | High | 32 | 128 | High | |
Filter Settings
| Source | Destination | Service | Classes |
| 192.192.10.10 | LAN | SMTP(25) | For LAN Zone |
| WAN | 192.168.0.10-192.168.0.50 | HTTP(80) | For
192.168.0.10-50 |
| WAN | 192.168.100.0/255.255.255.0 | FTP(21) | For
192.168.100.0/24 |
Example 3 Outbound BM
During the busy period, the maximum bandwidth limited for internet users to download data from FTP server 211.21.48.198 in DMZ is 128K on WAN1 and WAN2, and 64K on WAN3. During the idle period, the maximum bandwidth limited for internet users to download data from FTP server 211.21.48.198 in DMZ is 512K on WAN1, WAN2 and WAN3. The guaranteed bandwidth on WAN1, WAN2 and WAN3 is zero during both busy and idle period.
During the busy period, the maximum bandwidth limited for internet users to receive emails from mail server 211.21.48.197 in DMZ is 128K on WAN1 and WAN2, and 256K on WAN3. During the idle period, the maximum bandwidth limited for internet users to receive emails from mail server 211.21.48.197 in DMZ is 128K on WAN1 and WAN2, and 512K on WAN3. The guaranteed bandwidth on WAN1, WAN2 and WAN3 is zero. The bandwidth is prioritized as “Low” during both busy and idle periods.
During the busy period, the maximum bandwidth limited for internet users to download data from a virture FTP server 192.168.0.100 in LAN is 200K on WAN1, 100K on WAN2 and WAN3. The guaranteed bandwidth on WAN1 is 100K, and 50K on WAN2 and WAN3. During the idle period, the maximum bandwidth limited for internet users to download data from a virture FTP server 192.168.0.100 in LAN is 512K on WAN1, WAN2 and WAN3. The guaranteed bandwidth is on WAN1, WAN2 and WAN3 is zero. Note: When configuring filters on virtual servers, specify the private IP assigned to the virtual server and not the translated public IP.
During the busy period, the maximum bandwidth limited for hosts in a remote subnet 10.10.10.0/24 to download data from FTP server 211.21.48.198 in DMZ is 128K on WAN1 and WAN2 and 256K on WAN3. During the idle period, the maximum bandwidth limited for hosts in a remote subnet 10.10.10.0/24 to download data from FTP server 211.21.48.198 in DMZ is 256K on WAN1 and WAN2, and 512K on WAN3. The guaranteed bandwidth is zero on WAN1, WAN2 and WAN3, and the bandwidth is prioritized as “Low” during both busy and idle periods.
Settings for BM classes above
| Name | Link | Busy Hour Settings | Idle Hour Settings | ||||
| Guaranteed Max Kbps Kbps | Priority | Guaranteed Max Kbps Kbps | Priority | ||||
| Mail Server | WAN1 | 0 | 128 | Normal | 0 | 512 | Normal |
| WAN2 | 0 | 128 | Normal | 0 | 512 | Normal | |
| WAN3 | 0 | 64 | Normal | 0 | 512 | Normal | |
| For LAN Zone | WAN1 | 0 | 128 | Low | 0 | 128 | Low |
| WAN2 | 0 | 128 | Low | 0 | 128 | Low | |
| WAN3 | 0 | 256 | Low | 0 | 512 | Low | |
| For
192.168.0.100 |
WAN1 | 100 | 200 | Normal | 0 | 512 | Normal |
| WAN2 | 50 | 100 | Normal | 0 | 512 | Normal | |
| WAN3 | 50 | 100 | Normal | 0 | 512 | Normal | |
| FTP Server | WAN1 | 0 | 128 | Low | 0 | 256 | Low |
| WAN2 | 0 | 128 | Low | 0 | 256 | Low | |
| WAN3 | 0 | 256 | Low | 0 | 512 | Low | |
Filter Settings
| Source | Destination | Service | Classes |
| 211.21.48.198 | WAN | FTP(21 | FTP Server |
| 211.21.48.197 | WAN | POP(110) | Mail Server (POP3) |
Connection Limit
| Source | Destination | Service | Classes |
| 192.168.0.100 | WAN | FTP(21) | For 192.168.0.100 |
| 211.21.48.198 | 10.10.10.0/255.255.255.0 | Any | For 10.10.10.0 |
Two possible scenarios for upstream data: e.g. FTP (scenario 1), is that local host uploads data from a remote
FTP server in the WAN. The other scenario is a remote user in WAN downloads data from a FTP server in the LAN. Both of these scenarios are sending data from LAN to WAN. Thus configuring BM rules for these two scenarios on the inbound BM page is necessary.
See also:
- Busyhour Settings l Using the web UI l Log
- Statistics: Bandwidth l Report: Bandwidth Usage
Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!