FortiWAN Managing Bandwidth for Tunnel Routing and IPsec

Managing Bandwidth for Tunnel Routing and IPsec

Bandwidth Management is capable to control the original traffic that is encapsulated by Tunnel Routing or IPSec

VPN. Traffic that is going to be transferred outward through Tunnel Routing or IPSec VPN will be processed by

Bandwidth Management before encapsulating, and traffic that is transferred inward through Tunnel Routing or IPSec VPN is controlled by Bandwidth Management after decapsulating. In other words, FortiWAN’s Tunnel Routing and IPSec are transparent to Bandwidth Management (and the corresponding BM log and statistics). Bandwidth Management can only recognize the original applications (by matching a filter on the Service) that is going to be encapsulated or has been decapsulated by Tunnel Routing or IPSec. The GRE and ESP packets generated by FortiWAN are invisible to Bandwidth Management.

To control Tunnel Routing or IPSec transmission by Bandwidth Management, please make sure a Bandwidth Management filter is defined correctly (on the source, destination and service) to match its original packets. If you would like to control the overall Tunnel Routing or IPSec transmission no matter what the original services it is, try to classify the traffic by its Source and Destination; the Source and Destination of the Routing Rules of Tunnel Routing, or the Source and Destination of the Quick Mode selectors of IPSec Tunnel mode (See “How to set up routing rules for Tunnel Routing” and “IPSec VPN in the Web UI”).

Traffic shaping by Bandwidth Manage takes place before Tunnel Routing and IPSec encapsulations. Traffic of an application is counted together in BM logs no matter whether it is transferred through Tunnel Routing and IPSec, thus you cannot recognize the traffic statistics as a Tunnel Routing (includes Tunnel Routing over IPSec Transport mode), IPSec (Tunnel mode) or general transmission from the BM logs by the PROTO field (See “Log > View”). As for FortiWAN Reports, statistics of the traffic that is transferred through Tunnel Routing is indicated as GRE in the reports but it is unable to drill down to the individual services. On the other hand, you cannot recognize a traffic as FortiWAN’s IPSec in the service report pages, traffic that is transferred through FortiWAN

IPSec is separated into individual services. See “Traffic Statistics for Tunnel Routing and IPSec” for the details.

Note that during the period system applying the configurations of Bandwidth Management (click the Apply button on Web UI), traffic passing through FortiWAN will be blocked for a while.

Scenarios

Example 1 Inbound BM

The maximum bandwidth limited for internet users to transfer emails to mail server 211.21.48.197 in DMZ during both busy and idle periods is 128K on WAN1, 64K on WAN2, and 128K on WAN3. The guaranteed bandwidth on WAN1, WAN2 and WAN3 is zero.

The maximum bandwidth limited for hosts in LAN zone to download data from internet web servers during both busy and idle periods is 128K on WAN1, 64K on WAN2, and 64K on WAN3. The guaranteed bandwidth on WAN1, WAN2 and WAN3 is zero.

During the busy period, the maximum bandwidth limited for 192.168.0.100 to download data from internet FTP servers is 50K on WAN1, 30K on WAN2 and WAN3. The guaranteed bandwidth on WAN1 is 20K, and zero on WAN2 and WAN3. During the idle period, the maximum bandwidth limited for 192.168.0.100 to download data from internet FTP servers is 50K on WAN1, 200K on WAN2 and WAN3. The guaranteed bandwidth is 20K on WAN1, 100K on WAN2 and WAN3. The bandwidth is prioritized as “High” during both busy and idle periods.

During the busy period, the maximum bandwidth limited for internet users to upload data to FTP server

211.21.48.198 in DMZ is 500K on WAN1, 256K on WAN2 and WAN3. The guaranteed bandwidth on WAN1 is

200K, and zero on WAN2 and WAN3. During the idle period, the maximum bandwidth limited for internet users to upload data to FTP server 211.21.48.198 in DMZ is 500K on WAN1, 300K on WAN2 and WAN3. The guaranteed bandwidth is 200K on WAN1, WAN2 and WAN3. The bandwidth is prioritized as “Low” during both busy and idle periods.

Name Link Busy Hour Settings   Idle Hour Settings  
    Guaranteed Max Kbps Kbps Priority Guaranteed Max Kbps Kbps Priority
Mail Server WAN1 0 128 Normal 0 128 Normal
WAN2 0 64 Normal 0 64 Normal
WAN3 0 128 Normal 0 128 Normal
For LAN Zone WAN1 0 128 Normal 0 128 Normal
WAN2 0 64 Normal 0 64 Normal
WAN3 0 64 Normal 0 64 Normal
For

192.168.0.100

WAN1 20 50 High 20 50 High
WAN2 0 30 High 100 200 High
WAN3 0 30 High 100 200 High
FTP Server WAN1 200 5000 Low 200 500 Low
WAN2 0 256 Low 200 300 Low
WAN3 0 256 Low 200 300 Low

Filter Settings

Source Destination Service   Classes
WAN 211.21.48.197 SMTP(25)   Mail Server
WAN LAN HTTP(80)   For LAN Zone
WAN 192.168.0.100 FTP(21)   For

192.168.0.100

WAN 211.21.48.198 FTP(21)   FTP Server

There are two possible scenarios for inbound data. One is local host downloading data from a remote FTP server in WAN, the other is a remote user in WAN uploading data to FTP in LAN. In both two scenarios data are sent from WAN to LAN. Thus it is necessary to configure BM rules for the scenarios on the Inbound BM page.

Example 2 Inbound BM

During the busy period, the maximum bandwidth limited for hosts in LAN zone to download data from FTP server 192.192.10.10 is 128K on WAN1, 128K on WAN2, and 64K on WAN3. During the idle period, the maximum bandwidth limited for hosts in LAN zone to download data from FTP server 192.192.10.10 is 512K on WAN1, WAN2 and WAN3. The guaranteed bandwidth on WAN1, WAN2 and WAN3 is zero during both busy and idle periods.

During the busy period, the maximum bandwidth limited for hosts 192.168.0.10 ~ 192.168.0.50 in LAN zone to download data from internet web servers is 128K on WAN1, 256K on WAN2 and WAN3. The gauranteed bandwidth is zero on WAN1, 128K on WAN2 and 64K on WAN3. During the idle period, the maximum bandwidth limited for hosts 192.168.0.10 ~ 192.168.0.50 in LAN zone to download data from internet web servers is 128K on WAN1, 512K on WAN2 and WAN3. The guaranteed bandwidth is zero on WAN1, WAN2 and WAN3. The bandwidth is prioritized as “Low” on WAN2 and WAN3 during both busy and idle periods.

During the busy period, the maximum bandwidth limited for hosts in a subnet 192.168.100.0/24 in LAN to download data from internet FTP servers is 50K on WAN1, 64K on WAN2 and WAN3. The guaranteed bandwidth on WAN1 is 20K, and zero on WAN2 and WAN3. During the idle period, the maximum bandwidth limited for hosts in a subnet 192.168.100.0/24 in LAN to download data from internet FTP servers is 20K on WAN1, 128K on WAN2 and WAN3. The guaranteed bandwidth is 20K on WAN1, 32K on WAN2 and WAN3. The bandwidth is prioritized as “High” during both busy and idle periods.

Configuring inbound BM class table

Name Link Busy Hour Settings   Idle Hour Settings  
    Guaranteed Max Kbps Kbps Priority Guaranteed Max Kbps Kbps Priority
For LAN Zone WAN1 0 128 Normal 0 512 Normal
WAN2 0 128 Normal 0 512 Normal
WAN3 0 64 Normal 0 512 Normal
For

192.168.0.10-50

WAN1 0 128 Normal 0 128 Normal
WAN2 128 256 Low 0 512 Low
WAN3 64 256 Low 0 512 Low
For

192.168.100.0/24

WAN1 20 50 High 20 50 High
WAN2 0 64 High 32 128 High
WAN3 0 64 High 32 128 High

Filter Settings

Source Destination Service Classes
192.192.10.10 LAN SMTP(25) For LAN Zone
WAN 192.168.0.10-192.168.0.50 HTTP(80) For

192.168.0.10-50

WAN 192.168.100.0/255.255.255.0 FTP(21) For

192.168.100.0/24

Example 3 Outbound BM

During the busy period, the maximum bandwidth limited for internet users to download data from FTP server 211.21.48.198 in DMZ is 128K on WAN1 and WAN2, and 64K on WAN3. During the idle period, the maximum bandwidth limited for internet users to download data from FTP server 211.21.48.198 in DMZ is 512K on WAN1, WAN2 and WAN3. The guaranteed bandwidth on WAN1, WAN2 and WAN3 is zero during both busy and idle period.

During the busy period, the maximum bandwidth limited for internet users to receive emails from mail server 211.21.48.197 in DMZ is 128K on WAN1 and WAN2, and 256K on WAN3. During the idle period, the maximum bandwidth limited for internet users to receive emails from mail server 211.21.48.197 in DMZ is 128K on WAN1 and WAN2, and 512K on WAN3. The guaranteed bandwidth on WAN1, WAN2 and WAN3 is zero. The bandwidth is prioritized as “Low” during both busy and idle periods.

During the busy period, the maximum bandwidth limited for internet users to download data from a virture FTP server 192.168.0.100 in LAN is 200K on WAN1, 100K on WAN2 and WAN3. The guaranteed bandwidth on WAN1 is 100K, and 50K on WAN2 and WAN3. During the idle period, the maximum bandwidth limited for internet users to download data from a virture FTP server 192.168.0.100 in LAN is 512K on WAN1, WAN2 and WAN3. The guaranteed bandwidth is on WAN1, WAN2 and WAN3 is zero. Note: When configuring filters on virtual servers, specify the private IP assigned to the virtual server and not the translated public IP.

During the busy period, the maximum bandwidth limited for hosts in a remote subnet 10.10.10.0/24 to download data from FTP server 211.21.48.198 in DMZ is 128K on WAN1 and WAN2 and 256K on WAN3. During the idle period, the maximum bandwidth limited for hosts in a remote subnet 10.10.10.0/24 to download data from FTP server 211.21.48.198 in DMZ is 256K on WAN1 and WAN2, and 512K on WAN3. The guaranteed bandwidth is zero on WAN1, WAN2 and WAN3, and the bandwidth is prioritized as “Low” during both busy and idle periods.

Settings for BM classes above

Name Link Busy Hour Settings   Idle Hour Settings  
    Guaranteed Max Kbps Kbps Priority Guaranteed Max Kbps Kbps Priority
Mail Server WAN1 0 128 Normal 0 512 Normal
WAN2 0 128 Normal 0 512 Normal
WAN3 0 64 Normal 0 512 Normal
For LAN Zone WAN1 0 128 Low 0 128 Low
WAN2 0 128 Low 0 128 Low
WAN3 0 256 Low 0 512 Low
For

192.168.0.100

WAN1 100 200 Normal 0 512 Normal
WAN2 50 100 Normal 0 512 Normal
WAN3 50 100 Normal 0 512 Normal
FTP Server WAN1 0 128 Low 0 256 Low
WAN2 0 128 Low 0 256 Low
WAN3 0 256 Low 0 512 Low

Filter Settings

Source Destination Service Classes
211.21.48.198 WAN FTP(21 FTP Server
211.21.48.197 WAN POP(110) Mail Server (POP3)

 

Connection Limit

Source Destination Service Classes
192.168.0.100 WAN FTP(21) For 192.168.0.100
211.21.48.198 10.10.10.0/255.255.255.0 Any For 10.10.10.0

Two possible scenarios for upstream data: e.g. FTP (scenario 1), is that local host uploads data from a remote

FTP server in the WAN. The other scenario is a remote user in WAN downloads data from a FTP server in the LAN. Both of these scenarios are sending data from LAN to WAN. Thus configuring BM rules for these two scenarios on the inbound BM page is necessary.

See also:

  • Busyhour Settings l Using the web UI l Log
  • Statistics: Bandwidth l Report: Bandwidth Usage
This entry was posted in Administration Guides, FortiWAN on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.