Balance 380 Throughput Issue


#1

Good Afternoon,

Recently we obtained a balance 380 and several hd2 series routers. The balance is set up in drop in mode and has an additional wan connection. The drop in lan port connects to a fortigate firewall. The primary route is set on the peplink. The route addresses the subnet of the internal lan and points to the external ip of the fortigate. The rule is set to allow internal access. In speed fusion the remote sites are able to access internal services at the headquarters location. We do have additional ip addresses on the wan 1 connection that is in drop in mode. I have not added them as additional wan side ip addresses, as currently the firewall is nat routing them to its dmz. Do I need to add them to the balance?

Anyway I am experiencing some pretty hard throughput issues.

The hd units primary internet connections will be cellular. I have one of the hd units connected with lte speeds, and it is able to get 40mg down and 30 mg up. Albeit through a speed test website. When the speed fusion vpn connects to headquarters, I am lucky if I can get a mg a second. When doing the internal speed fusion test, I get roughly 5 mgs to the balance unit. To zero out the firewall itself I have created an IPsec vpn on it, I can achieve 5 mgs a second from fortigate to fortigate. I have also enabled tests to different interfaces on the firewall. The speed fusion configuration is set to use both wan connections on the balancer device. These connections are 10/10 and 5/5. They are point to point microwave connections. I can see that traffic is going through the wan interfaces but can't explain or seem to resolve the speed fusion connection to the lan side of the balancer.

I am hoping that someone has seen this before, or has an idea of where I can look.

I should add that there is no traffic shaping setup on either end. The balance is pretty much set up as default incoming and outgoing traffic. Other than a few rules blocking web traffic.

Thanks,

Steve


#2

Hi Steve,

> Recently we obtained a balance 380 and several hd2 series routers. The balance is set up in drop in mode and has an additional wan connection. The drop in lan port connects to a fortigate firewall. The primary route is set on the peplink. The route addresses the subnet of the internal lan and points to the external ip of the fortigate. The rule is set to allow internal access. In speed fusion the remote sites are able to access internal services at the headquarters location. We do have additional ip addresses on the wan 1 connection that is in drop in mode. I have not added them as additional wan side ip addresses, as currently the firewall is nat routing them to its dmz. Do I need to add them to the balance?

You may add a static route to the firewall if the additional IP addresses are not accessible from the internet.

Based on my understanding, you have done the testing below. Do correct me if I am wrong.

> When the speed fusion vpn connects to headquarters, I am lucky if I can get a mg a second.

On site SpeedFusion throughput test between HD2 (using LTE) and B380 (Unknown WAN connection). Get <1Mbps throughput.

> When doing the internal speed fusion test, I get roughly 5 mgs to the balance unit.

Lab (different location) SpeedFusion throughput test between HD2 (using LTE) and B380 (Unknown WAN connection). Get about 5Mbps throughput.

> To zero out the firewall itself I have created an IPsec vpn on it, I can achieve 5 mgs a second from fortigate to fortigate.

You get 5Mbps throughput. You do this testing on-site or lab? Both Fortigates behind B380 and HD2? The internet connection for B380 and HD2 are same as test 1 and 2 above?

  1. Can you share how you measure the throughput? Using specific tool?

> The speed fusion configuration is set to use both wan connections on the balancer device. These connections are 10/10 and 5/5. They are point to point microwave connections.

May I know where you connect these 2 point to point microwave connections? Based on understanding HD2 is using LTE. Can you provide network diagram for your testing in steps 1,2,3 and 5 which clearly stated when you use LTE or point to point microwave connections?


#3

Sorry for the delay in response.

The 2 point to point microwave connections connect to the balancer wan1 and wan 2 port. Wan 1 is in passthrough to the lan port of the balancer. Wan 2 is routing with nat on the balancer to the lan port. There are no special configurations set up on wan2…that is another post for later. The isp is the same for both internet connections that plug to the balancer. They are on separate towers. Wan1 10/10 wan2 5/5 on the balancer unit. Main ip (Wan1-Passthrough) of the balancer is a public routable static ip, we have 10 all in the same subnet. The same for the wan 2 connection but they are not in use except for the wan2 connection on the balancer. The lan side of the balancer is plugged into the wan1 port of the fortigate. I have a firewall rule allowing access from the lan side of the balancer to the main subnet of the fortigate. In troubleshooting I also added the remote internal subnets of the hd units to the firewall rule. The main subnet is allowed to talk to the lan side of the balancer. Non natted. No issues from what I can tell.

I use iperf for checking speeds. Roughly 2m a sec from all hd2 units. We have 4. After upgrading the firmware on the balance unit I can get 2m/sec per unit, with fluctuation of 25% at times. This is adequate for my needs. I just have to set up ad sites and services still. I have iperf running on a server on the internal subnet of the fortigate unit. I run the client of iperf through the vpn connections from a computer on the remote subnet of the fusion tunnel.

I think the hd4 unit is causing the slow down. Right now all the fusion ips are routing to each other. But I can't get the lan ports on the hd4 to light green. I have reset the device to defaults, even reinstalled firmware. When it is connected to speed fusion it actually slows down all the routed networks. I think I have found the issue. Unfortunately it's brand new out of the box.

Map:

Balancer.

Wan1 tower > dish > Balance 380 wan1 (Same subnet mask Different octet)
Wan2 tower > dish > Balance 380 wan2 (Same subnet mask Different octet)
Balance 380 single lan port > Fortigate wan1>Route on balancer lan (internal lan subnet > Fortigate wan1 ip address)
Fortigate Rules to internal from (lan1 on balancer, it's in drop-in; internal subnets of remote hd2; and hd4 ip subnets) allowing primary subnet access. Non natted.

4 HD2 2 data sim cards no other connections. > LTE + 3G > public routable ips Decent signal
1 HD4 4 data sim cards no other connections. > LTE + 3G > public routable ips Decent signal

Balancer is not in a test environment. It is live. No data flow issues to fortigate virtual ips. Dns is pointing properly, and data flow is ok.


#4

Hi Steve,

Please open a ticket for us to check further.

We need to access the B380 and HD2. Please enable Remote Assistance on both units when you open the ticket.

Thank you.