This article describes how to limit the Internet bandwidth available to a particular device on a FortiGate firewall by matching its MAC address. This is useful for managing shared network resources: the device is restricted to a defined amount of bandwidth while other devices on the network are unaffected.
Scope
FortiOS.
Solution
Prerequisites:
- It is necessary to have access to the FortiGate management interface.
- The MAC addresses are the identities of the devices whose bandwidth is to be restrained.
- An understanding of how to create address objects and policies in FortiGate is required.
The process of Bandwidth Limiting can be described as follows:
Step 1: Creating an Address Object with the MAC Address.
In the GUI:
- Log in to the FortiGate management interface from a browser.
- Navigate to Policy & Objects > Addresses.
- Select Create New.
- Specify a Name for the address object (for instance, User_MAC_1).
- In the Type field, choose MAC Address.
- Enter the MAC address of the device whose bandwidth is to be limited. This object matches the Layer 2 source MAC address as seen by the FortiGate, so the device must reach the FortiGate over a Layer 2 path (for example, directly on the LAN interface); if a router sits between them, the source MAC seen is the router's and the object will not match.
- To save the address object, select the OK button.
In the CLI:
config firewall address
    edit "MAC_Addr"
        set type mac
        set macaddr "02:09:0f:00:01:03"
    next
end
Step 2: Create a Traffic Shaper.
In the GUI:
- Go to Policy & Objects and then Traffic Shapers.
- Go to Create New and choose Shared Shaper.
- Set the Name for the traffic shaper (for example, Limit_10Mbps).
- Under Configuration, enter the Maximum Bandwidth (for example, 10000 Kbps for a 10 Mbps cap). Optionally set a Guaranteed Bandwidth and a Traffic Priority.
- Fill in the other settings that are necessary as appropriate for the network configuration.
In the CLI:
config firewall shaper traffic-shaper
    edit "TEST"
        set guaranteed-bandwidth 10
        set maximum-bandwidth 100
    next
end
Bandwidth values are in kbps unless bandwidth-unit is changed on the shaper, so this CLI example caps the device at 100 kbps with 10 kbps guaranteed (these are the 12500 Bps and 1250 Bps figures that appear in the session output in Step 4). Use 10000 to match the 10 Mbps GUI example.
Step 3: Create the IPv4 Policy and Add the Traffic Shaper.
In the GUI:
- Go to Policy & Objects > IPv4 Policy (Firewall Policy on newer releases).
- Select Create New.
- Specify a name for the policy, for example Limit_User_MAC_1.
- Set the Incoming Interface to the LAN interface the device sits on and the Outgoing Interface to the WAN interface.
- Under Source, select + and choose the address object created in Step 1.
- Set Destination as needed (for example, all).
- In the Traffic Shaping section, enable shaping for this policy and select the shaper created in Step 2 as both the shared (outbound) shaper and the reverse (inbound) shaper, so the limit applies to upload and download.
- Place this policy above any broader policy that would also match the device. Policies are evaluated top down and the first match wins, so a broader policy listed first would carry the device's traffic without the shaper.
- To save the changes, select OK.
In the CLI:
config firewall policy
    edit 1
        set name "LAN-WAN"
        set srcintf "port3"
        set dstintf "port2"
        set action accept
        set srcaddr "MAC_Addr"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
        set traffic-shaper "TEST"
        set traffic-shaper-reverse "TEST"
    next
end
Step 4: Verify the Configuration.
To check that the shaper is in use, navigate to Policy & Objects > Traffic Shaping > Traffic Shapers, where each shaper shows its current bandwidth usage.
To confirm that a specific session is shaped, and to see per-session bandwidth usage and drops, filter the session list (here by destination; filtering by the device's current IP with 'diagnose sys session filter src <ip>' works the same way) and list it:

di sys session filter dst 51.158.1.21
di sys session list
session info: proto=1 proto_state=00 duration=189 expire=60 timeout=0 refresh_dir=both flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=TEST prio=2 guarantee 1250Bps max 12500Bps traffic 3706Bps drops 0B
reply-shaper=TEST prio=2 guarantee 1250Bps max 12500Bps traffic 3706Bps drops 0B
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log may_dirty os rs f00
statistic(bytes/packets/allow_err): org=347320/190/1 reply=345492/189/1 tuples=2
tx speed(Bps/kbps): 2077/16 rx speed(Bps/kbps): 2077/16
orgin->sink: org pre->post, reply pre->post dev=5->4/4->5 gwy=10.0.0.254/0.0.0.0
hook=post dir=org act=snat 172.16.10.1:5->51.158.1.21:8(10.0.0.1:60422)
hook=pre dir=reply act=dnat 51.158.1.21:60422->10.0.0.1:0(172.16.10.1:5)
misc=0 policy_id=1 pol_uuid_idx=15849 auth_info=0 chk_client_info=0 vd=0 serial=00000177 tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x000100 no_ofld_reason: npu-flag-off
total session: 1

The origin-shaper and reply-shaper lines show which shaper is applied in each direction, with figures in bytes per second: guarantee 1250Bps and max 12500Bps correspond to the 10 kbps and 100 kbps configured in Step 2, traffic is the current rate, and drops counts the bytes discarded once the limit is exceeded. policy_id=1 confirms the session matched the shaping policy. A session from the device that shows empty origin-shaper= and reply-shaper= fields matched a different policy with no shaper, and its traffic is not being limited.
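The following script automates the check described in Step 4: it parses 'diagnose sys session list' output into records, converts the shaper figures from bytes per second to the kbps used in the shaper configuration, and flags sessions from the limited host that carry no shaper or the wrong limit. It is an added example, not part of the original article and not a Fortinet tool. The session text is constructed: the first record is the sample above, the second is an invented session from the same host that matched another policy (policy_id=2) with no shaper, which is the bypass the audit is meant to catch. The session list shows IP addresses rather than MACs, so the host's current IP (from the DHCP lease or ARP table) is passed in.

```python
"""Parse FortiOS 'diagnose sys session list' output and audit which sessions are shaped."""
import re
from typing import Dict, List

# Constructed sample: the article's session plus one invented, unshaped session
# from the same source host that matched a different policy.
SAMPLE_OUTPUT = """\
session info: proto=1 proto_state=00 duration=189 expire=60 timeout=0 refresh_dir=both flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=TEST prio=2 guarantee 1250Bps max 12500Bps traffic 3706Bps drops 0B
reply-shaper=TEST prio=2 guarantee 1250Bps max 12500Bps traffic 3706Bps drops 0B
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
statistic(bytes/packets/allow_err): org=347320/190/1 reply=345492/189/1 tuples=2
hook=post dir=org act=snat 172.16.10.1:5->51.158.1.21:8(10.0.0.1:60422)
hook=pre dir=reply act=dnat 51.158.1.21:60422->10.0.0.1:0(172.16.10.1:5)
misc=0 policy_id=1 pol_uuid_idx=15849 auth_info=0 chk_client_info=0 vd=0 serial=00000177 tos=ff/ff app_list=0 app=0 url_cat=0
session info: proto=6 proto_state=01 duration=12 expire=3598 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper= reply-shaper= per_ip_shaper=
hook=post dir=org act=snat 172.16.10.1:51234->51.158.1.21:443(10.0.0.1:51234)
hook=pre dir=reply act=dnat 51.158.1.21:443->10.0.0.1:51234(172.16.10.1:51234)
misc=0 policy_id=2 pol_uuid_idx=15850 auth_info=0 chk_client_info=0 vd=0 serial=00000178 tos=ff/ff app_list=0 app=0 url_cat=0
total session: 2
"""

# An unshaped session prints 'origin-shaper= reply-shaper=' with empty names;
# requiring at least one non-space character for the name leaves those unmatched.
SHAPER_RE = re.compile(
    r"(?P<dir>origin|reply)-shaper=(?P<name>\S+) prio=(?P<prio>\d+) "
    r"guarantee (?P<guarantee>\d+)Bps max (?P<max>\d+)Bps "
    r"traffic (?P<traffic>\d+)Bps drops (?P<drops>\d+)B"
)
SNAT_RE = re.compile(r"act=snat (?P<src>[\d.]+):\d+->(?P<dst>[\d.]+):\d+")
POLICY_RE = re.compile(r"\bpolicy_id=(?P<id>\d+)")


def bytes_per_sec_to_kbps(bps: int) -> float:
    """The session list prints shaper figures in bytes/s; shaper config is in kbit/s."""
    return bps * 8 / 1000


def parse_sessions(text: str) -> List[Dict]:
    """Split session-list output into records, keeping only the fields the audit needs."""
    sessions: List[Dict] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("session info:"):
            current = {"policy_id": None, "src": None, "dst": None, "shapers": {}}
            sessions.append(current)
            continue
        if current is None:
            continue  # text before the first record, e.g. the echoed command
        for m in SHAPER_RE.finditer(line):
            current["shapers"][m["dir"]] = {
                "name": m["name"],
                "guarantee_kbps": bytes_per_sec_to_kbps(int(m["guarantee"])),
                "max_kbps": bytes_per_sec_to_kbps(int(m["max"])),
                "traffic_kbps": bytes_per_sec_to_kbps(int(m["traffic"])),
                "drops_bytes": int(m["drops"]),
            }
        m = POLICY_RE.search(line)
        if m:
            current["policy_id"] = int(m["id"])
        m = SNAT_RE.search(line)
        if m:
            current["src"], current["dst"] = m["src"], m["dst"]
    return sessions


def audit_shaping(sessions: List[Dict], limited_src: str,
                  expected_shaper: str, expected_max_kbps: float) -> List[str]:
    """Return findings for sessions from limited_src that are not capped as intended."""
    findings: List[str] = []
    for idx, s in enumerate(sessions):
        if s["src"] != limited_src:
            continue
        if not s["shapers"]:
            findings.append(f"session {idx}: policy {s['policy_id']} applied no shaper; "
                            f"traffic to {s['dst']} bypasses the limit")
            continue
        for direction in ("origin", "reply"):
            sh = s["shapers"].get(direction)
            if sh is None:
                findings.append(f"session {idx}: no {direction} shaper (one direction uncapped)")
            elif sh["name"] != expected_shaper:
                findings.append(f"session {idx}: {direction} shaper is {sh['name']}, expected {expected_shaper}")
            elif sh["max_kbps"] != expected_max_kbps:
                findings.append(f"session {idx}: {direction} max is {sh['max_kbps']} kbps, expected {expected_max_kbps}")
            elif sh["drops_bytes"] > 0:
                findings.append(f"session {idx}: {direction} shaper dropped {sh['drops_bytes']} B (limit is being enforced)")
    return findings


if __name__ == "__main__":
    for finding in audit_shaping(parse_sessions(SAMPLE_OUTPUT), "172.16.10.1", "TEST", 100.0):
        print(finding)
```

Run against a real capture by pasting the output of 'diagnose sys session filter src <ip>' followed by 'diagnose sys session list' into SAMPLE_OUTPUT or reading it from a file. With the constructed sample, the first session passes (shaper TEST, 100 kbps in both directions, no drops) and the second is reported because it matched policy 2 without any shaper.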
Note: An address object of type 'mac' cannot be used as a source in a traffic shaping policy (Policy & Objects > Traffic Shaping Policy). Instead, apply the shaper directly on the IPv4 firewall policy, as described in the steps above.