
How to limit the internet bandwidth for specific users based on their device’s MAC address on FortiGate

This article describes how to limit a particular device's internet bandwidth on a FortiGate firewall by matching its MAC address. This is useful for managing shared network resources, since it caps a single device at a defined amount of bandwidth without affecting the rest of the LAN.

Scope

FortiOS.

Solution

Prerequisites:

  • Access to the FortiGate management interface (GUI or CLI).
  • The MAC address of each device whose bandwidth is to be limited.
  • Familiarity with creating address objects and firewall policies on FortiGate.

The bandwidth limit is configured in the following steps:

Step 1: Creating an Address Object with the MAC Address.

In the GUI:

  1. Log in to the FortiGate GUI in a browser.
  2. Go to Policy & Objects > Addresses.
  3. Select Create New.
  4. Enter a Name for the address object (for example, User_MAC_1).
  5. Set Type to MAC Address.
  6. Enter the MAC address of the device whose bandwidth is to be limited.
  7. Select OK to save the address object.


In the CLI:

config firewall address
edit "MAC_Addr"
set type mac
set macaddr "02:09:0f:00:01:03"
next
end

Step 2: Create a Traffic Shaper.

In the GUI:

  1. Go to Policy & Objects > Traffic Shapers.
  2. Select Create New and choose Shared Shaper.
  3. Enter a Name for the shaper (for example, Limit_10Mbps).
  4. Enter the Maximum bandwidth (for example, 10000 kbps, which is 10 Mbps).
  5. Adjust the remaining settings (guaranteed bandwidth, priority) as appropriate for the network, then select OK.


In the CLI (this example applies a much smaller cap of 100 kbps; guaranteed-bandwidth and maximum-bandwidth are expressed in kbps unless the shaper's bandwidth-unit is changed):

config firewall shaper traffic-shaper
edit "TEST"
set guaranteed-bandwidth 10
set maximum-bandwidth 100
next
end

Step 3: Create the IPv4 Policy and Add the Traffic Shaper.

In the GUI:

  1. Go to Policy & Objects > IPv4 Policy (Firewall Policy in recent FortiOS versions).
  2. Select Create New.
  3. Enter a name for the policy, for example Limit_User_MAC_1.
  4. Set Incoming Interface to the LAN interface and Outgoing Interface to the WAN interface.
  5. Under Source, select + and choose the MAC address object created in Step 1.
  6. Set Destination as required (for example, all).
  7. In the Traffic Shaping section, enable Shared Shaper and Reverse Shaper, and select the shaper created in Step 2 for both. The shared shaper limits the forward direction (uploads) and the reverse shaper the return direction (downloads); these correspond to traffic-shaper and traffic-shaper-reverse in the CLI.
  8. Select OK to save the policy.
  9. Move the new policy above any broader LAN-to-WAN policy. Policies are matched top-down, so a general policy placed first would carry the device's traffic unshaped.


In the CLI:

config firewall policy
edit 1
set name "LAN-WAN"
set srcintf "port3"
set dstintf "port2"
set action accept
set srcaddr "MAC_Addr"
set dstaddr "all"
set schedule "always"
set service "ALL"
set logtraffic all
set nat enable
set traffic-shaper "TEST"
set traffic-shaper-reverse "TEST"
next
end
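When several devices each need their own cap, typing the three CLI blocks above by hand for every one is error-prone. The following Python script is an added example, not part of the original article or of FortiOS: it generates the equivalent address objects, shapers and firewall policies for a list of devices, normalizing the MAC notation and converting Mbps to the kbps the shaper expects. It assumes the article's interface names (port3 inbound, port2 outbound), a current FortiOS build where the shaper's bandwidth-unit setting exists (drop that line on older builds, where kbps is the only unit), and the MAC_ and Limit_ object-name prefixes are arbitrary choices.

```python
import re
from dataclasses import dataclass
from typing import List

# Assumed interface names, taken from the article's example policy.
LAN_IF = "port3"
WAN_IF = "port2"


@dataclass
class Device:
    name: str    # short label used to derive object names (letters, digits, _)
    mac: str     # MAC address in any of the common notations
    mbps: float  # per-direction cap in Mbit/s


_HEX12 = re.compile(r"^[0-9a-f]{12}$")
_LABEL = re.compile(r"^[A-Za-z0-9_]+$")


def normalize_mac(mac: str) -> str:
    """Turn 02:09:0F:00:01:03, 02-09-0f-00-01-03 or 0209.0f00.0103 into the
    colon-separated lowercase form used by 'set macaddr'."""
    digits = re.sub(r"[:\-.]", "", mac.strip()).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def mbps_to_kbps(mbps: float) -> int:
    """The shaper's bandwidth-unit defaults to kbps, so 10 Mbit/s becomes 10000."""
    kbps = round(mbps * 1000)
    if kbps <= 0:
        raise ValueError(f"bandwidth must be positive, got {mbps}")
    return kbps


def render_config(devices: List[Device], first_policy_id: int = 1) -> str:
    """Emit address objects, shapers and policies for every device.
    Policy IDs are assigned sequentially starting at first_policy_id."""
    names = [d.name for d in devices]
    if len(set(names)) != len(names) or not all(_LABEL.match(n) for n in names):
        raise ValueError("device names must be unique and alphanumeric")
    out = ["config firewall address"]
    for d in devices:
        out += [f'    edit "MAC_{d.name}"', "        set type mac",
                f'        set macaddr "{normalize_mac(d.mac)}"', "    next"]
    out += ["end", "config firewall shaper traffic-shaper"]
    for d in devices:
        out += [f'    edit "Limit_{d.name}"', "        set bandwidth-unit kbps",
                f"        set maximum-bandwidth {mbps_to_kbps(d.mbps)}", "    next"]
    out += ["end", "config firewall policy"]
    for pid, d in enumerate(devices, start=first_policy_id):
        out += [f"    edit {pid}", f'        set name "Limit_{d.name}"',
                f'        set srcintf "{LAN_IF}"', f'        set dstintf "{WAN_IF}"',
                "        set action accept", f'        set srcaddr "MAC_{d.name}"',
                '        set dstaddr "all"', '        set schedule "always"',
                '        set service "ALL"', "        set logtraffic all",
                "        set nat enable", f'        set traffic-shaper "Limit_{d.name}"',
                f'        set traffic-shaper-reverse "Limit_{d.name}"', "    next"]
    out.append("end")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Constructed sample input: two devices with different caps.
    print(render_config([Device("user1", "02:09:0F:00:01:03", 10),
                         Device("user2", "aa-bb-cc-dd-ee-ff", 2)]))
```

Paste the output into the CLI or push it through whatever configuration tooling is in use; check that the generated policy IDs do not collide with existing policies, and move the new policies above any general LAN-to-WAN rule so the device's traffic actually hits them.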

Step 4: Verify the Configuration.

To confirm the configuration, go to Policy & Objects > Traffic Shaping > Traffic Shapers and check that the shaper exists and is referenced by the policy created in Step 3.


Then confirm from the session table that the device's traffic is matching the shaped policy, and check its current bandwidth and whether the shaper is dropping packets. Filter the session list on the device's traffic (by destination, as in this example, or by source with diagnose sys session filter src <client-ip>; clear any earlier filter first with diagnose sys session filter clear) and list the matching sessions. In the output, the origin-shaper and reply-shaper lines name the shaper applied in each direction; guarantee and max are printed in bytes per second (12500 Bps corresponds to the 100 kbps configured above), traffic is the current rate and drops counts bytes discarded by the shaper. policy_id confirms which policy the session matched.

diagnose sys session filter dst 51.158.1.21
diagnose sys session list

session info: proto=1 proto_state=00 duration=189 expire=60 timeout=0 refresh_dir=both flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=TEST prio=2 guarantee 1250Bps max 12500Bps traffic 3706Bps drops 0B
reply-shaper=TEST prio=2 guarantee 1250Bps max 12500Bps traffic 3706Bps drops 0B
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log may_dirty os rs f00
statistic(bytes/packets/allow_err): org=347320/190/1 reply=345492/189/1 tuples=2
tx speed(Bps/kbps): 2077/16 rx speed(Bps/kbps): 2077/16
orgin->sink: org pre->post, reply pre->post dev=5->4/4->5 gwy=10.0.0.254/0.0.0.0
hook=post dir=org act=snat 172.16.10.1:5->51.158.1.21:8(10.0.0.1:60422)
hook=pre dir=reply act=dnat 51.158.1.21:60422->10.0.0.1:0(172.16.10.1:5)
misc=0 policy_id=1 pol_uuid_idx=15849 auth_info=0 chk_client_info=0 vd=0
serial=00000177 tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x000100
no_ofld_reason: npu-flag-off
total session: 1
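To check the session table mechanically instead of reading it by eye, the following Python script parses the output of diagnose sys session list, converts the byte-per-second shaper figures back to the kbps used in the configuration, and reports sessions from the shaped client that are missing the shaper, carry a different cap than expected, or have already had bytes dropped. It is an added example, not part of the article or of FortiOS. The sample text is constructed from the ICMP session shown above plus a second, deliberately unshaped TCP session from the same client; the client address 172.16.10.1 and the shaper name TEST come from that output.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: the article's ICMP session plus a second TCP session from the
# same client that matched another policy with no shaper. Illustrative only.
SAMPLE = """\
session info: proto=1 proto_state=00 duration=189 expire=60 timeout=0 refresh_dir=both flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=TEST prio=2 guarantee 1250Bps max 12500Bps traffic 3706Bps drops 0B
reply-shaper=TEST prio=2 guarantee 1250Bps max 12500Bps traffic 3706Bps drops 0B
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log may_dirty os rs f00
statistic(bytes/packets/allow_err): org=347320/190/1 reply=345492/189/1 tuples=2
tx speed(Bps/kbps): 2077/16 rx speed(Bps/kbps): 2077/16
hook=post dir=org act=snat 172.16.10.1:5->51.158.1.21:8(10.0.0.1:60422)
hook=pre dir=reply act=dnat 51.158.1.21:60422->10.0.0.1:0(172.16.10.1:5)
misc=0 policy_id=1 pol_uuid_idx=15849 auth_info=0 chk_client_info=0 vd=0
session info: proto=6 proto_state=01 duration=12 expire=3598 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
per_ip_shaper=
state=log may_dirty
statistic(bytes/packets/allow_err): org=5120/12/1 reply=81920/60/1 tuples=2
hook=post dir=org act=snat 172.16.10.1:51234->51.158.1.21:443(10.0.0.1:60423)
hook=pre dir=reply act=dnat 51.158.1.21:443->10.0.0.1:60423(172.16.10.1:51234)
misc=0 policy_id=2 pol_uuid_idx=15850 auth_info=0 chk_client_info=0 vd=0
total session: 2
"""

SHAPER_RE = re.compile(
    r"(?P<dir>origin|reply)-shaper=(?P<name>\S+) prio=\d+ "
    r"guarantee (?P<guar>\d+)Bps max (?P<max>\d+)Bps traffic (?P<cur>\d+)Bps drops (?P<drops>\d+)B")
SNAT_RE = re.compile(r"act=snat (?P<src>[\d.]+):\d+->(?P<dst>[\d.]+):\d+")


@dataclass
class Shaper:
    name: str
    guarantee_kbps: float
    max_kbps: float
    current_kbps: float
    dropped_bytes: int


@dataclass
class Session:
    proto: int
    policy_id: int
    src: str   # pre-NAT client address from the snat line
    dst: str
    shapers: Dict[str, Shaper] = field(default_factory=dict)  # "origin" / "reply"


def bps_to_kbps(bps: int) -> float:
    """The session list prints shaper figures in bytes/s; shapers are set in kbit/s."""
    return bps * 8 / 1000


def parse_sessions(text: str) -> List[Session]:
    sessions = []
    for block in text.split("session info:")[1:]:
        proto = int(re.search(r"\bproto=(\d+)", block).group(1))
        pol = re.search(r"policy_id=(\d+)", block)
        snat = SNAT_RE.search(block)
        s = Session(proto, int(pol.group(1)) if pol else -1,
                    snat["src"] if snat else "?", snat["dst"] if snat else "?")
        for m in SHAPER_RE.finditer(block):
            s.shapers[m["dir"]] = Shaper(m["name"], bps_to_kbps(int(m["guar"])),
                                         bps_to_kbps(int(m["max"])),
                                         bps_to_kbps(int(m["cur"])), int(m["drops"]))
        sessions.append(s)
    return sessions


def audit(sessions: List[Session], client: str, shaper: str, max_kbps: float) -> List[str]:
    """Report sessions from 'client' that escaped the shaper, carry a different cap
    than the one configured, or have already had bytes dropped by it."""
    findings = []
    for s in sessions:
        if s.src != client:
            continue
        tag = f"policy {s.policy_id} {s.src}->{s.dst} proto={s.proto}"
        if not s.shapers:
            findings.append(f"{tag}: no shaper applied (check policy order and MAC match)")
            continue
        for direction, sh in s.shapers.items():
            if sh.name != shaper or sh.max_kbps != max_kbps:
                findings.append(f"{tag} {direction}: {sh.name} max {sh.max_kbps:g} kbps, "
                                f"expected {shaper} {max_kbps:g} kbps")
            elif sh.dropped_bytes:
                findings.append(f"{tag} {direction}: {sh.dropped_bytes} B dropped, cap is being enforced")
    return findings


if __name__ == "__main__":
    result = audit(parse_sessions(SAMPLE), "172.16.10.1", "TEST", 100)
    for line in result or ["all sessions from the client are shaped as expected"]:
        print(line)
```

Replace SAMPLE with the saved output of the command to run this against a real device; a session from the client with no shaper usually means a broader policy above the shaped one matched first, or that the FortiGate did not see the expected source MAC.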

Note: An address object of type 'mac' cannot be used as the source in a traffic shaping policy; the shaper must be applied directly in the firewall policy, as outlined in the steps above. Two further points to check: the FortiGate only sees a device's real MAC address when the device is on a segment directly attached to the incoming interface (traffic that arrives through another router carries that router's MAC and will not match), and operating systems that randomize Wi-Fi MAC addresses per network will not match a static entry unless randomization is disabled for that SSID.