enguyen3467
Staff
Article Id 304409

Description

This article describes how to set up a custom iPerf server to test connection speed.

Scope

FortiGate, Windows, Linux.

Solution

Even though there are public iPerf servers that can be used to test internet speed, these servers are often overloaded with speed-test requests from around the world. As a result, the following error is often seen when performing a speed test on a FortiGate:

 

iperf3: error - unable to connect to server: Device or resource busy
iperf3: interrupt - the server has terminated

 

To tackle this, FortiGate can be configured as an iPerf server, as shown in Troubleshooting Tip: Configure FortiGate as speed ... - Fortinet Community. However, this feature is only available from 7.0.0 onward, and the FortiGate only listens for the iPerf service on TCP port 5201, so it cannot be used for tests over TCP on other ports or over UDP.

 

First, set up a test machine as an iPerf server by following the instructions in this article: Technical Tip: Setting up iperf server and client - Fortinet Community.

 

To eliminate any in-between devices that may interfere with the speed test result, the recommendation is to plug the test machine directly into a physical port on the FortiGate.

 

Set up the topology as follows:

 

Internet ---- (WAN) FortiGate (FGT)  (LAN) ---- iPerf server

 

On the FortiGate, configure the VIP object mapping the external IP address (whether the WAN's IP of the FortiGate or any unused IP provided by the ISP) to the iPerf server's internal IP address. After that, configure a WAN to LAN policy with the source set to 'all', destination set to the VIP object, and (optionally) service set to the iPerf service (TCP and UDP port 5201 - 5209).

 

For demonstration purposes, this article follows the topology above: one Windows 10 host is configured to act as the iPerf server in VLAN 101, and another Windows 10 machine acts as an external connection from the Internet:

 

Internet host (10.9.32.3) ---- (port4 - WAN - 10.9.32.7) FGT (port2 - LAN - 192.168.101.254) ---- iPerf server (192.168.101.5)

 

On the iPerf server created by following the instructions in Technical Tip: Setting up iperf server and client - Fortinet Community, enter 'iperf3.exe -s' in the iPerf directory to start iPerf in server mode, and make sure that the Windows firewall allows iPerf to run on all network types as needed.

 

On the FortiGate, create a custom service for iPerf:

 

Create a VIP object mapping the FortiGate's port4 IP address to the IP address of the iPerf server behind port2 (optionally, enable a filter to tell the FortiGate under which conditions the DNAT translation should be applied):

 

Create a firewall policy from WAN to LAN to allow the Internet host to access the iPerf server:

 

While performing the iPerf test on the internet host, make sure to access the iPerf server using the EXTERNAL IP address and not the internal one:

 

On the iPerf server, note the incoming traffic:

 

On the FortiGate, it can be verified that the traffic has hit the VIP object:

 

Note that the test can still be affected by the following elements:

  • ISP bandwidth of the Internet host machine.
  • Bandwidth of the NIC on both the client and server.
  • Bandwidth of the NIC on the FortiGate (this is where troubleshooting is performed for the issue on the FortiGate).
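
The custom service, VIP and WAN-to-LAN policy steps above can also be entered from the FortiOS CLI. The following is an added example, not taken from the original article: it uses the demonstration addresses and ports from this article, while the object names 'iPerf', 'iPerf-VIP' and 'WAN-to-iPerf' and the choice of a source filter as the optional VIP filter are assumptions.

```fortios
# Added example. Object names are assumptions; addresses and ports
# are the demonstration values used in this article.

# Custom service covering the iPerf ports for both TCP and UDP.
config firewall service custom
    edit "iPerf"
        set tcp-portrange 5201-5209
        set udp-portrange 5201-5209
    next
end

# VIP: external IP on port4 (WAN) mapped to the iPerf server on the LAN.
# The src-filter line is the optional filter (assumed here to be a source
# filter): DNAT is applied only to traffic from the Internet test host.
config firewall vip
    edit "iPerf-VIP"
        set extintf "port4"
        set extip 10.9.32.7
        set mappedip "192.168.101.5"
        set src-filter "10.9.32.3/32"
    next
end

# WAN-to-LAN policy: source 'all', destination the VIP, service iPerf.
config firewall policy
    edit 0
        set name "WAN-to-iPerf"
        set srcintf "port4"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "iPerf-VIP"
        set service "iPerf"
        set schedule "always"
        set action accept
        set logtraffic all
    next
end

# While a test is running, list the sessions on the default iPerf port
# to confirm that the traffic is being translated by the VIP.
diagnose sys session filter clear
diagnose sys session filter dport 5201
diagnose sys session list
```

With the source filter in place, only the test host at 10.9.32.3 is translated to the iPerf server; omit that line to match the unfiltered VIP described in the steps.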
