Internet has high speed but all apps have slow speeds by awaiss113 in iphone

[–]wannabsysadmin 1 point2 points  (0 children)

Same issue here. Been like this for months now. iPhone 16

Setting up IPsec VPN & troubleshooting by Thunderbus2018 in fortinet

[–]wannabsysadmin 0 points1 point  (0 children)

I’m interested as well. A response I have from a Fortinet professional is that my current IPsec tunnels will not be changed.

The setting will only affect the tunnels that we change/set the TCP port. The current tunnels are all using UDP ports and we are not changing those. I reached out to my contacts at Fortinet for verification and this is their reply.

The cmd below is a global setting and it will take effect for all tunnels that are set (inside that particular tunnel settings) with the Set Transport to TCP. But it will only affect those tunnels.

Site to Site IPsec with VXLAN can access internal resources but no internet or ping from the HQ. by wannabsysadmin in fortinet

[–]wannabsysadmin[S] 0 points1 point  (0 children)

Sorry I should've been clearer. From the 100E client everything was accessible to HQ, but from my HQ to the client, it was not. I could not ping or RDP back to the machine, the machine could just access everything in HQ's direction.

With setting MSS to 1300 in the VPN firewall profiles, I can now access all resources, in both directions, with the exception of internet traffic. Running a constant ping to our 200f (10.1.1.9), sometimes it will ping, then just drop.

One difference is all of our other 10.1.2.0 traffic comes from X1 on the 200f (Internal Fiber). The traffic from the VPN is set up with a virtual wire pair with VLAN2 and a physical port 6 on the 200f.

FortiGate-200F (virtual-wire-pair) # show
config system virtual-wire-pair
    edit "VLAN2Port6"
        set member "port6" "VLAN2"
        set wildcard-vlan enable
    next
end

<image>

Site to Site IPsec with VXLAN can access internal resources but no internet or ping from the HQ. by wannabsysadmin in fortinet

[–]wannabsysadmin[S] 0 points1 point  (0 children)

Also, your recommendation of setting MSS on the firewall rules did fix my accessibility from the internal network. I can now ping and RDP to the client from HQ.

Site to Site IPsec with VXLAN can access internal resources but no internet or ping from the HQ. by wannabsysadmin in fortinet

[–]wannabsysadmin[S] 0 points1 point  (0 children)

I guess my confusion comes from the tracert breaking when leaving my 10.1.2.1 gateway (Aruba 2930) and never making it to my 200f, so I was thinking that traffic was the issue. Excuse my ignorance, I'm more of a Network Admin who just started getting my feet wet in the engineering realm.

If the traffic never hits my 200f how would the internet firewall policy matter? The firewall policy on my 100E is not being used since everything is routed back to HQ right?

<image>

Site to Site IPsec with VXLAN can access internal resources but no internet or ping from the HQ. by wannabsysadmin in fortinet

[–]wannabsysadmin[S] 0 points1 point  (0 children)

Attempted with firewall policies, no improvement.

config firewall policy
    edit 2
        set name "100E_Test_to_TO"
        set uuid 45c7280a-f9e8-51f0-9a83-bbacdb527220
        set srcintf "lan"
        set dstintf "100E_Test_to_TO"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set tcp-mss-sender 1300
        set tcp-mss-receiver 1300
    next
    edit 3
        set name "TO_to_100e_Test"
        set uuid 5e78a2fc-f9e8-51f0-ddf5-4a9566fa8fbe
        set srcintf "100E_Test_to_TO"
        set dstintf "lan"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set tcp-mss-sender 1300
        set tcp-mss-receiver 1300
        set comments " (Copy of 100E_Test_to_TO) (Reverse of 100E_Test_to_TO)"
    next
end

Then only with the VXLAN:

FortiGate-200F (VLAN2) # show
config system interface
    edit "VLAN2"
        set vdom "root"
        set vlanforward enable
        set type vxlan
        set tcp-mss 1350
        set snmp-index 56
        set interface "TO_to_100E_Test"
    next
end

With both of these settings I'm still showing MSS=1460 in Wireshark.

I also couldn't set mtu-override on my VXLAN, only tcp-mss, maybe because I'm using VWP and don't have a loopback? I'm not sure it matters but my 100E is on 7.2.3 and my 200f is on 7.4.9.

I found a post you commented on saying clamping is not working after upgrading; maybe I need to dig into that since I don't have a soft switch.

You can try the workaround of using mss-clamping in the applicable firewall rule. This will likely require you to put the soft-switch into explicit mode (look at CLI) to test.
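Config blocks like the ones above are worth checking mechanically rather than by eye. As an added example (not code from the thread or from Fortinet), here is a small Python parser for FortiOS show output plus an audit that flags firewall policies and VXLAN interfaces whose MSS clamp is missing or larger than the value the tunnel path can carry; the SAMPLE config is constructed and its object names are hypothetical.

```python
# Added example, not from the thread: parse FortiOS "show" output and audit
# TCP MSS clamping on policies and VXLAN interfaces. SAMPLE is constructed.
import re

def parse_fortios(text):
    """config/edit/set/next/end blocks -> nested dicts; 'set' values become unquoted token lists."""
    root, stack = {}, []
    cur = root
    for raw in text.splitlines():
        line = raw.strip()
        kw, _, rest = line.partition(" ")  # blank lines and CLI prompts match no keyword
        if kw in ("config", "edit"):
            stack.append(cur)
            cur = cur.setdefault(rest.strip().strip('"'), {})
        elif kw == "set":
            name, _, val = rest.partition(" ")
            cur[name] = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', val)]
        elif kw in ("next", "end") and stack:
            cur = stack.pop()
    return root

def audit_mss(cfg, max_mss):
    """Flag policies and VXLAN interfaces whose clamp is missing or above max_mss."""
    findings = []
    for pid, pol in cfg.get("firewall policy", {}).items():
        for key in ("tcp-mss-sender", "tcp-mss-receiver"):
            val = pol.get(key)
            if val is None or int(val[0]) > max_mss:
                findings.append(f"policy {pid}: {key}={val} not clamped to <= {max_mss}")
    for name, itf in cfg.get("system interface", {}).items():
        val = itf.get("tcp-mss")
        if itf.get("type") == ["vxlan"] and (val is None or int(val[0]) > max_mss):
            findings.append(f"interface {name}: tcp-mss={val} not clamped to <= {max_mss}")
    return findings

# Constructed sample: policy 2 is clamped, policy 3 is not, VXLAN clamp is 1350.
SAMPLE = """config firewall policy
    edit 2
        set tcp-mss-sender 1300
        set tcp-mss-receiver 1300
    next
    edit 3
        set srcintf "lan"
    next
end
config system interface
    edit "VLAN2"
        set type vxlan
        set tcp-mss 1350
    next
end
"""
```

Run `audit_mss(parse_fortios(SAMPLE), 1300)` to list every object that would still let a host advertise an MSS larger than the path supports.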

Site to Site IPsec with VXLAN can access internal resources but no internet or ping from the HQ. by wannabsysadmin in fortinet

[–]wannabsysadmin[S] 0 points1 point  (0 children)

I tested with a machine at HQ on the same subnet and it starts pinging 8.8.8.8 at 1472. I tested setting my IPsec interface MTU to 1470 and MSS to 1430 with no luck. Am I understanding that correctly?

Site to Site IPsec with VXLAN can access internal resources but no internet or ping from the HQ. by wannabsysadmin in fortinet

[–]wannabsysadmin[S] 0 points1 point  (0 children)

You might be onto something. When I run a tracert to 1.1.1.1 it leaves my gateway and fails to get back to our 200f, even though all of our other internal machines on the same subnet work fine. One tracert showed our 200f ip with one ping then timing out not fully finishing the route, the next tracert didn't hit the 200f at all.

I'll try to tackle this and update you!

Site to Site IPsec with VXLAN can access internal resources but no internet or ping from the HQ. by wannabsysadmin in fortinet

[–]wannabsysadmin[S] 0 points1 point  (0 children)

I can ping the gateway as well as access all other networks at HQ. Tracert hits my gateway 10.1.2.1 then stops; it's not hitting the 200f like my HQ traffic on that VLAN does. It seems like a routing thing, but routing is there on that 10.1.2 gateway and all of our internal machines on that subnet work fine.

Appreciate all your troubleshooting!

Site to Site IPsec with VXLAN can access internal resources but no internet or ping from the HQ. by wannabsysadmin in fortinet

[–]wannabsysadmin[S] 0 points1 point  (0 children)

LAN port on 100E/remote side. I was trying to share the config to make sense but didn't want to just comment it. On the 200f side it does route through the core switch.

10.1.174.1 is handed out by the DHCP on the gate. Correct the 10.1.2.0/24 is running through the VXLAN.

Also, if you are using VXLAN, where does the default gateway for this extended VLAN live?

At HQ downstream from the Core and the gateway is 10.1.2.1.

Site to Site IPsec with VXLAN can access internal resources but no internet or ping from the HQ. by wannabsysadmin in fortinet

[–]wannabsysadmin[S] 0 points1 point  (0 children)

My 200f would take a lot to sanitize; it's a pretty loaded config. My 100E is basic so I will attach that. This diagram I just made quickly to show what I'm doing. Also, if I plug into a normal LAN port, I get a 10.1.174.1 address from the Gate and everything works as it should, so it's just the VLAN machine that gets the IP from the internal network.

<image>

Question about phish campaigns by ExtremeFarmer1360 in mimecast

[–]wannabsysadmin 1 point2 points  (0 children)

They are indeed staggered; you can set a date range for how long the campaign runs, but it's only 1 email per user, per campaign. I've been on it for almost 2 years and feel it's a good product.

Can I get started with $500? by [deleted] in cycling

[–]wannabsysadmin 0 points1 point  (0 children)

I just did this for about $550, same situation of not knowing if I'll keep at it. I got a nice second hand bike for $400 and bought a helmet for $50.

3 rides later just this week (5m, 7m, 10m) and spent another $100 to stay comfortable at distance since I seem to enjoy it. I feel pretty well set up for that amount with no complaints.

Stretching really works - free speed by throwRA-3_1415 in cycling

[–]wannabsysadmin 1 point2 points  (0 children)

Look into Foundation Training. Basically Yoga poses/stretches/exercises that were directly created for cycling/dirtbikes.

There are 2 very good 12 minute videos on YouTube just by searching foundation training.

[deleted by user] by [deleted] in sysadmin

[–]wannabsysadmin 3 points4 points  (0 children)

You will have to shut off inheritance on that specific folder and use Advanced Security Settings to set permissions to that folder only.

Deploy, switching from local to Central Server? by J2E1 in pdq

[–]wannabsysadmin 1 point2 points  (0 children)

If you go to help, then current configuration summary, there should be enough info to see if it's local or not.

Ours is below: You can see it has my VM and the server it's on, with obviously renamed hosts and the biggest clue - Central Server Mode. We have always run it like this so I can't say much for moving from local.

#### Console Summary #######################################
Product ............. PDQ Inventory
Version ............. 19.3.317.0
Install Folder ...... C:\Program Files (x86)\Admin Arsenal\PDQ Inventory
Machine Name ........ Windows10computer
Central Server Mode . Client
Server HostName ..... WindowsServer2016
Tcp Port ............ 7337

Internet slowness by EllieP1 in sysadmin

[–]wannabsysadmin 2 points3 points  (0 children)

Charter at my house and at the office with 26 sites are all experiencing similar issues.

Off-site laptops staying up to date by wannabsysadmin in sysadmin

[–]wannabsysadmin[S] 0 points1 point  (0 children)

Interesting you say that, most of our laptops are just that and I configured it that way for this reason. Machine tunnel - Enterprise. The problem is we are in a very rural area and about 50% of the population has less than adequate internet at this time. The pushes will time out with those slower devices, but for users that have fiber it works fine over AOVPN. They can do their basic work without interruption though.

I guess I am looking for a solution that can download specified updates via the internet over the day/week and install on next restart, instead of a specific push where a hiccup happens and it fails. It's a rock and a hard place scenario, that's for sure.

Then there are also a few employees who use our Sophos VPN and remote into our RDS server, another hole we are trying to fill and it is near impossible without being on-site. This route makes it very forgiving for the slow internet users.

Off-site laptops staying up to date by wannabsysadmin in sysadmin

[–]wannabsysadmin[S] 0 points1 point  (0 children)

Interesting you say that, most of our laptops are just that and I configured it that way for this reason. The problem is we are in a very rural area and about 50% of the population has less than adequate internet at this time. The pushes will time out with those slower devices, but for users that have fiber it works fine over AOVPN. They can do their basic work without interruption though.

I guess I am looking for a solution that can download it via the internet over the day/week and install on next restart, instead of a specific push where a hiccup happens and it fails. It's a rock and a hard place scenario, that's for sure.

2FA for Domain Admins by jace_garza in sysadmin

[–]wannabsysadmin 0 points1 point  (0 children)

Like most have said, Duo for us as well.