SassiVeeran
Staff
September 26, 2024

Technical Tip: How to steer SD-WAN traffic using Blackhole routes

Description: This article describes how to use blackhole routes to control SD-WAN traffic failover.
Scope: FortiGate.
Solution:

Blackhole routes are static routes that silently drop the traffic matching them. They are configured with a higher Administrative Distance (AD) than the regular route to the same destination, so they stay inactive while the preferred route is present and only take effect once that route is withdrawn (for example, when its interface goes down).

 

In this article, blackhole routes are used to influence SD-WAN traffic. The requirement is to forward traffic as follows:

 

From source subnet 10.0.0.0/24 to destination IP 8.8.8.8 via WAN1 interface only.

From source subnet 11.0.0.0/24 to destination IP 1.1.1.1 via WAN2 interface only.

 

Expected (default) behavior without blackhole routes:

Once the WAN2 interface goes down, traffic to destination IP 1.1.1.1 fails over and is forwarded via WAN1.

 

Requirement:

Traffic should not fail over from WAN2 to WAN1, or vice versa, when one of the WAN links goes down. The traffic should be forwarded solely via the configured interface.

 

Solution:

  1. To pin the traffic to a specific direction/interface, it is necessary to configure a blackhole route. If either WAN interface (WAN1 or WAN2) goes down, the traffic will neither fail over nor be load balanced between the WAN ports; instead, FortiGate silently drops the packets because the blackhole route becomes the best match.

  2. To achieve this setup, configure the following:
  • Create two SD-WAN zones: one zone for the WAN1 interface and another zone for the WAN2 interface.
  • Create two SD-WAN rules: one rule to route traffic to 1.1.1.1 via the WAN1 interface and a second rule to route traffic to 8.8.8.8 via the WAN2 interface. Specify the source subnets in the SD-WAN rule. In this example, the source subnets are 10.0.0.0/24 and 11.0.0.0/24.
  • Create six static routes as follows:

(i) Two static routes to destination 0.0.0.0/0, one for each SD-WAN zone.
(ii) Two static routes to 1.1.1.1/32 and 8.8.8.8/32, one via each SD-WAN zone.
(iii) Two static blackhole routes to 1.1.1.1/32 and 8.8.8.8/32, with a higher Administrative Distance than the routes in (ii). While the zone route in (ii) is up it wins on distance; when its interface goes down, the blackhole /32 becomes active and, being more specific than the 0.0.0.0/0 route via the other zone, drops the traffic instead of letting it fail over.

 

  • Finally, add the two SD-WAN zones to the firewall policy.
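The complete CLI configuration for the steps above, as an added example that is not part of the original article. It is written for FortiOS 7.0+ syntax (`set sdwan-zone` on static routes) and follows the pairing stated in the requirement section (10.0.0.0/24 to 8.8.8.8 via WAN1, 11.0.0.0/24 to 1.1.1.1 via WAN2); the steps and outcome above list the reverse pairing, and the pattern is symmetric, so swap the destinations if that is what is needed. Interface names `wan1`/`wan2`/`internal`, zone names, object names and the next-hop gateways 192.0.2.1 and 198.51.100.1 are assumptions for illustration. The mechanism relied on: when the single member of a manual-mode SD-WAN rule is down, FortiGate falls back to the routing table, where the blackhole /32 (active only once the zone /32 has been withdrawn) is a longer match than the default route via the other zone.

```fortios
# Constructed example for FortiOS 7.0+ (not from the article).
# Assumed: interfaces wan1/wan2/internal, gateways 192.0.2.1/198.51.100.1.

# Address objects referenced by the SD-WAN rules and the firewall policy
config firewall address
    edit "net-10.0.0.0"
        set subnet 10.0.0.0 255.255.255.0
    next
    edit "net-11.0.0.0"
        set subnet 11.0.0.0 255.255.255.0
    next
    edit "host-8.8.8.8"
        set subnet 8.8.8.8 255.255.255.255
    next
    edit "host-1.1.1.1"
        set subnet 1.1.1.1 255.255.255.255
    next
end

# One SD-WAN zone per WAN link, each holding a single member
config system sdwan
    set status enable
    config zone
        edit "zone-wan1"
        next
        edit "zone-wan2"
        next
    end
    config members
        edit 1
            set interface "wan1"
            set zone "zone-wan1"
            set gateway 192.0.2.1
        next
        edit 2
            set interface "wan2"
            set zone "zone-wan2"
            set gateway 198.51.100.1
        next
    end
    # Manual-mode rules pin each source/destination pair to one member
    config service
        edit 1
            set name "10net-to-8.8.8.8-wan1"
            set mode manual
            set src "net-10.0.0.0"
            set dst "host-8.8.8.8"
            set priority-members 1
        next
        edit 2
            set name "11net-to-1.1.1.1-wan2"
            set mode manual
            set src "net-11.0.0.0"
            set dst "host-1.1.1.1"
            set priority-members 2
        next
    end
end

# Six static routes: (i) default per zone, (ii) /32 per zone at the
# default distance of 10, (iii) blackhole /32 at a higher distance
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set sdwan-zone "zone-wan1"
    next
    edit 2
        set dst 0.0.0.0 0.0.0.0
        set sdwan-zone "zone-wan2"
    next
    edit 3
        set dst 8.8.8.8 255.255.255.255
        set sdwan-zone "zone-wan1"
    next
    edit 4
        set dst 1.1.1.1 255.255.255.255
        set sdwan-zone "zone-wan2"
    next
    edit 5
        set dst 8.8.8.8 255.255.255.255
        set blackhole enable
        set distance 254
    next
    edit 6
        set dst 1.1.1.1 255.255.255.255
        set blackhole enable
        set distance 254
    next
end

# The policy must list both zones as destination interfaces
config firewall policy
    edit 1
        set name "lan-to-wan"
        set srcintf "internal"
        set dstintf "zone-wan1" "zone-wan2"
        set srcaddr "net-10.0.0.0" "net-11.0.0.0"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

To check the behavior, bring one WAN interface down and run `get router info routing-table all`: the /32 via that zone disappears and the blackhole /32 with distance 254 takes its place, while the default route via the other zone remains but no longer matches the pinned destination. `diagnose sys sdwan service` shows the corresponding rule with its member unavailable, which is the moment routing falls back to the table and the blackhole applies.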

 

  3. Outcome:

  • When bringing down the WAN1 interface, traffic to 1.1.1.1 will not failover to the WAN2 interface.
  • When bringing down the WAN2 interface, traffic to 8.8.8.8 will not failover to the WAN1 interface.