Technical Tip: Setting priority on static default routes to create a primary (preferred) and a secondary path
Description
This article outlines specific scenarios where, due to Reverse Path Forwarding (RPF) considerations, the FortiGate must maintain two default static routes across two external interfaces. However, this setup must adhere to the following requirements:
- Allow incoming traffic on both interfaces (wan1 and wan2 in the following example).
- Have a preferred path for outgoing traffic (wan1 only), hence there is no requirement for ECMP (Equal Cost Multiple Path).
More information about RPF on FortiOS, also known as anti-spoofing, can be found in the related articles.
Scope
FortiGate.
Solution
The solution is to configure the two default routes with the same distance but different priorities, as shown below. The route with the lowest value in the priority field is considered the best and is also the primary route.
config router static
edit 1
set device "wan1"
set gateway 10.160.0.160
next
edit 2
set device "wan2"
set gateway 192.168.183.254
set priority 10
next
end
set device "wan1"
set gateway 10.160.0.160
next
edit 2
set device "wan2"
set gateway 192.168.183.254
set priority 10
next
end
Note:
Defining no priority in route 1 will set a default value of 1. Prior to FortiOS 7.0.3, the default value of the priority is 0. After FortiOS 7.0.3, the minimum value for the priority changed to 1, which means the default value of priority is 1.
The FortiGate will hold both routes in the routing table, but use only wan1 to send out traffic. The route over wan2 will take over if wan1 fails.
Defining no priority in route 1 will set a default value of 1. Prior to FortiOS 7.0.3, the default value of the priority is 0. After FortiOS 7.0.3, the minimum value for the priority changed to 1, which means the default value of priority is 1.
The FortiGate will hold both routes in the routing table, but use only wan1 to send out traffic. The route over wan2 will take over if wan1 fails.
get router info routing-table all
S* 0.0.0.0/0 [10/0] via 10.160.0.160, wan1, [1/0]
[10/0] via 192.168.183.254, wan2, [10/0]
C 10.160.0.0/23 is directly connected, wan1
C 192.168.183.0/23 is directly connected, wan2
[10/0] via 192.168.183.254, wan2, [10/0]
C 10.160.0.0/23 is directly connected, wan1
C 192.168.183.0/23 is directly connected, wan2
The following command can be used to display the current priorities:
diagnose ip route list
tab=254 vf=0 scope=0 type=1 proto=11 prio=0 0.0.0.0/0.0.0.0/0->0.0.0.0/0 pref=0.0.0.0 gwy=10.160.0.160 dev=2(wan1)
tab=254 vf=0 scope=0 type=1 proto=11 prio=10 0.0.0.0/0.0.0.0/0->0.0.0.0/0 pref=0.0.0.0 gwy=192.168.183.254 dev=4(wan2)
tab=254 vf=0 scope=0 type=1 proto=11 prio=10 0.0.0.0/0.0.0.0/0->0.0.0.0/0 pref=0.0.0.0 gwy=192.168.183.254 dev=4(wan2)
If two routes have the same administrative distance and the same priority, then they are Equal Cost Multi Path (ECMP) routes.
Related articles:
Technical Tip: Details about FortiOS RPF (Reverse Path Forwarding), also called Anti-Spoofing