Skip to main content
farroar
farroar
New Member
May 8, 2020
Question

Dual ISPs - VIP question

  • May 8, 2020
  • 1 reply
  • 3203 views

I'm sure this has been asked before, but I'm not finding anything that helps quite yet.

 

I've got two ISPs connected to a 201. One is a standard business class circuit (where you share a block of addresses with the ISP's gateway), the other is a routed block of addresses (where there is a /30 between you and the ISP and they route you a block of addresses).

 

I know that a VIP can be used on the routed block to proxy arp for IPs and to forward them along to a private IP. No issues there. The trouble I'm having is with RPF. Since the standard connection is currently being used as the default gateway, connections coming in and hitting the VIP are getting blocked due to the egress route being a different physical interface. I figured that the FortiGate would have the incoming interface in its' session table and be able to return traffic that way, but it looks like it does a route lookup on the way out.

 

I don't need to load balance across these two links, having one as a backup would be nice but I need both to accept traffic at the same time. I'm sure multi-VDOM can do this but I'd like to avoid it if at all possible.

 

Thanks!

1 reply

Toshi_Esumi
SuperUser
Toshi_Esumi
SuperUser
May 8, 2020

First, if those public subnets are from your ISPs, meaning owned by the ISPs, incoming VIP traffic can't be failed over. When one ISP's circuit goes down, that side of public subnet wouldn't be reachable from the internet.

But for the VIP access from the second interface, you need to have two default routes and set priority on that side lower (higher number) than the primary. Then the FGT would route back on the same interface the original access came in. BTW, FGTs check return route's existence, or not, at the time when the original packet comes in then drop it if the returning interface is not the same as  the incoming. So-called "asymmetric paths or routing". Not at the time on the way out. There is a setting to disable the check but without it you need to expect most of FW features would stop working. You generally don't want to do if you're using the FGT as a FW, not only as a router.

 

farroar
farroarAuthor
New Member
May 8, 2020

I don't mean to fail over the functionality behind the VIPs, as you say it wouldn't work unless you own the public block and are peeing with the providers. All I'm wanting to do is to be able to use the second connection for VIPs while still using the first connection for default egress traffic. 

 

I'll give the two defaults a try to see if that works. Thanks for the input!

Terms & ConditionsAccessibility statement