Agent_1994
New Member
August 4, 2016

dual WAN, but not load balancing nor ECMP
Hello!

I have the following situation on a customer's site:

  • Fortigate connected to two WAN links, both via an ethernet cable. Let's call them WAN_A and WAN_B.
  • These links are connected to the same VDOM.
  • WAN_A is the default gateway. WAN_B will just listen for connections to a SSL VPN and will have certain virtual IPs; it won't be used as a default gateway nor load balancer.
  • There is a 0.0.0.0/0.0.0.0 (default) static route pointing to GW_WAN_A on WAN_A's interface.
  • For the time being, I've enabled PING on WAN_B.

How do I make this work? I've tried:

  • Another default route to GW_WAN_B with a higher administrative distance. Didn't work (can't ping).
  • A policy route with the following specs:
      • Incoming interface: WAN_B
      • Protocol: ANY
      • Source Address/Mask: 0.0.0.0/0.0.0.0
      • Destination Address/Mask: WAN_B_IPS/MASK
      • Action: Forward traffic
      • Outgoing interface: WAN_B
      • Gateway Address: GW_WAN_B
  • The policy route triggered the RPF; I've disabled it, but it didn't work either.

I'd appreciate it if anyone can point me in the right direction.

Greets.


MikePruett
New Member
August 8, 2016

What version of code are you using?

Are you wanting to load balance the outgoing traffic as well?

Agent_1994
New Member
August 8, 2016

Thanks for replying!

The customer has 5.2.8, but can be upgraded to 5.4 (it's planned).

We're not trying to load balance; all outgoing connections will go through WAN_A. WAN_B is for incoming connections only (SSL VPN and some virtual IPs).

MikePruett
New Member
August 8, 2016

Ahh ok, I read the original title as you have a dual WAN setup but it wasn't load balancing lol.

Now I see that you were saying that you don't want the typical deployment. My bad... it's a Monday morning.

The routes you are configuring (policy based ones) would be for traffic going outbound, not return traffic for incoming listeners.

If you remove the policy route and the default route relating to WANB, does it try to go back out the WANA interface when responding? (asynchronous route?)
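As an added example that is not part of this thread, the following FortiOS CLI (5.2/5.4 syntax) shows the usual way to keep a second default route in the routing table without load balancing: a route with a higher distance is never installed, so replies to sessions that arrived on WAN_B are routed via WAN_A's default route, whereas two default routes with equal distance and different priority are both installed, only the lower-priority-value one is used for new outbound sessions, and the FortiGate can send reply traffic for WAN_B listeners and VIPs back out WAN_B. The interface names wan1/wan2 and the gateway addresses are placeholders for WAN_A/GW_WAN_A and WAN_B/GW_WAN_B.

```text
# Added example (not from the thread). Interface names and gateways are
# placeholders: wan1 = WAN_A, wan2 = WAN_B.
config router static
    edit 1
        # preferred default route: all new outbound sessions use WAN_A
        set device "wan1"
        set gateway 203.0.113.1
        set distance 10
        set priority 0
    next
    edit 2
        # same distance keeps this route installed; higher priority value
        # means it is not chosen for new outbound sessions, but replies to
        # sessions received on wan2 (SSL VPN, VIPs) can leave via wan2
        set device "wan2"
        set gateway 198.51.100.1
        set distance 10
        set priority 10
    next
end
```

Check with `get router info routing-table all` that both 0.0.0.0/0 entries are listed; if only the WAN_A route appears, the distances differ and replies will still leave via WAN_A.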