farhad_plasma
New Member
December 5, 2016
Question

Dual WAN Load Balancing or Policy route with redundant interface


Hi,

I have a situation in my network in which there are 2 WAN links and I have to use both of them for internet, as described below:

servers must use WAN1 primarily, which has public IP addresses and serves remote access VPN and other public services,

clients must use WAN2 primarily, which does not have a public IP address.

Both links must fail over to the other for internet usage. Also, both links receive their IP and gateway from a PPPoE connection.

So for this implementation I first tried WAN LLB. This implementation works really fine, but the problem is that in this situation I lose incoming connections like VPN. I don't know why. I even defined a specific LLB rule to prefer WAN1 for the VPN address range, but again no luck.

The other way that crossed my mind is using policy routes. I defined the WAN2 default route distance with a lower value and defined a policy route saying that the default route for all client traffic is WAN2. In this situation I have VPN and services working fine, but when WAN2 goes down, clients lose internet access because the policy route does not track any link state or anything else to detect it. If I could write such a track like a router, the problem is solved.

Or if I could find the problem related to situation one, again the problem is solved.

Can anyone help me in this situation, please?


tanr
New Member
December 5, 2016

Your options are a little different if you're running FortiOS 5.2.x or 5.4.x. What is your version?

To do load balancing with policy routes you need to set the default static routes with the *same* distance, but with different priorities. That way they both stay in the routing table and the policy route can force you to one or the other interface.

Some documentation:

http://kb.fortinet.com/kb/viewContent.do?externalId=FD32103
http://kb.fortinet.com/kb/documentLink.do?externalID=FD36462
http://kb.fortinet.com/kb/documentLink.do?externalID=100116

You'll also need to set up something to check if the link is down to allow you to failover by removing the route to that interface from the table when it is down. A discussion of this is https://forum.fortinet.com/tm.aspx?m=139366#139478. There are somewhat different options for this between 5.2.x and 5.4.x.

Most of this has been discussed in the forums, so you should be able to find more detail with some searches.

farhad_plasma
New Member
December 5, 2016

Hi tanr,

Thank you for replying. First I should say that the OS is 5.4.

You provided very useful links in your reply. As I understood, I should do a policy route without specifying a GW and also write same-distance default routes with higher priority for WAN1, so that servers and services prefer this route and clients choose WAN2 due to the policy route. And when WAN2 goes down, clients fail over to WAN1. And when WAN1 goes down, servers' outgoing traffic fails over to WAN2. (Using this link: http://kb.fortinet.com/kb/documentLink.do?externalID=100116)

With this everything seems correct, except that failed link detection must be done using link-monitor (as mentioned in this post: https://forum.fortinet.com/tm.aspx?m=139366#139478). Am I right?

tanr
New Member
December 5, 2016

I believe that's it. I'm off site right now so can't verify my actual config that implements this in 5.4.

There is one difference I ran into that might be 5.4 specific.

In 5.4 I found that I needed to have the policy route specify not just the gateway interface but also the gateway IP. That is, I couldn't leave 0.0.0.0 as the GW IP or it wouldn't properly policy route.

Ronen_c
New Member
July 17, 2017

Did anyone have the chance to solve this issue correctly?

I am trying something similar, even without failover,

while WAN1 has PPPoE with some static IPs

and WAN2 has regular internet.

The incoming traffic is quite an easy issue, since it is all being routed through VIP and FW policy.

The problem is with the outgoing traffic.

Trying to define who is going through which WAN by using policy routing seems to be working fine, except for one big problem:

when defining the routing using policy routes, the local LAN cannot access any other networks in the LAN, since all its traffic goes through the WAN interface,

while normally, with only one active WAN connection, it works just fine and I can set the traffic using FW rules... (to the WAN and to the local interfaces and networks...)

Any suggestions?

Thanks

Baptiste
New Member
July 20, 2017

Ronen.c wrote:

when defining the routing using policy routes, the local LAN cannot access any other networks in the LAN, since all its traffic goes through the WAN interface

You have to create a new rule before the one routing outside, in order to exempt internal traffic from policy routing.

Example:

1 - From LAN Z to LAN Y, action stop policy routing. <- Create rules to exempt your internal traffic

2 - From LAN Z to WAN 3, gateway a.b.c.d <- your policy routing for outgoing traffic through a specific WAN

Hint: in 5.2.x there is no sequence number; the one on top is the first, the second from top is the second, etc. I don't remember if there is a sequence number in 5.4.x.

So you have to put exempt rules on top and specific routes after.
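The two pieces this thread converges on, tanr's same-distance/different-priority default routes with link-monitor and Baptiste's exempt-before-steer policy route ordering, sketched together as a FortiOS 5.4-style CLI block. This is an added illustration, not configuration posted by anyone in the thread; the interface names (wan1, wan2, internal), subnets, probe target and gateway address are placeholders.

```text
# Added example, not from the thread. Interface names, subnets, probe target
# and gateway are placeholders.

# 1. Two default routes with the SAME distance but different priority, so both
#    stay in the routing table (lower priority value = preferred).
config router static
    edit 1
        set device "wan1"      # PPPoE: gateway comes from the PPP peer
        set distance 10
        set priority 5         # preferred: servers and inbound services
    next
    edit 2
        set device "wan2"
        set distance 10
        set priority 10        # fallback when wan1 is down
    next
end

# 2. Policy routes are evaluated top-down: the LAN-to-LAN exemption must sit
#    ABOVE the rule that steers clients out of wan2, or LAN traffic is lost.
config router policy
    edit 1
        set input-device "internal"
        set src "192.168.1.0/255.255.255.0"  # client subnet (placeholder)
        set dst "192.168.0.0/255.255.0.0"    # all internal ranges (placeholder)
        set action deny                      # "stop policy routing": use routing table
    next
    edit 2
        set input-device "internal"
        set src "192.168.1.0/255.255.255.0"
        set output-device "wan2"
        set gateway 203.0.113.1              # 5.4 needed an explicit GW, not 0.0.0.0
    next
end

# 3. Link monitor: when wan2 fails its probes its static route is withdrawn,
#    so rule 2 no longer has a usable route and clients fall back to wan1.
config system link-monitor
    edit "wan2-probe"
        set srcintf "wan2"
        set server "198.51.100.10"           # probe target (placeholder)
        set protocol ping
        set interval 5
        set failtime 3
        set recoverytime 5
        set update-static-route enable
    next
end
```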