Tim777
New Member
August 6, 2018
Question

Easy one - I think

New to Fortinet and need a little help. I have a 200D with 2 WAN ports to 2 ISPs. One has been in use for all traffic and now we have added the 2nd and want to use it for only public WiFi traffic. I have the public WiFi LAN connected on port 8 (192.168.129.x). I want all traffic on this network to go to WAN 2. I have created a policy to allow traffic. My question is, do I need to add a static route from the 192.168.129.0 network or does the policy handle that? If so, does it need the default gateway IP added? Thanks in advance! Tim

    1 reply

    Toshi_Esumi
    SuperUser
    August 6, 2018

    I assume no traffic is needed/allowed from the guest wifi to other internal subnets on different ports, and vice versa.

    The easiest, and thus the best, way to do it is separating vdom and put only wan2 and port8 in the new vdom. Otherwise you need to deal with policy routes, which get in your way every time you need to change something. Because you're going to have two default routes and route everything based on source subnets/IPs.

    ede_pfau
    SuperUser
    August 7, 2018

    hmmpf...@Toshi is trading one complication for another...

    Of course it all depends on how much experience you have with firewalls, routing and Fortigates. Setting up a policy route is not more complicated than setting up a regular route. The only difference is that you have the PR match source addresses; a regular route only matches destination addresses.

    My advice: set it up, document it briefly, and you're done.


    VDOMs have advantages but are a pita in general - a VDOM is a complete virtual firewall within the same hardware. Every (!) time you change something in the config, you will have to specify which VDOM is concerned. Or it might be an item which is only configurable in the 'global' realm.

    IMHO way too much hassle for this particular problem. But, YMMV.
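Added example (not posted by either replier): the policy-route approach ede_pfau describes, written as FortiOS CLI for a 200D. The subnet 192.168.129.0/24 and port8 come from the question; the ISP gateway addresses, the priority value on the wan2 default route and the policy ID are assumptions. The firewall policy on its own only permits traffic, it does not pick the exit interface, which is why the route and policy route are needed as well.

```text
# Second default route via wan2. It stays in the routing table but is
# less preferred than wan1 (in FortiOS a higher priority value is less
# preferred). Without the priority, two equal-distance default routes
# would load-balance ALL traffic across both ISPs.
config router static
    edit 1
        set device "wan1"
        set gateway 203.0.113.1      # placeholder: ISP1 gateway
    next
    edit 2
        set device "wan2"
        set gateway 198.51.100.1     # placeholder: ISP2 gateway
        set priority 10              # assumption: keep wan1 preferred
    next
end

# Policy route: traffic entering on port8 from the guest subnet is sent
# out wan2 before the regular (destination-based) routing table is used.
config router policy
    edit 1
        set input-device "port8"
        set src "192.168.129.0/255.255.255.0"
        set gateway 198.51.100.1     # placeholder: ISP2 gateway
        set output-device "wan2"
    next
end

# Firewall policy scoped to port8 -> wan2 only, so guest traffic cannot
# leave via wan1 and has no policy allowing it to reach internal subnets.
config firewall policy
    edit 10
        set name "guest-wifi-to-wan2"
        set srcintf "port8"
        set dstintf "wan2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

To check the result from the CLI, `get router info routing-table all` should list both default routes, and `diagnose firewall proute list` should show the policy route with a matching hit counter once guest clients browse.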