TiredOldGeek
New Member
October 4, 2018
Question

Fortigate 100D 2 WAN/Lan routing problem

  • October 4, 2018
  • 2 replies
  • 9559 views

I have a Fortigate 100D.  There are 2 ISP connections 1 for each WAN port.  My primary lan goes out on the WAN1 port, standard setup.  Works fine.  I tried to create a second network using the DMZ port to go out the WAN2 port on the second ISP.  It is a completely isolated network, that will host my guest WIFI and my own connections for setting up and updating equipment so my downloads don't swamp our main line.


Lan 10.186.0.0/16 out on WAN1 4.4.4.2

Static Route out 0.0.0.0 on GW 4.4.4.1


DMZ 192.168.88.0/24 out on WAN2 5.5.5.2

Static Route out 0.0.0.0 on GW 5.5.5.1


The FW rules are in place, I can wire it up and turn on the route but it doesn't work.  If I disable the route for WAN1 temporarily the DMZ out on WAN2 works but of course that breaks LAN to WAN1 out.  Had no issues getting this to work on the Juniper FW we had before, but for the life of me I can't get this one going. I have seen several people on the boards asking about similar issues, nothing exactly like mine, but no answers that work.

    2 replies

    Toshi_Esumi
    SuperUser
    October 4, 2018

    Two options:

    1. Create two VDOMs and put wan1 and the primary LAN into vdom1, and wan2 and the DMZ into vdom2. They can each have their own default route since they're separate routers/FWs.

    2. Use policy routes (PBR) to specify the source interface to choose either wan1 or wan2. You still need to have two default routes, to both wan1 and wan2. Distance/priority wouldn't matter if no other traffic exists other than from the primary LAN and from the DMZ.


    I prefer 1 because of simplicity and security, to separate the guest network from the corp one (PCI-DSS audit proof), but I already know some disagree since there are multiple posts almost the same as yours and I commented the same.
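    Option 2 above (policy routes with two default routes), written out as an added FortiOS CLI example; this is not from the thread, and it assumes the LAN sits on an interface named `internal`, the DMZ on `dmz`, FortiOS 5.4-era syntax, and the addresses from the question.

```fortios
# Added example, not from the original thread. Assumes LAN on "internal",
# DMZ on "dmz", WAN1 gateway 4.4.4.1 and WAN2 gateway 5.5.5.1 as in the question.

# Both default routes stay active: same distance and same priority, so the
# FortiGate installs both and the policy routes below pick between them.
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 4.4.4.1
        set device "wan1"
        set distance 10
        set priority 0
    next
    edit 2
        set dst 0.0.0.0 0.0.0.0
        set gateway 5.5.5.1
        set device "wan2"
        set distance 10
        set priority 0
    next
end

# Policy routes are consulted before the routing table: anything arriving on
# dmz from 192.168.88.0/24 is forced out wan2, anything from the LAN out wan1.
config router policy
    edit 1
        set input-device "dmz"
        set src 192.168.88.0/255.255.255.0
        set gateway 5.5.5.1
        set output-device "wan2"
    next
    edit 2
        set input-device "internal"
        set src 10.186.0.0/255.255.0.0
        set gateway 4.4.4.1
        set output-device "wan1"
    next
end
```

    Two things to check after applying it: `get router info routing-table all` should list both `0.0.0.0/0` entries (if only one shows, the distances differ and the policy route toward the missing one will not take effect), and the firewall policies must still exist per source/destination interface pair (dmz to wan2, internal to wan1), since a policy route only chooses the egress, it does not permit the traffic.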

    TiredOldGeek
    New Member
    October 4, 2018

    Got a reminder to never do this stuff during working hours.  Thought creating the new second VDOM would not be an issue.  Turns out it killed our ability to connect to sites with SSL.  I had to delete it not long after I created it though I have no idea as to why it did this.   Any thoughts?

    Toshi_Esumi
    SuperUser
    October 4, 2018

    Which wan interface and IP is the SSL VPN built on? Once you split it into two VDOMs, they are two different routers/FWs, so if you get in on one side via the VPN, you can get to the other side unless you set up a VDOM link and routes over it.

    This is not a minor change. Unless you're 100% sure what would happen, don't make changes outside of a maintenance window.

    ilucas12
    New Member
    October 9, 2018

    So the default route applies to the entire appliance. You will either have to attempt using some policy routes, which I've found to only be semi-reliable, or create a VDOM for your guest network. This creates a virtual "second" appliance that runs on the same hardware as the physical appliance. I've linked the Fortinet doc below because it does a much better job explaining than I can. Your current setup will become the "root" VDOM and you can name the new VDOM whatever you like, such as "guest", and manage them separately, including a separate default route. You will need to remove any references to your wan2 interface and then "move" it in the config to your new VDOM if you take this route.

    Hope that helps.


    Not sure which code branch you are on, but this link is the 5.4.4 version for VDOM. So far as I know not much has changed: https://docs.fortinet.com/d/fortigate-virtual-domains-5