DanieZ
New Member
September 3, 2018
Question

Fortigate FG60D two WAN routing issue


Good day.

I need help configuring my FortiGate with 2 WAN ports. One network, through port wan1, has the office internet and a mail server with VIPs; the second network, through port WAN2, has the guest wifi network. The problem is that from WAN2 it is impossible to get to the WAN1 mail server OWA page.

The WANs are taken from one internet provider with different IPs and have different distances; internet for WAN2 is set up through a routing policy.

Can anyone help?

    live89
    Explorer III
    September 3, 2018

    Let me see if I understood your question:

    You're saying that guest users are not able to surf to the OWA page?

    The OWA page is behind the WAN1 interface with a VIP configured.

    Guest users are surfing the internet through WAN2.

    Correct me if I understood your question incorrectly!

    - Why should the guest user go outside to the internet and then get back to your FGT device and search for the VIP to the OWA page?

    You can just create a DNS database with a static resolve to the internal IP and assign the DNS database to the WAN2 interface:

    for example:

        FW # config system dns-server
        FW (dns-server) # show
        config system dns-server
            edit "WAN2"
            next
        end

        FW # config system dns-database
        FW (dns-database) # show
        config system dns-database
            edit "OWA"
                set domain "yourdomain.com"
                set authoritative disable
                config dns-entry
                    edit 1
                        set hostname "owa"
                        set ip 172.16.1.12
                    next
                end
            next
        end

    DanieZ
    DanieZAuthor
    New Member
    September 3, 2018

    Thanks for the answer. Yes, in general, you understood correctly. The question is why users from the guest network need access: many users use corporate mail on smartphones, and at the moment it does not work on the guest wifi. To clarify, at the moment there is no access to the Fortinet portal, Exchange OWA, Exchange, and Exchange ActiveSync from WAN 2 to WAN 1.

    LAN 1 192.168.0.1 goes outside to WAN1 1.1.1.1

    LAN 2 192.168.5.1 goes outside to WAN2 1.1.5.1

    Ashik_Sheik
    New Member
    September 3, 2018

    Hi,

    You need a U-turn policy from guest to LAN with the destination set to the mail VIP. This will work.

    Regds,

    Ashik

    Ashik_Sheik
    New Member
    September 12, 2018

    Hi,

    I have a similar design. Explained with an example:

    (LAN) interface Port1: 172.16.1.1/24

    (Guest_Network_Subnet) interface Port2: 10.10.10.1/24

    WAN1: 100.100.100.1/24

    OWA Server IP: 172.16.1.10/24, GW: 172.16.1.1

    OWA-VIP: External IP 100.100.100.10 -- Internal 172.16.1.10 (OWA server real IP)

    Now the policy:

    Create a Destination NAT policy for OWA from the internet:

    Incoming interface: WAN1

    Source Subnet: All

    Destination Interface: Port1 (LAN)

    Destination Subnet: OWA-VIP

    Set Service: All

    Set Action: Allow

    NAT: Disabled

    Create a policy for Guest to access OWA from the Guest Network:

    Incoming interface: Port2

    Source Subnet: Guest_Network_Subnet

    Destination Interface: Port1 (LAN)

    Destination Subnet: OWA-VIP

    Set Service: All

    Set Action: Allow

    NAT: Disabled

    Hope this is clear. You just need a U-turn policy from the guest network.

    Regds

    Ashik

    DanieZ
    DanieZAuthor
    New Member
    September 13, 2018

    ashik wrote: (quotes the September 12 reply above in full)

    Hi

    I have a difference from your configuration: the guest LAN uses the physical WAN2 with another subnet.

    According to your example, it is something like the following:

    (LAN) interface Port1: 172.16.1.1/24

    (Guest_Lan) interface Port2: 10.10.10.1/24

    WAN1: 100.100.100.1/29

    WAN2: 100.200.200.1/29

    OWA Server IP: 172.16.1.10/24, GW: 172.16.1.1

    OWA-VIP: External IP 100.100.100.10 -- Internal 172.16.1.10 (OWA server real IP)

    Static routes:

    WAN1: 100.100.100.1/29 distance 10

    WAN2: 100.200.200.1/29 distance 20

    Routing policy:

    (guest LAN) routed from Port2: 10.10.10.1/24 to WAN2: 100.200.200.1/29

    IPv4 Policy:

    Create a Destination NAT policy for OWA from the internet:

    Incoming interface: WAN1

    Source Subnet: All

    Destination Interface: Port1 (LAN)

    Destination Subnet: OWA-VIP

    Set Service: All

    Set Action: Allow

    NAT: Disabled

    The solution that was proposed really worked with only WAN1 for both subnets, but in my configuration I need something else.

    Ashik_Sheik
    New Member
    September 13, 2018

    Hi,

    You don't have to worry about WAN2, because traffic is internally routed between the guest and LAN networks. Yes, maybe you have a policy route 0.0.0.0/0 from the guest network to reach WAN2; this may affect your traffic reaching the LAN.

    Just create another policy route on top of the 0.0.0.0/0 one to the LAN or server network and select the stop policy route option.

    Finally you need only the policy below:

    Create a policy for Guest to access OWA from the Guest Network:

    Incoming interface: Port2

    Source Subnet: Guest_Network_Subnet

    Destination Interface: Port1 (LAN)

    Destination Subnet: OWA-VIP

    Set Service: All

    Set Action: Allow

    NAT: Disabled

    Hope you understood the configuration.

    Regds,

    Ashik
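The U-turn design from Ashik's September 12 and 13 replies, written out as FortiOS CLI (an added example, not configuration posted by anyone in this thread). It assumes port2 is the guest LAN with an address object "Guest_Network_Subnet" for 10.10.10.0/24, a placeholder wan2 next hop of 100.200.200.6, and a VIP external interface of "any" so the VIP can be matched on port2 as well as wan1.

```fortios
# Added example for this thread's hairpin (U-turn) setup; addresses follow
# DanieZ's diagram. The wan2 gateway 100.200.200.6 is a placeholder.
config firewall vip
    edit "OWA-VIP"
        set extip 100.100.100.10
        set extintf "any"
        set mappedip "172.16.1.10"
    next
end
config firewall address
    edit "Guest_Network_Subnet"
        set subnet 10.10.10.0 255.255.255.0
    next
end
config router policy
# Entry 1 sits above the catch-all. "deny" is the CLI form of the GUI's
# "Stop Policy Routing": guest traffic for 172.16.1.0/24 falls through to
# the routing table, which already has that subnet connected on port1.
    edit 1
        set input-device "port2"
        set src "10.10.10.0/255.255.255.0"
        set dst "172.16.1.0/255.255.255.0"
        set action deny
    next
# Entry 2 is the existing default policy route that sends guest traffic out wan2.
    edit 2
        set input-device "port2"
        set src "10.10.10.0/255.255.255.0"
        set dst "0.0.0.0/0.0.0.0"
        set gateway 100.200.200.6
        set output-device "wan2"
    next
end
config firewall policy
# Guest -> LAN with the VIP as destination and no source NAT, so the server
# sees the guest address and replies via its gateway 172.16.1.1 (this FortiGate).
    edit 10
        set name "Guest-to-OWA"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "Guest_Network_Subnet"
        set dstaddr "OWA-VIP"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set nat disable
    next
end
```

Policy routes are evaluated top-down with first match, so entry 1 must stay above the 0.0.0.0/0 entry; leaving the VIP's external interface as wan1 would stop the VIP matching traffic that arrives on port2.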