saharhod
New Member
April 8, 2019
Question

Multiple WAN And VIP Routing


Hi, All.

I have a FortiGate 201E with multiple WAN interfaces.

I am trying to change the "Administrative Distance" on the static routes I have, so that some of the WAN interfaces are used more frequently than others.

Whenever I do that, VIP that is not pointed to the lowest "Administrative Distance" (or at least equal) will not work.

Do I have to use policy route?

Thank you

Sahar

    1 reply

    boneyard
    Valued Contributor
    April 20, 2019

    yeah, you can't and shouldn't use distance for that.

     

    if you want to spread traffic over multiple interfaces have a look at what is currently called SD-WAN

     

    https://cookbook.fortinet.com/redundant-internet-with-sd-wan-60/

    saharhod (Author)
    New Member
    April 21, 2019

    Thank you for the reply,

    I am using SD-WAN interface as well, I have a lot of WAN interfaces not all are used in the SD-WAN.

    What I don't understand is how administrative distance influences VIP, and incoming traffic.

    I was trying to change distance to avoid using Policy Route, to use a specific outbound interface for a specific network.

    But I guess Policy Route is the way to go.

     

     

    boneyard
    Valued Contributor
    April 22, 2019

    saharhod wrote:

    What I don't understand is how administrative distance influences VIP, and incoming traffic.

    for incoming traffic the issue lies with the reverse path check, it is a feature that makes sure that traffic only enters on an interface where it is expected.

     

    see https://kb.fortinet.com/kb/documentLink.do?externalID=FD30543

     

    when you have two routes towards the internet with different administrative distances then only one is in the routing table. which means that traffic on the other interface will be dropped because of the reverse path check as it compares the routing table with the traffic seen.

     

    so you need to keep the same administrative distance and different priorities to make this work for incoming traffic.

     

    for outgoing traffic you then use SD-WAN and perhaps policy routes, depending if you want to load balance outgoing traffic or determine what interface is used.
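
The reverse path check described in the reply above, as an added example that is not part of the original thread and is not Fortinet code: a simplified Python model of route installation and the check. Interface names, addresses and distance/priority values are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class StaticRoute:
    dst: str        # destination prefix
    device: str     # egress interface
    distance: int   # administrative distance: lowest wins, others are not installed
    priority: int   # tie-breaker among installed routes: lower value is preferred

def routing_table(static_routes):
    """Per destination prefix, install only the routes with the lowest distance."""
    by_dst = {}
    for r in static_routes:
        by_dst.setdefault(r.dst, []).append(r)
    table = []
    for routes in by_dst.values():
        best = min(r.distance for r in routes)
        table += [r for r in routes if r.distance == best]
    return table

def rpf_accepts(table, src_ip, in_device):
    """Reverse path check: some installed route back to src_ip must use in_device."""
    src = ipaddress.ip_address(src_ip)
    return any(src in ipaddress.ip_network(r.dst) and r.device == in_device
               for r in table)

def egress_device(table, dst_ip):
    """Outbound choice: longest prefix first, then lowest priority value."""
    dst = ipaddress.ip_address(dst_ip)
    matches = [r for r in table if dst in ipaddress.ip_network(r.dst)]
    best = min(matches, key=lambda r: (-ipaddress.ip_network(r.dst).prefixlen, r.priority))
    return best.device

CLIENT = "203.0.113.50"  # constructed internet client reaching a VIP on wan2

# Case 1: different distances, so only the wan1 default route is installed
different_distance = routing_table([
    StaticRoute("0.0.0.0/0", "wan1", distance=10, priority=0),
    StaticRoute("0.0.0.0/0", "wan2", distance=20, priority=0),
])
# Case 2: same distance and different priority, so both routes are installed
same_distance = routing_table([
    StaticRoute("0.0.0.0/0", "wan1", distance=10, priority=0),
    StaticRoute("0.0.0.0/0", "wan2", distance=10, priority=10),
])

for name, table in [("different distance", different_distance), ("same distance", same_distance)]:
    print(name, "| VIP traffic in on wan2 accepted:", rpf_accepts(table, CLIENT, "wan2"),
          "| outbound default via:", egress_device(table, "198.51.100.7"))
```

With equal distances the wan2 route stays in the table, so inbound VIP traffic on wan2 passes the check while wan1 remains the preferred outbound path because of its lower priority value.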