LiaoYuRuei
New Member
July 2, 2018
Solved

Route branch local traffic to Internet via HQ's FGT without VPN ?

  • July 2, 2018
  • 2 replies
  • 30273 views

Topology: (diagram not reproduced here)

Hello All, I have the privilege to manage two FGTs.

(I can control NAT, Route... etc on two FGTs.)

 

Question:

1. Can I route local traffic to 8.8.8.8 via the following path?

   [ Local PC -> FGT1 -> ISP1 -> ISP2 -> FGT2 -> ISP2 -> Internet ]

   In other words, when local PCs visit Internet, they have to go through FGT2 first.

2. If possible, how do I implement it?

 

    Best answer by ede_pfau

    Yes, 'site-to-site' is rubbish, sorry. SSLVPN using FortiClient.

    2 replies

    Toshi_Esumi
    SuperUser
    July 2, 2018

    Not possible. Once the traffic hits the GW at your ISP, they have no idea where to route packets destined to 192.168.x.y.

    LiaoYuRuei
    New Member
    July 2, 2018

    toshiesumi wrote:

    Not possible. Once the traffic hits the GW at your ISP, they have no idea where to route packets destined to 192.168.x.y.

    Hello Toshi Esumi, thanks for your reply.

    In order to avoid misunderstandings, I modified the question.

    I want to route local traffic to Internet (via FGT1 -> ISP1 -> ISP2 -> FGT2 -> Internet),

    In other words, I want the local PCs to visit the Internet via FGT2. Is that possible?

    p.s. I can manage both FGTs (including the NAT feature)

    rwpatterson
    New Member
    July 2, 2018

    An aside: You have the same private subnet on both units. CHANGE ONE (or both!). You will run into more issues down the road if you use the common subnets when you set up networks. 192.168.0, 192.168.1, 192.168.2, 192.168.3. These ship on a majority of devices from the factory, so if/when you meet someone down the road you need to connect to and they do the same, you are going to have issues.

     

    Onto the main question: Cannot be done without a VPN. No ISP will allow the RFC 1918 subnets onto the Internet. End of story. So, no VPN = no remote gateway Internet routing.

     

    Look up "RFC 1918" (https://tools.ietf.org/html/rfc1918) for yourself, superseded by RFC 3330 (https://tools.ietf.org/html/rfc3330) then by RFC 5735 (https://tools.ietf.org/html/rfc5735).

     

    More reading material on the subject could be found here: https://en.wikipedia.org/wiki/Bogon_filtering
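An added illustration, not part of the thread: a small Python model of why a carrier cannot steer the branch traffic through FGT2 without a tunnel. ISP routers forward on the destination address alone and discard RFC 1918 destinations, so only an encapsulated packet addressed to FGT2's public IP ever reaches FGT2. Hop names follow the thread's topology; the public address is a constructed documentation-range example.

```python
from ipaddress import ip_address, ip_network

# RFC 1918 prefixes: carriers treat these as bogons and will not route them.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr):
    return any(ip_address(addr) in n for n in RFC1918)

def carrier_forward(dst):
    """An ISP router forwards on the destination address alone and discards
    packets addressed to RFC 1918 space. It has no notion of 'via FGT2'."""
    return "drop" if is_rfc1918(dst) else "forward"

def trace_outbound(dst, fgt2_public, tunnel):
    """Hop-by-hop view of a branch packet to `dst`. Returns (hops, reaches_fgt2).
    Without a tunnel FGT1 source-NATs and sends the packet with its original
    destination, so ISP1 delivers it straight to the Internet and FGT2 is never
    on the path. With a tunnel the outer header is addressed to FGT2's public IP
    (constructed example value), so the carriers deliver it to FGT2, which
    decapsulates, NATs and forwards to the real destination."""
    hops = [("Local PC", dst)]
    if tunnel:
        outer = fgt2_public                  # encapsulated: carriers see only public endpoints
        hops.append(("FGT1", outer))
        for isp in ("ISP1", "ISP2"):
            if carrier_forward(outer) == "drop":
                hops.append((isp, "drop"))   # would happen if the endpoint were private
                return hops, False
            hops.append((isp, outer))
        hops.append(("FGT2", dst))           # decapsulate, SNAT to FGT2's public IP, forward
        hops.append(("Internet", dst))
        return hops, True
    hops.append(("FGT1", dst))               # plain SNAT; destination is unchanged
    if carrier_forward(dst) == "drop":
        hops.append(("ISP1", "drop"))        # e.g. a packet aimed at FGT2's 192.168.x.y LAN
        return hops, False
    hops.append(("ISP1", dst))
    hops.append(("Internet", dst))           # never passes through FGT2
    return hops, False

if __name__ == "__main__":
    for tunnel in (False, True):
        hops, via_fgt2 = trace_outbound("8.8.8.8", "203.0.113.1", tunnel)
        print("tunnel" if tunnel else "no tunnel", "via FGT2:", via_fgt2, hops)
```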

    LiaoYuRuei
    New Member
    July 2, 2018

    rwpatterson wrote:

    Read the linked materials on BOGONs.

     

    No

     

    You cannot route to any 192.168/16 network over the Internet without a VPN. End of story.

    Hello, rwpatterson, thanks for your reply.

    I'm sorry. It's my fault. I think I did not express my question clearly in the title.

    All I want to do is route local traffic to the Internet via FGT2.

    The traffic path I want is: Local PC -> FGT1 -> ISP1 -> ISP2 -> FGT2 -> Internet,

    and I don't care whether FGT2's local subnet is reachable or not,

    I just want the local PCs' Internet traffic to go to FGT2 first.

     

    Is it possible? If so, could you tell me how to implement it?