VSI
New Member
October 6, 2015
Solved

Route Guest traffic out WAN2 & still have failover for WAN1


Hello,

I have a client with 2 WAN connections. They would like to use WAN2 as a "failover only" for WAN1 (i.e., no load balancing).

They would also like to route Guest VLAN traffic out WAN2 only.

I have searched the KB articles and the forum, and I am still a bit confused as to how to properly implement this scenario.

I believe I need to do the following:

  • Set wan1 and wan2 static routes with same distance and priority
  • Configure link health monitor/dead gateway detection for wan1
  • Create policy-based route for internal LAN (except guest) to go out wan1 (must be first so traffic flows out wan1 first, unless down)
  • Create policy-based route for internal LAN (except guest) to go out wan2 (this is backup route if wan1 fails)
  • Create policy-based route for Guest VLAN to go out wan2
  • Modify default LAN firewall policy to allow traffic (except guest VLAN) out wan1 and wan2 interface
  • Modify Guest VLAN firewall policy to allow traffic out wan2

Is this the correct way to implement the scenario I described above? Am I missing anything?

Thank you so much for your time.

-Jon

Best answer by Allwyn_Mascarenhas

    gschmitt wrote:

        VSI wrote:

          • Create policy-based route for internal LAN (except guest) to go out wan1 (must be first so traffic flows out wan1 first, unless down)
          • Create policy-based route for internal LAN (except guest) to go out wan2 (this is backup route if wan1 fails)

        Skip these two steps :)

        Unless otherwise specified with policy routes, they will use the static routes; instead, increase the priority of the default route.

The doc says: The route with the lowest value in the priority field is considered the best route. It is also the primary route.

So the default route priority, which is wan1 here, should be less.


gschmitt
New Member
October 7, 2015

    VSI wrote:

      • Create policy-based route for internal LAN (except guest) to go out wan1 (must be first so traffic flows out wan1 first, unless down)
      • Create policy-based route for internal LAN (except guest) to go out wan2 (this is backup route if wan1 fails)

Skip these two steps :)

Unless otherwise specified with policy routes, they will use the static routes; instead, increase the priority of the default route.

VSI (Author)
New Member
October 7, 2015

Thanks for the reply!

As I understand policy routes, they are applied before static and connected routes. So, if we have a route with destination 0.0.0.0/0.0.0.0 it will route all traffic using this policy route. When I enter the policy route using "source: Guest VLAN, destination: 0.0.0.0/0.0.0.0, interface: WAN2" this will route all traffic, including our internal LAN traffic, out WAN2.

This would not achieve the desired result, so my thought was to specify policy routes for all other internal LAN traffic to go out WAN1, and put these policies at the top of the order list.

Does this make sense or am I still wrong?

This post might explain it better: https://forum.fortinet.com/tm.aspx?m=112840

Thanks again for your reply and assistance!

gschmitt
New Member
October 7, 2015

    VSI wrote:

    "source: Guest VLAN, destination: 0.0.0.0/0.0.0.0, interface: WAN2" this will route all traffic, including our internal LAN traffic, out WAN2.

No, it shouldn't. Policy Routes only affect the selected Source Interfaces and since it's a Guest VLAN your normal internal LAN shouldn't be affected.
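The approach from the best answer and gschmitt's last reply (two default routes split by priority, a link monitor on wan1, and a single policy route matched on the guest VLAN as input device), written out as an added FortiOS CLI example that is not from the thread. Interface names, subnets and gateway addresses are placeholders: wan1 gateway 203.0.113.1, wan2 gateway 198.51.100.1, guest VLAN interface "guest" on 10.99.0.0/24.

```fortios
# Added example, not the poster's config. All addresses and names are assumed.

# 1. Two default routes with the same distance but different priority.
#    Both stay in the routing table; the lower priority value (wan1)
#    is preferred and wan2 only carries traffic once the wan1 route is gone.
config router static
    edit 1
        set device "wan1"
        set gateway 203.0.113.1
        set distance 10
        set priority 5
    next
    edit 2
        set device "wan2"
        set gateway 198.51.100.1
        set distance 10
        set priority 10
    next
end

# 2. Link health monitor on wan1. When the probe fails, the wan1 static
#    route is withdrawn and the wan2 default route takes over by itself,
#    so no policy routes are needed for the internal LAN.
config system link-monitor
    edit "wan1-mon"
        set srcintf "wan1"
        set server "203.0.113.1"
        set gateway-ip 203.0.113.1
        set protocol ping
        set interval 5
        set failtime 3
        set recoverytime 3
        set update-static-route enable
    next
end

# 3. One policy route, matched only on the guest VLAN as input device.
#    Traffic arriving on any other interface never matches it and keeps
#    using the static routing table above.
config router policy
    edit 1
        set input-device "guest"
        set src 10.99.0.0/24
        set dst 0.0.0.0/0
        set output-device "wan2"
        set gateway 198.51.100.1
    next
end
```

The guest VLAN firewall policy should still name only wan2 as its destination interface, as the original post planned, so guest traffic has no permitted path out wan1 even when the policy route is not applied.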