Routing with two wan int
Hi,
We have a simple architecture:
- a wan int for incoming requests to our servers with static nat
- several int for internal servers and user resources
- a single default route for outgoing and reverse traffic
- several static routes for different resources and sites
All goes well.
We recently had to manage a new public range, with new internal servers. For different internal reasons, the two public WANs have to be separate while using the same vdom.
We dedicated a wan int to the new range. The default route is still on the old one.
When we try to reach the new public int from outside, the famous "msg="reverse path check fail, drop"" is raised.
Doc: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Detailed-Guide-on-dual-WAN-setup-for-targeted/ta-p/276308 was very good information, but does it apply only to egress traffic, or to ingress traffic too?
In other words, we want to expose services on the internet on two separate wan int in the same vdom. But the second seems to be unreachable as the default route is mapped on the first one: packets arrive on the second int but do not reach the internal servers, with "reverse path check". When adding a static route for the external requesting address, it works. But we cannot list all internet addresses in our routing table...
Adding a second default route (with higher priority, then a policy route to forward the wanted traffic to the second wan) seems to be the solution, but we are afraid that it could disturb the original workflow.
Are we on the right track? Would adding a second default route with higher priority and policy routes be safe for the old working system?
BR
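The two-default-route layout the post is asking about, written out as an added FortiOS CLI example (not from the original post and not taken from the linked Fortinet doc): interface names wan1/wan2/dmz2, the gateways 203.0.113.1 and 198.51.100.1, and the 10.20.0.0/24 server range are constructed placeholders. The lower priority value keeps wan1 as the preferred egress for everything else, so the existing flow is left on its original path.

```fortios
# Added example, not the poster's running config. Both default routes share
# the same distance so both stay active in the routing table; the one on
# wan1 keeps the lower (preferred) priority value so ordinary outbound
# traffic still leaves exactly as before. With a default route present on
# wan2 as well, inbound packets arriving on wan2 have a valid return path
# on that interface, which is what the reverse path check looks for.
config router static
    edit 1
        set dst 0.0.0.0/0
        set gateway 203.0.113.1
        set device "wan1"
        set distance 10
        set priority 5
    next
    edit 2
        set dst 0.0.0.0/0
        set gateway 198.51.100.1
        set device "wan2"
        set distance 10
        set priority 10
    next
end

# Policy route: replies and outbound traffic sourced from the servers behind
# the new public range (placeholder subnet 10.20.0.0/24 on dmz2) are steered
# out wan2 instead of following the preferred wan1 default route.
config router policy
    edit 1
        set input-device "dmz2"
        set src "10.20.0.0/255.255.255.0"
        set gateway 198.51.100.1
        set output-device "wan2"
    next
end
```

After applying, `get router info routing-table all` should list both 0.0.0.0/0 entries (the wan1 one marked as the preferred path), and a sniffer trace on wan2 should no longer show the "reverse path check fail" drop for inbound traffic to the new range.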
