Skip to main content
Xaak
Xaak
New Member
November 30, 2023
Solved

Trouble with dual wan setup

  • November 30, 2023
  • 3 replies
  • 7548 views

This is what I'm trying to set up on an Fortigate 60F with firmware version 7.41:

 

Wan1 - multiple static IPs

subnet 192.168.2.0/24 on vlan switch internal on internal 1 port

Administrative Distance: 10 via static route

various inbound and outbound policies.

this contains public facing servers, domain infrastructure and other servers with static ips mostly for inbound.

various inbound and outbound policies.

This part is working fine.

 

What I've set up on wan 2

Wan2 - DHCP

Subnet 192.168.3.0/24 on vlan switch internal1 on internal2 port

Distance 10 via wan2 interface

inbound policy block all ports

outbound policy allow all ports (for now, will lock down once things are working)

This would be PCs, phones and other devices for internet access, with addresses assigned by domain dhcp service.

 

What's happening (while playing around with various settings) is that either wan2 isn't working for internet, or the internet on both interfaces is completely hosed.

 

Also required, bidirectional access between vlan switches, which I haven't tried to set up yet.

 

What am I doing wrong?

 

 

 

 

 

 

Best answer by Toshi_Esumi

Have you configured like below already?
https://docs.fortinet.com/document/fortigate/7.4.1/administration-guide/144044/policy-routes

3 replies

dbu
Staff
dbu
Staff
December 1, 2023

Hi @Xaak 

What is you intention ,do you want the dual WAN setup for redundancy ?

If Yes , than you need to change the administrative distance on WAN2 "Distance 10 via wan2 interface", because currently both WANs are configured with value 10. (the lower the value the higher the priority)

    Xaak
    XaakAuthor
    New Member
    December 1, 2023

    No, I want each wan port to have it's own vlan switch and subnet that can  access it.

    Servers use wan1 and pcs and other devices use wan2.

    Toshi_Esumi
    SuperUser
    Toshi_Esumi
    SuperUser
    December 1, 2023

    Your descriptions of set up is troubling me. You have to separate wan side and LAN side when you describe them, unless you configured policy routes to bind LAN1 subnet to use WAN1, and LAN2 subnet to use WAN2.

    For WAN side, WAN1's IP is configured statically out of multiple available IPs on the circuit, while WAN2 pulls an IP from your ISP via DHCP. This part is clear.

     

    For LAN side, by default the FG60F has "internal" VLAN switch interface configured and it includes all internal1 - 5 physical interfaces as members. And all VLAN subinterfaces you configure on "internal" would be spread/shared with those all internal1 - 5 interfaces (or ports, you might call them). So unless you remove "internal2" interface from the "internal" vlan switch, you can't (or can but not effective) configure an IP like 192.168.2.1/24 on internal2 interface.

     

    Is this what you configured, or different?

     

    Toshi

      Xaak
      XaakAuthor
      New Member
      December 1, 2023

      Vlan switch internal has only Internal1 (port 1 as I called it). Vlan switch internal1 has only internal2 (port 2 as I called it).  The remaining internal interfaces are currently unmapped.

      Toshi_Esumi
      SuperUser
      Toshi_Esumi
      SuperUser
      December 1, 2023

      I don't think you can use the same name "internal1" for a new VLAN switch interface while internal1 physical interface still exists as a member of internal vlan interface.

       

      Or maybe allowed, but it's confusing.

        Toshi_Esumi
        SuperUser
        Toshi_Esumi
        SuperUser
        December 1, 2023

        And you looks like intending to bind LAN1 to wan1 and LAN2 to wan2. Then you have to have two policy routes.

         

        Make sure two default routes exist in routing-table in CLI "get router info routing-table all" for both wan1 and 2.

          Xaak
          XaakAuthor
          New Member
          December 1, 2023

          The second wan is dhcp.  From what I understand it automatically creates the route.

           

          Toshi_Esumi
          SuperUser
          Toshi_Esumi
          SuperUser
          December 1, 2023

          You still need to make sure it doesn't override the wan1 default route or isn't orverriden by it. It's just a simple CLI command to see it. It should show like below. It's at the top of the output. My case is SD-WAN with two static default routes and with different weight(20 and 1).

          fg40f-utm (root) # get router info routing-t all
          Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
          O - OSPF, IA - OSPF inter area
          N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
          E1 - OSPF external type 1, E2 - OSPF external type 2
          i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
          * - candidate default

          Routing table for VRF=0
          S* 0.0.0.0/0 [1/0] via x.x.x.x, ppp3, [1/20]
                              [1/0] via y.y.y.y, a, [1/1]

          ---<snip>----

          Toshi



            Terms & ConditionsAccessibility statement