aagrafi
New Member
March 19, 2020
Question

Two default routes and SD-WAN

  • March 19, 2020
  • 1 reply
  • 14819 views

Hello,

I have two WAN interfaces in SD-WAN and a third WAN interface alone. I want to have two default routes, one over SD-WAN with distance 20 and one over the third interface with distance 10. The FortiGate does not allow me to do so, with the message: "You cannot have duplicated routes on SD-WAN and non SD-WAN interfaces."

Now, I remember that in the past, on the same FG but with a different FortiOS version, I could do that. Now my FG is running 6.0.8. Has something changed? Besides, I don't understand why FortiOS shouldn't allow me the option to have two default routes with different distances, no matter whether I use SD-WAN or not.

Thanks

    1 reply

    Jamie
    New Member
    October 31, 2020

    Hi,

    The reason is that the system handles policy routes as taking precedence over static routes, and in this case "policy routes" means SD-WAN rules. What Fortinet wants us to do is have one default route to the SD-WAN zone and then use the rules to route the traffic. For better or worse.

    Your answer is somewhere in here...

    https://docs.fortinet.com/document/fortigate/6.2.3/technical-tip-multiple-default-routes-where-sdwan-rules-are-not-preferred/20/fd47747

    I've been in a couple of situations like yours, and what I do is add the 3rd WAN interface into the SD-WAN zone.

    boneyard
    Valued Contributor
    October 31, 2020

    Fortinet also allows you to add default routes to the different interfaces that are part of SD-WAN (and then no default route to the SD-WAN interface itself).

    Jirka1
    Explorer II
    October 31, 2020

    Yes, I had to set this on our devices on the advice of TAC - if the DR is set to SD-WAN, self-originated traffic (DNS, FortiGuard, etc.) does not work. Although everywhere in the KB it is stated that the DR should be set to SD-WAN only - it's a mess :\
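As an added example (not posted by any of the participants and not copied from the linked Fortinet tip), the layout that boneyard and Jirka1 describe, written out in FortiOS 6.0/6.2 CLI form. The interface names wan1 and wan2 (SD-WAN members) and wan3 (standalone), the gateway addresses, and the `virtual-wan-link` keyword for that version are assumptions.

```text
# Rejected on FortiOS 6.0.8: a default route over the SD-WAN link plus one over
# a non-member interface is refused with the error quoted in the question.
# (In 6.0/6.2 the SD-WAN link is selected with "set virtual-wan-link enable".)
#
# config router static
#     edit 1
#         set dst 0.0.0.0 0.0.0.0
#         set virtual-wan-link enable
#         set distance 20
#     next
#     edit 2
#         set dst 0.0.0.0 0.0.0.0
#         set device "wan3"
#         set gateway 203.0.113.1
#         set distance 10
#     next
# end

# Accepted layout from the replies: no route to the SD-WAN link itself, one
# default route per SD-WAN member (wan1, wan2) and one for the standalone wan3.
# Gateway addresses are placeholders.
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set device "wan1"
        set gateway 198.51.100.1
        set distance 20
    next
    edit 2
        set dst 0.0.0.0 0.0.0.0
        set device "wan2"
        set gateway 192.0.2.1
        set distance 20
    next
    edit 3
        set dst 0.0.0.0 0.0.0.0
        set device "wan3"
        set gateway 203.0.113.1
        set distance 10
    next
end

# Check the result: only the distance-10 route via wan3 should show as the
# active default; the distance-20 routes take over when wan3 goes down.
get router info routing-table all
```

Self-originated traffic (DNS, FortiGuard) is exactly what Jirka1 reports breaking with a single default route to SD-WAN, so verify it explicitly after the change rather than only testing user traffic.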