WEQ-Technologies
Visitor III
April 15, 2022
Solved

Two default routes on one interface

  • April 15, 2022
  • 2 replies
  • 4169 views

Hello everyone,

I just wanted to make sure that this is going to work:
Our customer has two WAN subnets which are connected to one interface on the FortiGate. Therefore I need two default routes, one to each gateway. The secondary subnet is configured as secondary IP at the wan1 interface. Does the FortiGate know automatically which gateway it should choose? (See the attached images)

Unfortunately I cannot test this yet since it's not installed at the customer's site...
Thank you in advance!

2 replies

aahmadzada
Staff
April 15, 2022

Hi,
By default, FortiOS will perform ECMP with such a setup.
Can you please tell me the reason you would like to assign these secondary IP addresses to the wan interface?
Will these IP addresses be used in SNAT or DNAT?

Ahmad

WEQ-Technologies
Visitor III
April 15, 2022

Hi, thanks for the reply!

This is because the previous firewall (Barracuda) had such a setup, so I took it and transferred it 1:1 to the FortiGate. I have some VIPs that I guess would work just fine, but ECMP of course is not what I want. So I guess I will use two separate interfaces for the two subnets and use SD-WAN instead...

Benedikt

aahmadzada
Staff
April 15, 2022

Not sure how Barracuda works, but on FortiOS, if these IP addresses will be used for SNAT/DNAT, there is no need to "host" them on the wan interface.

Ahmad
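
The following FortiOS CLI fragment is an added illustration of the two points made in Ahmad's replies, not configuration taken from the thread or from the original poster's device. Every address is constructed from the RFC 5737 documentation ranges, and the interface and object names are assumptions. Part 1 reproduces the setup described in the question (two default routes, same distance, same priority) that FortiOS treats as ECMP; part 2 shows how giving one route a higher priority value keeps a single active default route with the other as fallback; part 3 shows a VIP and an IP pool whose addresses are not hosted on wan1, which is what Ahmad means by not needing to "host" SNAT/DNAT addresses on the interface.

```fortios
# Added illustration, not configuration from the thread.
# All addresses are constructed (RFC 5737 ranges); names are assumptions.

# --- 1. The setup from the question: two WAN subnets on one interface ---
config system interface
    edit "wan1"
        set ip 203.0.113.10 255.255.255.0
        set secondary-IP enable
        config secondaryip
            edit 1
                set ip 198.51.100.10 255.255.255.0
            next
        end
    next
end

# Two default routes with equal distance and equal priority: FortiOS installs
# both and load-balances sessions across them (ECMP), as Ahmad points out.
config router static
    edit 1
        set gateway 203.0.113.1
        set device "wan1"
        set distance 10
        set priority 1
    next
    edit 2
        set gateway 198.51.100.1
        set device "wan1"
        set distance 10
        set priority 1
    next
end

# --- 2. Avoiding ECMP without removing the second route ---
# Same distance, different priority: the route with the lower priority value
# is used for forwarding; the other stays in the routing table as a fallback.
config router static
    edit 2
        set priority 10
    next
end

# --- 3. DNAT (VIP) and SNAT (IP pool) addresses need not be hosted on wan1 ---
# With arp-reply enabled (the default), the FortiGate answers ARP for these
# addresses on the external interface even though they are not configured
# as primary or secondary interface IPs.
config firewall vip
    edit "vip-web-secondary-subnet"
        set extip 198.51.100.20
        set extintf "wan1"
        set mappedip "10.0.0.20"
        set arp-reply enable
    next
end

config firewall ippool
    edit "snat-secondary-subnet"
        set type one-to-one
        set startip 198.51.100.30
        set endip 198.51.100.30
        set arp-reply enable
    next
end
```

After applying part 1, `get router info routing-table all` lists both default routes as active; after part 2 it still lists both, but traffic follows only the gateway with priority 1. Part 3 is the configuration shape Ahmad's second reply describes: the VIP and IP pool carry the second subnet's addresses, so the secondary IP on wan1 is not required for them to work.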

Toshi_Esumi
SuperUser
April 15, 2022

You should dig into the Barracuda config further to understand why it was configured that way. My instant guess is that one of them was an old one and a secondary IP was used for transition, then it was never removed after the transition was completed. That means one of them might not be working now. You might need to talk to your ISP to figure it out.

Toshi