przemo
New Member
August 7, 2015
Question

Two simple scenarios with two WAN links


Good Morning,

 

For a month now I have been the owner of a FortiGate 60D and I am learning its features, so I turn to you for help in solving what is probably a simple task: properly configuring two WAN ports.

I have two ISP with static IP and would like to implement one of the following scenarios.

 

Scenario 1.

- All HTTPS traffic goes through WAN1,
- All other traffic goes through WAN2,
- When WAN1 (WAN2) goes down, all traffic goes through WAN2 (WAN1).

Scenario 2.

- All traffic goes through WAN1,
- External access via WAN2 (WAN2 -> internal LAN),
- When WAN1 goes down, all traffic goes through WAN2.

Can you simply describe to me the differences between WAN Link Load Balancing (System -> Network -> WAN Link Load Balancing) and the ECMP Load Balancing Method (Router -> Settings)? I would be very grateful for any guidance.

 

p.s. sorry for my simple language

    2 replies

    hallodri
    New Member
    August 7, 2015

    Hi,

     

    you may want to have a look at this:

     

    http://kb.fortinet.com/kb/documentLink.do?externalID=FD32103

    which will explain which static route will be in the forwarding table depending on route priority and distance.

    And also this may be useful:

    http://help.fortinet.com/fos50hlp/52data/index.htm#FortiOS/fortigate-advanced-routing-52/Routing_Advanced_Static/adv_static_example.htm%3FTocPath%3DChapter%25203%2520-%2520Advanced%2520Routing%7CAdvanced%2520Static%2520Routing%7C_____6

     

    For your first scenario:

    You can do this by using policy-based routing (which I would always try to avoid) and Link Health Monitor (Router > Static > Settings).

     

    The second one is a very classic scenario where you will need two default routes (same distance and prio) and ECMP as described in the handbook (second link).

     

    Hope this helps you along...

    Have fun and bye bye,

    hallodri

    rpedrica
    Visitor III
    August 7, 2015

    Hi @przemo

     

    First you need to add default routes, one for each WAN link. Depending on whether you need incoming services on both WAN links (e.g. 1:1 NAT, port forward), you will need to have equal distance on both default routes; priority will determine preference for outbound traffic. If you don't require incoming services on both links, set a shorter distance for the preferred link and/or the link where general traffic will egress.

     

    Use policy routing to bend specific egress traffic through particular link - eg.

    wan1 - general traffic - distance 10 / priority 0

    wan2 - http/https - distance 20 / priority 0 - policy route: src net -> all, type: 6, port http/https, gateway wan2

    ... do not set a specific gateway address if fail-over is required ie. use 0.0.0.0

     

    Otherwise use load-balancing with same distance, priority for both links

     

    Create policies to allow traffic and assign security profiles

    int -> wan1 -> all services

    int -> wan2 -> http/https

     

    Create ecmp entries for fail-over

    Create fail-over policies in case of fail-over

     

    Hope that helps ...

    Robby
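The policy-route setup described in the reply above, written out as FortiOS CLI; this is an added example, not configuration posted by anyone in the thread or taken from Fortinet's documentation. It uses the equal-distance variant from the reply's first paragraph, with priority choosing wan1 for general traffic, and follows the 5.2-era syntax of the handbook linked earlier in the thread (newer releases write some values differently). Assumptions: the interface names, the documentation-range gateway addresses, the 192.168.1.0/24 LAN and the priority value 10 are constructed placeholders.

```fortios
# Two default routes with equal distance, so both stay in the routing table.
# With equal distance, the lower priority value is preferred for outbound traffic.
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set device "wan1"
        set gateway 203.0.113.1
        set distance 10
        set priority 0
    next
    edit 2
        set dst 0.0.0.0 0.0.0.0
        set device "wan2"
        set gateway 198.51.100.1
        set distance 10
        set priority 10
    next
end

# Policy routes: LAN -> any, protocol 6 (TCP), one entry per port (80, 443),
# sent out wan2. The gateway is left at 0.0.0.0 instead of a fixed next hop,
# as the reply advises when fail-over is required.
config router policy
    edit 1
        set input-device "internal"
        set src 192.168.1.0 255.255.255.0
        set dst 0.0.0.0 0.0.0.0
        set protocol 6
        set start-port 80
        set end-port 80
        set output-device "wan2"
        set gateway 0.0.0.0
    next
    edit 2
        set input-device "internal"
        set src 192.168.1.0 255.255.255.0
        set dst 0.0.0.0 0.0.0.0
        set protocol 6
        set start-port 443
        set end-port 443
        set output-device "wan2"
        set gateway 0.0.0.0
    next
end
```

Firewall policies from the internal interface to each WAN interface are still needed, as the reply lists; for the first scenario as originally asked (HTTPS through WAN1), swap the two devices.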

     

     

     

     

     

     

    przemo (Author)
    New Member
    August 11, 2015

    Hello! Guys, thank you very much for all the very useful tips and links. In addition, I found and read other explanations from Fortinet's database, and so far I was able to run two WAN links in the fail-over configuration (the second scenario).

     

    @robby,

    Can you explain to me precisely how to configure the device to get the first scenario? I cannot understand the following tips of yours:

    "src net -> all, type: 6, port http/https, gateway wan2 ... do not set a specific gateway address if fail-over is required ie. use 0.0.0.0".

     

    Do you mean the settings in: Router -> Static -> Policy Routes?