KWKe-corp
New Member
March 21, 2016
Question

WAN2 on 60D

  • March 21, 2016
  • 2 replies
  • 10366 views

Hi there,

We're currently using FortiWiFi 60D, running OS v5.0 build 4459.

We previously had one internet line connected to WAN1 with a fixed IP - say 172.1.2.10; all internet traffic is working fine with a static route for 0.0.0.0 to WAN1. External parties can ping this IP successfully.

Now we added a 2nd internet line, again with a fixed IP - say 172.1.2.20. The line was installed and we've set up a laptop with the given IP, subnet mask and DNS details and connected it to the modem. All is working fine; the laptop can browse the internet and can be pinged from external.

However, when I set up the fixed IP on the WAN2 port and connected WAN2 to the modem, I cannot ping the IP address from external parties. The line status is up and all seems to be working.

Do I have to do other setup, or do I need to upgrade the OS?

Thanks,

KW


    Toshi_Esumi
    SuperUser
    March 21, 2016

    Your pinging from outside is coming into WAN2 but the response is trying to go out WAN1 by following the default route, and is dropped because of the asymmetric route. If you're just testing, you can set a /32 route toward WAN2 for the ping source. But you likely want to set at least another default route with a higher priority value (the higher, the lower the priority is) like 10 via CLI toward WAN2, so that WAN2 would act as a backup internet.

    If you want to set up load-balancing, there is other documentation available. I would just google it.
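The route setup described in this reply, written out as FortiOS 5.0 CLI. This is an added example, not configuration posted in the thread: the gateway addresses (172.1.2.1 for WAN1, 172.1.2.21 for WAN2) and the external ping source 203.0.113.5 are placeholders, and the route index numbers are assumed to be free.

```fortios
# Added example: existing WAN1 default route kept as the preferred path,
# new WAN2 default route with a higher priority value as backup.
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 172.1.2.1
        set device "wan1"
        set distance 10
        set priority 0
    next
    edit 2
        set dst 0.0.0.0 0.0.0.0
        set gateway 172.1.2.21
        set device "wan2"
        set distance 10
        set priority 10
    next
end
# Equal distance keeps both routes in the active routing table, so the
# reverse-path check for traffic arriving on wan2 passes; the higher
# priority value on route 2 means wan1 is still chosen for normal egress.

# Optional test-only route: send replies for one external ping source
# (placeholder 203.0.113.5) out wan2 without touching the default routes.
config router static
    edit 3
        set dst 203.0.113.5 255.255.255.255
        set gateway 172.1.2.21
        set device "wan2"
    next
end

# Verify that both default routes are installed.
get router info routing-table all
```

The /32 test route is worth removing again once the check is done, so that the routing table only carries the routes the design actually needs.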


    KWKe-corp (Author)
    New Member
    March 22, 2016

    Thanks for your reply, Toshi.

    I've now added another default route for 0.0.0.0 to WAN2, with priority = 10. The original default route for WAN1 has priority = 0. Both have distance = 10.

    I've also added another policy to all internal LAN to allow ALL thru WAN2 interface too.

    I tried to ping the WAN2 line's gateway IP, and it pings successfully. The Policy screen on Firewall also shows an increasing number of packets going thru that WAN2 policy.

    I tried to ping the fixed IP on WAN2 interface from internal, but ping failed.

    I can ping the fixed IP on WAN1 interface successfully from internal and also from outside.

    Ping to the WAN2 IP also failed from outside.

    I did more research on Google, and all of it suggested just needing to add the default route and duplicate the policies - which I did. I don't need to set up failover, as all I want is a NAT thru the WAN2 IP to an internal web server.

    Just not sure why it still fails. Any suggestions?

    Thanks,

    KW

    Toshi_Esumi
    SuperUser
    March 22, 2016

    Double-check 1) ping is allowed on the WAN2 interface, then 2) whether any trusthosts are configured. If so, you need to add the ping source to them. Likely 2). Pinging an interface doesn't require a policy.

    To allow just one web site to go through WAN2, you don't need the default route but need a specific static route toward WAN2.
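The two checks from this reply, as FortiOS 5.0 CLI. This is an added example and not commands from the thread; the administrator name "admin", the trusthost slot number and the external test address 203.0.113.5 are assumptions, and the allowaccess list should be whatever the box already has plus ping.

```fortios
# Check 1: does wan2 answer ping at all? allowaccess is per interface.
show system interface wan2

# 'set allowaccess' replaces the whole list, so repeat any access that is
# already enabled (example assumes https and ssh were present) and add ping.
config system interface
    edit "wan2"
        set allowaccess ping https ssh
    next
end

# Check 2: trusted hosts. With trusthosts set on any administrator, the
# FortiGate only answers management traffic (ping included) from those
# hosts. Keep the restriction and add only the test source as a /32,
# in an unused trusthost slot (slot 4 is assumed free here).
show system admin
config system admin
    edit "admin"
        set trusthost4 203.0.113.5 255.255.255.255
    next
end

# Confirm ICMP actually reaches wan2 and where the reply leaves.
# Verbosity 4 prints the interface name with each packet.
diagnose sniffer packet wan2 'icmp' 4
```

If the sniffer shows the echo request arriving on wan2 but no reply, the problem is still on the FortiGate (allowaccess or trusthost); if the reply appears on wan1 instead, the routing from the earlier reply is what needs attention.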

    Gianluca_Caldi
    New Member
    March 23, 2016

    Hi KW,

    A firmware upgrade is the first step I'd suggest. We also had a similar problem some time ago on a 60C and it turned out to be a firmware bug in managing the "double WAN routing". It was some 5.x version.

    Now the box is running 5.2.6 and we have no problem anymore.

    Bye

    Gianluca

    ede_pfau
    SuperUser
    March 23, 2016

    At least it can't hurt to update to 5.0.13 (current). Stay with the 5.0 line (not 5.2) and please follow the recommended upgrade path - it might require intermediate firmware versions to keep the config intact. (Get hints by searching the forums for "Upgrade Matrix".)