Cybersecurity Forum


Nik
New Contributor II

Routing issues with vdoms and dual ISPs

Hello,

I am having issues getting this dual-ISP setup to work with vdoms.
There are currently two vdoms in the virtual FortiGate: root & vdom-1.
Each vdom has a separate ISP with different IP ranges.
Traffic through ISP1 is directly NATed through the VIP described, and the default route is pointed towards ISP1.

My issue is that when people connect to the VIP that is on ISP2, all traffic seems to route from the server out on ISP1 because of the default route.
Is it possible to have a setup like this and utilize both ISPs to connect to the local server 172.0.10.17?

This time around we need to source NAT everything coming in on ISP2 to the vlink interface 10.0.0.1 for the traffic to return to ISP2.
However, this is not a valid solution, as we need to see the original source IP logged on the server etc.

It seems like the TCP session doesn't return the traffic from its original source when we do not use source NAT.
Is there any way to solve this problem and use both ISPs for communication with the local server?

seshuganesh
Staff

Hi Team,

Can you share this output:

get router info routing-table details 8.8.8.8


When the packet comes from VIP2 to the root VDOM without NAT, the traffic should get dropped at the root vdom because of a reverse path check failure, as you have only an active route towards ISP1.

But you mentioned the packet reply is going towards ISP1? It should not happen.


The solution I can think of at this point is to create a default route towards 10.0.0.1 with high priority, so the reply traffic will take that route.

At the same time, your LAN to WAN traffic will prefer the existing ISP1 as it has less priority.
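The routing change suggested above, written out as FortiOS CLI for the root VDOM. This is an added illustration, not configuration posted in the thread or taken from Fortinet documentation; the interface names (wan1, vlink0), the ISP1 gateway address and the priority values are assumptions.

```fortios
# Constructed example for the root VDOM (multi-VDOM global CLI context).
# Assumed: "wan1" is the ISP1 uplink; "vlink0" is the root side of the
# inter-VDOM link whose far end, in vdom-1, is 10.0.0.1.
config vdom
    edit root
        config router static
            # Existing default route via ISP1. Lower priority value wins,
            # so new LAN to WAN sessions keep using ISP1.
            edit 1
                set dst 0.0.0.0 0.0.0.0
                # ISP1 gateway: placeholder address, replace with the real one
                set gateway 203.0.113.1
                set device "wan1"
                set distance 10
                set priority 1
            next
            # Added default route via the inter-VDOM link. The same distance
            # keeps both routes in the routing table, so the reverse path
            # check passes for sessions that arrive from vdom-1 and their
            # replies go back over vlink0 instead of ISP1. The higher
            # priority value stops it from being picked for new outbound
            # sessions, which still prefer route 1.
            edit 2
                set dst 0.0.0.0 0.0.0.0
                set gateway 10.0.0.1
                set device "vlink0"
                set distance 10
                set priority 10
            next
        end
    next
end
```

After applying this, the output of the command the reply asks for (`get router info routing-table details 8.8.8.8` in the root VDOM) should list both default routes, with the wan1 route still selected for forwarding.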