config firewall vip
    edit "VIP_SMTP"
        set extip 172.31.224.58
        set extintf "wan2"
        set mappedip 10.160.0.10
    next
end
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
    next
    edit 3
        set srcintf "wan2"
        set dstintf "dmz1"
        set srcaddr "all"
        set dstaddr "VIP_SMTP"
        set action accept
        set schedule "always"
        set service "ANY"
    next
    edit 4
        set srcintf "internal"
        set dstintf "wan2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
    next
    edit 7
        set srcintf "dmz1"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "SMTP"
    next
    edit 5
        set srcintf "dmz1"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
    next
    edit 6
        set srcintf "dmz1"
        set dstintf "wan2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
    next
end
config router static
    edit 1
        set device "wan1"
        set gateway 192.168.183.254
    next
    edit 2
        set device "wan2"
        set gateway 172.31.225.254
        set priority 10
    next
end
config router policy
    edit 1
        set input-device "dmz1"
        set protocol 6
        set start-port 25
        set end-port 25
        set output-device "wan2"
    next
end
Verification condition when wan1 and wan2 are up
S*      0.0.0.0/0 [10/0] via 172.31.225.254, wan2, [10/50]
                  [10/0] via 192.168.183.254, wan1
C       10.140.0.0/23 is directly connected, internal
C       10.160.0.0/23 is directly connected, dmz1
C       172.31.224.0/23 is directly connected, wan2
C       192.168.182.0/23 is directly connected, wan1
12.229670 dmz1 in 10.160.0.10.1407 -> 10.1.1.1.25: syn 3277362429
12.230192 wan2 out 172.31.224.58.1407 -> 10.1.1.1.25: syn 3277362429
15.202517 dmz1 in 10.160.0.10.1407 -> 10.1.1.1.25: syn 3277362429
15.202565 wan2 out 172.31.224.58.1407 -> 10.1.1.1.25: syn 3277362429
21.127111 dmz1 in 10.160.0.10.1407 -> 10.1.1.1.25: syn 3277362429
21.127170 wan2 out 172.31.224.58.1407 -> 10.1.1.1.25: syn 3277362429
6.100873 dmz1 in 10.160.0.10.1417 -> x.2.2.2.53: udp 41
6.100986 wan1 out 192.168.182.106.59661 -> x.2.2.2.53: udp 41
6.263140 wan1 in x.2.2.2.53 -> 192.168.182.106.59661: udp 100
6.263200 dmz1 out x.2.2.2.53 -> 10.160.0.10.1417: udp 100
96.824258 dmz1 in 10.160.0.10.1410 -> x.70.202.225.80: psh 8827644 ack 2365598618
96.824319 wan1 out 192.168.182.106.60166 -> x.70.202.225.80: psh 8827644 ack 2365598618
FAILOVER TEST 1: WAN1 DOWN
S*      0.0.0.0/0 [10/0] via 172.31.225.254, wan2, [10/50]
C       10.140.0.0/23 is directly connected, internal
C       10.160.0.0/23 is directly connected, dmz1
C       172.31.224.0/23 is directly connected, wan2
12.652540 dmz1 in 10.160.0.10.1422 -> 10.1.1.1.25: syn 3775067211
12.652705 wan2 out 172.31.224.58.1422 -> 10.1.1.1.25: syn 3775067211
36.183922 dmz1 in 10.160.0.10.1423 -> x.2.2.2.53: udp 41
36.184095 wan2 out 172.31.224.58.1423 -> x.2.2.2.53: udp 41
40.397406 dmz1 in 10.160.0.10.1425 -> x.70.202.225.80: syn 3025064714
40.397570 wan2 out 172.31.224.58.1425 -> x.70.202.225.80: syn 3025064714
43.029569 internal in 10.140.0.132 -> 10.1.1.1: icmp: echo request
43.029608 wan2 out 172.31.224.106 -> 10.1.1.1: icmp: echo request
FAILOVER TEST 2: WAN2 DOWN
S*      0.0.0.0/0 [10/0] via 192.168.183.254, wan1
C       10.140.0.0/23 is directly connected, internal
C       10.160.0.0/23 is directly connected, dmz1
C       192.168.182.0/23 is directly connected, wan1
2.835204 dmz1 in 10.160.0.10.1446 -> 10.1.1.1.25: syn 3777327276
8.166812 dmz1 in 10.160.0.10.1447 -> 10.1.1.1.25: syn 858679722
25.762376 dmz1 in 10.160.0.10.1436 -> x.2.2.2.53: udp 41
25.762535 wan1 out 192.168.182.106.36632 -> x.2.2.2.53: udp 41
35.876978 dmz1 in 10.160.0.10.1459 -> x.39.139.170.80: syn 3828525805
35.877144 wan1 out 192.168.182.106.54583 -> x.39.139.170.80: syn 3828525805
36.088958 wan1 in x.39.139.170.80 -> 192.168.182.106.54583: syn 1378868659 ack 3828525806
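As an added example (not part of the Fortinet article), a small Python checker for sniffer traces like the ones above: it parses each trace line, flags any TCP/25 packet that left on an interface other than wan2, and reports dmz1 SMTP packets that were never forwarded at all, which is what the WAN2 DOWN trace shows because policy route 1 only points at wan2 and policy 7 (no accept action, so the default deny applies) blocks SMTP from dmz1 to wan1. The trace format and the x.-masked addresses are assumed to be exactly as they appear on this page.

```python
import re
from dataclasses import dataclass

# One line of the sniffer traces quoted above: "<ts> <iface> <in|out> <src> -> <dst>: <info>"
PKT_RE = re.compile(r"^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
                    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+):\s+(?P<info>.*)$")

@dataclass
class Packet:
    ts: float
    iface: str
    direction: str
    dst: str
    dst_port: "int | None"   # None for ICMP, whose endpoints carry no port
    info: str                # "syn <seq>", "udp <len>", "icmp: echo request", ...

def split_endpoint(ep: str):
    """'10.1.1.1.25' -> ('10.1.1.1', 25); an ICMP endpoint '10.1.1.1' -> ('10.1.1.1', None)."""
    host, sep, last = ep.rpartition(".")
    if sep and host.count(".") == 3 and last.isdigit():
        return host, int(last)
    return ep, None

def parse_sniffer(text: str):
    pkts = []
    for line in text.splitlines():
        m = PKT_RE.match(line.strip())
        if m:  # header and blank lines do not match and are skipped
            dst, dport = split_endpoint(m["dst"])
            pkts.append(Packet(float(m["ts"]), m["iface"], m["dir"], dst, dport, m["info"]))
    return pkts

def audit_smtp_egress(pkts, mail_if="dmz1", smtp_wan="wan2", port=25):
    """Returns (leaked, dropped): TCP/25 packets sent out of any interface other than wan2,
    and dmz1 TCP/25 packets never forwarded at all (expected while wan2 is down)."""
    leaked = [p for p in pkts if p.direction == "out" and p.dst_port == port and p.iface != smtp_wan]
    dropped = []
    for p in pkts:
        if p.direction == "in" and p.iface == mail_if and p.dst_port == port:
            # The NATed copy keeps destination, TCP flags and sequence number, so match on those
            forwarded = any(q.direction == "out" and q.dst == p.dst and q.dst_port == port
                            and q.info == p.info and 0 <= q.ts - p.ts < 1.0 for q in pkts)
            if not forwarded:
                dropped.append(p)
    return leaked, dropped

# Constructed sample, built from the WAN2 DOWN trace above: the SMTP SYN has no matching "out"
WAN2_DOWN = """2.835204 dmz1 in 10.160.0.10.1446 -> 10.1.1.1.25: syn 3777327276
25.762535 wan1 out 192.168.182.106.36632 -> x.2.2.2.53: udp 41"""
```

Running `audit_smtp_egress(parse_sniffer(WAN2_DOWN))` gives no leaked packets and one dropped SMTP SYN; feeding it the "both WANs up" trace gives two empty lists.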
Copyright 2024 Fortinet, Inc. All Rights Reserved.