Description
This document describes why and how to use Policy Based Routing with a Static VIP (Virtual IP) in a dual WAN scenario.
Scope
Solution
Expectations, Requirements:
In the setup above, the expectations and requirements are:
Failover of SMTP services and VIP is not in the scope of this article. This can be achieved with a second MX record and/or with dynamic routing protocols. For this last option, see 'Static NAT VIP accessible from 2 external interfaces with E-BGP peerings' in the related articles at the bottom of this article.
Note that this could apply to other services than SMTP, like HTTP or HTTPS for example.
Configuration:
The CLI configuration given below shows only the parts relevant to this article. Note that policy 7 has no 'set action accept' line and is therefore a deny policy; it is listed above policy 5 so that SMTP from dmz1 towards wan1 hits the deny before the general accept.
config firewall vip
    edit "VIP_SMTP"
        set extip 172.31.224.58
        set extintf "wan2"
        set mappedip 10.160.0.10
    next
end
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
    next
    edit 3
        set srcintf "wan2"
        set dstintf "dmz1"
        set srcaddr "all"
        set dstaddr "VIP_SMTP"
        set action accept
        set schedule "always"
        set service "ANY"
    next
    edit 4
        set srcintf "internal"
        set dstintf "wan2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
    next
    edit 7
        set srcintf "dmz1"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "SMTP"
    next
    edit 5
        set srcintf "dmz1"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
    next
    edit 6
        set srcintf "dmz1"
        set dstintf "wan2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
    next
end
config router static
    edit 1
        set device "wan1"
        set gateway 192.168.183.254
    next
    edit 2
        set device "wan2"
        set gateway 172.31.225.254
        set priority 10
    next
end
config router policy
    edit 1
        set input-device "dmz1"
        set protocol 6
        set start-port 25
        set end-port 25
        set output-device "wan2"
    next
end
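To make the interaction between the policy route, the two default routes and the policy table easier to reason about, here is a small model of the forwarding decision the configuration above produces. This is an added example, not code from the Fortinet article: the lookup order (policy route, then static route by priority, then firewall policy in table order), the interface addresses taken from the sniffer traces and the way a down interface is handled are simplifying assumptions for the illustration; the addresses, interface names and policy numbers are the article's.

```python
# Added example (not from the Fortinet article): a model of the forwarding decision the
# article's configuration produces, so each scenario (both WANs up, wan1 down, wan2 down)
# can be predicted before looking at the sniffer traces. Lookup order, interface addresses
# and the handling of a down interface are simplifying assumptions for this illustration.

VIP_EXT = "172.31.224.58"      # extip of VIP_SMTP on wan2
MAPPED = "10.160.0.10"         # mappedip of VIP_SMTP (the SMTP server in dmz1)
IFACE_IP = {"wan1": "192.168.182.106", "wan2": "172.31.224.106"}  # as seen in the traces

# config router policy, edit 1: TCP/25 entering dmz1 is forced out wan2
POLICY_ROUTES = [{"input": "dmz1", "proto": 6, "port": 25, "output": "wan2"}]

# config router static: both defaults stay in the table; FortiOS prefers the lower
# priority value, so wan1 (default priority) wins over wan2 (priority 10) while both are up
STATIC_ROUTES = [{"device": "wan1", "priority": 0}, {"device": "wan2", "priority": 10}]

# config firewall policy, in the order the article lists it (first match wins).
# Policy 7 has no 'set action accept' line, so it is a deny policy.
FIREWALL_POLICIES = [
    {"id": 1, "src": "internal", "dst": "wan1", "service": "ANY",  "action": "accept", "nat": True},
    {"id": 3, "src": "wan2",     "dst": "dmz1", "service": "ANY",  "action": "accept", "nat": False},
    {"id": 4, "src": "internal", "dst": "wan2", "service": "ANY",  "action": "accept", "nat": True},
    {"id": 7, "src": "dmz1",     "dst": "wan1", "service": "SMTP", "action": "deny",   "nat": False},
    {"id": 5, "src": "dmz1",     "dst": "wan1", "service": "ANY",  "action": "accept", "nat": True},
    {"id": 6, "src": "dmz1",     "dst": "wan2", "service": "ANY",  "action": "accept", "nat": True},
]


def egress_interface(src_intf, proto, dport, up):
    """Policy route first (only if its output device is up), then the best static route that is up."""
    for pr in POLICY_ROUTES:
        if (pr["input"], pr["proto"], pr["port"]) == (src_intf, proto, dport) and pr["output"] in up:
            return pr["output"]
    live = sorted((r for r in STATIC_ROUTES if r["device"] in up), key=lambda r: r["priority"])
    return live[0]["device"] if live else None


def forward(src_intf, src_ip, proto, dport, up):
    """Return (egress_intf, nat_source_ip, decision, policy_id) for one new session."""
    out = egress_interface(src_intf, proto, dport, up)
    if out is None:
        return (None, None, "no-route", None)
    service = "SMTP" if (proto, dport) == (6, 25) else "other"
    for pol in FIREWALL_POLICIES:
        if pol["src"] == src_intf and pol["dst"] == out and pol["service"] in (service, "ANY"):
            if pol["action"] != "accept":
                return (out, None, "deny", pol["id"])
            nat_ip = None
            if pol["nat"]:
                # The VIP's mapped host leaving through the VIP's extintf is NATed to the VIP
                # address (as the traces show); everything else gets the egress interface IP.
                nat_ip = VIP_EXT if (src_ip == MAPPED and out == "wan2") else IFACE_IP[out]
            return (out, nat_ip, "accept", pol["id"])
    return (out, None, "deny", None)   # implicit deny at the end of the policy table


def run_scenarios():
    """The three situations the article verifies, as (egress, NAT source, decision, policy id)."""
    both = {"wan1", "wan2"}
    return {
        "both_up_smtp": forward("dmz1", MAPPED, 6, 25, both),
        "both_up_dns": forward("dmz1", MAPPED, 17, 53, both),
        "wan1_down_smtp": forward("dmz1", MAPPED, 6, 25, {"wan2"}),
        "wan1_down_http": forward("dmz1", MAPPED, 6, 80, {"wan2"}),
        "wan1_down_icmp_internal": forward("internal", "10.140.0.132", 1, None, {"wan2"}),
        "wan2_down_smtp": forward("dmz1", MAPPED, 6, 25, {"wan1"}),
        "wan2_down_http": forward("dmz1", MAPPED, 6, 80, {"wan1"}),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:24s} -> {result}")
```

Running it reproduces what the verification section of the article shows: with both links up, SMTP from the server leaves on wan2 with the VIP address while DNS and HTTP leave on wan1 via policy 5; with wan1 down everything leaves on wan2 via policy 6 (or policy 4 for hosts on internal); with wan2 down the policy route cannot be used, SMTP falls back to the wan1 default route and is denied by policy 7.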
Verification:
Verification condition when wan1 and wan2 are up:
The routing table must include both default routes. The default route over wan2 is primarily there so that ingress traffic to the VIP can be accepted and answered on wan2, and secondly to provide failover in case of wan1 failure.
FGT # get router info routing-table all
S* 0.0.0.0/0 [10/0] via 172.31.225.254, wan2, [10/50]
[10/0] via 192.168.183.254, wan1
C 10.140.0.0/23 is directly connected, internal
C 10.160.0.0/23 is directly connected, dmz1
C 172.31.224.0/23 is directly connected, wan2
C 192.168.182.0/23 is directly connected, wan1
FGT # diagnose sniffer packet any "host 10.160.0.10" 4
12.229670 dmz1 in 10.160.0.10.1407 -> 10.1.1.1.25: syn 3277362429
12.230192 wan2 out 172.31.224.58.1407 -> 10.1.1.1.25: syn 3277362429
15.202517 dmz1 in 10.160.0.10.1407 -> 10.1.1.1.25: syn 3277362429
15.202565 wan2 out 172.31.224.58.1407 -> 10.1.1.1.25: syn 3277362429
21.127111 dmz1 in 10.160.0.10.1407 -> 10.1.1.1.25: syn 3277362429
21.127170 wan2 out 172.31.224.58.1407 -> 10.1.1.1.25: syn 3277362429
FGT # diagnose sniffer packet any "host 10.160.0.10 or port 80 or port 53" 4
6.100873 dmz1 in 10.160.0.10.1417 -> x.2.2.2.53: udp 41
6.100986 wan1 out 192.168.182.106.59661 -> x.2.2.2.53: udp 41
6.263140 wan1 in x.2.2.2.53 -> 192.168.182.106.59661: udp 100
6.263200 dmz1 out x.2.2.2.53 -> 10.160.0.10.1417: udp 100
96.824258 dmz1 in 10.160.0.10.1410 -> x.70.202.225.80: psh 8827644 ack 2365598618
96.824319 wan1 out 192.168.182.106.60166 -> x.70.202.225.80: psh 8827644 ack 2365598618
Both traces above show that traffic with destination TCP port 25 sourced from 'dmz1' is sent on wan2, while all other traffic is sent on wan1.
It is important to note that the SMTP traffic is source NATed on wan2 with the VIP address 172.31.224.58.
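Checking traces like the ones above by eye is error-prone once there are more than a handful of sessions. The following checker, an added example that is not part of the Fortinet article, reads the verbosity-4 'diagnose sniffer packet' output, pairs each packet entering an inside interface with the packet that leaves for the same destination, and verifies that SMTP left on the policy-route interface and everything else on the default route, each with the expected NAT source. The pairing rule (the next 'out' line with the same destination belongs to the most recent 'in' line) is an assumption that holds for the article's traces; reply packets entering wan1 or wan2 are ignored. The sample lines are copied from the article's three traces, so the checker also shows the wan2-down case, where the SMTP sessions never egress because policy 7 blocks them.

```python
# Added example, not part of the Fortinet article: a checker for the verbosity-4
# 'diagnose sniffer packet' output shown in the article. Pairing rule (next 'out' line
# with the same destination belongs to the last 'in' line) is an assumption that holds
# for the article's traces; packets entering the WAN interfaces (replies) are ignored.
import re

ADDR = r"(?:\d+|x)(?:\.\d+){3}"     # 'x.' is the anonymised first octet used in the article
LINE_RE = re.compile(
    rf"^(?P<ts>\d+\.\d+)\s+(?P<intf>\S+)\s+(?P<dir>in|out)\s+"
    rf"(?P<src>{ADDR})(?:\.(?P<sport>\d+))?\s+->\s+"
    rf"(?P<dst>{ADDR})(?:\.(?P<dport>\d+))?:\s+(?P<info>.*)$"
)
VIP_EXT = "172.31.224.58"
MAPPED = "10.160.0.10"
IFACE_IP = {"wan1": "192.168.182.106", "wan2": "172.31.224.106"}   # as seen in the traces
INSIDE = {"dmz1", "internal"}

def parse_line(line):
    """Split one sniffer line into its fields; returns None for lines that are not packets."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pkt = m.groupdict()
    info = pkt["info"]
    pkt["proto"] = "udp" if info.startswith("udp") else "icmp" if info.startswith("icmp") else "tcp"
    pkt["dport"] = int(pkt["dport"]) if pkt["dport"] else None
    return pkt

def pair_flows(lines):
    """One record per packet entering an inside interface: where it left (if at all) and its NAT source."""
    flows, pending = [], None
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        if pkt["dir"] == "in":
            if pkt["intf"] not in INSIDE:
                continue                     # reply coming back from the WAN side
            if pending:
                flows.append(pending)        # previous 'in' never produced an 'out'
            pending = {"in_intf": pkt["intf"], "src": pkt["src"], "dst": pkt["dst"], "dport": pkt["dport"],
                       "proto": pkt["proto"], "out_intf": None, "nat_src": None}
        elif pending and (pkt["dst"], pkt["dport"]) == (pending["dst"], pending["dport"]):
            pending["out_intf"], pending["nat_src"] = pkt["intf"], pkt["src"]
            flows.append(pending)
            pending = None
    if pending:
        flows.append(pending)
    return flows

def verify(flows, smtp_egress, default_egress):
    """Return human-readable deviations from the expected egress interface and NAT source (empty = OK)."""
    problems = []
    for f in flows:
        is_smtp = f["proto"] == "tcp" and f["dport"] == 25
        want_intf = smtp_egress if is_smtp else default_egress
        where = f"{f['src']}->{f['dst']}:{f['dport']}"
        if f["out_intf"] is None:
            problems.append(f"{where} entered {f['in_intf']} but never egressed (dropped or blocked)")
            continue
        if f["out_intf"] != want_intf:
            problems.append(f"{where} left via {f['out_intf']}, expected {want_intf}")
        # The VIP's mapped host is NATed to the VIP address when it leaves on the VIP's
        # extintf (wan2); everything else is NATed to the egress interface address.
        want_src = VIP_EXT if (f["src"] == MAPPED and f["out_intf"] == "wan2") else IFACE_IP.get(f["out_intf"])
        if f["nat_src"] != want_src:
            problems.append(f"{where} NATed to {f['nat_src']}, expected {want_src}")
    return problems

# Sample lines copied from the article's traces (both WANs up, wan1 down, wan2 down).
BOTH_UP_TRACE = """\
12.229670 dmz1 in 10.160.0.10.1407 -> 10.1.1.1.25: syn 3277362429
12.230192 wan2 out 172.31.224.58.1407 -> 10.1.1.1.25: syn 3277362429
6.100873 dmz1 in 10.160.0.10.1417 -> x.2.2.2.53: udp 41
6.100986 wan1 out 192.168.182.106.59661 -> x.2.2.2.53: udp 41
6.263140 wan1 in x.2.2.2.53 -> 192.168.182.106.59661: udp 100
6.263200 dmz1 out x.2.2.2.53 -> 10.160.0.10.1417: udp 100
96.824258 dmz1 in 10.160.0.10.1410 -> x.70.202.225.80: psh 8827644 ack 2365598618
96.824319 wan1 out 192.168.182.106.60166 -> x.70.202.225.80: psh 8827644 ack 2365598618
""".splitlines()
WAN1_DOWN_TRACE = """\
12.652540 dmz1 in 10.160.0.10.1422 -> 10.1.1.1.25: syn 3775067211
12.652705 wan2 out 172.31.224.58.1422 -> 10.1.1.1.25: syn 3775067211
36.183922 dmz1 in 10.160.0.10.1423 -> x.2.2.2.53: udp 41
36.184095 wan2 out 172.31.224.58.1423 -> x.2.2.2.53: udp 41
43.029569 internal in 10.140.0.132 -> 10.1.1.1: icmp: echo request
43.029608 wan2 out 172.31.224.106 -> 10.1.1.1: icmp: echo request
""".splitlines()
WAN2_DOWN_TRACE = """\
2.835204 dmz1 in 10.160.0.10.1446 -> 10.1.1.1.25: syn 3777327276
8.166812 dmz1 in 10.160.0.10.1447 -> 10.1.1.1.25: syn 858679722
25.762376 dmz1 in 10.160.0.10.1436 -> x.2.2.2.53: udp 41
25.762535 wan1 out 192.168.182.106.36632 -> x.2.2.2.53: udp 41
""".splitlines()

if __name__ == "__main__":
    print("both up  :", verify(pair_flows(BOTH_UP_TRACE), "wan2", "wan1") or "OK")
    print("wan1 down:", verify(pair_flows(WAN1_DOWN_TRACE), "wan2", "wan2") or "OK")
    print("wan2 down:", verify(pair_flows(WAN2_DOWN_TRACE), "wan2", "wan1") or "OK")
```

The first two traces produce no findings; the wan2-down trace reports the two SMTP SYNs that entered dmz1 and never left, which is exactly the policy 7 block described in the second failover test. Feeding it a live capture saved with the same verbosity level is a quick regression check after any change to the policy routes or static route priorities.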
FAILOVER TEST 1: WAN1 DOWN.
FGT # get router info routing-table all
S* 0.0.0.0/0 [10/0] via 172.31.225.254, wan2, [10/50]
C 10.140.0.0/23 is directly connected, internal
C 10.160.0.0/23 is directly connected, dmz1
C 172.31.224.0/23 is directly connected, wan2
FGT # diagnose sniffer packet any "port 25 or port 80 or port 53 or icmp" 4
12.652540 dmz1 in 10.160.0.10.1422 -> 10.1.1.1.25: syn 3775067211
12.652705 wan2 out 172.31.224.58.1422 -> 10.1.1.1.25: syn 3775067211
36.183922 dmz1 in 10.160.0.10.1423 -> x.2.2.2.53: udp 41
36.184095 wan2 out 172.31.224.58.1423 -> x.2.2.2.53: udp 41
40.397406 dmz1 in 10.160.0.10.1425 -> x.70.202.225.80: syn 3025064714
40.397570 wan2 out 172.31.224.58.1425 -> x.70.202.225.80: syn 3025064714
43.029569 internal in 10.140.0.132 -> 10.1.1.1: icmp: echo request
43.029608 wan2 out 172.31.224.106 -> 10.1.1.1: icmp: echo request
See from above that ALL traffic is routed via wan2, and that:
FAILOVER TEST 2: WAN2 DOWN.
Note that in this scenario, the traffic destined to the SMTP server and normally ingressing wan2 must be re-routed via wan1. This routing backup consideration is not covered in this article.
FGT # get router info routing-table all
S* 0.0.0.0/0 [10/0] via 192.168.183.254, wan1
C 10.140.0.0/23 is directly connected, internal
C 10.160.0.0/23 is directly connected, dmz1
C 192.168.182.0/23 is directly connected, wan1
FGT # diagnose sniffer packet any "port 25 or port 80 or port 53" 4
2.835204 dmz1 in 10.160.0.10.1446 -> 10.1.1.1.25: syn 3777327276
8.166812 dmz1 in 10.160.0.10.1447 -> 10.1.1.1.25: syn 858679722
25.762376 dmz1 in 10.160.0.10.1436 -> x.2.2.2.53: udp 41
25.762535 wan1 out 192.168.182.106.36632 -> x.2.2.2.53: udp 41
35.876978 dmz1 in 10.160.0.10.1459 -> x.39.139.170.80: syn 3828525805
35.877144 wan1 out 192.168.182.106.54583 -> x.39.139.170.80: syn 3828525805
36.088958 wan1 in x.39.139.170.80 -> 192.168.182.106.54583: syn 1378868659 ack 3828525806
See from above that ALL traffic is routed via wan1, except SMTP which is blocked by Firewall Policy 7:
Related articles:
Copyright 2025 Fortinet, Inc. All Rights Reserved.