FortiGate
JavierM_CL
Staff
Article Id 335733
Description

This article describes how to deploy two or more WAN links when the WAN subnets share the same gateway address because they come from the same Service Provider (for example, Starlink with two antennas), or when two Service Providers assign the same WAN IP address (for example, the FortiGate sits behind 192.168.1.0/24 on both WANs). In a single routing table these links would collide, since two identical subnets and two identical next hops cannot coexist.

 

This approach places each WAN link in its own VRF, so that the overlapping WAN subnets and gateways never meet in one routing table. This example uses three VRFs: VRF 1 and VRF 2 for the two WAN links and VRF 0 for the LAN. Finally, SD-WAN is built on top of the inter-VRF links so that both WANs are available to LAN traffic.

Scope

Scenarios Covered:

 

(figure: Scenarios covered.png)

Solution

(figure: Multi-VRF-DIA.png)

 

  1. Configure one WAN VRF per link, plus one main VRF for LAN connectivity (VRF 0 can be used).

 

In Network -> Interfaces, assign wan1 to VRF 1 and wan2 to VRF 2, and leave the LAN interface in VRF 0. Do this before creating routes or policies that reference the WAN interfaces: a static route has no VRF setting of its own, it lands in the VRF of its outgoing interface, so the default route of each provider (learned by DHCP or configured statically on wan1/wan2) ends up in VRF 1 or VRF 2 automatically.

 

  2. Create the two inter-VDOM links, one per WAN VRF. Follow the Technical Tip: VRFs route leaking. Both ends of each link stay in the root VDOM; what differs is the VRF: end 0 is placed in the WAN VRF and end 1 in VRF 0, so each link is the only path between a WAN VRF and the LAN VRF.

 

In this example, use:

 

VDOM-LINK1: vdl-SP1-

Interface0: vdl-SP1-0
                Virtual Domain: root
                vrf: 1
                IP netmask: 10.10.10.1/30

Interface1: vdl-SP1-1
                Virtual Domain: root
                vrf: 0
                IP netmask: 10.10.10.2/30

VDOM-LINK2: vdl-SP2-

Interface0: vdl-SP2-0
                Virtual Domain: root
                vrf: 2
                IP netmask: 10.10.10.5/30

Interface1: vdl-SP2-1
                Virtual Domain: root
                vrf: 0
                IP netmask: 10.10.10.6/30

 

  3. Configure static routes between the VRFs.
    Go to Network -> Static Routes -> Create New:
    1. Two default routes in VRF 0: one via vdl-SP1-1 (gateway 10.10.10.1) and one via vdl-SP2-1 (gateway 10.10.10.5). These send LAN traffic into the WAN VRFs.
    2. Two routes for the LAN subnet: one via vdl-SP1-0 (gateway 10.10.10.2, so it lands in VRF 1) and one via vdl-SP2-0 (gateway 10.10.10.6, VRF 2). Without them VRF 1 and VRF 2 have no path back to the LAN, so the reverse-path check on traffic arriving from the VDOM link fails and replies un-NATed on wan1/wan2 cannot be forwarded.
    The default routes of VRF 1 and VRF 2 themselves point out wan1 and wan2 toward the provider gateway; they are installed by DHCP or must be added as static routes on those interfaces.

  4. Configure the firewall policies.
    Policy & Objects -> Firewall Policy -> Create New

Firewall policies are not VRF-aware: a policy matches on interfaces only, and the separation between the WAN VRFs is enforced by routing. Source NAT is done once, on the WAN side, so the two LAN-side policies keep NAT disabled.

-policy:

Name: lanVRF-outbound

Incoming interface: lan

Outgoing interface: vdl-SP1-1, vdl-SP2-1

Source, Destination: all (in production, narrow the source to the LAN subnet object)

Service: ALL

NAT: disabled

-policy:

Name: lanVRF-inbound

Incoming interface: vdl-SP1-1, vdl-SP2-1

Outgoing interface: lan

Source, Destination: all

Service: ALL

NAT: disabled

Note: replies to LAN-initiated sessions are matched against the existing session and need no policy. This policy only matters for sessions initiated from the WAN side (for example, toward a VIP); for outbound-only Internet access it can be omitted, and if it is kept it should be restricted to the published services rather than all/all.

-policy:

Name: NatInternet

Incoming interface: vdl-SP1-0, vdl-SP2-0

Outgoing interface: wan1, wan2

Source, Destination: all

Service: ALL

NAT: enabled

Traffic entering on vdl-SP1-0 is routed in VRF 1 and can only leave through wan1, and traffic entering on vdl-SP2-0 only through wan2, so listing both WAN interfaces in one policy does not let a provider's traffic cross to the other link.
 

  5. Configure SD-WAN to use both links with the desired SD-WAN strategy. Refer to: Technical Tip: Configuring SD-WAN.

In this example, vdl-SP1-1 and vdl-SP2-1 (the VRF 0 ends of the VDOM links) are the SD-WAN members, with gateways 10.10.10.1 and 10.10.10.5 respectively. Health-check probes sent through a member enter the corresponding WAN VRF and leave through that provider only, so each probe measures one link. Because an interface that is already referenced by a firewall policy or static route cannot be added as an SD-WAN member, in practice add the members first and then create the routes and policies of steps 3 and 4, referencing the SD-WAN zone rather than the two member interfaces.
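The whole procedure as a FortiOS CLI configuration. This is an added example written for this article, not the article's own configuration or a Fortinet reference, and it makes these assumptions: the LAN subnet is 192.168.10.0/24, the health-check target is 1.1.1.1, wan1 and wan2 keep whatever addressing the providers give them (DHCP in the Starlink case, where the provider default route is installed in the interface's VRF), the lan interface stays at its default VRF 0, and the release is FortiOS 7.x, where config system sdwan and set sdwan-zone exist. The SD-WAN members are created before the static routes and policies, since a member interface must not already be referenced by either; one default route via the SD-WAN zone replaces the two per-member default routes of step 3; the lanVRF-outbound policy references the zone instead of the two member interfaces; and the lanVRF-inbound policy is omitted. Lines beginning with # are annotations for the reader.

```text
# Step 1: one VRF per WAN link; lan is left at VRF 0 (LAN subnet 192.168.10.0/24 is assumed)
config system interface
    edit "wan1"
        set vrf 1
    next
    edit "wan2"
        set vrf 2
    next
end
# Step 2: one VDOM link per WAN VRF, both ends in root; end "-0" sits in the WAN VRF, end "-1" in VRF 0
config system vdom-link
    edit "vdl-SP1-"
        set type ethernet
    next
    edit "vdl-SP2-"
        set type ethernet
    next
end
config system interface
    edit "vdl-SP1-0"
        set vrf 1
        set ip 10.10.10.1 255.255.255.252
    next
    edit "vdl-SP1-1"
        set vrf 0
        set ip 10.10.10.2 255.255.255.252
    next
    edit "vdl-SP2-0"
        set vrf 2
        set ip 10.10.10.5 255.255.255.252
    next
    edit "vdl-SP2-1"
        set vrf 0
        set ip 10.10.10.6 255.255.255.252
    next
end
# Step 5 before 3 and 4: a member interface must not yet be referenced by a route or a policy
config system sdwan
    set status enable
    config members
        edit 1
            set interface "vdl-SP1-1"
            set gateway 10.10.10.1
        next
        edit 2
            set interface "vdl-SP2-1"
            set gateway 10.10.10.5
        next
    end
    config health-check
        edit "dia-probe"
            set server "1.1.1.1"
            set members 1 2
        next
    end
end
# Step 3: a route's VRF follows its device; one default via the zone covers both members in VRF 0
config router static
    edit 1
        set sdwan-zone "virtual-wan-link"
    next
    edit 2
        set dst 192.168.10.0 255.255.255.0
        set gateway 10.10.10.2
        set device "vdl-SP1-0"
    next
    edit 3
        set dst 192.168.10.0 255.255.255.0
        set gateway 10.10.10.6
        set device "vdl-SP2-0"
    next
end
# Step 4: policies are not VRF-aware, routing enforces the split; source NAT only at the WAN side
config firewall policy
    edit 1
        set name "lanVRF-outbound"
        set srcintf "lan"
        set dstintf "virtual-wan-link"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
    edit 2
        set name "NatInternet"
        set srcintf "vdl-SP1-0" "vdl-SP2-0"
        set dstintf "wan1" "wan2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

No SD-WAN rule is configured here, so the strategy chosen in step 5 still has to be added under config service; until then the implicit rule load-balances across members that the health check reports alive, and the health check's update-static-route option (enabled by default) withdraws a dead member's next hop from the VRF 0 default route. If wan1 or wan2 is statically addressed, also add under config router static a default route with set device "wan1" (or "wan2") and the provider gateway; it lands in VRF 1 or VRF 2 because the route's VRF follows its device. The lanVRF-inbound policy is left out because replies to LAN-initiated sessions follow the existing session; add it, restricted to the published services, only if something behind the LAN must be reachable from the WAN side.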

  6. Test.
    1. From a host on the internal network, test connectivity to the Internet.
    2. Verify the policy hit counters: each new connection should hit lanVRF-outbound once (into VRF 0's VDOM-link end) and NatInternet once (out of the WAN).
    3. Verify the SD-WAN health checks report both members alive, and check that each VRF's routing table holds the routes from step 3.
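Verification commands for the test step, as an added example that is not part of the article; 192.168.10.50 is an assumed LAN test host, 192.168.10.0/24 an assumed LAN subnet, and dia-probe an assumed health-check name. Lines beginning with # are annotations.

```text
# Routing: VRF 0 should list the default route with two next hops (10.10.10.1 via vdl-SP1-1, 10.10.10.5 via vdl-SP2-1);
# VRF 1 and VRF 2 should each list the provider default via wan1/wan2 and 192.168.10.0/24 via vdl-SP1-0/vdl-SP2-0
get router info routing-table all

# SD-WAN: both members should be alive, with latency, jitter and packet-loss figures from the probe
diagnose sys sdwan member
diagnose sys sdwan health-check status

# Flow trace for one LAN host: expect a match on lanVRF-outbound leaving vdl-SP1-1 or vdl-SP2-1,
# then a second match on NatInternet leaving wan1/wan2 with the source translated to the WAN address
diagnose debug flow filter saddr 192.168.10.50
diagnose debug flow show function-name enable
diagnose debug flow trace start 10
diagnose debug enable
# (generate traffic from 192.168.10.50 now, then stop tracing)
diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear

# Sessions: every connection appears twice, once lan -> vdl-SPx-1 without NAT and once vdl-SPx-0 -> wanx with SNAT
diagnose sys session filter src 192.168.10.50
diagnose sys session list
diagnose sys session filter clear
```

If the flow trace shows the first hop accepted but nothing on the second, the LAN subnet route in the WAN VRF (step 3) is the usual culprit: the reverse-path check in VRF 1 or VRF 2 drops the packet arriving from vdl-SPx-0 because that VRF has no route back to 192.168.10.0/24.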