FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
This article describes how to configure VIP on secondary PPPoE WAN interface.
Design example:
Primary WAN interface with a default route, admin distance of 10, and priority 1.
Secondary PPPoE WAN interface for redundancy, with admin distance of 50 and no set priority, defaultgw enabled.
Requirement:
Configure VIP to use the PPPoE interface.
Problem:
Inbound traffic matching the VIP is getting dropped, debug flow shows 'reverse path check failed, drop'.
Scope
FortiGate.
Solution
Set the PPPoE interface distance similar to the primary WAN interface default route admin distance, and set the PPPoE interface priority to a higher priority than the primary WAN default route priority.
Do not configure an additional default route via the PPPoE interface with a similar distance and higher priority than the WAN interface.
Example:
Primary WAN default route config.
# config router static
edit 1
set device wan1
set distance 10
set priority 1
end
PPPoE interface config:
# config system interface
edit <pppoe-interface>
set distance 10
set priority 20
set defaultgw enable
end
The PPPoE default route in the FortiGate routing table should be available, with a higher priority value which means will be less preferred than the WAN1 interface.
# get router info routing all
Verify if the PPPoE interface is configured in the VIP and add the VIP to the firewall policy then retest.
