FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
mkirollos
Staff
Staff
Description

This article describes how to configure VIP on secondary PPPoE WAN interface.

 

Design example:

Primary WAN interface with a default route, admin distance of 10, and priority 1.

Secondary PPPoE WAN interface for redundancy, with admin distance of 50 and no set priority, defaultgw enabled.

 

Requirement:

Configure VIP to use the PPPoE interface.

 

Problem:

Inbound traffic matching the VIP is getting dropped, debug flow shows 'reverse path check failed, drop'.

Scope FortiGate.
Solution

Set the PPPoE interface distance similar to the primary WAN interface default route admin distance, and set the PPPoE interface priority to a higher priority than the primary WAN default route priority.

 

Do not configure an additional default route via the PPPoE interface with a similar distance and higher priority than the WAN interface.

 

Example:

Primary WAN default route config.

 

# config router static

    edit 1

        set device wan1

        set distance 10

        set priority 1

    end

 

PPPoE interface config:

 

# config system interface

    edit <pppoe-interface>

        set distance 10

        set priority 20

        set defaultgw enable

    end

 

The PPPoE default route in the FortiGate routing table should be available, with a higher priority value which means will be less preferred than the WAN1 interface.

 

# get router info routing all

 

Verify if the PPPoE interface is configured in the VIP and add the VIP to the firewall policy then retest.

Contributors