Technical Tip: Configuring Dual Internet Links (Design Considerations)

There are two separate considerations when using two Internet uplinks: Link Redundancy and Load Sharing.

These two features can be combined or implemented separately.

All FortiOS.

Check also the related article:

Technical Note : Configuring link redundancy - traffic load-balancing - ECMP (Equal Cost Multiple Pa...

In each scenario, it is necessary to configure the appropriate firewall policies between the interfaces in question to allow the traffic - this document focuses on the routing issues.

Design Scenario #1: Link Redundancy (only).

If Internet access is no longer available on one link, it is necessary that traffic uses the other link.

Routing.
One default route is needed for each interface.

Indicate which route is preferable by specifying the distance - the lower distance route is declared active and placed in the routing table.

Determining whether link is down (ping servers).
Define the ping server - this is a device that will respond to ping thereby indicating whether that link is up.

It is usually recommended that is using the next hop / gateway device as the ping server.

Define the ping server under System -> Network -> Edit Interface.

Firewall policies.
It is is necessary to define duplicate firewall policies to ensure that after traffic fails over, it is permitted through the firewall. For example, Internal -> WAN1 & Internal -> WAN2.

Design Scenario #2: Load Sharing (only).

Use of both Internet links simultaneously but do not have any requirements for failing traffic over in the event of link failure.

What is the minimum needed as far as routing is concerned?

- one default route for the primary link

- direct other traffic over the other link using specific static routes.

For more information, see the article Load sharing between two WAN interfaces.

Design Scenario #3: Link Redundancy and Load Sharing.

While both links are available, distribute the Internet traffic over both links.

In the event that a link fails, send all traffic over the active link.

Use default routes with equal distance.

This is similar to scenario #1, except that both default routes must have equal distance.

The end result is that both routes will remain in the active routing table and and can be viewed in the Routing Monitor (see GUI).

The presence of both routes is needed to satisfy reverse path lookup (anti-spoofing feature).

Set the distance:

- when defining the static route.

Or.

- For interfaces acquiring IP dynamically (DHCP or PPPoE), it is possoble to set the distance for the interface System -> Network -> Interface and configure the following:

- Check 'retrieve gateway' (adds default route automatically).

- Enter value in distance field.

To guarantee that 1 link is always preferred:

Use a default policy route to indicate which interface is the preferred interface for accessing the Internet.

** Warning -- Configure this with care! **

If a policy route matches traffic, this policy route overrides all entries in the routing table including connected routes.

Consequently, it is maybe necessary to add specific policy routes that override these default policy routes.

The policy routing table will be read top to bottom.

To redirect traffic over the secondary link:

To make use of the secondary link, it is necessary to use policy routes to direct some of the traffic onto it rather than onto the primary link.

When defining the policy route, it is best to only define the outgoing interface and leave the gateway blank. Leaving the gateway field blank ensures that the policy route will not be active when the link is down (it is affected by the ping server status).

Special Cases.

1) Monitoring both WAN interfaces simultaneously.

To be able to ping both WAN interfaces in order to demonstrate that the links are up, it is necessary  to set the distance on both default routes to be the same.

Note.

This is the same requirement as for Design Scenario #3.

2. Routing of traffic directed at VIPs.
Sessions associated with VIPs are handled in a special way.

Case Scenario #1 (VIP on non-default interface):
Let say that there is a FortiGate-60, and the default gateway is pointing to WAN 1 but there is a VIP on WAN 2 that points to the web server in the DMZ.

In this case, it is not necessary to create an additional static route or policy route for this VIP because a route cache entry is made which tells the FortiGate unit which interface it should use on the return path.

Case Scenario #2 (Redundancy VIPs).
If there are redundant VIPs defined on each of the WAN interfaces (WAN1 and WAN2 in the case of a FortiGate-60):

- inbound sessions will be handled as discussed in case scenario #1.

- Outbound sessions (initiated by the server) will have the server IP modified according to one of the 2 VIPs -- which VIP is selected depends on which interface has the preferred default route.

Conclusion.

(redundant VIPs): make sure a policy route directs the server traffic out the desired interface.