FortiGate
shahv
Staff
Article Id 189738

Description


This article explains how to avoid source NAT with the wrong address when an SD-WAN has a separate IP pool (NAT pool) for each WAN member, by associating each IP pool with its corresponding physical interface.

 

Scope

 

FortiGate.

 

Solution

 

If two IP pools are configured on a single firewall policy, the FortiGate uses only the first IP pool in the list, whichever SD-WAN member the session leaves through. This causes connectivity issues on WAN2: traffic exiting interface WAN2 is translated to the WAN1 pool address, so the upstream provider on WAN2 sees a source address that does not belong to that link and return traffic never comes back.

 

Sample Case: 

IP Assignment: 

WAN1 IP Pool: 10.47.4.104

WAN2 IP Pool: 10.47.20.104

 

Sniffer output while running a ping test to 4.2.2.2 from the LAN, with port2 (WAN2) as the outgoing interface:

 

(Figure: Sniffer.jpg, sniffer output of the ping test)

 

The ping test failed: the packets exited WAN2 but carried the source address from the WAN1 IP pool.


Create both IP pool objects at Policy & Objects -> IP Pools.

Add these two IP pools to the firewall policy that gives users access to the Internet via the SD-WAN:

 

  • Go to Policy & Objects -> IPv4 Policy
  • Create or edit the corresponding policy and in the Firewall/Network Options enable the NAT option.
  • In the IP Pool Configuration, select 'Use Dynamic IP Pool' and add the two IP Pools created previously.



The final step is available via CLI only. To associate each IP pool used in the firewall policy with its corresponding physical interface, open a CLI session and enter the following (with the FortiGate then using a pool only for sessions that leave through its associated interface):

 

config firewall ippool
    edit <IP_Pool_1>
        set associated-interface <portX>
    next
    edit <IP_Pool_2>
        set associated-interface <portY>
    next
end
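As an added worked example for the sample case above (this is not configuration from the original article), the complete set of objects: both pools with their associated interfaces, the SD-WAN policy that references both pools, and the commands to verify the result. The pool names WAN1-POOL and WAN2-POOL, the interface names port1 (WAN1) and port3 (LAN), the policy ID 10 and the SD-WAN interface name virtual-wan-link are assumptions; the article itself only names port2 as WAN2 and gives the two pool addresses.

```fortios
# Assumed naming (not from the article): port1 = WAN1, port2 = WAN2,
# port3 = LAN, pools WAN1-POOL / WAN2-POOL, SD-WAN interface virtual-wan-link.

# One overload pool per WAN member, each tied to its egress interface.
config firewall ippool
    edit "WAN1-POOL"
        set type overload
        set startip 10.47.4.104
        set endip 10.47.4.104
        set associated-interface "port1"
    next
    edit "WAN2-POOL"
        set type overload
        set startip 10.47.20.104
        set endip 10.47.20.104
        set associated-interface "port2"
    next
end

# The Internet policy references both pools; the associated-interface
# setting above decides which one a session actually uses.
config firewall policy
    edit 10
        set name "LAN-to-Internet-SDWAN"
        set srcintf "port3"
        set dstintf "virtual-wan-link"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "WAN1-POOL" "WAN2-POOL"
    next
end

# Verification: repeat the ping to 4.2.2.2 from a LAN host.
# Verbose level 4 prints the interface name with each packet, so the
# egress interface and the translated source address can be compared.
diagnose sniffer packet any 'host 4.2.2.2 and icmp' 4 10 l

# Check the session table: the "hook=post dir=org act=snat" line of a
# session leaving port2 must show the WAN2 pool address 10.47.20.104.
diagnose sys session filter dst 4.2.2.2
diagnose sys session list
```

Without the two associated-interface lines, every session under policy 10 is translated to 10.47.4.104 regardless of which SD-WAN member it leaves through, which is exactly the failure captured in the sniffer output above. With them, a session steered out port2 is translated to 10.47.20.104 and the reply comes back on WAN2.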