Description
If there are multiple separate default routes, e.g., a Default route to SD-WAN interfaces and default routes via separate WAN interfaces (interface mode set as DHCP) that are not part of SD-WAN, FIB lookup will take place, and there is a possibility that traffic goes outbound via a non-SD-WAN interface.
In such a case, sdwan rules (proute) do not match/not take preference over the routing table.
FIB lookup takes place, which is pushing the traffic out of a non-SD-WAN interface.
This behavior can be observed when WAN interfaces part of SD-WAN are not present.
Enable ‘set default enable’ and ‘set gateway enable’ under sdwan rules to avoid FIB lookup and ensure that sdwan rule matches and is preferred for the traffic.
This article describes how to configure this feature.
Scope
FortiGate.
Solution
Interface configuration.
config system interface
edit "wan"
set vdom "root"
set mode dhcp <- Configured as DHCP, so the default route would be pushed.
set allowaccess ping fgfm
set type physical
set role wan
set snmp-index 1
next
edit "wwan"
set vdom "root"
set mode dhcp <- Configured as dhcp so default route would be pushed.
set allowaccess ping fgfm
set type physical
set snmp-index 2
next
SD-WAN configuration.
WAN interfaces are not a part of SD-WAN:
config system virtual-wan-link
set status enable
config members
edit 1
set interface "HUB-X-1_0"
set gateway 172.16.1.1
next
edit 2
set interface "HUB-X-2_0"
set gateway 172.17.1.1
next
edit 5
set interface "HUB-Y-1_0"
set gateway 172.16.2.1
next
edit 6
set interface "HUB-Y-2_0"
set gateway 172.17.2.1
next
end
SD-WAN rule:
config service
edit 1
set name "Web-server"
set mode sla
set dst "172.100.0.1"
set src "192.168.0.0/16"
set default enable <----- Set default set to enable.
set gateway enable <----- Set gateway set to enable.
set priority-members 5 1 6 2
next
Static route:
config router static
edit 1
set distance 5
set virtual-wan-link enable
next
end
Routing table:
S 0.0.0.0/0 [5/0] via 172.16.1.1, HUB-X-1_0 active sdwan routes
[5/0] via 172.17.1.1, HUB-X-2_0 active
[5/0] via 172.16.2.1, HUB-Y-1_0 active
[5/0] via 172.17.2.1, HUB-Y-2_0 active
[5/0] via 1.1.1.1, wan active wan interface routes
[5/0] via 2.2.2.2, wwan active
In the above configuration, there are 6 default routes for traffic:
- 4 via SD-WAN.
- 2 via DHCP WAN interfaces.
SD-WAN rule settings:
set default disable and set gateway disable:
By default, in the sdwan rules, ‘set default disable and set gateway disable’ are configured.
Multiple default routes are present as per the above configuration, where the WAN interfaces are not part of the SD-WAN, the FIB lookup takes place, and it is not guaranteed that the traffic is forwarded via the sdwan member configured in the rule.
The traffic is matching the FIB and uses an outbound interface accordingly.
In case all interfaces are present with a default route as the sdwan member, the interface that is configured in the sdwan rule is used after the FIB lookup.
Set default enable and set gateway enable:
With ‘set default enable’ and ‘set gateway enable’ as per the above config, where the WAN interfaces are not part of the SD-WAN, the traffic is skipping the FIB lookup and is forwarded to the SD-WAN member configured in the rule.
If all interfaces are present with a default route as the SD-WAN member, the interface that is configured in the SD-WAN rule is used, as no FIB lookup is done.
Related document:
