Created on 02-20-2015 01:37 PM
Edited on 12-08-2024 09:48 PM
By Anthony_E
Description
This article shows how to configure multiple Internet connections without load balancing.
The interfaces are set for failover using a link-monitor.
Scope
FortiGate.
Solution
This example assumes that both Internet connections are configured with static IP addresses and that there are two default routes configured as static routes. The secondary WAN link is a standby link and takes over once the primary WAN link goes down. If the addressing mode on one of the WAN interfaces is DHCP, refer to the end of the document.
wan1: 10.5.21.50.
wan2: 10.5.53.50.
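Set the IP addresses under System -> Network -> Interfaces. The 'https' entry in allowaccess opens the administrative GUI on these Internet-facing interfaces; keep it only if remote management over the WAN is required.
config system interface
edit "wan1"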
set vdom "root"
set ip 10.5.21.50 255.255.240.0
set allowaccess ping https
set type physical
next
edit "wan2"
set vdom "root"
set ip 10.5.53.50 255.255.240.0
set allowaccess ping https
set type physical
end
Create two default routes:
For redundant Internet connections, both default static routes have to be active in the routing table.
To achieve this, set the same distance on both routes.
If wan1 is to be the primary (active) link, set the lowest priority value on that link and the highest priority value on the other WAN interface.
The route with the lowest priority value is preferred.
Example:
wan1 has a distance of 10 and a priority of 1.
wan2 has a distance of 10 and a priority of 10.
Here wan1 is the selected route, as it has the lower priority value compared to wan2.
So, all traffic is handled by wan1. If wan1 goes down, the traffic shifts to wan2.
To configure these routes in the GUI, go to Network -> Static Routes and create two default routes.
Then add both WAN interfaces to one policy as shown below:
The following link-monitor configuration pings a server of choice. If the FortiGate stops receiving replies at the set rate, it pulls the static route from the routing table and the secondary connection is used.
config system link-monitor
edit Wan1Failover
set srcintf port1 <----- Specify the port used for the WAN1 link.
set server 8.8.8.8
set protocol ping
set gateway-ip 10.5.31.254
set source-ip 0.0.0.0
set interval 5
set probe-timeout 500
set failtime 5
set recoverytime 5
set ha-priority 1
set update-cascade-interface enable
set update-static-route enable
set status enable
next
edit Wan2Failover
set srcintf port2 <----- Specify the port used for WAN2 link
set server 4.2.2.2
set protocol ping
set gateway-ip 10.5.63.254
set source-ip 0.0.0.0
set interval 5
set probe-timeout 500
set failtime 5
set recoverytime 5
set ha-priority 1
set update-cascade-interface enable
set update-static-route enable
set status enable
end
Note:
In v6.2 and above, 'interval' is a value in milliseconds between 500 and 3600000. In v6.0, the value is in seconds, between 1 and 3600.
Check the link-monitor status via the CLI with:
diagnose sys link-monitor status
Link Monitor: 0, Status: alive, Server num(1), Flags=0x1 init, Create time: Fri Feb 12 01:52:09 2021
Source interface: port1 (3)
Source IP: 10.10.0.21
Interval: 500 ms
Peer: 8.8.8.8(8.8.8.8)
Source IP(10.5.21.50)
Route: 10.5.21.50 ->8.8.8.8/32, gwy(10.5.31.254)
protocol: ping, state: alive
Latency(Min/Max/Avg): 5.334/5.543/5.450 ms
Jitter(Min/Max/Avg): 0.002/0.122/0.050
Packet lost: 0.000%
Number of out-of-sequence packets: 0
Fail Times(0/5)
Packet sent: 104, received: 104, Sequence(sent/rcvd/exp): 105/105/106
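A monitoring script can read this output to alert on a failing link. The following added example (not from the original article) parses the fields shown in the sample above; the function names are hypothetical, and the failure sample and its 'dead' status token are constructed assumptions.

```python
import re

# Abridged from the article's sample output of `diagnose sys link-monitor status`.
ALIVE = """Link Monitor: 0, Status: alive, Server num(1), Flags=0x1 init
Source interface: port1 (3)
Peer: 8.8.8.8(8.8.8.8)
protocol: ping, state: alive
Packet lost: 0.000%
Fail Times(0/5)
"""
# Constructed failure case; the non-alive status token is an assumption.
DOWN = ALIVE.replace("alive", "dead").replace("0.000%", "100.000%").replace("(0/5)", "(5/5)")

FIELDS = {
    "srcintf": (r"Source interface: (\S+)", str),
    "peer": (r"Peer: ([^(\s]+)", str),
    "state": (r"protocol: \w+, state: (\w+)", str),
    "loss_pct": (r"Packet lost: ([\d.]+)%", float),
    "fails": (r"Fail Times\((\d+)/\d+\)", int),
}

def parse_link_monitors(text):
    """Split the output into one dict per 'Link Monitor:' block."""
    monitors = []
    for line in map(str.strip, text.splitlines()):
        head = re.match(r"Link Monitor: ([^,]+), Status: (\w+)", line)
        if head:
            monitors.append({"name": head[1], "status": head[2]})
            continue
        for key, (pattern, cast) in FIELDS.items():
            m = re.match(pattern, line)
            if m and monitors:
                monitors[-1][key] = cast(m[1])
    return monitors

def findings(monitors, max_loss_pct=1.0):
    """Return alert strings for monitors that are down or losing probes."""
    alerts = []
    for mon in monitors:
        tag = f"{mon['name']} ({mon.get('srcintf', '?')} -> {mon.get('peer', '?')})"
        if mon["status"] != "alive":
            alerts.append(f"{tag}: status {mon['status']}")
        elif mon.get("loss_pct", 0.0) > max_loss_pct or mon.get("fails", 0) > 0:
            alerts.append(f"{tag}: degrading, loss {mon.get('loss_pct')}% fails {mon.get('fails')}")
    return alerts

if __name__ == "__main__":
    print(findings(parse_link_monitors(ALIVE + DOWN)))
```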
When the WAN1 link goes down, open the system event logs and verify the entries:
FortiGate GUI -> Log and Reports -> System Event.
Log: the static route is removed Route (10.5.21.50 <-> 8.8.8.8 ping-down).
This log means that the wan1 health check failed and the wan1 static route was removed.
If the addressing mode on one of the wan interfaces is DHCP, configure the interface to use DHCP:
- Select Network -> Interfaces.
- Select the wan port to set DHCP on.
- Set the Addressing mode to DHCP.
- Check the Enable Retrieve default gateway from the server option.
- Set the Distance to be the same as the static route for WAN1.
- Select OK.
Use the CLI to set it up as follows:
config system interface
edit "port3"
set vdom "root"
set mode dhcp
set distance 10
set type physical
set snmp-index 3
next
end
Another option is to change the Administrative Distance to 5 on the existing provider interfaces (ports 1 and 2).
Administrative Distance (AD) is set to 5 by default in DHCP or PPPoE mode.
FortiGate will create a dynamic route when using DHCP as the addressing mode for the interface.
To configure the link-monitor:
config system link-monitor
edit WanDHCPFailover
set srcintf port3 <----- Specify the port used for the DHCP WAN link.
set server 8.8.8.8
set protocol ping
set gateway-ip 0.0.0.0 <----- Leave as 0.0.0.0: the system will add it dynamically.
set source-ip 0.0.0.0
set interval 500
set probe-timeout 500
set failtime 5
set recoverytime 5
set ha-priority 1
set update-cascade-interface enable
set update-static-route enable
set status enable
end
Check the link-monitor status through the CLI with the following command:
diagnose sys link-monitor status
If any further assistance is required, contact Fortinet support.