FortiGate
ACARIMO
Staff
Article Id 332306
Description This article describes how to resolve an unstable WWAN connection on a FortiGate with an integrated 3G/4G LTE modem when the mobile provider (Vodafone in this case) repeatedly tears the mobile session down.
Scope FortiGate-40F-3G4G.
Solution

Example scenario: 

An SD-WAN zone has two members: a WAN/MPLS interface and an IPsec tunnel that runs over the WWAN interface. Traffic between the private networks is routed over the WAN/MPLS interface, and the IPsec tunnel over the WWAN interface acts as its backup.

 

Root cause:

The mobile provider enforces a behaviour generically referred to as 'source IP violation': when it sees packets with a private (RFC 1918) source IP address on the mobile connection, it tears the connection down. In this scenario that happens when traffic for the private networks is not carried inside the IPsec tunnel (for example while the preferred path is unavailable) and instead follows the default route out of the WWAN interface without NAT, so the packets leave with their private source address.

 

Solution:

To prevent traffic with a private source IP address from reaching the mobile provider, perform the following actions:

 

  1. Enable NAT on the firewall policy that allows outgoing internet traffic via the WWAN interface, so that any traffic leaving that interface carries the WWAN address as its source.
  2. Reconfigure the existing static routes:
  • Add static routes for the private networks pointing to the SD-WAN zone, with a lower administrative distance for the WAN/MPLS interface and a higher administrative distance for the IPsec tunnel.
  • Add static blackhole routes for the same private networks with an even higher distance (254), so that when both SD-WAN members are down the traffic is dropped instead of following the default route out of the WWAN interface.
  • Refer to Prevent RFC 1918 (LAN subnets) network traffic from exiting the WAN interface for instructions on how to do this.
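The CLI below is an added example of the two steps above, not configuration taken from the article. It assumes FortiOS 7.x syntax, interface names "lan" and "wwan", an SD-WAN zone named "private-zone" whose members are the MPLS interface and the IPsec tunnel, and 10.0.0.0/8 as the remote private network; adjust all of these to the real environment. It uses a single static route to the zone; how the MPLS member is preferred over the tunnel inside the zone (the article describes this as a distance difference between the two members) is assumed to come from the existing SD-WAN member configuration and is not shown here.

```fortios
# Added example (not part of the article). Assumed names: "lan", "wwan",
# SD-WAN zone "private-zone", remote private network 10.0.0.0/8.

# 1. Internet traffic leaving via the WWAN must be source-NATed to the
#    WWAN address, so the mobile provider never sees a private source IP.
config firewall policy
    edit 0
        set name "lan-to-internet-wwan"
        set srcintf "lan"
        set dstintf "wwan"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

config router static
    # 2a. Private destinations are routed into the SD-WAN zone
    #     (MPLS member preferred, IPsec tunnel over the WWAN as backup).
    edit 10
        set dst 10.0.0.0 255.0.0.0
        set sdwan-zone "private-zone"
        set distance 10
        set comment "private networks via SD-WAN zone"
    next
    # 2b. Blackhole with the worst distance (254): it only becomes active when
    #     every zone member is down, so the traffic is dropped instead of
    #     falling through to the default route on the WWAN interface.
    edit 11
        set dst 10.0.0.0 255.0.0.0
        set blackhole enable
        set distance 254
        set comment "drop private traffic when all SD-WAN members are down"
    next
end
```

To verify, run `get router info routing-table all` and confirm the 10.0.0.0/8 entries point at the zone members while they are up (the blackhole stays out of the active table until they are all down). Then fail the MPLS link and the tunnel over while running `diagnose sniffer packet wwan 'net 10.0.0.0/8 or net 172.16.0.0/12 or net 192.168.0.0/16' 4`: the sniffer should stay silent, because private traffic is now either encapsulated in the tunnel, NATed to the WWAN address, or dropped by the blackhole.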