Fortinet Forum
michelpbe
New Contributor

Dual WAN routing/BGP

Hi,
I have some questions about some changes we are about to make on our FortiGate 501E stack. We are connecting 2 WAN (WAN1 and WAN2) connections to our Fortigate 501E. Both interfaces have their own public IP. Outbound/inbound connectivity should failover if 1 link fails. We prefer to use WAN1 if available. We also use BGP to announce a set of IP's. I will have 2 BGP neighbors. WAN1 and WAN2 both have their own neighbor.

Some questions about this:

* For the dual WAN, is the best option to use SD-WAN?
* If I create the SD-WAN and add the 2 interfaces to it (WAN1 cost 0, WAN2 cost 10), do I still need to create an SLA policy?
* A VIP IP can't be assigned to the SD-WAN interface. If the VIP is bound to WAN1, will it still work when WAN1 is down?
* Same for a VPN tunnel. It can't be bound to SD-WAN, only to an SD-WAN member (WAN1).
* How do I force that all BGP announced traffic comes via WAN1? So I want the shortest route to be announced via WAN1. Can I do a path extension or something on the WAN2 neighbor?
Thanks!

lobstercreed
Valued Contributor

Did you ever get this accomplished? I missed this post but I do have some experience with this due to our own environment.

I would guess that SD-WAN is not the best option for you since it sounds like you have your own address space. It would probably not do what you would be expecting it to do since your inbound traffic would choose the ISP based on BGP routes.

emnoc
Esteemed Contributor III

* For the dual WAN, is the best option to use SDWAN?

SDWAN is for outbound traffic.

* If I create the SDWAN and add the 2 interfaces to it (WAN1 cost 0, WAN2 cost 10), do I still need to create an SLA policy?

I would; in fact I would make all traffic prefer wan1 or wan2.

* A VIP IP can't be assigned to the SDWAN interface. If the VIP is bound to WAN1, will it still work when WAN1 is down?

IDK, but gut feeling says no.

* Same for VPN tunnel. It can't be bound to SDWAN, only to an SDWAN member (WAN1)

That's correct, you're bound to the physical interfaces (wan1 or wan2), so for HA VPN using dynamic routing is the best method (OSPF, RIP, BGP); control traffic by metric.

* How do I force that all BGP announced traffic comes via WAN1? So I want that the shortest route is announced via WAN1. Can I do a path extension or something on WAN2 neighbor?

You can try prepend, but that WILL NOT FORCE ALL UPSTREAM TRAFFIC TO HONOR IT; you have no control or clue on what each upstream is doing with regards to route-policy or local-preference.

In my opinion I would do the BGP on a router and not even invoke SDWAN with BGP, YMMV. Asymmetrical issues would be my biggest concern.

Ken Felix
PCNSE
NSE
StrongSwan
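As an added illustration of the prepend approach discussed in this reply (not configuration from this thread, from Fortinet documentation, or from either poster), the FortiOS CLI below announces one prefix to both upstream neighbors, prepends the local AS three times toward the WAN2 neighbor so the WAN2 path looks longer to anyone who decides on AS-path length, and raises local-preference on routes learned from WAN1 so outbound traffic also prefers WAN1 while that session is up. All AS numbers, addresses, the prefix and the route-map names are constructed placeholders and need replacing with your own values.

```fortios
# Added example; constructed values: local AS 65000, announced prefix
# 203.0.113.0/24, WAN1 neighbor 198.51.100.1 (AS 64500),
# WAN2 neighbor 192.0.2.1 (AS 64510). Route-map names are arbitrary.

config router route-map
    # Applied outbound toward WAN2: prepend our own AS three times.
    # This only influences peers that tie-break on AS-path length; an
    # upstream that sets its own local-preference will not honor it.
    edit "prepend-wan2-out"
        config rule
            edit 1
                set set-aspath "65000 65000 65000"
            next
        end
    next
    # Applied inbound from WAN1: higher local-preference wins the BGP
    # decision before AS-path length, so outbound follows WAN1 while its
    # session is up; when WAN1 drops, the routes learned via WAN2 take over.
    edit "prefer-wan1-in"
        config rule
            edit 1
                set set-local-preference 200
            next
        end
    next
end

config router bgp
    set as 65000
    set router-id 203.0.113.1
    config neighbor
        # WAN1 upstream: preferred path, no prepend
        edit "198.51.100.1"
            set remote-as 64500
            set route-map-in "prefer-wan1-in"
        next
        # WAN2 upstream: backup path, prepended announcement
        edit "192.0.2.1"
            set remote-as 64510
            set route-map-out "prepend-wan2-out"
        next
    end
    # The prefix announced to both neighbors
    config network
        edit 1
            set prefix 203.0.113.0 255.255.255.0
        next
    end
end
```

After applying it, `get router info bgp summary` shows whether both sessions are established and `get router info bgp network 203.0.113.0/24` shows the path attributes the FortiGate is working with. What the internet actually sees is the point of the caveat above: an upstream can override the prepend with its own policy, so expect some inbound traffic to arrive on WAN2 while outbound leaves on WAN1, and confirm the firewall policies and session handling are correct for that asymmetric case rather than assuming the prepend made the paths symmetric.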

lobstercreed
Valued Contributor

I have highly asymmetrical connections to two different ISPs using BGP with prepends and it works great. No need to buy an extra router when the FortiGate can handle it. I agree about not using SDWAN in this scenario.