Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
ChrisM
New Contributor

Secondary WAN interface public IPs.

Hi all,

Sorry, new to FortiGate and trying to work out a problem.

I have a situation: two external WANs, both with different IP scopes. I have a requirement that if our primary link drops, the public IPs of the primary WAN can still be accessible via WAN2 and then through the firewall to the primary WAN interface. We have public-facing servers that use NAT; all of the public IPs for them are on the primary WAN. But of course if the primary drops, none of these are accessible even though external traffic can still get to WAN2.

Hope that makes sense.

Many thanks.

Chris.

xsilver_FTNT
Staff

Hi Chris,

How about accessing those servers via some FQDN like serverA.yourdomain.com, where the DNS record will contain A records for both of your WAN IP addresses?

So servers will be accessible via two different VIP settings, and one of the IPs will eventually work.

You are probably not going to be able to affect the routing of your public IPs and how they are reachable from the public internet, unless you have some sort of dynamic routing with your ISPs, and so things like BGP / AS etc.

Tom xSilver, planet Earth, over and out!
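Tom's suggestion, written out as a FortiOS CLI fragment. This is an added example, not configuration from the original post or from Fortinet: one internal server is published twice, once per WAN public IP, with a matching inbound policy for each, so that a DNS name carrying both A records keeps working whichever link is up. It assumes the interface names wan1, wan2 and internal, the VIP, policy and service names, the ISP gateway addresses 1.1.1.254 and 2.2.2.1, and reuses the placeholder addresses Chris uses later in the thread (1.1.1.1 on WAN1, 2.2.2.2 on WAN2, server 10.10.10.10).

```fortios
# Added example (not from this thread or from Fortinet).
# Assumed: interfaces wan1 / wan2 / internal, the object names below, and the
# two ISP gateway addresses. Addresses are the thread's own placeholders.

# One VIP per public address, both mapped to the same internal server.
config firewall vip
    edit "srvA-wan1"
        set extintf "wan1"
        set extip 1.1.1.1
        set mappedip "10.10.10.10"
    next
    edit "srvA-wan2"
        set extintf "wan2"
        set extip 2.2.2.2
        set mappedip "10.10.10.10"
    next
end

# One inbound policy per WAN interface, each allowing only its own VIP and
# only the published service, with logging so failover tests are visible.
config firewall policy
    edit 0
        set name "in-srvA-wan1"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "srvA-wan1"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
    edit 0
        set name "in-srvA-wan2"
        set srcintf "wan2"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "srvA-wan2"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
end

# Both default routes need to be active in the routing table (same distance),
# otherwise the reply to a session that arrived on wan2 follows the only active
# default route out of wan1 and the session breaks. The lower priority value
# still prefers wan1 for outbound traffic. Gateway addresses are assumed.
config router static
    edit 0
        set dst 0.0.0.0 0.0.0.0
        set gateway 1.1.1.254
        set device "wan1"
        set distance 10
        set priority 1
    next
    edit 0
        set dst 0.0.0.0 0.0.0.0
        set gateway 2.2.2.1
        set device "wan2"
        set distance 10
        set priority 5
    next
end
```

Two things to check after applying something like this: confirm with `get router info routing-table all` that both default routes are present, and test from outside against 2.2.2.2 with the wan1 cable unplugged. Note that this only helps for addresses that actually exist on WAN2; with a /30 on the secondary link the FortiGate has a single usable address there, so several services can share it only by publishing them on different ports.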

ChrisM
New Contributor

Hi Tom,

Good shout. Unfortunately the scope for the secondary WAN is a /30. The primary is a /24 and we use a lot of these addresses.

Thanks for the reply.

Chris.

xsilver_FTNT

Hi Chris,

then explore BGP and dynamic routing, so subnets assigned to you (your AS - Autonomous System) will always be reachable via dynamically changing routes based on some pre-set metrics.
It might be somehow doable if both WAN connections are from one provider (I doubt that), so that provider might be willing and able to make some static routes with some priorities and maybe health-checks like ping servers. Something like our SD-WAN. But I'm not sure.

If those WAN connections are from different providers then I do not see many other options here besides some dynamic routing, and so some form of BGP.

Tom xSilver, planet Earth, over and out!

ChrisM

Hi Tom,

Both links are from the same provider and they are prepared to run BGP for us.

However...

If I have a server public IP 1.1.1.1 on WAN1 and private 10.10.10.10, I still need to be able to route traffic from our WAN2 (let's say 2.2.2.2) circuit to the public IP of the said server and then to its NATed address 10.10.10.10.

I was wondering if we should have a rule allowing traffic from the WAN2 interface to the WAN1 interface.

I hope this makes sense.

Chris.

Toshi_Esumi
Esteemed Contributor II

As Tom points out, it's up to your ISP side whether the route toward your /24 can be failed over to your secondary circuit. Generally they can't, especially when those /24 and /30 are bound to the interfaces on the ISP side. If the primary has a /30 on the interface on both the ISP and your FGT ends, and the /24 is routed through the interface, then yes, you can fail it over to the secondary with BGP.

Toshi

ChrisM

Hi Toshi,

We can get the ISP to fail over to the backup circuit using BGP etc. However, I still have various public addresses I need to be accessible. The moment the circuit fails over, these are no longer accessible.

The only way I can think of achieving this is if there is a route within the FortiGate itself so that traffic can pass from the backup interface and 'see' the public IPs on the primary interface and hence get translated via NAT to the real IPs of the servers internally.

I hope this makes sense.

I am considering one of Tom's ideas: if I can change the secondary to a /24 and have multiple FQDNs, one address on the primary and one on the secondary.

Toshi_Esumi
Esteemed Contributor II

If your primary WAN interface has 1.1.1.1/24 configured, when the circuit goes down that directly-connected route would disappear from the routing table. Check with "get router info routing-table all" when you unplug the cable from WAN.

Toshi

ChrisM

Hi Toshi,

Yeah, I was thinking that maybe if only the route to the primary died and the device it is connected to was up, then the IP scope on the primary would still be in the routing table. Hope this makes sense.