Fortinet Forum
WEQ-Technologies
New Contributor

Two default routes on one interface

Hello everyone,

I just wanted to make sure if this is going to work:
Our customer has two WAN subnets which are connected to one interface on the FortiGate. Therefore I need two default routes, one to each gateway. The secondary subnet is configured as secondary IP at the wan1 interface. Does the FortiGate know automatically which gateway it should choose? (See the attached images)

Unfortunately I cannot test this yet since it's not installed at the customer's site...
Thank you in advance!
[attached screenshots: 2022-04-15_10-42_1.png, 2022-04-15_10-42.png]

1 Solution
aahmadzada
Staff

Hi,
By default, FortiOS will perform ECMP with such a setup.
Can you please tell me the reason you would like to assign these secondary IP addresses to the wan interface?
Will these IP addresses be used for SNAT or DNAT?
Ahmad


4 REPLIES
aahmadzada
Staff

Hi,
By default, FortiOS will perform ECMP with such a setup.
Can you please tell me the reason you would like to assign these secondary IP addresses to the wan interface?
Will these IP addresses be used for SNAT or DNAT?
Ahmad
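As an added illustration (not from this thread or from Fortinet's documentation; all addresses are constructed), the FortiOS CLI equivalent of the setup Ahmad describes: two default routes on wan1 with equal distance and priority, which FortiOS treats as ECMP, beside the priority change that turns it into active/standby. The two commands at the end are the standard FortiOS routing-table checks for confirming which gateways are actually installed.

```fortios
# Constructed example (not the poster's config): wan1 with a primary and a secondary address
config system interface
    edit "wan1"
        set ip 203.0.113.10 255.255.255.0
        set secondary-IP enable
        config secondaryip
            edit 1
                set ip 198.51.100.10 255.255.255.0
            next
        end
    next
end

# As posted: two default routes on the same interface with equal distance and priority.
# FortiOS installs both as active routes and load-balances sessions across the two
# gateways (ECMP); it does not choose a gateway based on which subnet the source IP is in.
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 203.0.113.1
        set device "wan1"
        set distance 10
        set priority 0
    next
    edit 2
        set dst 0.0.0.0 0.0.0.0
        set gateway 198.51.100.1
        set device "wan1"
        set distance 10
        set priority 0
    next
end

# Active/standby instead of ECMP: keep the distance equal (both routes stay in the
# routing table) but give route 2 a higher priority value, so it carries traffic
# only while route 1 is unavailable (for example, withdrawn by a link monitor).
config router static
    edit 2
        set priority 10
    next
end

# Verify what is installed: both gateways listed under 0.0.0.0/0 means ECMP is in effect.
get router info routing-table all
diagnose ip route list
```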
WEQ-Technologies

Hi, thanks for the reply!

This is because the previous firewall (Barracuda) had such a setup, so I took it and transferred it 1:1 to the FortiGate. I have some VIPs that I guess would work just fine, but ECMP of course is not what I want. So I guess I will use two separate interfaces for the two subnets and use SD-WAN instead...
Benedikt

aahmadzada

Not sure how Barracuda works, but on FortiOS, if these IP addresses will be used for SNAT/DNAT, there is no need to "host" them on the wan interface.

Ahmad
Toshi_Esumi
Esteemed Contributor II

You should dig into the Barracuda config further to understand why it was configured that way. My instant guess is that one of them was an old one and a secondary IP was used for the transition, then it was never removed after the transition was completed. That means one of them might not be working now. You might need to talk to your ISP to figure it out.
Toshi