I have an HA pair of 1100E on 7.0.11 currently set up with SD-WAN
I have ordered a load balanced service from our ISP where I get two circuits, two routers and two /28 public subnets, and I am trying to set up my Fortigates before they go live.
I was told by my ISP that I could use them independently and choose which ones to route to using SD-WAN. To do this I was told I should use an IP address from router one's subnet for my WAN port on the Fortigate (Port 3), and to set up a secondary IP on Port 3 from the other subnet (Both subnets should be ok on one VLAN) I could then add this to the SD-WAN pool
I would then need to set up another WAN port (4) with an IP from router 2's subnet, with a secondary IP from router 1's subnet.
I can create the first port fine, but when I try to add the primary IP on the second port it won't let me as the IP is in the same subnet as the secondary IP on port 3.
Does anyone have other ideas as to how I should be setting this up? The two routers run HSRP so can take over the other's IP range if either goes down.
This sounds odd to me. You won't be able to configure the same subnet on two different ports on your FortiGate, no matter if it's secondary on the one port and primary on the other.
Also for HSRP to work properly on the routers you will need a switch to provide a L2 broadcast domain in between.
If they agree to this I would probably rather have them hand over the 2 subnets on two different ports or vlans on each router. If they then have the HSRP prio higher on the first router for one of the vlan/ports and vice versa for the other router/vlan/port this would allow you to use both "lines" active/active too and it would be way better to grasp.
So if you go the physical port option
Subnet 1 (HSRP prio on R1)
P1 on R1 to Switch (VLAN X)
P1 on R2 to Switch (VLAN X)
FGT P1 to Switch (VLAN X)
Subnet 2 (HSRP prio on R2)
P1 on R1 to switch (VLAN Y)
P1 on R2 to switch (VLAN Y)
FGT P2 to switch (VLAN Y)
This would work with just one port on each router and the FGT with tagged vlans.
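The tagged-VLAN variant of the layout above, written out as FortiOS 7.0 CLI. This is an added example, not configuration from the thread or from Fortinet: the interface names (isp-vlan10, isp-vlan20, lan), VLAN IDs 10 and 20, the RFC 5737 documentation subnets standing in for the two /28s, the HSRP virtual IPs at .1 of each subnet, the FortiGate addresses at .2, and PROBE_TARGET_IP are all assumptions. Each subnet lives on exactly one FortiGate interface, which is what avoids the "same subnet on two ports" error, and the SD-WAN member gateway is the HSRP VIP rather than a single router's own address, so router failover inside a subnet needs no change on the FortiGate.

```fortios
# Assumed addressing (constructed, RFC 5737 documentation ranges):
#   Subnet 1: 203.0.113.0/28  VLAN 10  HSRP VIP 203.0.113.1  (prio on R1)
#   Subnet 2: 198.51.100.0/28 VLAN 20  HSRP VIP 198.51.100.1 (prio on R2)
# Both VLANs arrive tagged on port3 via the switch; one IP per subnet, no secondaries.
config system interface
    edit "isp-vlan10"
        set vdom "root"
        set interface "port3"
        set vlanid 10
        set ip 203.0.113.2 255.255.255.240
        set allowaccess ping
        set role wan
    next
    edit "isp-vlan20"
        set vdom "root"
        set interface "port3"
        set vlanid 20
        set ip 198.51.100.2 255.255.255.240
        set allowaccess ping
        set role wan
    next
end
# Both VLAN interfaces become SD-WAN members; the gateway is the HSRP VIP,
# so if R1 fails, R2 answers for 203.0.113.1 and the member stays up.
config system sdwan
    set status enable
    config zone
        edit "virtual-wan-link"
        next
    end
    config members
        edit 1
            set interface "isp-vlan10"
            set zone "virtual-wan-link"
            set gateway 203.0.113.1
        next
        edit 2
            set interface "isp-vlan20"
            set zone "virtual-wan-link"
            set gateway 198.51.100.1
        next
    end
    # Probe something beyond the ISP routers, otherwise a dead upstream on one
    # circuit is never detected. PROBE_TARGET_IP is a placeholder to replace.
    config health-check
        edit "isp-reachability"
            set server "PROBE_TARGET_IP"
            set members 1 2
        next
    end
end
# Outbound policy uses the SD-WAN zone, not the individual VLAN interfaces.
config firewall policy
    edit 1
        set name "lan-to-internet"
        set srcintf "lan"
        set dstintf "virtual-wan-link"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

No static default routes are needed for the members because the gateway is set on each SD-WAN member; if port3 previously carried a default route, remove it before enabling SD-WAN or the two will compete. Pinging only the HSRP VIPs would confirm the routers are alive but not that the circuit behind them works, hence the note on the probe target.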
Thanks for the reply, there is a switch in between but I omitted it for simplicity and probably shouldn't have. From the router point of view, that is what they are suggesting, using the two VLANs on a single port.
But like you say, with two connections, one for each VLAN from the FGT I don't need an IP from each subnet for each WAN connection - not sure why they said I do!
That makes sense to me so thank you very much for your help.
load-balanced WAN connections with two circuits from your ISP, but are running into issues with the IP addresses and subnets. Here are some potential solutions:
1. Use different subnets: To avoid the IP address conflict, you could use different subnets for each WAN port. For example, you could configure WAN port 3 with an IP address from router 1's subnet and WAN port 4 with an IP address from router 2's subnet. This would ensure that there is no IP address conflict between the two WAN ports.
2. Use VLANs: If you are limited to using a single VLAN for both subnets, you could use VLAN tagging to separate the subnets. For example, you could configure WAN port 3 with an untagged VLAN for router 1's subnet and a tagged VLAN for router 2's subnet. Then you could configure WAN port 4 with an untagged VLAN for router 2's subnet and a tagged VLAN for router 1's subnet. This would allow you to use both subnets on a single VLAN, while avoiding the IP address conflict.
3. Use NAT: Another option would be to use NAT to translate the IP addresses from one subnet to the other. For example, you could configure WAN port 3 with an IP address from router 1's subnet and then use NAT to translate traffic from router 2's subnet to router 1's subnet. This would require additional configuration, but would allow you to use both subnets on a single WAN port.
It may be helpful to contact your ISP to see if they have any recommendations or best practices for configuring load-balanced WAN connections with their service.
You can absolutely still have inbound services in this case.
VIPs on the FortiGate can map to each interface. So inbound on WAN1 and WAN2 will allow access to internal resources. If one router or link goes down the other one will continue to function.
Now you just need to figure out how you're going to make sure that failover happens automatically for clients. Like DNS updates with service probing or similar. But this would be true regardless of your internal configuration (unless you were doing BGP).
On that note, will your ISP allow you to do BGP with them? That would allow for automated link failover and you wouldn't need to have two different subnets...
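One way to publish a single internal host on both circuits as described above, as an added example rather than configuration from the thread or from Fortinet. It assumes the two VLAN interfaces are named isp-vlan10 and isp-vlan20, that the ISP subnets are the RFC 5737 ranges 203.0.113.0/28 and 198.51.100.0/28, that 203.0.113.5 and 198.51.100.5 are unused addresses in each /28, that the SD-WAN zone is "virtual-wan-link", and that the internal server is 10.0.0.10 on interface "lan"; all of these are constructed. Each VIP is bound to its own external interface, and a single inbound policy references both, so the service stays reachable on whichever circuit is still up.

```fortios
# One VIP per circuit, each bound to the interface that owns its subnet.
config firewall vip
    edit "web-via-isp1"
        set extintf "isp-vlan10"
        set extip 203.0.113.5
        set mappedip "10.0.0.10"
        set portforward enable
        set protocol tcp
        set extport 443
        set mappedport 443
    next
    edit "web-via-isp2"
        set extintf "isp-vlan20"
        set extip 198.51.100.5
        set mappedip "10.0.0.10"
        set portforward enable
        set protocol tcp
        set extport 443
        set mappedport 443
    next
end
# Inbound policy from the SD-WAN zone to the LAN, allowing only the published service.
config firewall policy
    edit 20
        set name "inbound-web-both-circuits"
        set srcintf "virtual-wan-link"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "web-via-isp1" "web-via-isp2"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
end
```

Replies to an inbound session leave on the interface the session arrived on, so each VIP works independently of SD-WAN's outbound member selection. What this does not give you is client-side failover: a client holding a DNS record for 203.0.113.5 keeps trying that address after circuit 1 dies, which is the DNS or BGP problem raised in the reply above.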