Raudi
New Contributor III

2 WAN interfaces, both active for different protocols and no load balancing

Hello,

I want to replace a LANCOM 1781EF+ with a FG100D and now have a routing problem: I can't find out how to configure the FG so that I have the same features.

I have 2 cable business WAN lines, where I get a fixed public IPv4 via DHCP.

I want to use WAN2 outgoing only for VPN connections and VoIP traffic. WAN1 should be used for normal internet access. Both public IP addresses are used for publishing internal services.

How can I configure 2 WAN interfaces and split the traffic?

Outgoing: Internet access including client IPsec VPNs -> WAN1; IPsec VPNs and VoIP -> WAN2

Published services - incoming: TCP 80, 443 -> WAN1; TCP 21, 25, 53, 443 -> WAN2

Is this possible?

I already tried with policy routes, but every time I try a new configuration, something else doesn't work.

At the moment everything is working, but outgoing client internet access is using both WAN interfaces.

Regards

Stefan

Toshi_Esumi

What do you mean by "high priority"? Do you want to use WAN2 for internet as long as it's UP and not to use WAN1? Or load-balance based on the usage? But you said "no load balancing" in the subject.

For VPN, the other sides have to connect to either WAN1 IP or WAN2 IP specifically. You can't switch it on this FG side.

Raudi
New Contributor III

For a route I can set 2 different values:

Distance

Priority

In an interface I have only the distance.

When the route was created automatically via DHCP, the settings of a manual route have no effect.

When I modify the distance in the interface, the interface with the higher value doesn't work.

When I change the interface from DHCP to manual and enter the same IP addresses I got via DHCP before, I can use the priority value in the manual route.

When I use this priority value, all traffic will be routed to the interface with the lower value, but VPN on the interface with the higher value is still working.

So my question is:

Is there a way to configure that priority when the interface is still on DHCP?

Toshi_Esumi

DHCP injects only the default route (default GW). Nothing else. Only the interface distance influences the DHCP-injected default route. My question from the beginning is why you want to set higher precedence on one default route over another while you just want to split the purposes statically.

Raudi
New Contributor III

Because I must redirect the outgoing traffic to a specific interface without disabling the other interface for VPN or getting problems with the traffic through the VPN tunnel.

Or how should I configure it so that all clients use WAN1 and VPN tunnels use WAN2? And traffic should also be routed through the VPN tunnel...

(Sorry, in English it is perhaps not easy to explain.)

Toshi_Esumi

To redirect/manipulate any VPN toward a specific outgoing port, you need to have a specific route (/32) for the peers to the specific port WAN1 or WAN2. Then when you change the outgoing route, you need to change the peer IP on the remote side if it's static site-to-site VPNs. The default route's precedence wouldn't help anything for that purpose.

Raudi
New Contributor III

But it is working:

S* 0.0.0.0/0 [5/0] via 90.xxx.6.130, wan1, [5/0]
             [5/0] via 90.xxx.4.170, wan2, [10/0]

All traffic from clients is going through WAN1, and WAN2 will only be used for VPN and for VoIP, which I redirected via a policy route.

The only thing I'm thinking about is what happens when I don't get the IP via DHCP; what will my provider do when he doesn't get DHCP requests?

I have 3 VPNs; one has a fixed IP, the other 2 are dynamic.

Toshi_Esumi

You didn't mention those were dialup VPNs. Yes, if that's the case, as long as you use FG's "priority" on the static default routes, internally initiated internet traffic goes through the higher "priority" interface, in your example wan2, while all dialup VPN accesses are returned through the interface the request came in on, just like when you didn't set any priority. However, in the VPN configuration (if IPsec) you need to specify the interface in the phase1-interface config. So when you want to move VPNs around between wan1 and wan2 you need to change that config (phase1-interfaces need to be separated enough to manipulate, otherwise all go in one direction). I think it requires all related sessions to be cleared at that time. In other words, it's almost unmanageable.

If it's SSL VPN, you can set interface "any" in the VPN settings so that you don't have to change the interface config. Only the client side needs to change the server IP to connect to.

In any case, whether I assumed correctly above or something different, you need to provide more specific information about your VPNs to let anybody help you.

Raudi
New Contributor III

A higher value is a higher cost, so the traffic goes through WAN1 with the lower value.

So all is fine. I thought it was clear that these are site-to-site VPNs, because they are listed in the routing table above.

So there is no way to get the same result (that I have now with the manual IP configuration) when I have DHCP enabled?

Toshi_Esumi

Sorry, the higher the number, the lower the priority. So wan1.

http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-advanced-routing-54/Routing_Advanced_...

 

You can set priority only on static routes.
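For reference, an added configuration sketch (not posted by any participant in this thread) of the FortiOS CLI for the setup described above: two static default routes with equal distance and different priorities so that WAN1 is preferred for internally initiated traffic, a /32 route pinning a site-to-site VPN peer to WAN2, and a policy route sending VoIP signalling out WAN2. It assumes both WAN interfaces are configured with static addresses (priority is only available on static routes); gateway addresses, LAN subnet, peer address, interface names and the VoIP port are constructed placeholders.

```text
# Added example (FortiOS 5.4-era CLI syntax); all addresses below are constructed.
# Both default routes share distance 5 so both stay active in the routing
# table; the lower "priority" value wins for sessions initiated internally,
# so normal client internet traffic leaves via wan1. Replies to inbound
# sessions (published services, dialup VPN) still return via the interface
# the request arrived on, as the thread observes.
config router static
    edit 1
        set gateway 192.0.2.9          # constructed wan1 gateway
        set device "wan1"
        set distance 5
        set priority 5
    next
    edit 2
        set gateway 198.51.100.9       # constructed wan2 gateway
        set device "wan2"
        set distance 5
        set priority 10
    next
    # /32 route for a site-to-site VPN peer, so the tunnel is anchored to
    # wan2 independently of default-route priority.
    edit 3
        set dst 203.0.113.5 255.255.255.255   # constructed remote peer
        set gateway 198.51.100.9
        set device "wan2"
        set distance 5
    next
end

# Policy route: SIP signalling from the LAN (UDP 5060 assumed, LAN subnet
# constructed) is forced out wan2 regardless of the default-route priority.
# Policy routes are consulted before the regular routing table.
config router policy
    edit 1
        set input-device "internal"
        set src "10.0.0.0/255.255.255.0"
        set dst "0.0.0.0/0.0.0.0"
        set protocol 17                # UDP
        set start-port 5060
        set end-port 5060
        set gateway 198.51.100.9
        set output-device "wan2"
    next
end
```

After applying, `get router info routing-table all` should show both default routes with [5/0] and the differing priority values, as in the table posted above.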

 

Raudi
New Contributor III

O.k., last question: can I disable the creation of routes when I get the IP via DHCP, so that I use DHCP and have an active static route?

O.k., it doesn't really make sense, because normally DHCP means that I get different IPs, so I want to use a route with the current IP I got.

But in this case I get the same IP every time... So perhaps...
