Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Summer Badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCare Services
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiData
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevice
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiEndpoint
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiSASE Sovereign
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- 2 WAN interfaces in same subnet?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Not applicable
Created on ‎10-31-2006 07:11 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
2 WAN interfaces in same subnet?
I' m trying to set up a FortiGate 60 with both WAN ports in a official /29 net. I have upgraded it to 3.00 and successfully set addresses and policies on all interfaces.
I get stuck on the external routing/gateway. Tried both static routes and policy routes without success, but can' t get both interfaces to work at the same time. The idea is to have " DMZ" use one WAN and " Internal" the other WAN port.
Any hints? Is this possible?
9 REPLIES 9
Not applicable
Created on ‎10-31-2006 07:29 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Alctually this should be possible.
But: Why the hell do you want some configuration like that? Keeping this apart means a lot of work with policy based routing.... (since we do not have virtual routers - grrrrr.)
Why don' t you define NAT/Port forwarding as you like it
... or use some differnet device for routing and use the FG in transparent mode?
In my personal opinion Fortinet did not invent routing.... Firewalling/Tunneling/ContentFilter etc. is not bad but routing is really *normal* with no special features.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I do agree that FG did not provide a good routing functionality~ But I still thinking that it' s not a bad idea to have two WAN link, in my case, one for VPN tunnel connectivity, another one for normal Internet access~ 
Keihin: what' s your type of Internet connections? ADSL or with fixed IP? I also found that the fg60 seems so strange when connected to the ADSL (without fixed IP)... the default route seems useless.... even you set the default gw as whatever, the internal hosts still can connecting to the Internet..... up to this moment, I still cannot make the 60 working properly with the 2 WAN link on WAN1 & WAN2.....
Keihin: what' s your type of Internet connections? ADSL or with fixed IP? I also found that the fg60 seems so strange when connected to the ADSL (without fixed IP)... the default route seems useless.... even you set the default gw as whatever, the internal hosts still can connecting to the Internet..... up to this moment, I still cannot make the 60 working properly with the 2 WAN link on WAN1 & WAN2.....
Protect yourself~ http://www.secunia.com
MBCS CEH FCNSA
Protect yourself~ http://www.secunia.com MBCS CEH FCNSA
Not applicable
Created on ‎11-01-2006 12:55 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for reply. I have good reasons to use 2 different IP addresses, and this _should_ work. I have 2 FG60, and have now put them both in parallel using only wan1 on both with adjacent IPs. Works like a charm. First time ever I can ping both external IPs from outside...
I now struggle with another problem: accessing my own external IP from inside my office. I' m testing some Internet clients, and need my official IP to work also in the office. All Internet access works fine, but I can' t ping nor access my external IPs from my LAN (internal). I only have a ALL->ALL with NAT checked in my Internal->WAN1 part of the firewall.
Any ideas?
Not applicable
Created on ‎11-14-2006 04:56 PM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
diag sniffer packet wan1 " icmp"
This will tell you if the traffic is reaching the nic or not. You can also put a sniffer on your internal interface as well. This will tell you where the traffic is getting too.
You can also try doing a traceroute and make sure that your traffic is not going out and reaching the destination, but trying to return to you another way.
Not applicable
Created on ‎12-04-2006 07:32 PM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
K,
What you wish to do will take some creative configurations, but in the subnet mask you describe, it cannot work. Routed traffic must traverse between dissimilar subnets, otherwise you face a subnet overlap. What you might try is supernetting (resubnet) your subnet. Instead of using /29, use a /32 subnet on each, and use the same gateway IP in your static routing table. The 255 subnet causes for the net ID, host ID, and the broadcast ID to be all the same IP; just like the old-fashioned dial-up connections provided. If it works, great. If not, well, sorry but I don' t think it can with similar /29 IPs, unless you connect the router to a layer-2 or layer-3 switch.
Not applicable
Created on ‎12-04-2006 09:49 PM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for input.
You say it can' t be done, theoretically? But how do you explain that it works when I use 2 FortiGate devices? The latest problem I had was solved when I found that a downed interface isn' t actually downed (bug). I had to change the IP' s on the downed interfaces on both boxes, and suddenly everything worked fine.
I' ve also set up this configuration using Linux without problems.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello All,
In general, a router is routing between different IP networks and will not allow to have multiple interfaces in the same subnet. It' s like a crossing, there are not two ways going right, only one :-)
From routing (layer 3) perspective if there are two local IP connections going to the same subnet the router cannot decide on which to use.
I assume when you use two F60' s you have the routing process running on both of them? So on every box a routing decission is made by a separate process resulting in no issue for every box having one interface to the same subnet.
My 2 cents.
Jan
Not applicable
Created on ‎12-05-2006 06:43 PM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i think your refering to NAT loopback
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Darn it, I wish I would have thought of that.
Labels
-
FortiGate
10,948 -
FortiClient
2,248 -
FortiManager
921 -
FortiAnalyzer
701 -
5.2
687 -
5.4
638 -
FortiSwitch
605 -
FortiClient EMS
600 -
FortiAP
576 -
IPsec
466 -
6.0
416 -
SSL-VPN
402 -
FortiMail
386 -
5.6
362 -
FortiNAC
314 -
FortiWeb
262 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SD-WAN
212 -
FortiAuthenticator
192 -
FortiGuard
164 -
5.0
152 -
Firewall policy
152 -
FortiGate-VM
151 -
6.4
128 -
FortiCloud Products
122 -
FortiSIEM
115 -
FortiToken
115 -
FortiGateCloud
113 -
Wireless Controller
97 -
High Availability
94 -
Customer Service
90 -
Routing
83 -
SAML
82 -
ZTNA
82 -
FortiProxy
80 -
BGP
75 -
VLAN
75 -
Authentication
74 -
Fortivoice
73 -
FortiEDR
73 -
DNS
73 -
Certificate
73 -
FortiADC
70 -
RADIUS
67 -
LDAP
65 -
SSO
60 -
FortiLink
60 -
FortiSandbox
57 -
NAT
57 -
FortiExtender
53 -
Interface
52 -
Application control
51 -
VDOM
50 -
4.0MR3
49 -
Virtual IP
47 -
Logging
44 -
FortiDNS
43 -
SSL SSH inspection
42 -
FortiPAM
39 -
Web profile
39 -
FortiGate v5.4
38 -
FortiSwitch v6.4
38 -
FortiConnect
36 -
Automation
35 -
FortiWAN
32 -
FortiConverter
31 -
API
30 -
FortiGate v5.2
28 -
Traffic shaping
28 -
Fortigate Cloud
27 -
SSID
26 -
Static route
26 -
SNMP
25 -
System settings
24 -
FortiSwitch v6.2
23 -
FortiPortal
23 -
OSPF
22 -
WAN optimization
22 -
FortiMonitor
21 -
Web application firewall profile
21 -
Web rating
20 -
FortiSOAR
19 -
Security profile
19 -
IP address management - IPAM
19 -
FortiAP profile
18 -
FortiGate v5.0
16 -
FortiDDoS
16 -
Explicit proxy
16 -
Admin
15 -
IPS signature
15 -
Proxy policy
15 -
Intrusion prevention
15 -
FortiManager v4.0
14 -
FortiCASB
14 -
NAC policy
14 -
Users
14 -
Traffic shaping policy
14 -
FortiManager v5.0
13 -
DNS filter
13 -
FortiDeceptor
12 -
Fabric connector
12 -
Port policy
12 -
FortiBridge
11 -
FortiRecorder
11 -
Trunk
11 -
Traffic shaping profile
11 -
Authentication rule and scheme
11 -
FortiAnalyzer v5.0
10 -
FortiWeb v5.0
10 -
Fortinet Engage Partner Program
10 -
FortiGate v4.0 MR3
9 -
RMA Information and Announcements
9 -
Antivirus profile
9 -
Application signature
9 -
FortiCache
8 -
FortiToken Cloud
8 -
Vulnerability Management
8 -
4.0
7 -
4.0MR2
7 -
Packet capture
7 -
VoIP profile
7 -
FortiScan
6 -
FortiNDR
6 -
DoS policy
6 -
FortiCarrier
5 -
FortiTester
5 -
DLP profile
5 -
DLP sensor
5 -
Email filter profile
5 -
Protocol option
5 -
TACACS
5 -
Service
5 -
Cloud Management Security
5 -
3.6
4 -
FortiDirector
4 -
Internet service database
4 -
DLP Dictionary
4 -
Netflow
4 -
Replacement messages
4 -
SDN connector
4 -
Multicast routing
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiAI
3 -
Kerberos
3 -
Video Filter
3 -
File filter
3 -
Multicast policy
3 -
FortiEdge Cloud
3 -
FortiInsight
2 -
Schedule
2 -
ICAP profile
2 -
Zone
2 -
Lacework
2 -
FortiGuest
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
FortiSASE
1 -
Virtual wire pair
1 -
FortiEdge
1 -
FortiAIOps
1
Top Kudoed Authors
| User | Count |
|---|---|
| 2811 | |
| 1427 | |
| 812 | |
| 770 | |
| 455 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.