Support Forum
paulcpk
New Contributor

2 internal interfaces and 2 wan

We have a FortiGate 100C. We have 2 internal networks, LAN1 and LAN2, and 2 broadbands, WAN1 and WAN2. We want LAN1 to access the internet only through WAN1, and LAN2 to access the internet only through WAN2. We also want LAN1 to be able to access LAN2 and vice versa. How should we configure the 100C to achieve this?

If we set the gateways of WAN1 and WAN2 to have the same distance and priority, with firewall policies LAN1 to WAN1, LAN2 to WAN2, LAN1 to LAN2 and LAN2 to LAN1, then only PCs in LAN1 with IP addresses ending with an even number (the last octet) can access the internet (through WAN1). Since we need LAN1 to be able to access LAN2 and vice versa, is it correct that we cannot use VDOMs?
7 REPLIES
rocampo
New Contributor

You can use VDOMs to do this by creating "InterVDOM Links" to allow communications between VDOMs (LAN1VDOM and LAN2VDOM). But with your setup as you described it, you can already allow communications between LAN 1 and LAN 2 by just creating the necessary firewall policies:

LAN 1 --> LAN 2 allow any
LAN 2 --> LAN 1 allow any

You also probably will need to create the necessary policy based routing policies, since I guess you might have created ones already to force traffic out of the different WAN ports. You will need to have:

LAN 1 IP network going to LAN 2 IP network, force to LAN 2 port
LAN 2 IP network going to LAN 1 IP network, force to LAN 1 port
MohanFC
New Contributor

Hi, since you are using the same distance & priority, ECMP would come into the picture, due to which the FortiGate is trying to do source address based load balancing. So I would recommend you to change the priority of the static routes. Hopefully this should solve the issue. Regards,
ede_pfau
SuperUser

Hi, this has been discussed and solved just this week under the topic of "Unethical scenario" by fellow user laf: http://support.fortinet.com/forum/tm.asp?m=63266&appid=&p=&mpage=1&key=&language=single&tmode=&smode=&s=#66123

In essence, if you absolutely want to have a direct association of wan1 to lan1, wan2 to lan2 then you may either use policy based routing or VDOMs (virtual firewalls) with an interVDOM link. You find example setups for both either in the FortiOS Handbook or in a KnowledgeBase article.

In your case with equal distance default (!) routes the FortiGate chooses the wan port according to the source IP (not the source subnet, like you would like to have). This is such that a session from a host is routed over the same wan port all the time. You could achieve full WAN connectivity for lan1 if you create an additional policy 'lan1' to 'wan2', and 'lan2' to 'wan1'. This would use both wan ports for all clients but would not strictly separate traffic from the lan ports.

@MohanFC: if you change priority or distance of the 2 default routes then only one will be preferred, that is, used until it fails. In case of failure traffic will be routed over the second wan, which until then idles along.

@rocampo: I don't see why you would have to use policy routing for the inter-LAN traffic. Simple static routes would do if the FortiGate had none; routes to lan1 and lan2 are added automatically on creation of the interface IPs. So no further action is needed here other than 2 policies.

Ede


"Kernel panic: Aiee, killing interrupt handler!"
paulcpk

Thank you ede_pfau. With both default gateways having the same priority, I put in a policy route for LAN2 to WAN2, but still only half of the IPs of LAN1 and LAN2 can access the Internet. I deliberately changed the gateway address of the outgoing interface (WAN2) to an invalid address, and immediately no IP on LAN2 could access the Internet. Thus it seems the policy route is working, but the result is not what I expected. After changing the priority of the default gateway of WAN2 from 0 to 10, all IPs in LAN1 can access the Internet through WAN1. However, all IPs on LAN2 cannot access the Internet.

The scenario is as follows:

Static routes:
0.0.0.0 0.0.0.0 WAN1_gateway priority 0
0.0.0.0 0.0.0.0 WAN1_gateway priority 10

Firewall policy:
LAN1 --> WAN1 allow any with NAT
LAN2 --> WAN2 allow any with NAT

Policy route:
Protocol -- 6
Incoming Interface -- LAN2
Source address -- 192.168.1.0/255.255.255.0
Destination address -- 0.0.0.0/0.0.0.0
Destination Ports -- 1~65535
Type of service -- 00 00
Force traffic to -- WAN2
Gateway address -- WAN2_gateway

Since the priority of WAN1 is higher than WAN2, I guess there is no need for a policy route for LAN1 to WAN1. Why can't LAN2 access WAN2 even though there is a policy route? Is there something wrong with the settings of the policy route? Have I missed something?
ede_pfau
SuperUser

Hi again,

1. "0.0.0.0 0.0.0.0 WAN1_gateway priority 10" is a typo, right? Should read "WAN2_gateway".
2. Delete the default route to WAN2.
3. Policy route: protocol=0 (6 is TCP only).

With no default route pointing to WAN2, the only traffic arriving there must be via the policy route.

Ede


"Kernel panic: Aiee, killing interrupt handler!"
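The design ede_pfau settles on above (a single default route via wan1, no route to wan2, and an all-protocol policy route from lan2 to wan2) written out as a FortiOS CLI example. This is an added illustration, not configuration posted in this thread or supplied by Fortinet. It assumes the interfaces are named lan1, lan2, wan1 and wan2, that LAN2 is 192.168.1.0/24 (the subnet quoted in the thread), that LAN1 is 192.168.0.0/24 (a constructed value), and that the two gateway addresses are placeholders to be filled in. Keyword names follow the usual FortiOS `config router static` / `config router policy` / `config firewall policy` tables and should be checked against the handbook for the firmware on the 100C. The first policy route is the LAN2-to-LAN1 guard rocampo mentions, placed ahead of the catch-all so that inter-LAN traffic is not pulled towards wan2.

```fortios
# Added example (not from this thread or from Fortinet). Assumptions:
#   interfaces lan1, lan2, wan1, wan2
#   LAN2 = 192.168.1.0/24 (from the thread), LAN1 = 192.168.0.0/24 (constructed)
#   <WAN1_GATEWAY> / <WAN2_GATEWAY> are placeholders

# 1. Exactly one default route, via wan1. Because nothing in the routing
#    table points at wan2, the table alone can never pick wan2, so the
#    source-IP based ECMP split disappears.
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway <WAN1_GATEWAY>
        set device "wan1"
    next
end

# 2. Policy routes are evaluated before the routing table, top to bottom.
#    Entry 1: LAN2 -> LAN1 is forced to lan1 (directly connected, no gateway),
#             so the catch-all in entry 2 cannot divert it to wan2.
#    Entry 2: everything else from lan2 is forced out of wan2.
#             protocol 0 = all IP protocols; 6 would match TCP only.
config router policy
    edit 1
        set input-device "lan2"
        set src 192.168.1.0/255.255.255.0
        set dst 192.168.0.0/255.255.255.0
        set protocol 0
        set output-device "lan1"
    next
    edit 2
        set input-device "lan2"
        set src 192.168.1.0/255.255.255.0
        set dst 0.0.0.0/0.0.0.0
        set protocol 0
        set gateway <WAN2_GATEWAY>
        set output-device "wan2"
    next
end

# 3. Firewall policies: each LAN has a NAT policy only to its own WAN, plus
#    the two inter-LAN policies (no NAT). There is deliberately no lan1->wan2
#    or lan2->wan1 policy, so traffic cannot leak out of the "other" WAN.
config firewall policy
    edit 1
        set srcintf "lan1"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
    next
    edit 2
        set srcintf "lan2"
        set dstintf "wan2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
    next
    edit 3
        set srcintf "lan1"
        set dstintf "lan2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
    next
    edit 4
        set srcintf "lan2"
        set dstintf "lan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
    next
end
```

After applying it, `get router info routing-table all` should show a single default route via wan1. Test from one LAN1 host with an even last octet and one with an odd last octet (the symptom in the thread split on exactly that), from a LAN2 host to the Internet with something other than TCP (for example ping, which the protocol 6 version of the policy route would never have matched), and from LAN2 to a LAN1 host to confirm the guard entry keeps inter-LAN traffic on lan1. The trade-off ede_pfau points out still holds: with no route to wan2 and no cross policies, LAN1 has no failover to wan2 and LAN2 none to wan1.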
ede_pfau
SuperUser

I just noticed you have cross-posted into an old thread (http://support.fortinet.com/forum/tm.asp?m=63266&appid=&p=&mpage=1&key=&language=&tmode=&smode=&s=#66619) and are already getting help there. You are wasting time and resources, mine and that of the other participants.

Ede


"Kernel panic: Aiee, killing interrupt handler!"
paulcpk

@ede_pfau Sorry for the cross-post. I didn't mean to waste your time and that of other participants. I won't do this again. I just wanted to get more answers and solve the problem ASAP. In fact, your help is much appreciated!