Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Othman_Mohamed
New Contributor

80C UTM No internet access when connecting wan to TL-R470T+ loadbalance router

Hi, I have a TL-R470T+ router and I successfully configured it to bond 4 WAN connections from the same ISP, so the speed is quite nice and all users are able to surf the internet. But when connecting the router to the WAN port on the Fortigate 80C UTM, the internet goes down even though the other WAN port in the UTM is up. Is there any special configuration for this issue?

Dave_Hall
Honored Contributor

Hi Othman.

Can you clarify/outline what you are trying to accomplish? Perhaps a summary of your network layout? Which router (TL-R470T+ or 80CM) will you be using as your main router? What device on your internal LAN is providing DHCP (IP leases)?

It sounds like you want to use the TL-R470T+ as your main router but want the use of the UTM/security features of the 80CM -- in which case you may want to set up the 80CM in transparent mode -- which acts as a go-between for your LAN and the TL-R470T+. The FortiOS 4.3 Cookbook has a section on how to set up such a scenario, located here.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Othman_Mohamed
New Contributor

Hi Dave,

Thanks for the reply. I have:

1. 4 ADSL lines, each one connected to an ADSL modem
   IP addresses: 192.168.1.1, 192.168.2.1, 192.168.3.1, 192.168.4.1 (/24)

2. TL-R470T+ load balance router combining the four lines
   WAN port IP addresses: 192.168.1.2, 192.168.2.2, 192.168.3.2, 192.168.4.2 (/24)
   LAN IP address: 192.168.5.1/24

3. 80C Fortigate UTM as a security appliance (operates in NAT mode)
   WAN port IP addresses: 192.168.5.2, 192.168.6.2 (/24)
   LAN IP address: 192.168.100.20/23

4. Domain controller providing DHCP to the clients
   IP address: 192.168.100.2/23

I want to set the UTM between the load balance router and the LAN.

Dave_Hall

@Othman.

I agree with ede, though unless you merely provided just enough details about the network setup, I am a bit puzzled by the info provided.

Normally, I'm so used to seeing a Fortigate positioned as the default gateway device on a network with an IP address of x.x.x.1 -- not x.x.x.20 as indicated in your description. Can you clarify what is acting as the default gateway on your 192.168.100.x/23 network? If it is not the Fortigate, how are you directing traffic to/through the Fortigate?

Is the 80CM a first-time Fortigate deployment in your organization? A /23 network would imply your internal network would have at least >254 hosts -- I'd be very surprised to see an 80CM keep up with all that traffic unless all UTM features were disabled.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
ede_pfau
SuperUser

As I see it you need 2 things on the 80C:

1. a default route ('0.0.0.0/0') pointing to wan1, gateway 192.168.5.1

2. a policy from 'internal' to 'wan1' allowing ALL traffic; here you specify the UTM


There is no (apparent) use for the 'wan2' port on the FGT. I understand your post that 'wan2' is given 192.168.6.2/24.

A FGT will only accept ONE default route.

Ede Kernel panic: Aiee, killing interrupt handler!
Othman_Mohamed
New Contributor

Hi,

Dave, Ede, thanks guys for your support.

Dave, sorry you feel puzzled by my previous diagram; the settings I sent before weren't my recent settings.

Here are my recent network settings:

Network: 192.168.100.0/255.255.254.0
DHCP server: 192.168.100.2/255.255.254.0
Default gateway: 192.168.100.20

FTG 80C
LAN: 192.168.100.20/255.255.254.0
WAN1: 192.168.1.2/255.255.255.0
WAN2: 192.168.2.2/255.255.255.0

ADSL modems
WAN1: 192.168.1.1/255.255.255.0
WAN2: 192.168.2.1/255.255.255.0

I find my FTG configuration is complicated, with a lot of security policies; anyhow, it works in NAT mode as I mentioned before.

Now I have 2 additional ADSL lines and the TP-Link load balancer router, and I'm looking for the best solution for the diagram I sent earlier.

Dave, do you think I have to upgrade my UTM?

I have a total of 24 Mb ADSL speed divided across 4 lines, and about 150 users and 160 PCs and growing.

rwpatterson

My recommendation:

  • Set up the TPLink load balancer on the two additional ADSL lines
  • Use a laptop and test the Internet access through the TPLink with the laptop
  • When you get it to work, change out the laptop with one leg of your FGT UTM
  • Make sure you can use that TPLink Internet connection through the FGT
  • Plug those other two ADSL links into the TPLink and have a beer

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Othman_Mohamed
New Contributor

Hi rwpatterson,

Your recommendations are simply what I did. The problem is when I connect the TPLink load balancer to the FGT WAN interface the internet goes down, even "when the WAN interface is connected"; when I disconnect the TPLink load balancer everything works fine?!!

Have a beer: I already had one today ;) Thank you, man.

Dave_Hall

It looks like you already have load-balancing between the two WAN ports on the Fortigate -- you will need to disconnect/disable one of the WAN ports (I would choose WAN2) and let internal traffic flow through the remaining WAN port, to the load-balancer. (If you currently do not have dead-gateway detection configured on the WAN ports then naturally the Internet will stop once you unplug one of the cables from the WAN ports.)

I am dead set against setting up an internal network (if I can help it) that would result in a double NAT situation -- what you are proposing would result in a triple NAT situation (192.168.100.x->192.168.5.x->192.168.[1-4].x->Internet). I would try to remove as much of this NAT complexity as possible, starting with seeing if the ADSL modems can be placed into bridge mode -- this should allow the load-balancer to obtain "outside" IP addresses once it is configured for all four modem connections. If you can place the 80CM into transparent mode then ideally (along with the ADSL modems in bridge mode), you can go from 192.168.100.x->fgt->192.168.100.x->Load-balancer->Internet. (One nice thing about this is if the Fortigate failed, you can remove it and connect your internal network directly to the load-balancer.)

Personally, I'm not really a big fan of TPlink and only wished the TL-R470T+ had a 1-GB internal port (personal opinion only). That said, the TL-R470T+ would make a good choice for off-loading the complexity/processing power/resources on the 80CM -- if you had a more powerful Fortigate I would say try the load-balancing stuff directly from the Fortigate.

As for determining if the 80CM is adequate to the task -- if it is already up and running on your network, what is the CPU/memory usage on it like? If the 80CM is pushing >80% CPU usage or >78% memory usage then I say it's time to upgrade.

What Bob says is good advice. I would go a bit further if I was deploying a load-balancer; I would want to make sure the connections between the load-balancer and modems are properly configured (e.g. no duplex/speed mismatch, proper MTU value, etc.). I would then see how quickly (or not at all) the load-balancer acts if you disconnect/reconnect one or more modems from it. It wouldn't be a good load-balancer if it couldn't redirect traffic to the other modem connections upon detecting a downed modem.

Edit: when connecting the 80CM to the load-balancer, you will want to confirm the default 0.0.0.0/0.0.0.0 route (on the 80CM) is pointing to the load-balancer's LAN IP address.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
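The two items ede lists (one default route, one internal-to-wan1 policy carrying the UTM profiles), together with Dave's note that the default route must point at the load balancer's LAN IP, as a FortiOS 4.x CLI script. This is an added example, not configuration posted by anyone in the thread; it assumes the addressing from Othman's diagram (wan1 192.168.5.2/24, TP-Link LAN 192.168.5.1) and uses placeholder profile names.

```fortios
# Added example, not from the thread. FortiOS 4.x CLI; addresses assumed from the diagram above.
# wan1 faces the TP-Link LAN (192.168.5.1); wan2 is left unused so only one default route exists.
config system interface
    edit "wan1"
        set ip 192.168.5.2 255.255.255.0
        set allowaccess ping
    next
end

# 1. Single default route: next hop is the load balancer's LAN IP, out of wan1.
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 192.168.5.1
        set device "wan1"
    next
end

# 2. internal -> wan1 policy allowing all traffic, source NAT to the wan1 address,
#    UTM profiles attached here. Profile names below are placeholders.
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
        set utm-status enable
        set av-profile "default"
        set ips-sensor "default"
        set profile-protocol-options "default"
    next
end
# (On FortiOS 5.0 and later the catch-all service is named "ALL" instead of "ANY".)

# Checks after cabling wan1 to the TP-Link:
#   get router info routing-table all
#       expect a single default entry: S*  0.0.0.0/0 [10/0] via 192.168.5.1, wan1
#   diagnose hardware deviceinfo nic wan1
#       compare Speed/Duplex with the TP-Link port to rule out a mismatch
#   execute ping 192.168.5.1
#       next hop answers; if not, look at the cabling or the TP-Link LAN subnet first
```

If wan2 still holds a second default route from the earlier two-modem setup, remove it before testing, otherwise traffic can keep being sent out the port that no longer has a working upstream.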
rwpatterson
Valued Contributor III

Also, when you plug the FGT into the TPLink, check the interface on the Fortigate from the CLI. There may be a speed or duplex mismatch. From the CLI:

diagnose hardware deviceinfo nic <wanx>

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com