Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
francesco73
New Contributor

ADDITIONAL ISP on Fortigate 100D

I need to add a new ISP on WAN2, and then I would like clients to use WAN2 to surf the web, but servers and services (Exchange server, web server, etc.) to keep using WAN1.

Is it enough to:

- set the network interface for WAN2
- add a static route for WAN2
- change the policies internal ----> wan1 and set the outgoing interface to wan2?

Thanks for your help

Francesco

kallbrandt
Contributor II

You'll need to use policy routing in order to make that work.

Add the WAN2 interface with the new ISP. Add a default route to it, with distance 10 and priority 10 (if your wan1 default route is distance 10 and priority 0). Use the same distance as WAN1, but LOWER priority on WAN2 (higher number).

Create the firewall policies for your user networks that send them out on WAN2 with NAT etc.

Create policy routes for your user networks that STOP policy routing when the destination is:

- 192.168.0.0/16
- 172.16.0.0/12
- 10.0.0.0/8

This is needed because otherwise the clients wouldn't be able to reach anything internal; they are forced out on WAN2 by the rule below. It is important that these rules that stop policy routing are on top of the ruleset, BEFORE the rule that does the actual policy routing.

Create policy routes for your user networks that forward the traffic to destination network 0.0.0.0/0 -> WAN2. Do not specify a gateway address; use 0.0.0.0.

Configure link monitors for wan1 and wan2 in the CLI that ping something out on the internet that's always up, like Google's A/B DNS:

(Set the interval/timeout/failtime/recoverytime to your liking; the value is in seconds.)

    config system link-monitor
        edit monitor-wan1
            set srcintf wan1
            set server 8.8.8.8
            set protocol ping
            set gateway-ip x.x.x.x    (your gateway on wan1)
            set source-ip x.x.x.x     (your wan1 IP)
            set interval 5
            set timeout 5
            set failtime 5
            set recoverytime 5
            set update-static-route enable
            set status enable
        next
        edit monitor-wan2
            set srcintf wan2
            (etc... do the rest the same as the monitor for wan1)
        next
    end

Now, if you want the user networks to be able to fall over to WAN1 if WAN2 fails, create rules pointing them to WAN1 also. Or create a zone (I would call it "INTERNET"...) with both wan1 and wan2 in it, and point all traffic going out to that zone. The policy routing and the regular routing table will take care of the traffic; everything that isn't policy routed will go out on wan1 according to the routing table. The link monitor will update the routing table when a link fails and remove all routes to the monitored interface.

So, if WAN1 fails, the default route is removed, and the traffic will hit the next default route, and use that.

Same with the traffic that you policy routed out on WAN2; as long as you only specify the interface, and not a gateway address, the traffic will go out on the interface that has the default route, which is WAN1 if WAN2 fails.

:)

Richie, NSE7
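The ordering and fallback behaviour described in the post above, as an added example that is not from the original thread or from Fortinet: a constructed model of policy-route evaluation ahead of the routing table, in which "stop" rules for RFC1918 destinations must precede the forward-to-wan2 rule, and a forced interface with no remaining routes (the link monitor has withdrawn them) falls back to the routing table. Interface names, the user subnet and the routing table are assumptions.

```python
import ipaddress

# Constructed model of how a FortiGate evaluates policy routes before the routing
# table. Not Fortinet code; interface names and addresses are assumptions.
ANY = ipaddress.ip_network("0.0.0.0/0")
RFC1918 = [ipaddress.ip_network(n) for n in ("192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8")]

def build_policy_routes(user_nets, stop_rules_first=True):
    """Policy routes as (src, dst, action, out_iface), evaluated top to bottom.
    'stop' mimics the "Stop Policy Routing" action: the packet falls through to
    the normal routing table instead of being forced out an interface."""
    users = [ipaddress.ip_network(u) for u in user_nets]
    stops = [(u, p, "stop", None) for u in users for p in RFC1918]
    forwards = [(u, ANY, "forward", "wan2") for u in users]   # interface only, no gateway
    return stops + forwards if stop_rules_first else forwards + stops

def routing_lookup(dst, routing_table):
    """Longest prefix match, then the lowest priority value wins (priority 0 preferred)."""
    candidates = [(ipaddress.ip_network(net), iface, prio)
                  for net, iface, prio in routing_table if dst in ipaddress.ip_network(net)]
    if not candidates:
        return None
    best = max(candidates, key=lambda c: (c[0].prefixlen, -c[2]))
    return best[1]

def egress(src, dst, policy_routes, routing_table):
    """Return the interface a packet from src to dst leaves on."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Interfaces still holding a route; the link monitor removes routes of a failed link.
    live = {iface for _, iface, _ in routing_table}
    for src_net, dst_net, action, out in policy_routes:   # first match wins
        if s in src_net and d in dst_net:
            if action == "stop":
                break
            if out in live:
                return out
            break   # forced interface is down: fall back to the routing table
    return routing_lookup(d, routing_table)

# Constructed routing table: (network, interface, priority). Users live in 192.168.1.128/26.
ROUTES = [("0.0.0.0/0", "wan1", 0), ("0.0.0.0/0", "wan2", 10), ("192.168.1.0/24", "internal", 0)]
```

Removing every route of an interface from ROUTES simulates the link monitor taking that link down.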
Justlinux
New Contributor

General routing uses the destination address as the decision (and both the clients and servers will likely be accessing similar Internet resources) so a typical default route will send all traffic out a single interface. You will need to use policy-based routing which can route based on information other than destination - and in this case you want a decision based on source address. You will need two "source address" policy routes, one for the clients pointing toward the WAN2 ISP and one for the servers pointing toward the WAN1 ISP.

francesco73

So I need to add a first policy route for all the LAN IPs towards WAN2 (source address = 192.168.1.0/24), and then a specific policy route for each server I want to redirect towards WAN1. Is this correct?

kallbrandt

No, policy routing is for everything that you DON'T want to use your regular routing table.

Let your servers use your regular default route via wan1. You don't have to change anything for them. They will use wan1.

Then force your clients out on wan2 with policy routing.

Read my earlier post for the details.

Richie, NSE7
francesco73

Thank you, I'm trying with my IP addresses and it works perfectly.

I see that in the policy route it is not possible to type an IP address range as the source address.

Is there any way to set an IP range? Probably by working with the subnet mask?

We have servers and users in the same subnet, 192.168.1.0, and I'd like to send all the IPs from 100 to 200 towards WAN2.

kallbrandt (accepted solution)

Great that it is working for you.

No, you can not use an address range unfortunately. It isn't needed usually, since routing is the passing of traffic between different networks.

This is also one of the many reasons you really should keep users and servers on different VLANs and subnets.

First thing that comes to mind is to move the users to another subnet. If they are DHCP clients that is an easy thing to set up in the firewall.

If that isn't possible, you can try to be creative with your own subnetting in the policy route.

Something like this:

Write policy routes that send these nets out via wan2.

- 192.168.1.96/27
- 192.168.1.127/26
- 192.168.1.192/28

That will cover all usable addresses between 1.97-206. Close enough for rock 'n roll?

:)

Richie, NSE7
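The subnetting trick above, as an added example that is not from the thread: it computes the exact CIDR cover for 192.168.1.100-200 with the standard library, and checks a candidate list of policy-route source entries for hosts left uncovered, hosts swept in from outside the range (servers there would be forced out wan2 too), and entries whose host bits are set, which are reported rather than guessed at. The address range is the one from the question; the entry lists in the check are assumptions.

```python
import ipaddress

def range_to_cidrs(first, last):
    """Smallest set of CIDR blocks that exactly covers first..last (inclusive)."""
    return [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))]

def check_coverage(entries, first, last):
    """Compare candidate policy-route source entries with the wanted range.
    Returns how many wanted hosts are covered or missing, how many hosts outside
    the range are swept in, and any entry that is not on a network boundary
    (ipaddress refuses those instead of silently normalizing them)."""
    wanted = set(range(int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last)) + 1))
    covered, invalid = set(), []
    for entry in entries:
        try:
            covered.update(int(a) for a in ipaddress.ip_network(entry))
        except ValueError:
            invalid.append(entry)
    return {"covered": len(wanted & covered), "missing": len(wanted - covered),
            "extra": len(covered - wanted), "invalid": invalid}
```

Fewer, coarser entries are easier to maintain in the policy route but widen the "extra" count; the exact cover needs six entries for this range.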
francesco73

Perfect for rock 'n roll!

Thank you!

francesco73

Another question... when I'll have only WAN2 (and the wan1 cable will be unplugged), will I just need to remove the policy routes created to force traffic to WAN2 and the static route for WAN1, and then everything will go through WAN2?

armanforti

Hi everybody, I would like your help in configuring a Fortigate 100D.

My initial configuration was like this. I put one public IP address (I have more IP addresses) on my Fortigate 100D wan1 and created VIPs with port forwarding.

Server-1: running Exchange Server 2013 with virtual directories (HTTPS), so I will need ports 25 and 443 to be used on it. The email works, as does OWA when accessed externally.

Server-2: will be running a web server, so port 80 and port 443 will also be used. But when I tried to create a VIP for 443 again it FAILED; it said I had already created one, which is for the mail server.

So I thought, since I have another WAN port, wan2, I can use the other public IP for wan2. So my current configuration is like this:

Wan1 will be used only for incoming mail traffic (ports 24 and 443)
Wan2 will be used only for incoming web traffic (ports 80 and 443)

x.x.x.x - public IP
y.y.y.y - private IP

Wan1: x.x.x.84
Wan2: x.x.x.83

I created 2 VIPs for mail and 2 VIPs for web:

mail:
x.x.x.84 --> y.y.y.11  port: 25 (mail server)
x.x.x.84 --> y.y.y.11  port: 443 (mail server)

web:
x.x.x.83 --> y.y.y.12  port: 80 (web server)
x.x.x.83 --> y.y.y.12  port: 443 (web server)

I put these in 2 different VIP groups: Mail traffic and Web traffic.

I created 2 policies:

Mail:
incoming interface: wan1
source address: all
outgoing interface: LAN
destination address: Mail traffic (VIP)
schedule: always
services: HTTPS, SMTP
action: accept
NAT NOT ENABLED

Web:
incoming interface: wan2
source address: all
outgoing interface: LAN
destination address: Web traffic (VIP)
schedule: always
services: HTTPS, HTTP
action: accept
NAT NOT ENABLED

There is another policy for internal users to surf the internet:

Internet:
incoming interface: LAN
source address: all
outgoing interface: wan1
destination address: all
schedule: always
services: all
action: accept
NAT ENABLED: Use Outgoing Interface Address

And finally the static route: 0.0.0.0/0.0.0.0, wan1, gateway x.x.x.x

My questions are:

1. Does this configuration work when someone surfs to the company's website or sends mail to us? I mean, using our website, do they get x.x.x.83 --> y.y.y.12, and the same for mail, x.x.x.84 --> y.y.y.11? Do I need to do something else?

2. I have read that the public IP used for incoming mail must also be used for outbound mail (the SMTP server, when initiating traffic towards the Internet, must use the same source IP address): http://kb.fortinet.com/kb/viewContent.do?externalId=FD31240 Then what should I do? Use policy routes or an IP pool? How should I configure it?

3. For me it doesn't matter if LAN users use wan1 or wan2 to surf the internet, but does it matter which port should be used?

I appreciate any help. Please advise. :)

Thank you.
