I need to add a new Isp on Wan 2 and then i would that clients use Wan2 to surf the web but servers and services (exchange server,web server etc etc) keep on use Wan1.
It's enough to:
-set the network interface for wan2
-add a static route for wan2
-change the policies internal---->wan1 and set the outgoing interface to wan2
??
Thanks for your help
Francesco
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Great that it is working for you.
No, you can not use an address range unfortunately. It isn't needed usually, since routing is the passing of traffic between different networks.
This is also one of the many reasons you really should keep users and servers on different VLANs and subnets.
First thing that comes to mind is to move the users to another subnet. If they are DHCP clients that is an easy thing to setup in the firewall.
If that isn't possible, you can try to be creative with your own subnetting in the policy route.
Something like this:
Write policy routes that send these nets out via wan2.
192.168.1.96/27
192.168.1.127/26
192.168.1.192/28
That will cover all usable addresses between 1.97-206. Close enough for rock 'n roll?
:)
Richie
NSE7
You'll need to use policy routing in order to make that work.
Add the WAN2 interface with the new ISP. Add a default route to it, with distance 10 and priority 10 (if your wan1 default route is distance 10 and priority 0 - Use the same distance as WAN1, but LOWER priority on WAN2 (higher number).)
Create the firewall policies for your user networks that sends them out on WAN2 with NAT etc etc.
Create policy routes for your user networks that STOP policy routing when the destination is:
192.168.0.0/16
172.16.0.0/12
10.0.0.0/8
This is needed because otherwise the clients shouldn't be able to reach anything internal - They are forced out on WAN2 by the rule below here. It is important that these rules that stop policy routing is on top of the ruleset, BEFORE the rule that does the actual policy routing.
Create policy routes for your user networks that forwards the traffic to destination network 0.0.0.0/0 -> WAN2, do not specify gateway address, use 0.0.0.0.
Configure link monitors for wan1 and wan2 in cli that pings something out on the internet that's always up, like Google's A/B-DNS:
(Set the interval/timeout/failtime/recoverytime to your liking, value is in seconds)
configure system link-monitor
edit monitor-wan1
set srcintf wan1
set server 8.8.8.8
set protocol ping
set gateway-ip x.x.x.x (your gateway on wan1)
set source-ip x.x.x.x (your wan1 IP)
set interval 5
set timeout 5
set failtime 5
set recoverytime 5
set update-static-route enable
set status enable
next
edit monitor-wan2
set srcintf wan2
etc etc... Do the rest the same as the monitor for wan1...
next
end
Now, if you want the user networks to be able to fall over to WAN1 if WAN2 fails, create rules pointing them to WAN1 also. Or create a zone (I would call it "INTERNET"...) with both wan1 and wan2 in it, and point all traffic going out to that zone. The policy routing and the regular routing table will take care of the traffic, everything that isn't policy routed will go out on wan1 according to the routing table. The link monitor will update the routing table when a link fails and remove all routes to the monitored interface.
So, if WAN1 fails, the default route is removed, and the traffic will hit the next default route, and use that.
Same with the traffic that you policy routed out on WAN2; as long as you only specify interface, and not gateway address, the traffic will go out on the interface that has the default route wich is WAN1 if WAN2 fails.
:)
Richie
NSE7
General routing uses the destination address as the decision (and both the clients and servers will likely be accessing similar Internet resources) so a typical default route will send all traffic out a single interface. You will need to use policy-based routing which can route based on information other than destination - and in this case you want a decision based on source address. You will need two "source address" policy routes, one for the clients pointing toward the WAN2 ISP and one for the servers pointing toward the WAN1 ISP.
So I need to Add the first policy route for all the Lan Ip towards WAN2 Source Address= 192.168.1.0/24 and then a specific policy route for each server i want to redirect towards WAN 1. Is this correct?
No, policy routing is for everything that you DON'T want to use your regular routing table.
Let your servers use your regular default route via wan1. You don't have to change anything for them. They will use wan1.
Then force your clients out on wan2 with policy routing.
Read my earlier post for the details.
Richie
NSE7
Thank you, I'm trying with my ip address and it works perfectly.
I see that in the policy route is not possible to type an ip address range as source address.
is there any way to set an ip range??probably working with subnet mask?
we have servers and users in the same subnet 192.168.1.0 and I'd like to set all the Ips from 100 to 200 towards Wan2
Great that it is working for you.
No, you can not use an address range unfortunately. It isn't needed usually, since routing is the passing of traffic between different networks.
This is also one of the many reasons you really should keep users and servers on different VLANs and subnets.
First thing that comes to mind is to move the users to another subnet. If they are DHCP clients that is an easy thing to setup in the firewall.
If that isn't possible, you can try to be creative with your own subnetting in the policy route.
Something like this:
Write policy routes that send these nets out via wan2.
192.168.1.96/27
192.168.1.127/26
192.168.1.192/28
That will cover all usable addresses between 1.97-206. Close enough for rock 'n roll?
:)
Richie
NSE7
Perfect for Rock 'n roll!
thank you!
Another question....when I'll have only Wan2 (and wan1 cable will be unplugged) i will need just to remove the Policy Routes created to force traffic to Wan2 and the static Route for Wan1 , and then everything will go through Wan2?
Hi everybody, I would like your help in configuring Fortigate 100D. My initial configuration was like this. I put the one public ip address (I have more ip addresses) on my fortigate 100D wan1. Created VIPs with port forwarding. Server-1: running Exchange server 2013 with virtual directories (HTTPS), so I will need ports 25 and 443 to be used on it. The email works so as OWA when accessed externally. Server-2: will be running web server: so port 80 and port 443 also will be used. But I tried to create VIP for 443 again it FAILED, it said you already created one, which is for the mail server. So I thought since I have another wan port, wan2. I can use the other public ip for wan2. So my current configuration is like this: Wan1 will be used only for incoming mail traffic (ports 24 and 443) Wan2 will be used only for incoming web traffic (ports 80 and 443) x.x.x.x - public ip y.y.y.y - private ip Wan1: x.x.x.84 Wan2: x.x.x.83 created 2 VIPs for mail and 2 VIPs for web mail: x.x.x.84 --> y.y.y.11 port: 25 (mail server) x.x.x.84 --> y.y.y.11 port:443 (mail server) web: x.x.x.83 --> y.y.y.12 port: 80 (web server) x.x.x.83 --> y.y.y.12 port:443 (web server) I put these in 2 different VIPs groups: Mail traffic and web traffic Created 2 policy: Mail: incoming interface : wan1 source address: all outgoing interface: LAN destination address: Mail traffic (VIP) Schedule: always services: Https, Smtp Action: accept NAT NOT ENABLED Web: incoming interface : wan2 source address: all outgoing interface: LAN destination address: web traffic (VIP) Schedule: always services: Https, http Action: accept NAT NOT ENABLED There is another policy for internal users to surf the internet: internet: incoming interface : LAN source address: all outgoing interface: wan1 destination address: all Schedule: always services: all Action: accept NAT ENABLED: Use Outgoing Interface Address And finally static route: 0.0.0.0/0.0.0.0, wan1, gateway x.x.x.x My questions are: 1. Does this configuration work when someone surf to the company's website or sends mail to us? I mean using our website ti they get x.x.x.83 --> y.y.y.12 and the same goes for the mail x.x.x.84 --> y.y.y.11? Do i need to do something else? 2. I have read that the public ip used for the incoming mail must also be used for outbound mail: (The SMTP server, when initiating traffic towards the Internet , must use the same the same source IP address). http://kb.fortinet.com/kb/viewContent.do?externalId=FD31240 Then what should I do? use policy routes or ip pool? How should I configure it? 3. For me doesn't matter if LAN users use wan1 or wan2 to surf the internet. but does it matter which port should be used? I appreciate any help. Please advice. :) Thank you.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1634 | |
1063 | |
751 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.