I had 3 WAN connections (ADSL modems) providing internet access to my company. I brought in a 4th connection, a fiber metro connection delivered by the switch, and connected it to my 4th port.
1 - First I set up the new interface (named metro_port). I selected the role as WAN, the addressing mode as manual, and the IP/netmask as provided by the ISP.
2 - In the second step I defined a static route. I set the destination to 0.0.0.0/0.0.0.0, the interface as set up in the first step (metro_port), and the gateway as provided by the ISP.
3 - In the third step I inserted a new policy route in order to make my computer go out to the internet over metro_port.
4 - I set up a new firewall policy, incoming as lan, outgoing as metro_port, source as my computer's IP address. I selected NAT enabled. To maximize the priority of this policy I dragged it to the top of the list.
Now, unless I unplug or disable my old WAN connections (the ADSL modem connections), I cannot use the new WAN connection for internet access. I checked the log tables; it doesn't even use this policy.
What am i doing wrong?
Check your routing table (get router info routing-table all) to see if the new static route is even in the table.
In order to use multiple default routes the distance has to be the same (though the priority can be different to determine the path used without policy routing).
I can see the new static route in the routing table; it says:
176.xxx.xxx.xxx/30 is directly connected
But I am not using multiple static routes; I defined just one static route for this new gateway.
What kind of default routes are your other WAN connections using then, if not static? That would be the problem most likely. ECMP does not work across different types as far as I know, so you'll need to make sure all the routes are the same type and distance to be able to route across different WAN connections simultaneously.
I created static routes for the other WAN interfaces now; the configuration is attached below.
But nothing has changed. The routing table is not showing routes matching my static route configuration.
Exclamation warnings say "xxx.xxx.xxx.xxx gateway IP could be unreachable. It is not in any subnet of the interface".
I tried using different priorities as well.
At the same time I have policy routes directing internal clients (sources) to specified interfaces. Will these settings affect static routes?
You still did not answer what kind of default routes your other WAN connections are using. It sounds like you mis-configured the statics that you just added, so naturally that wouldn't change anything. If I saw your routing table (result of get router info routing-table all) I would be able to answer this better.
Excuse me. I am not very good with FortiGate, but I configured this years ago. Whether I enter static routes or not,
get router info doesn't change. So I deleted the static routes and now the router info is:
Pxxxx # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

Routing table for VRF=0
S*      0.0.0.0/0 [5/0] via 212.xxx.xxx.217, ppp3, [0/40]
                  [5/0] via 212.xxx.xxx.217, ppp2, [0/30]
                  [5/0] via 212.xxx.xxx.217, ppp1, [0/30]
C       10.0.0.0/24 is directly connected, kablosuz
C       88.xxx.xxx.35/32 is directly connected, ppp3
C       88.xxx.xxx.36/32 is directly connected, ppp2
C       88.xxx.xxx.209/32 is directly connected, ppp1
C       176.xxx.xxx.120/30 is directly connected, port4
C       192.168.0.0/24 is directly connected, lan
C       192.168.2.0/24 is directly connected, port2
C       212.xxx.xxx.217/32 is directly connected, ppp3
                           is directly connected, ppp2
                           is directly connected, ppp1
Sorry, I was a little out of my depth here. I don't understand how you can have the 212.xxx.xxx.217 address on 3 different interfaces. It looks like it should be 88.xxx.xxx.35, 36, or 209 for each different interface. However, Googling this a bit it sounds like this is a common practice with PPPoE (which I have 0 experience with)...
This link may help you. It's a similar setup to yours I think: https://kb.fortinet.com/kb/documentLink.do?externalID=FD32573
The key as I mentioned originally was that the distance has to be the same between the routes, so you'll need to set a distance of 5 for your new fiber default route. By default it was 10 (as observed in the screenshot earlier).
This would also explain why nothing changed when you added the other static routes in that screenshot. They were all using a distance of 10 whereas these dynamic gateways you're getting from PPPoE use a distance of 5 and would exclude the ones with 10 from entering the routing table.
Solved, thanks a lot.
I had configured my interfaces as PPPoE and the distances were defined as 5 there. Now I just added a new static route for my new WAN connection with distance 5 and it worked.
Next time you have a chance to make changes, consider setting the interface distance, which is applied to the static default route inserted when PPPoE or DHCP pulls its IP, to something much larger, like 100 or 220. That would make the interface-injected default route lower priority, in terms of distance, than some routing protocol's routes.
We do this all the time because we use BGP in our network to control even the default route.
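The accepted answer and the follow-up tip both come down to one rule: only default routes with the lowest administrative distance are installed, equal-distance defaults are installed together (ECMP) and ordered by priority, and a higher-distance candidate never appears in the table at all. The script below is an added example written for this page, not FortiOS code and not something any poster ran. It parses output in the shape of the `get router info routing-table all` listing above (with the real addresses replaced by constructed RFC 5737 ranges) and pre-checks a planned default route for the two problems that came up in the thread: a distance that does not match the PPPoE-injected defaults, and a gateway that is not inside any subnet of the egress interface (the "gateway ip could be unreachable" warning). It assumes the trailing `[a/b]` on a routing-table line is weight/priority, and uses 20 as the eBGP distance when showing why interface distance 220 lets a BGP default win.

```python
"""
Added example (not FortiOS code, not from the thread): model of the
default-route selection rule and a parser for a routing-table listing,
so a planned 0.0.0.0/0 static route can be checked before it is committed.

Assumptions, restated from the lead-in:
  * only the lowest administrative distance is installed; equal-distance
    defaults are installed together (ECMP) and ordered by priority value;
  * the trailing "[a/b]" on a routing-table line is [weight/priority];
  * addresses in SAMPLE_TABLE are constructed (RFC 5737), not the poster's.
"""
import re
from ipaddress import ip_address, ip_network

# Constructed sample in the shape of the thread's routing table.
SAMPLE_TABLE = """\
Routing table for VRF=0
S*      0.0.0.0/0 [5/0] via 203.0.113.217, ppp3, [0/40]
                  [5/0] via 203.0.113.217, ppp2, [0/30]
                  [5/0] via 203.0.113.217, ppp1, [0/30]
C       10.0.0.0/24 is directly connected, kablosuz
C       198.51.100.120/30 is directly connected, port4
C       192.168.0.0/24 is directly connected, lan
C       203.0.113.217/32 is directly connected, ppp3
                         is directly connected, ppp2
                         is directly connected, ppp1
"""

# Gateway routes: the prefix is printed once, continuation lines start at "[".
NEXTHOP_RE = re.compile(
    r"^(?:(?P<code>\S+)\s+(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+)?"
    r"\[(?P<distance>\d+)/(?P<metric>\d+)\] via (?P<gw>\S+), (?P<dev>[^,\s]+)"
    r"(?:, \[(?P<weight>\d+)/(?P<priority>\d+)\])?$"
)
# Connected routes, same continuation convention for a /32 shared by interfaces.
CONNECTED_RE = re.compile(
    r"^(?:C\s+(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+)?"
    r"is directly connected, (?P<dev>\S+)$"
)


def parse_table(text):
    """Return (nexthops, connected).

    nexthops: one dict per next hop of every gateway route, with the prefix
    carried forward onto continuation lines.
    connected: device -> list of ip_network for 'is directly connected' rows.
    """
    nexthops, connected, prefix = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = NEXTHOP_RE.match(line)
        if m:
            prefix = m["prefix"] or prefix
            nexthops.append({
                "prefix": prefix, "gateway": m["gw"], "device": m["dev"],
                "distance": int(m["distance"]), "metric": int(m["metric"]),
                "priority": int(m["priority"] or 0),
            })
            continue
        m = CONNECTED_RE.match(line)
        if m:
            prefix = m["prefix"] or prefix
            connected.setdefault(m["dev"], []).append(ip_network(prefix, strict=False))
    return nexthops, connected


def installed_defaults(candidates):
    """Which candidate defaults land in the table.

    candidates: iterable of (device, distance, priority). Assumed rule: only
    the lowest distance is installed; ties become ECMP ordered by priority.
    """
    cands = list(candidates)
    if not cands:
        return []
    best = min(c[1] for c in cands)
    return sorted([c for c in cands if c[1] == best], key=lambda c: (c[2], c[0]))


def check_new_default(table_text, device, gateway, distance):
    """Findings (empty list = fine) for a planned 0.0.0.0/0 static route."""
    nexthops, connected = parse_table(table_text)
    findings = []
    gw = ip_address(gateway)
    if not any(gw in net for net in connected.get(device, [])):
        findings.append(f"gateway {gateway} is not in any subnet of {device}")
    defaults = [n for n in nexthops if n["prefix"] == "0.0.0.0/0"]
    if defaults:
        current = min(n["distance"] for n in defaults)
        if distance > current:
            findings.append(f"distance {distance} > {current} used by the "
                            f"{len(defaults)} installed default(s): the new "
                            f"route would stay out of the routing table")
        elif distance < current:
            findings.append(f"distance {distance} < {current}: the new route "
                            f"would replace the installed default(s) instead "
                            f"of load-sharing with them")
    return findings


if __name__ == "__main__":
    # The first attempt: GUI default distance 10 on the fibre route.
    print(check_new_default(SAMPLE_TABLE, "port4", "198.51.100.121", 10))
    # The accepted fix: match the PPPoE interfaces' distance of 5.
    print(check_new_default(SAMPLE_TABLE, "port4", "198.51.100.121", 5))
    # The last reply's advice: interface distance 220 lets a BGP default
    # (eBGP distance 20) take over whenever it is present.
    print(installed_defaults([("ppp1", 220, 0), ("port4", 220, 0), ("bgp", 20, 0)]))
```

Paste your own `get router info routing-table all` output in place of `SAMPLE_TABLE` and call `check_new_default` with the interface, gateway and distance you intend to configure; an empty result means the route would join the existing defaults as an ECMP member, which is what the policy route in the question needs in order to be honoured.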