cmberry
New Contributor

Another Dual Wan/ Two ISPs question

I’ve read through some recent posts, but they don’t seem to address my question. Bear with me. I have two different ISPs, two sets of DNS, and two gateways. Wan1 is configured and everything works great internally/externally with my firewall policies, UTM, etc. I would like to just have the second ISP give me MORE bandwidth to outside world. Mostly I see people talking about Dual WAN for redundancy, or to partition certain traffic to use a certain WAN. I would just like to have the internal network use up all of WAN1 bandwidth, and then start using Wan2 bandwidth, so overall I have more bandwidth. I am using firmware 4.2.2 on a 200B. I have created an interface for Wan2. I think I probably have to do something with Static Routing, but I am not sure how to proceed. Thanks for the help!
15 REPLIES
abelio
SuperUser

> I would like to just have the second ISP give me MORE bandwidth to outside world. Mostly I see people talking about Dual WAN for redundancy, or to partition certain traffic to use a certain WAN. I would just like to have the internal network use up all of WAN1 bandwidth, and then start using Wan2 bandwidth, so overall I have more bandwidth. I am using firmware 4.2.2 on a 200B.

200B running 4.2 is 802.3ad capable. Depending on how your ISP is bringing services to you, check the 4.2 admin guide for 'link aggregation' to aggregate interfaces to increase the bandwidth available. First warning: aggregate interfaces must all connect to the same next-hop routing destination. With 2 different ISPs I cannot figure out how that could be performed.

regards / Abel
ede_pfau
SuperUser
SuperUser

I think it's much simpler: just configure 2 default routes to your 2 ISPs with equal distance and priority. Then, the Fortigate will distribute internet (outgoing) traffic evenly. No need for policy routing or anything. If you want to, you can look it up in the FortiOS Handbook, "ECMP" ("equal cost multiple paths" routing). Link aggregation is nice but will not work with 2 different ISPs.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
abelio

> ORIGINAL: ede_pfau
> I think it's much simpler: just configure 2 default routes to your 2 ISPs with equal distance and priority. Then, the Fortigate will distribute internet (outgoing) traffic evenly. No need for policy routing or anything. If you want to, you can look it up in the FortiOS Handbook, "ECMP" ("equal cost multiple paths" routing).

Not exactly, Ede. What I understand from cmberry's post is that he doesn't want balancing in any way. He would add bandwidth from the second WAN when the first one became exhausted, or something like that. ECMP is about balancing between WANs, not for adding more bandwidth to the existent one.

> Link aggregation is nice but will not work with 2 different ISPs.

Yup, it's nice, but with several constraints to deploy it. regards, A.

regards / Abel
cmberry

> I think it's much simpler: just configure 2 default routes to your 2 ISPs with equal distance and priority. Then, the Fortigate will distribute internet (outgoing) traffic evenly. No need for policy routing or anything. If you want to, you can look it up in the FortiOS Handbook, "ECMP" ("equal cost multiple paths" routing).

So, this sounds like what I need, but I can't find ECMP in my webconfig. I read about it in the FortiOS Handbook and in the web config HELP; both list it as showing up in Router > Static > Static Route, but NOT in my 200B 4.2.2. It should have a link after the word "delete", but there is nothing there. Hmmm. Can someone else running 4.2.2 confirm it's missing or moved, or am I crazy?
willem
New Contributor

If you want to use the bandwidth of WAN1 first and then switch to WAN2, use the spillover threshold that you can define in the interface settings.
Willem __________________________________ FCNSP (Fortinet Certified Network Security Professional)
ede_pfau
SuperUser

Funny that we carry on the discussion and the OP doesn't... It is exactly what you write that I was referring to (if cmberry wants additional bandwidth only if wan1 gets exhausted). Plain ECMP just adds the second line, and with it bandwidth. Not for one connection (as LACP does) but for many connections if seen statistically. As ECMP is on layer 3, LACP on layer 2. But if you read on (Handbook, pp.1226-1228) you find "spill-over ECMP". This is how you can use a second wan line in addition to the existing first line in case it gets saturated. Only difference in setup is that you define a spill-over threshold for each interface.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
cmberry
New Contributor

Hi guys, just catching up on all these posts. Thanks for the replies, I am going to try the solution(s) suggested and let you know. I really appreciate the detailed responses. It sounds like this is a really simple thing to implement, which is a relief.
ede_pfau
SuperUser

yep, confirmed. Version: Fortigate-50B v4.0,build0291,100824 (MR2 Patch 2) Use
 conf sys settings
   set v4-ecmp-mode usage-based
 end
instead.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
cmberry

> yep, confirmed. Version: Fortigate-50B v4.0,build0291,100824 (MR2 Patch 2)

Ok, thanks for looking. I did as you suggested:

 config system settings
   set v4-ecmp-mode {source-ip-based | usage-based | weight-based}
 end

I added a spillover threshold for each interface, 1500 kbps for one and 6000 kbps for another, and I'll see how it goes. By the way, both interfaces are working to the outside world, so now it's a matter of me tweaking it so they are utilized in a way that I have maximum bandwidth. I wonder if it's a bug that the web config does not show ECMP, or if it's by design?

In terms of Firewall policies, do I need to double all of my policies from WAN1 for WAN2? Right now I have a policy that does Internal -> Wan1, with various UTM features. I also added an Internal -> Wan2 manually. But with ECMP and static routes with same distance and priority, is this still necessary?
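
The pieces suggested across the replies above, gathered into one FortiOS 4.0 MR2 CLI sketch; this is an added example, not a configuration posted by anyone in the thread. The interface names, the documentation-range gateway addresses, the policy ID and the pairing of the 1500/6000 kbps thresholds with wan1/wan2 are assumptions. FortiOS matches firewall policies per source/destination interface pair, so sessions that spill over to the second link are only forwarded, and only inspected, if an Internal -> wan2 policy exists alongside the Internal -> wan1 one.

```fortios
# Two default routes with equal distance and priority, so both are
# installed in the routing table as ECMP candidates.
# Gateways are placeholders (assumed), replace with each ISP's next hop.
config router static
    edit 1
        set device "wan1"
        set gateway 192.0.2.1
        set distance 10
        set priority 0
    next
    edit 2
        set device "wan2"
        set gateway 198.51.100.1
        set distance 10
        set priority 0
    next
end

# Per-interface spillover thresholds in kbps (values from the thread;
# which value belongs to which interface is assumed here).
config system interface
    edit "wan1"
        set spillover-threshold 1500
    next
    edit "wan2"
        set spillover-threshold 6000
    next
end

# Spillover ("usage-based") ECMP instead of the default source-IP mode.
config system settings
    set v4-ecmp-mode usage-based
end

# Matching egress policy for the second link (policy ID assumed).
# Apply the same UTM settings here as on the Internal -> wan1 policy,
# otherwise spilled-over sessions are filtered differently.
config firewall policy
    edit 2
        set srcintf "internal"
        set dstintf "wan2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
    next
end
```

`get router info routing-table all` should then list both default routes; if only one appears, the distances differ or one link is down.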