knut
New Contributor

Changing ISP

I have a FortiGate 100A working as a router/firewall for personal users. We are changing the ISP at the front, and we have all public IPs. What I would like to do is to keep the old connection as a backup, as well as serve the internet connection until everybody has gotten a new IP address. But the FortiGate seems to struggle with two equal default gateways (I can only connect to WAN1 IP addresses and not WAN2). At first I would have liked the IPs in use today to stay the same until it asks for a new IP from the DHCP. But this doesn't seem to work that well, so I might have to change the firewall rules to use NAT with the old addresses through the new ISP. I'm using WAN1 as the old connection and WAN2 as the new. Internal is currently the old connection, and the DMZ1 is the new, both connected to the same switch. Is there any good way to do this?
1 FGT320B, 1 FGT200B, 1 FGT110C, 1 FGT60C, 3 FGT50B, 3FAP220A. 4.0MR3P7 and 4.0MR2P11
Fireshield
New Contributor

First off, is there a reason you are moving the Internal network to the DMZ? You should be able to allow the traffic just fine from the Internal. The only requirement for equal routing is to have one set to priority via the CLI.

    conf rout sta
        edit X
            set priority 1    (for new link, 2 for old)
        next
    end

Then also make sure you have firewall policies to allow the traffic.
FCSE > FCNSP 2.8 > FCNSP 3.0 (Former) FCT
knut
New Contributor

The reason for two interfaces on the internal side is the different internal IP addresses (all public IPs).
1 FGT320B, 1 FGT200B, 1 FGT110C, 1 FGT60C, 3 FGT50B, 3FAP220A. 4.0MR3P7 and 4.0MR2P11
Fireshield
New Contributor

Then you will want policy routing. Source [DMZ IPs] Destination [WAN2]
FCSE > FCNSP 2.8 > FCNSP 3.0 (Former) FCT
knut
New Contributor

How could I overlook that one! Thank you very much for a quick and prompt answer.
1 FGT320B, 1 FGT200B, 1 FGT110C, 1 FGT60C, 3 FGT50B, 3FAP220A. 4.0MR3P7 and 4.0MR2P11
Not applicable

Hi! Just to describe to you how you could work with policy-based routing (no 'backup', just simple static in the first run).

Define everything as if there was only your internal network and your new provider. Set the default route with your new provider (WAN1), enable NAT for the clients and write some policies. You can test your settings now, to see if everything is working with the internal network as usual.

In the second step, you route _all_ your traffic from the DMZ interface via the old provider (WAN2). For this reason, establish a policy route for all traffic arriving from DMZ to be routed over WAN2. Write some normal policies to allow the traffic from DMZ to WAN2. You should be done.
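The setup discussed in this thread written out as one FortiOS CLI configuration, added here as an example and not posted by any participant. It assumes the interface roles from the original question (wan1 = old ISP, wan2 = new ISP, internal = old public range, dmz1 = new public range) and FortiOS 4.0-style syntax; all addresses, entry IDs and the address object name are constructed placeholders.

```fortios
# Constructed example: documentation-range addresses, made-up IDs and names.
# Assumed: wan1 = old ISP, wan2 = new ISP, internal = old range, dmz1 = new range.
# Two default routes; the lower priority value is preferred.
config router static
    edit 1
        set device "wan1"
        set gateway 192.0.2.1
        set priority 2
    next
    edit 2
        set device "wan2"
        set gateway 192.0.2.129
        set priority 1
    next
end
# Policy routes are checked before the routing table: each range exits via its own ISP.
config router policy
    edit 1
        set input-device "internal"
        set src 198.51.100.0 255.255.255.0
        set dst 0.0.0.0 0.0.0.0
        set output-device "wan1"
        set gateway 192.0.2.1
    next
    edit 2
        set input-device "dmz1"
        set src 203.0.113.0 255.255.255.0
        set dst 0.0.0.0 0.0.0.0
        set output-device "wan2"
        set gateway 192.0.2.129
    next
end
# Permit only the new range out of wan2 (an equivalent pair is needed for internal -> wan1).
config firewall address
    edit "new-isp-range"
        set subnet 203.0.113.0 255.255.255.0
    next
end
config firewall policy
    edit 10
        set srcintf "dmz1"
        set dstintf "wan2"
        set srcaddr "new-isp-range"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
    next
end
```

Restricting `srcaddr` to the range that belongs to each uplink, instead of "all", keeps addresses from the other ISP's range from leaving through the wrong provider.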