
DUAL WAN ROUTING

I actually don't want to load balance traffic across two connections as we have external services which are mapped to external IP addresses, i.e., SIP and E-mail. We have 3 production servers; one is 192.168.0.8, which is our primary server with an external IP mapped to a server certificate, external e-mail access, and employee intranet. This server is currently using WAN1, which has been our long established internet account. Another server, 192.168.0.200, is an IP PBX, and we are doing SIP trunking currently with Voicepulse, and migrating to Bandwidth.com. These trunk providers map their services to the public address of WAN1. I do not want to change this setup, and want to make sure that traffic from these two servers stays on WAN1. The Internet connection for these services has a higher upload capacity than the newly acquired WAN2 Internet connection. The rate of this connection is 5 MB down, 1.5 MB up. Since SIP traffic and the resulting voice quality correlate to available bandwidth, I want to isolate traffic. Our other production server, 192.168.0.12, is running Windows Media Services, and its default port conflicts with ports opened on 192.168.0.8, and as a result I have had to do VIPs with alternate ports to avoid conflicts. I would like to direct traffic from this server to utilize WAN2 as its exit to the Internet, and thus not have to use alternate ports to provision the use of the service offerings. This new Internet connection is not as robust as what we have on WAN1, being a 5 MB down / 384 KB up connection. Our internal users are currently browsing the internet using our WAN1 connection, and I would like that traffic to also travel down the new WAN2 connection. The idea is to completely separate and minimize any possibility that SIP traffic would be affected by a user's high internet usage, and also remove my needing to use VIPs to map incoming data traffic destined to my production servers.
Currently I have configured my WAN2 with the static IP associated with this provider, and created a default gateway with an equal cost of (10). I have created new policies in Internal --> WAN2 that I would have thought would force users to use WAN2. So by de-selecting the current policies in Internal --> WAN1, enabling the policy under Internal --> WAN2, and leaving defined policies in Internal --> WAN1 for the servers mentioned above, Internet does not work at all from any server or user. I have also tried creating a Policy Route, but when I try to configure a route for a particular server, it instead inserts 192.168.0.0/255.255.255.0 instead of the typed in 192.168.0.8/255.255.255.0. Why is it setting it as an entire subnet instead of just one host? Please help; not sure if my approach is correct, or if I need to take a different approach altogether.
Troy_Sorzano
New Contributor

I actually don't want to load balance traffic across two connections as we have external services which are mapped to external IP addresses, i.e., SIP and E-mail.
You may want the advantages of failover for all the services that are not IP specific. So you will want to use equal cost routing by setting both routes to the same distance. Believe me, it is a mental block that I just got past after using FortiGates since they were released.
one is 192.168.0.8, which is our primary server with an external IP mapped to a server certificate, external e-mail access, and employee intranet. This server is currently using WAN1 which has been our long established internet account.
My understanding of SSL certs is that they are tied to FQDN, not IP, as I have moved certs from IP to IP and from server to server as long as the FQDN is correct. I have our Exchange cert and it works on both of my WAN ports with equal cost routing.
Another server, 192.168.0.200, is an IP PBX, and we are doing SIP trunking currently with Voicepulse, and migrating to Bandwidth.com. These trunk providers map their services to the public address of WAN1.
We have a similar setup; our PBX VoIP is IP specific. So in a failover situation we will lose our IP phones.
I do not want to change this setup, and want to make sure that traffic from these two servers stay on WAN1. The Internet connection for these services has a higher upload capacity than the newly acquired WAN2 Internet connection. The rate of this connection is 5 MB down, 1.5 MB up. Since SIP traffic and the resulting voice quality correlates to available bandwidth, I want to isolate traffic.
Good idea and exactly what we do.
Our other production server, 192.168.0.12, is running Windows Media Services, and its default port conflicts with ports opened on 192.168.0.8, and as a result have had to do VIPs with alternate ports to avoid conflicts. I would like to direct traffic from this server to utilize WAN2 as its exit to the Internet, and thus not have to use alternate ports to provision the use of the service offerings. This new Internet connection is not as robust as what we have on WAN1, being a 5 MB down / 384 KB up connection. Our Internal users are currently browsing the internet using our WAN1 connection, and I would like that traffic to also travel down the new WAN2 connection. The idea being to completely separate and minimize any possibility that SIP traffic would be affected by a user's high internet usage, and also remove my needing to use VIPs to map incoming data traffic destined to my production servers. Currently I have configured my WAN2 with the static IP associated with this provider, and created a default gateway with an equal cost of (10). I have created new policies in the Internal --> WAN2 that I would have thought would force users to use WAN2. So by de-selecting the current policies in Internal --> WAN1, and enabling the policy under Internal --> WAN2, and leaving defined policies in the Internal --> WAN1 for the servers mentioned above, Internet does not work at all from any server or user. I have also tried creating a Policy Route, but when I try to configure a route for a particular server, it instead inserts 192.168.0.0/255.255.255.0, instead of the typed in, 192.168.0.8/255.255.255.0. Why is it setting it as an entire subnet instead of just one host?
You are specifying a network with 255.255.255.0; what you mean to do is specify a single IP, so you should use 192.168.0.8/255.255.255.255. Also, ignore the help file and put 0.0.0.0 in the gateway, and use equal cost routing in your static routes. This will allow your policy route to be disabled when WAN2 is down (make sure you set up dead gateway protection in the network settings of WAN2). See this KB article.

---------------------

"Leaving the gateway field blank ensures that the policy route will not be active when the link is down (it is affected by the ping server status)."

So I'm assuming the FG is indeed "smart enough" to not force traffic over the down link when using policy routes.

http://support.fortinet.com/forum/tm.asp?m=50341&appid=&p=&mpage=1&key=policy%2Croute%2Cfail&language=single&tmode=&smode=&s=#50341

"When the gateway is left as 0.0.0.0 the FortiGate will check the routing table for the gateway out that interface so there is no need to set a gateway here. If a route out the outgoing interface is not in the routing table, the interface is considered down and the policy route is ignored."

http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=100116&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=5093825&stateId=0%200%205095873

---------------------

How do I know this? I just had a WAN2 outage and our policy routes did not fail over to WAN1 like I had hoped. Thanks to the help of this forum I was pointed to the KB article and now have policy routes for load balancing the way I want, but failover also works. I have tested it by pulling the WAN2 cable and by pointing my dead gateway IP to an IP that could not be pinged. It takes about 20 seconds for a pulled cable and about 1 min for a dead gateway failover to happen.

If you host your DNS with a company like www.dnsmadeeasy.com you can set up DNS failover. So your exchange/mail server is mail.yourcompany.com; you have your primary WAN1 IP for that, but you set the failover IP to the WAN2 IP. dnsmadeeasy will notice WAN1 is down and will then hand out WAN2 IPs. They also support round robin DNS. With dnsmadeeasy doing the external DNS and the WAN failover / equal cost routing and policy routes, you will have total redundancy for Internet except for your services that require hard coded IPs like VoIP or IPSEC type VPNs.

At some point I hope Fortinet adds Authoritative DNS to the FortiGates. There is no reason they could not do it, and it would give us the ability to use the FortiGate as intelligent DNS. It could load balance WAN1 and WAN2 by looking at the load and responding to external DNS requests with the least utilized circuit, or the circuit that is still up in a failover situation. This would allow me to do everything with Fortinet and stop using the hosted dnsmadeeasy service. It makes the most sense to have Authoritative DNS on the Fortinet devices and I am not sure why they do not have it.

Troy
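As an added example, not taken from Troy's reply or from Fortinet documentation, this is the FortiOS CLI form of the setup discussed in this thread: two default routes at the same distance, host-mask policy routes that pin the two WAN1-bound servers, a subnet policy route that sends the rest of the LAN (including 192.168.0.12) out WAN2, and 0.0.0.0 as the policy-route gateway so a route is skipped when its link is down. Interface names and the two ISP gateway addresses are placeholders, and the `set src <ip> <mask>` form assumes the FortiOS 4.x CLI syntax of this thread's era (later releases take `"192.168.0.8/32"` instead).

```fortios
# Equal cost routing: both default routes have the same distance, so both
# WAN links stay in the routing table. Gateway addresses are placeholders.
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 203.0.113.1
        set device "wan1"
        set distance 10
    next
    edit 2
        set dst 0.0.0.0 0.0.0.0
        set gateway 198.51.100.1
        set device "wan2"
        set distance 10
    next
end

# Policy routes are matched top down, so the single-host entries come first.
# A 255.255.255.255 mask selects one host; 255.255.255.0 matches the whole
# 192.168.0.0 subnet, which is what the question saw. Gateway 0.0.0.0 makes
# the FortiGate take the gateway out the output interface from the routing
# table, so the entry is ignored when that interface has no route (link down).
config router policy
    # primary server (certificate, mail, intranet) stays on WAN1
    edit 1
        set input-device "internal"
        set src 192.168.0.8 255.255.255.255
        set dst 0.0.0.0 0.0.0.0
        set gateway 0.0.0.0
        set output-device "wan1"
    next
    # IP PBX with SIP trunks bound to the WAN1 public address
    edit 2
        set input-device "internal"
        set src 192.168.0.200 255.255.255.255
        set dst 0.0.0.0 0.0.0.0
        set gateway 0.0.0.0
        set output-device "wan1"
    next
    # everything else on the LAN, including 192.168.0.12, exits via WAN2
    edit 3
        set input-device "internal"
        set src 192.168.0.0 255.255.255.0
        set dst 0.0.0.0 0.0.0.0
        set gateway 0.0.0.0
        set output-device "wan2"
    next
end
```

Policy routes only choose the egress interface, so a firewall policy must stay enabled for both internal -> wan1 and internal -> wan2; traffic steered to an interface pair with no matching policy is dropped, which matches the symptom of disabling the WAN1 policies. Dead gateway detection (the ping server) for wan2 is set separately in that interface's settings and is what takes the wan2 route out of the table.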