hi,
I have a situation in my network in which there are 2 WAN links, and I have to use both of them for internet as described below:
servers must use WAN1 primarily, which has public IP addresses and serves remote-access VPN and other public services,
clients must use WAN2 primarily, which does not have a public IP address.
Both links must fail over to the other for internet usage. Also, both links receive their IP and gateway from a PPPoE connection.
So for this implementation I first tried WAN LLB. This implementation works really fine, but the problem is that in this situation I lose incoming connections like VPN. I don't know why. I even defined a specific LLB rule to prefer WAN1 for the VPN address range, but again no luck.
The other way that crossed my mind is using policy routes. I defined the WAN2 default route distance with a lower value and defined a policy route saying that all client traffic's default route is WAN2. In this situation I have VPN and services working fine, but when WAN2 goes down, clients lose internet access because the policy route does not track any link state or anything else to detect it. If I could write such a track like on a router, the problem is solved.
Or if I could find the problem related to situation one, again the problem is solved.
Can anyone help me in this situation, please?
Did anyone have the chance to solve this issue correctly?
I am trying something similar, even without failover,
while WAN1 has PPPoE with some static IPs
and WAN2 has regular internet.
The incoming traffic is quite an easy issue, since it is all being routed through VIP and FW policy.
The problem is with the outgoing traffic.
Trying to define who is going through which WAN by using policy routing seems to be working fine, except for one big problem:
when defining the routing using a policy route, the local LAN cannot access any other networks in the LAN, since all its traffic goes through the WAN interface,
while normally, with only one WAN connection active, it works just fine and I can set the traffic using FW rules (to the WAN and to the local interfaces and networks).
Any suggestions?
Thanks
Ronen.c wrote: when defining the routing using a policy route, the local LAN cannot access any other networks in the LAN, since all its traffic goes through the WAN interface
You have to create a new rule before the one routing outside in order to exempt internal traffic from policy routing.
Example:
1 - From LAN Z to LAN Y, action stop policy routing. <- Create rules to exempt your internal traffic
2 - From LAN Z to WAN 3, gateway a.b.c.d <- your policy routing for outgoing traffic through a specific WAN
Hint: in 5.2.x there is no sequence number; the one on top is the first, the second from the top is the second, etc. I don't remember if there is a sequence number in 5.4.x.
So you have to put the exempt rules on top and the specific routes after.
2 FGT 100D + FTK200
3 FGT 60E FAZ VM some FAP 210B/221C/223C/321C/421E
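As an added illustration of the two-rule ordering described in the reply above (this is not configuration posted by anyone in the thread), here is the FortiOS CLI form of "exempt rule on top, WAN rule after". The address objects "LAN_Z", "LAN_Y", "all", the interface names "internal" and "wan2", and the gateway 203.0.113.1 are placeholders to be replaced with your own objects and next hop. The `srcaddr`/`dstaddr` keywords are the 5.4-and-later address-object syntax; on 5.2.x the equivalent keys are `set src <subnet>` and `set dst <subnet>` with literal prefixes.

```fortios
# Added example, not from the thread. Object and interface names are placeholders.
config router policy
    # Rule 1 is evaluated first: LAN-to-LAN traffic is taken out of policy
    # routing ("action deny" is the CLI name for "Stop Policy Routing") and
    # falls through to the normal routing table, so internal subnets stay reachable.
    edit 1
        set input-device "internal"
        set srcaddr "LAN_Z"
        set dstaddr "LAN_Y"
        set action deny
    next
    # Rule 2: everything else from LAN_Z is forced out the second WAN.
    edit 2
        set input-device "internal"
        set srcaddr "LAN_Z"
        set dstaddr "all"
        set output-device "wan2"
        set gateway 203.0.113.1
    next
end
```

Two checks worth doing after applying this: first, confirm the order with `show router policy` (on versions that show a sequence number, `move 1 before 2` reorders an existing exempt rule that was created after the WAN rule); second, because the WAN links in this thread get their gateway from PPPoE rather than a fixed next hop, verify on your firmware version whether a policy route on a dynamic interface should be configured with `output-device` only and the gateway left unset, since the static gateway shown here is an assumption for a fixed-IP link.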
Copyright 2024 Fortinet, Inc. All Rights Reserved.