Support Forum
farhad_plasma
New Contributor

Dual WAN Load Balancing or Policy route with redundant interface

Hi,

I have a situation in my network in which there are 2 WAN links, and I have to use both of them for internet as described below:

Servers must use WAN1 primarily, which has public IP addresses and serves remote access VPN and other public services.

Clients must use WAN2 primarily, which does not have a public IP address.

Both links must fail over to the other for internet usage. Also, both links receive their IP and gateway from a PPPoE connection.

So for this implementation I first tried WAN LLB. This implementation works really fine, but the problem is that in this situation I lose incoming connections like VPN. I don't know why. I even defined a specific LLB rule to prefer WAN1 for the VPN address range, but again no luck.

The other way that crossed my mind is using policy routes. I defined the WAN2 default route distance with a lower value and defined a policy route saying that all client traffic's default route is WAN2. In this situation I have VPN and services working fine, but when WAN2 goes down, clients lose internet access because the policy route does not track any link state or anything else to detect it. If I could write such a track like on a router, the problem is solved.

Or if I could find the problem related to situation one, again the problem is solved.

Can anyone help me in this situation please?

11 REPLIES
Ronen_c
New Contributor

Did anyone have the chance to solve this issue correctly?

I am trying something similar, even without failover,

while WAN1 has PPPoE with some static IPs

and WAN2 has regular internet.

The incoming traffic is quite an easy issue, since it is all being routed through VIP and FW policy.

The problem is with the outgoing traffic.

Trying to define who is going through which WAN by using policy routing seems to be working fine, except for one big problem:

when defining the routing using a policy route, the local LAN cannot access any other networks in the LAN, since all its traffic goes through the WAN interface,

while normally, with only one active WAN connection, it works just fine and I can set the traffic using FW rules... (to the WAN and to the local interfaces and networks...)

Any suggestions?

Thanks


Baptiste

Ronen.c wrote:

when defining the routing using a policy route, the local LAN cannot access any other networks in the LAN, since all its traffic goes through the WAN interface

You have to create a new rule before the one routing outside, in order to exempt internal traffic from policy routing.

Example:

1 - From LAN Z to LAN Y, action stop policy routing. <- Create rules to exempt your internal traffic

2 - From LAN Z to WAN 3, gateway a.b.c.d <- your policy routing for outgoing traffic through a specific WAN

Hint: in 5.2.x there is no sequence number; the one on top is the first, the second from top is the second, etc. I don't remember if there is a sequence number in 5.4.x.

So you have to put exempt rules on top and specific routes after.


2 FGT 100D  + FTK200

3 FGT 60E  FAZ VM  some FAP 210B/221C/223C/321C/421E
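The two-rule ordering Baptiste describes, written out as FortiOS CLI. This is an added example, not configuration from the thread or from Fortinet; the interface names, the two LAN subnets and the 203.0.113.1 gateway are constructed placeholders to replace with your own values.

```fortios
# Policy routes are evaluated top-down, first match wins.
# Rule 1 must sit above rule 2 so LAN-to-LAN traffic is exempted
# before the catch-all rule pushes everything out of wan2.
config router policy
    # Rule 1: LAN Z -> LAN Y, stop policy routing (action deny)
    # and fall back to the normal routing table.
    edit 1
        set input-device "internal"
        set src "192.168.1.0/255.255.255.0"
        set dst "192.168.2.0/255.255.255.0"
        set action deny
    next
    # Rule 2: everything else from LAN Z goes out wan2 via the
    # placeholder gateway 203.0.113.1 (action permit).
    edit 2
        set input-device "internal"
        set src "192.168.1.0/255.255.255.0"
        set dst "0.0.0.0/0.0.0.0"
        set gateway 203.0.113.1
        set output-device "wan2"
        set action permit
    next
end
```

Confirm the resulting order with `diagnose firewall proute list`; the deny entry for the internal destination must be listed above the wan2 entry, otherwise LAN-to-LAN packets match the catch-all first and leave through the WAN.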