technik
New Contributor

FG 100d Multiple Wan PPPoE

Good afternoon,

Just had BT Infinity installed today. This now requires a modem and a router, compared to the previous modem/router. So I considered using PPPoE on the FG100D, removing known VPN problems with BT routers. Connected the modem up on port1 and set up PPPoE with the correct username and password. It received the correct IP and I set it up to obtain the gateway. Tried to get on the internet with no luck. Checked the routing, as I previously had static routing, which has been removed. The routes are there but the interface states ppp1.

Now I have 4 internet connections, and if I connect all 4 I end up with 2 records for each connection, interfaces ppp1, ppp2, ppp3, ppp4. Due to lack of time I had to refit the modems.

Would there be any problem having 4 PPPoE connections? Do I need to change all my firewall policies to use interface ppp1 instead of port1? I could not find any reference to ppp1 through the web interface.
technik
New Contributor

Problem resolved. Restarted the FG and all connections worked correctly. Will the FG suffer at all using 4 80mb down/20mb up connections over PPPoE?
ede_pfau
SuperUser

I don't think that a 100D will even notice. PPPoE is not a 'chatty' protocol - except for the initial negotiations there are only some regular keepalive packets. And what is ~320 Mbit/s for an appliance like this...
Ede Kernel panic: Aiee, killing interrupt handler!
technik
New Contributor

Thanks Ede_pfau. Having had it running the last few days, it seems to be running fine apart from the priority of routing.

Previously, when using static/IP to modem/router, priority was set on the static route to default as the 1st connection, then policy routes to send http/https via the 2nd connection.

The new setup with 4 PPPoE connections obtains IP/netmask and default gateway from the ISP (all single static IP) with a distance of 10. Currently no static routes have been manually set. On reboot I have noticed the gateway changes, so I am unsure if I can even set a static gateway on a static route.

Current Route View for Gateway:

Static 0.0.0.0/0 81.139.64.1 ppp2 10 0
Static 0.0.0.0/0 81.139.64.1 ppp1 10 0
Static 0.0.0.0/0 81.148.0.1 ppp3 10 0
Static 0.0.0.0/0 81.148.0.1 ppp4 10 0
Connected 81.139.64.1/32 0.0.0.0 ppp2 0 0
Connected 81.139.64.1/32 0.0.0.0 ppp1 0 0
Connected 81.148.0.1/32 0.0.0.0 ppp3 0 0
Connected 81.148.0.1/32 0.0.0.0 ppp4 0 0

With the above, http/https still uses connection 2 as the policy routes are still in place. Because there are no priority settings set for the gateway route, all other connections to external are "load balanced", completely random port from different machines.

Is there an alternative way to set the default route for anything not internal? I have attempted setting static routes and disabled obtaining the gateway automatically, but it then prevented any connection to external and the routes did not appear in the monitor, even after a reboot.
ede_pfau
SuperUser

Ehm, why change the 'automatic' setup of gateway addresses? Of course, if all default routes are equal you will have a (more or less) load balanced distribution of sessions over all 4 routes. This isn't bad in itself.

The option to receive the correct gateway address through the PPP protocol is quite helpful as you have noticed. Depending on the actual connection the gateway may vary. That's why the protocol was made in such a way as to provide the address of the receiving end as well.

Just to clarify: Policy Routes are a thing from the zombie world. They live between real routes which you can see in the Routing Monitor, and real policies which do not guide traffic but only control it. Policy Routes are always obeyed first, before the routing table is looked up. If I had to make a wish for a feature request it would be to add visibility of Policy Routes, probably in the Routing Monitor.

One more caveat when experimenting with routing settings: only when processing the first packets of a NEW session is the routing decision made. No changes to routes have effects on existing sessions. If you experiment with routes be sure to kill all sessions before re-testing. (I can tell, having wasted lots of time without proper knowledge of that interaction.)
Ede Kernel panic: Aiee, killing interrupt handler!
technik
New Contributor

Hi Ede,

Under normal circumstances I would totally agree regarding the "load balancing" effect. Sadly, this is why I have 4 individual connections.

My purpose for the 4 connections:
1. All outgoing connections for workstations and servers to the internet (including email and DNS). Email is on a different site.
2. http, ftp and https for all workstations and servers
3. VPN to 2 x satellite sites and soon to be remote client access
4. VPN to HQ

As you can see, the 3rd and 4th connections are high priority for VPN access, as I am using DFS Live to all sites.

Regarding fixing the gateway in static routes and setting priority to use number 1: is there an alternative way to set the default route other than priority when creating a static route? Policy routes are used to simply send 21, 80, 443 via port 2.
rwpatterson
Valued Contributor III

ORIGINAL: technik
My purpose for the 4 connections.
1. All outgoing connections for workstations and servers to the internet,(including email and dns) Email is on a different site.
2. http, ftp and https for all workstations and servers
3. VPN to 2 x satellite sites and soon to be remote client access
4. VPN to HQ

Why don't you try this: Leave the distance for all at 10. Set the priorities for 3 & 4 to 5 (a lower number than 1 & 2. These routes shouldn't be default, just needed for the remote VPN subnets). Set your static routes for your remote subnets to 5 on 3 & 4. Set policy routes for port 80, 443, 21, etc. to #2. This way, there should only be 2 default routes out: 1 & 2. 3 & 4 will only cover the VPNs.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
technik
New Contributor

If the internet connections are on dynamically assigned routes with distance 10 and the VPN links are on a distance of 5, can I simply set up a policy route to forward all other traffic with a distance of 8 without the gateway set?

incoming interface: lan
source address: 192.168.2.0/255.255.255.0
destination address: 0.0.0.0/0.0.0.0
outgoing interface: wan1
gateway address: 0.0.0.0
ede_pfau
SuperUser

No. Policy routes will be obeyed first, before a routing table lookup. With the config shown ALL traffic from the .2.0/24 network would be sent out via WAN1. Didn't you intend to divert HTTP(S) traffic only?

BTW: with Policy Routes, usually the gateway address is left blank. It suffices to specify the port/interface. I haven't had to specify the gateway address yet but it might come in handy if you have to.
Ede Kernel panic: Aiee, killing interrupt handler!
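Added example (not part of the post above and not FortiOS code): a simplified Python model of the lookup order described in this thread, with policy routes checked first, then the routing table, and the decision made once per new session. The function and class names and the hash-based spreading of sessions over equal routes are assumptions made for illustration.

```python
# Added illustration: a simplified model of the lookup order described in the
# thread. It is not FortiOS code; the hash-based spreading is an assumption.
import zlib

# Default routes from the Route View posted in the thread (all distance 10).
DEFAULT_ROUTES = [("ppp1", 10), ("ppp2", 10), ("ppp3", 10), ("ppp4", 10)]

# Policy route as technik describes it: ports 21, 80, 443 go out connection 2.
WEB_ONLY = [{"src": "192.168.2.", "ports": {21, 80, 443}, "out": "ppp2"}]
# Policy route proposed later in the thread: any destination, no port filter.
CATCH_ALL = [{"src": "192.168.2.", "ports": None, "out": "wan1"}]


def pick_interface(src_ip, dst_ip, dst_port, policy_routes, routes):
    """Return the egress interface for the first packet of a new session."""
    # 1. Policy routes are obeyed first, before any routing table lookup.
    for pr in policy_routes:
        if src_ip.startswith(pr["src"]) and (pr["ports"] is None or dst_port in pr["ports"]):
            return pr["out"]
    # 2. Routing table: keep only the routes with the lowest distance.
    best = min(d for _, d in routes)
    candidates = sorted(i for i, d in routes if d == best)
    # 3. Equal routes share sessions (assumed here: hash of the session tuple).
    key = f"{src_ip}|{dst_ip}|{dst_port}".encode()
    return candidates[zlib.crc32(key) % len(candidates)]


class SessionTable:
    """Routing is decided once per session; later route changes do not move it."""

    def __init__(self):
        self.sessions = {}

    def forward(self, src_ip, dst_ip, dst_port, policy_routes, routes):
        key = (src_ip, dst_ip, dst_port)
        if key not in self.sessions:  # only a NEW session triggers a lookup
            self.sessions[key] = pick_interface(src_ip, dst_ip, dst_port, policy_routes, routes)
        return self.sessions[key]

    def clear(self):
        """Model killing all sessions before re-testing a routing change."""
        self.sessions.clear()
```

With `WEB_ONLY`, only ports 21, 80 and 443 are pinned to one link and everything else spreads over the four equal default routes; with `CATCH_ALL`, every new session from 192.168.2.x leaves via wan1, but sessions created earlier stay where they were until the table is cleared.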
technik
New Contributor

OK. After typing the above message and having a look over this morning: setting up the policy route like you said forwarded everything via wan1. Was soon reverted.

I then tried setting a static route for all 4 connections:

0.0.0.0/0.0.0.0 port1 0.0.0.0 10 1
0.0.0.0/0.0.0.0 port1 0.0.0.0 10 2
0.0.0.0/0.0.0.0 port1 0.0.0.0 10 3
0.0.0.0/0.0.0.0 port1 0.0.0.0 10 4

leaving it so the gateway was blank. This did not affect the routing table. I then set them all to distance 9. They then all appeared in the routing table, but no internet was available by any connection.

I have to admit I am a bit lost in this now.