Failover routing to APN
Hello,
We have a kind of interesting problem.
We have multiple routers around the city and they are connected via ISP/fiber to our central FortiGate.
There is a LAN, for example 172.30.5.1/24; the city routers have their WAN IPs from this subnet, and behind these city routers there is a LAN, let's say 172.20.0.0/24. There is also a subnet on the FG, 172.18.45.1/24, where the servers are, which communicate with devices on the 172.20.0.0/24 LAN via static routes on the FG.
But here comes the trick: on the city router there is an LTE backup to our own APN, and there is IPsec between the APN and our FG. On the APN there is a subnet, let's say 172.30.4.1/24, and when the router switches to the APN on its WAN, servers from the server LAN stop communicating with devices on 172.20.0.0/24, because the gateway changes, of course. We tried a solution with DNAT, which does work, but there are multiple devices with the same ports, so it's not the solution.
Are there any solutions that come to mind? Some kind of failover routing?
Labels: FortiGate
My first thought is to try and solve the problem with a much less complicated solution than failover routing. Failover is usually meant to provide an emergency recovery mechanism if a server completely dies. It's not really designed to be used for load balancing.
It basically is emergency recovery, because each router in the city is connected to traffic lights, and if the fiber fails they have an LTE backup to our own APN.
The topology is not so clear without a proper diagram but I'm assuming...
FGT <----- Fiber MPLS provider -----> [172.30.5.0/24] city routers <---> [172.20.0.0/24]
 ^  ^                                                      |
 |  +--> [172.18.45.0/24]                                  |
 +--> [172.30.4.0/24] 4G/5G MPLS provider <----------------+
If this is correct, the key is that both the FGT and the city router need to know the route was changed from the primary MPLS to 4G MPLS at the same time. Based on your description, the city router side can detect it and fail over. Then the question is: can the FGT know the Fiber MPLS is down?
We regularly do this between FGTs with a routing protocol like BGP. But if you want/need to do that with static routing, you have to use link-monitor to detect that the city router's primary path is down, then remove the primary static routes to the remote end and let a lower AD static route to the 4G MPLS path "float" up in the routing table.
https://docs.fortinet.com/document/fortigate/7.4.3/administration-guide/76624/link-monitor
Toshi
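The FortiGate side of the link-monitor plus floating-static-route approach described in the reply above, as an added example (not configuration from the thread or from Fortinet). It assumes the fiber-facing interface is "port2", the IPsec phase1-interface to the APN is named "apn-ipsec", the city router's fiber WAN IP is 172.30.5.10, and the probe values are starting points to tune; the backup route carries a higher administrative distance so it stays out of the routing table until the primary is withdrawn.

```fortios
# Added example, not from the thread. Assumed names: port2 (fiber), apn-ipsec
# (IPsec tunnel to the APN), 172.30.5.10 (city router fiber WAN IP).

# 1) Probe the city router's fiber-side address from the fiber interface.
#    When consecutive probes fail, the monitor marks the link down and
#    withdraws the static routes that depend on it.
config system link-monitor
    edit "lm-city-router-1"
        set srcintf "port2"
        set server "172.30.5.10"
        set gateway-ip "172.30.5.10"
        set protocol ping
        # probe interval (milliseconds on FortiOS 7.x)
        set interval 1000
        # consecutive failures before the path is declared down
        set failtime 5
        # consecutive successes before it is declared up again
        set recoverytime 5
        # withdraw dependent static routes on failure; which routes are
        # withdrawn (whole interface vs. matching gateway-ip) varies by
        # FortiOS version, so verify on a lab unit before relying on it
        set update-static-route enable
    next
end

config router static
    # 2) Primary route to the devices behind the city router, over fiber.
    #    Distance 10 is active while the link monitor is up.
    edit 10
        set dst 172.20.0.0 255.255.255.0
        set gateway 172.30.5.10
        set device "port2"
        set distance 10
        set comment "city-router-1 via fiber, withdrawn by lm-city-router-1"
    next
    # 3) Floating backup route through the IPsec tunnel to the APN. The
    #    higher distance keeps it inactive until route 10 is withdrawn, then
    #    it floats up and the server LAN reaches 172.20.0.0/24 over LTE.
    edit 11
        set dst 172.20.0.0 255.255.255.0
        set device "apn-ipsec"
        set distance 20
        set comment "city-router-1 via APN/LTE, floating backup"
    next
end
```

One link monitor per city router is needed, since each router's 172.20.0.0/24-style LAN fails over independently of the others. The IPsec phase2 selectors between the APN and the FG must also cover 172.20.0.0/24 and 172.18.45.0/24, or the floating route will be installed but the tunnel will drop the traffic.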