- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiBridge
- FortiAuthenticator
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDDoS
- FortiDAST
- FortiDB
- FortiDNS
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiGate Cloud
- FortiExtender
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecorder
- FortiRecon
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- FortiWebCloud
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Forigate 80C Dual WAN issue with inbound traffic o...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Forigate 80C Dual WAN issue with inbound traffic on WAN2
I have a Foritgate 80C which I recently upgraded to v5.2.3 build 670. I am hoping to test this configuration with this unit before purchasing a Forigate 100D or 200D firewall.
Issue: I have 2 ISP's and utilizing both WAN1 and WAN2. When WAN1 is active, I cannot receive traffic inbound (such as a ping test) over WAN2. If I shutdown WAN1, the traffic (the ping test as well as RDP and other tests) start to work right away over WAN2. If I activate the WAN1 connection again, the traffic inbound on WAN2 stops as soon as the interface is up.
It would appear that while WAN1 is active, inbound connections to WAN2 are not allowed.
Basic Config / Testing (IP's are fake):
(Please read this from top to bottom, basically this is me working logically through the configuration w/ my results as I progress)
Internal1 (LAN) Mailserver for testing - 172.16.5.10
WAN1 - Static IP Address - Have 5 Static IP's I can use Interface has IP Address 10.0.0.2 and GW of 10.0.0.1
WAN2 - Static IP Address - Have 5 Static IP's that I can use Interface has IP Address 192.168.1.2 and a GW of 192.168.1.1
Static Route - 0.0.0.0 / 0.0.0.0 Device (WAN1) Gateway 10.0.0.1 Administrative Distance 10
Static Route - 0.0.0.0 / 0.0.0.0 Device (WAN2) Gateway 192.168.1.1 Administrative Distance 20
Firewall Policy1: Incoming: Internal LAN1, 172.16.5.0/24 Outgoing WAN1, ALL, ALWAYS, ALL, ACCEPT NAT On, Use Outgoing Interface Address
Firewall Policy2: Incoming: Internal LAN1, 172.16.5.0/24 Outgoing WAN2, ALL, ALWAYS, ALL, ACCEPT NAT On, Use Outgoing Interface Address
At this point in the configuration my mailserver will connect out the internet via WAN1 and have a public IP of 10.0.0.2 (FW WAN1 address).
I then add a policy route: Incoming Interface (Internal1 (LAN)) Source 172.16.5.10/255.255.255.255 Destination 0.0.0.0/0.0.0.0 Forward Traffic - Outgoing Interface WAN2 192.168.1.1.
At this point in the configuration, the mailserver will connect to the internet via WAN2 and have a public IP of 192.168.1.2 (FW WAN2 address).
Add a Virtual IP: External 192.168.1.5 (one of my usable external statics) mapped to 172.16.5.10 (NO port forwarding)
At this point in the configuration, the mailserver still connects to the internet via WAN2 with a public IP of 192.168.1.2 (FW WAN 2 Address).
I then add a FW policy, WAN2 - Internal: Incoming Interface WAN2, source ALL, Outgoing Interface Internal1(LAN) Destination Address (Virtual IP 192.168.1.5 --> 172.16.5.10) ALWAYS, Service ALL (just as test!) ACCEPT, NAT OFF
At this point my mailserver will connect to the internet via WAN2 and have a public IP of 192.168.1.5 (Virtual IP mapping working). However at this point in the configuration, I cannot connect from the outside to 192.168.1.5. If I do a administrative shutdown of the WAN1 interface, I can then connect into WAN2 via the virtual IP address as configured. As soon as I activate WAN1 again, I lose connectivity. (Also trying NAT ON vs NAT OFF makes no difference)
Is this a limitation of the firewall? An unsupported configuration? Am I missing something?
Thank you for taking the time to read all of this. I appreciate any and all help!
Solved! Go to Solution.
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Could you try changing the administrative distance of the WAN2 route to 10 to match the route for WAN1, but give it a higher integer for priority? That way, it's at least in the routing table as a feasible reverse path, even if it's not the preferred path.
Regards, Chris McMullan Fortinet Ottawa
3 REPLIES 3
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Could you try changing the administrative distance of the WAN2 route to 10 to match the route for WAN1, but give it a higher integer for priority? That way, it's at least in the routing table as a feasible reverse path, even if it's not the preferred path.
Regards, Chris McMullan Fortinet Ottawa
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Christopher,
THANK YOU!!!!!
I had played around with setting the distance to equal 10 for both connections, but traffic would almost always default to go out WAN2. I recently upgraded from an old version (Version 4) in testing this and never saw the priority setting :(.
This was spot on. Setting the distance as equal and the priority for WAN1 as 10 and WAN2 as 20 kept everything that was working, working the way it was and allowed WAN2 inbound traffic.
I am very happy it was just a setting I missed! Thank you again Christopher!!!!
--Matt
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No problem!
The issue in OS 4.x makes sense, since we didn't add priority until 4.3.
Regards, Chris McMullan Fortinet Ottawa
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- VS SSL offloading with deep inspection 344 Views
- Persistent One Way Audio Issues, no... 629 Views
- Packet duplication not done in session... 376 Views
- Connecting Two SIP Trunks with Different... 588 Views
- Fortigate 60F Sending Wrong LOGS to... 440 Views
Labels
-
FortiGate
7,188 -
FortiClient
1,419 -
5.2
801 -
5.4
639 -
FortiManager
621 -
FortiAnalyzer
458 -
6.0
416 -
FortiAP
376 -
FortiSwitch
375 -
5.6
362 -
FortiClient EMS
291 -
FortiMail
281 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
175 -
FortiNAC
128 -
6.4
128 -
FortiGuard
116 -
IPsec
110 -
SSL-VPN
109 -
FortiGateCloud
98 -
FortiSIEM
94 -
FortiCloud Products
90 -
FortiToken
77 -
Customer Service
71 -
Wireless Controller
65 -
4.0MR3
64 -
FortiProxy
49 -
SD-WAN
49 -
FortiEDR
46 -
FortiADC
45 -
Fortivoice
44 -
FortiDNS
39 -
FortiExtender
35 -
FortiGate v5.4
35 -
FortiAuthenticator
35 -
Firewall policy
35 -
FortiSandbox
34 -
FortiSwitch v6.4
32 -
VLAN
31 -
High Availability
31 -
DNS
24 -
FortiWAN
24 -
FortiConnect
24 -
ZTNA
23 -
BGP
21 -
LDAP
21 -
FortiConverter
21 -
Certificate
21 -
SAML
20 -
FortiGate v5.2
19 -
FortiPortal
18 -
Routing
18 -
Interface
18 -
FortiSwitch v6.2
17 -
VDOM
17 -
FortiMonitor
15 -
Authentication
15 -
FortiLink
15 -
FortiGate v5.0
14 -
Fortigate Cloud
14 -
FortiDDoS
14 -
Logging
14 -
NAT
13 -
RADIUS
12 -
SSL SSH inspection
12 -
FortiCASB
12 -
Application control
11 -
Web profile
11 -
Traffic shaping
10 -
Virtual IP
10 -
SSO
10 -
FortiRecorder
10 -
SSID
9 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
WAN optimization
9 -
4.0MR2
9 -
IP address management - IPAM
8 -
FortiBridge
8 -
SNMP
8 -
FortiGate v4.0 MR3
8 -
OSPF
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
FortiAP profile
7 -
4.0
7 -
Admin
7 -
Web application firewall profile
7 -
Static route
6 -
Security profile
6 -
Proxy policy
6 -
Traffic shaping policy
6 -
Automation
6 -
IPS signature
5 -
Packet capture
5 -
DNS Filter
5 -
FortiCache
5 -
FortiManager v4.0
5 -
trunk
5 -
FortiDeceptor
4 -
FortiDirector
4 -
Web rating
4 -
Intrusion prevention
4 -
Port policy
4 -
Antivirus profile
4 -
System settings
4 -
FortiPAM
4 -
FortiCarrier
4 -
FortiTester
4 -
3.6
4 -
DLP sensor
4 -
FortiScan
4 -
Fabric connector
3 -
NAC policy
3 -
Users
3 -
Multicast routing
3 -
FortiToken Cloud
3 -
Traffic shaping profile
3 -
Fortinet Engage Partner Program
3 -
DLP Dictionary
3 -
DLP profile
3 -
FortiDB
3 -
DoS policy
3 -
Email filter profile
3 -
FortiInsight
2 -
Netflow
2 -
Protocol option
2 -
FortiAI
2 -
Application signature
2 -
FortiHypervisor
2 -
VoIP profile
2 -
Internet Service Database
2 -
Explicit proxy
2 -
4.0MR1
1 -
Multicast policy
1 -
Zone
1 -
FortiCWP
1 -
Kerberos
1 -
Subscription Renewal Policy
1 -
FortiNDR
1 -
TACACS
1 -
Replacement messages
1 -
Schedule
1 -
SDN connector
1 -
FortiManager-VM
1 -
Authentication rule and scheme
1 -
Service
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1077 | |
| 892 | |
| 529 | |
| 441 | |
| 152 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.