Support Forum
d_k
New Contributor

FortiGate routing with NAT

Hi,

Can you understand how the routing will work with this config?

Policy:
LAN1 (10.10.10.0/24) to 0.0.0.0 through NAT (interface IP 50.100.150.50), from interface LAN1 to WAN1 (ISP 1)
LAN2 (10.20.20.0/24) to 0.0.0.0 through NAT (interface IP 70.100.200.30), from interface LAN2 to WAN2 (ISP 2)

Route:
0.0.0.0/0 via 50.100.150.1, interface WAN1, distance 1, priority 0
0.0.0.0/0 via 70.100.200.1, interface WAN2, distance 1, priority 0

Would it work without a traffic policy? What we need is for the two networks to go through different ISPs.
sw2090
Honored Contributor

Well, since both default routes have the same priority/distance, the traffic policies rule where the traffic goes.


So for a packet coming from 10.10.10.0/24 and going to 0.0.0.0/0 only the first policy will match as the second one's source address doesn't match. So that traffic will go to WAN1.


A packet coming from 10.20.20.0/24 will only match the second policy and go to WAN2.


Keep in mind that this will no longer work if you use SD-WAN, since with SD-WAN you cannot have more than one default route!

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
HaTiMuX
New Contributor III

Hi,


I think ECMP will be used since the default routes have the same distance and priority. Traffic will be load-balanced between the two WAN links.

In this case, some traffic might be dropped (routing decision is made before policy matching).

For example, if traffic comes from LAN2 and the FortiGate decides to route it through WAN1, no firewall policy will match.


For your scenario, the easiest way is to use SD-WAN, then you can add SD-WAN policies to route LAN1 traffic through WAN1 and LAN2 traffic through WAN2. 


You can also use policy routes: keep both default routes but with different priorities, so that only one route is used by default, then add a policy route to send the other LAN's traffic through the other interface.
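The policy-route variant described in this reply, written out as an added FortiOS CLI example (it is not the poster's configuration and not taken from Fortinet documentation). The interface names lan1/lan2/wan1/wan2, the LAN subnets and the two gateways come from the question; the route and policy-route sequence numbers (1 and 2) and the priority value 10 are assumptions. In FortiOS a lower priority value is preferred, and policy routes are consulted before the routing table, which is what makes the second LAN reach its matching firewall policy.

```text
# Both default routes stay in place, but wan2 gets a worse (higher) priority,
# so ordinary route lookups always pick wan1 and no ECMP hashing happens.
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 50.100.150.1
        set device "wan1"
        set distance 1
        set priority 0
    next
    edit 2
        set dst 0.0.0.0 0.0.0.0
        set gateway 70.100.200.1
        set device "wan2"
        set distance 1
        set priority 10        # assumed value; anything higher than 0 works
    next
end

# Policy route (checked before the routing table): anything arriving on lan2
# from 10.20.20.0/24 is sent out wan2. The existing firewall policy
# "lan2 -> wan2, NAT" then matches, so the "routed to wan1, no policy, dropped"
# case from the earlier reply cannot occur for LAN2.
config router policy
    edit 1
        set input-device "lan2"
        set src "10.20.20.0/255.255.255.0"
        set dst "0.0.0.0/0.0.0.0"
        set gateway 70.100.200.1
        set output-device "wan2"
    next
end

# Verification from the CLI:
#   get router info routing-table all    -> only the wan1 default should show as active
#   diagnose firewall proute list        -> the lan2 -> wan2 policy route should be listed
```

LAN1 needs no policy route because the preferred default route already points at wan1. If wan2 is down, the policy route still forces LAN2 traffic toward it, so a link-health check (or SD-WAN, as suggested above) is needed if failover between ISPs is also a requirement.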

sw2090
Honored Contributor

HaTiMuX: for the routes, yes, that would use ECMP. However, because of the policies, traffic from one LAN will only flow through one WAN.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
HaTiMuX
New Contributor III

sw2090: yes, I totally agree; this is why I said some traffic might be dropped if it doesn't match any policy.
