Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
DanieZ
New Contributor

Fortigate FG60D two WAN routing issue

God day.

 

Need help in configuring my fortigate with 2 WAN ports One network through port wan1 have office internet and mail server with VIPs second network through port WAN2 have wifi guest network The problem is that from WAN2 it is impossible go to WAN1 mail server OWA page.

WAN`s taken from one internet provider with different IP and have different distance, internet to WAN2 set up through Routing policy.

 

Can anyone help?

14 REPLIES 14
live89
Contributor II

Let me see if I understood your question :

You're saying that Guest users are not able to surf to OWA page ?

OWA page uis behind the WAN1 interface with VIP configured.

Guest users are surfing the inernet through WAN2.

 

Correct me if I understood your question  incorrectly !

 

- Why should the guest user go outside to internet and then ge back to you FGT device and search for the VIP to OWA page ?

 

You can just create DNS database with static resolve to the internal IP and assign the DNS database to the WAN2 interface:

 

for example:

 

FW (dns-server) # show config system dns-server     edit "WAN2"     next end

FW # config system dns-database FW (dns-database) # show config system dns-database     edit "OWA"         set domain "yourdomain.com"         set authoritative disable             config dns-entry                 edit 1                     set hostname "owa"                     set ip 172.16.1.12                 next             end

Thanks

Thanks
DanieZ
New Contributor

Thanks for the answer. Yes, in general, you understood correctly. The question why users from the guest network access - many users use corporate mail on smartphones, and at the moment it does not work on the guest wifi. If I can clarify, for that moment no access to Fortinet portal, Exchange OWA and Exchange and Exchange ActiveSync from WAN 2 to WAN 1. 

LAN 1 192.168.0.1 go outside to WAN1 1.1.1.1

LAN 2 192.168.5.1 go outside to WAN2 1.1.5.1

Ashik_Sheik

Hi,

 

You need U turn policy from guest to LAN with destination mail VIP .This will work .

 

Regds,

 

Ashik

Sheik Mahammad Ashik
Sheik Mahammad Ashik
DanieZ

ashik wrote:

Hi,

 

You need U turn policy from guest to LAN with destination mail VIP .This will work .

 

Regds,

 

Ashik

Hi, thanks for the answer. Can you explain more or write an example? I tried to set up access by route policy from guest LAN to WAN1 and up access by ipv4 policy from guest LAN to office LAN without results.

Ashik_Sheik

Hi 

 

Suppose you have eg : OWA-VIP  like 85.245.45.45 -192.168.10.1 

 

Create a policy  - guest to Lan and in the destination field select OWA-VIP.

 

No NAT enabled .This will work .

 

Regds,

 

Ashik

 

 

Sheik Mahammad Ashik
Sheik Mahammad Ashik
DanieZ

Hi

 

There is a problem, OWA-VIP attached to WAN1 and in the option destination that you offer it is impossible to specify VIP.

Ashik_Sheik

Hi,

 

VIP should not be attached to any interface .So you can reconfigure the VIP to do to create U turn rule .

 

Regds,

 

Ashik

Sheik Mahammad Ashik
Sheik Mahammad Ashik
DanieZ

Hi

For now, without result.

I created a rule from guest lan int. to office lan int. source all and destination OWA-VIP

Still can`t connect to owa from guest network to OWA

DanieZ

Hi

For now, without result.

I created a rule from guest lan int. to office lan int. source all and destination OWA-VIP

Still can`t connect to owa from guest network to OWA

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors