Vurdalag
New Contributor II

Fortigate Route Trafic from Specific Interface to Specific WAN

Hi, I have a FortiGate 60F and two ISPs added to SD-WAN:

WAN1

WAN2


I would always like to route traffic from interface "3" (subnet 192.168.0.0/24) to ISP "WAN2" and never fail over to ISP "WAN1". If "WAN2" is down, then clients on interface "3" will be offline (that is OK), while the other interfaces can use WAN2 as the primary ISP and fail over to the WAN1 ISP.

If I create the SD-WAN rule below, won't interface "3" (192.168.0.0/24) fail over to WAN1 in case WAN2 is offline?

(screenshot: SD-WAN Rule)

1 Solution
Vurdalag
New Contributor II

For the time being I found three options for how to block traffic originating from subnet 192.168.0.0 (port3) from being routed via the WAN1 port even if WAN2 is physically down (cable unplugged):


1) Found on this resource exactly the same issue that I have:

https://www.reddit.com/r/fortinet/comments/p7j1zl/restrict_certain_subnetinterface_from_using/


On port3 (subnet 192.168.0.0), I created the secondary IP 100.64.0.1/24:

(screenshot: Secondary IP address)

Created two policy routes. The first routing policy always routes traffic from the 192.168.0.0/24 subnet (port3) via WAN2 (Starlink):

(screenshot: Policy Route Nr. 1)

The second policy routes traffic from port3 to port3 with the gateway set to this port's secondary IP, which is 100.64.0.1. Once the WAN2 link is down (cable unplugged, for example), the first routing policy is skipped and the one below takes care of the 192.168.0.0 traffic, since it will match:

(screenshot: Policy Route Nr. 2)

2) Another option is to remove the SD-WAN zone and make WAN1 and WAN2 separate interfaces.

Configure failover between WAN1 and WAN2 using link-monitor as per the resource below:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Redundant-Internet-connection-without-load...


Configure a firewall policy to block traffic from 192.168.0.0 to WAN1.

Not sure how practical the first approach is, but it works without removing the SD-WAN zone. It was tested and found working.
The 2nd option was tested as well.

3) Under SD-WAN, create two new zones:

WAN1 ZONE

WAN2 ZONE


Add the WAN1 and WAN2 interfaces to their respective zones.

Create two SD-WAN rules:

- Rule1: Source Address: specify the subnet that you want to route via WAN2 only. Manual mode -> Interface Preference: WAN2

- Rule2: Source Address: specify all remaining subnets that can access WAN2 and WAN1. Manual mode -> Interface Preference: WAN2, WAN1 (the order of the interfaces is important)

Go to Routes -> Static Routes -> add both new SD-WAN zones to the Static Route Device field.

Configure SLA under SD-WAN

Configure the firewall policy:

Top rule: block subnet 192.168.0.0/24 from accessing WAN1 (WAN1 ZONE as the destination interface)

Second rule: allow the 192.168.0.0/24 subnet to access the WAN2 interface (WAN2 ZONE as the destination interface)

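The zone-based setup from option 3 of the accepted solution, written out as FortiOS 7.x CLI. This is an added example and not configuration taken from the original post or from Fortinet; the interface names (port3, wan1, wan2), the next-hop addresses 203.0.113.1 and 198.51.100.1, the address-object name net_192.168.0.0_24, the health-check server 8.8.8.8 and the zone, rule and policy names are all assumptions chosen for illustration.

```fortios
# Added example (not from the original post): option 3 as FortiOS 7.x CLI.
# Assumed: port3 = LAN 192.168.0.0/24, wan1/wan2 = ISP ports, gateways
# 203.0.113.1 / 198.51.100.1, health-check target 8.8.8.8.

config firewall address
    edit "net_192.168.0.0_24"
        set subnet 192.168.0.0 255.255.255.0
    next
end

config system sdwan
    set status enable
    # one zone per ISP so firewall policies can name each WAN separately
    config zone
        edit "WAN1_ZONE"
        next
        edit "WAN2_ZONE"
        next
    end
    config members
        edit 1
            set interface "wan1"
            set zone "WAN1_ZONE"
            set gateway 203.0.113.1
        next
        edit 2
            set interface "wan2"
            set zone "WAN2_ZONE"
            set gateway 198.51.100.1
        next
    end
    # SLA / health check so a dead member is detected and skipped
    config health-check
        edit "Internet"
            set server "8.8.8.8"
            set members 1 2
        next
    end
    config service
        # Rule1: the port3 subnet is only ever steered to WAN2 (member 2)
        edit 1
            set name "port3-WAN2-only"
            set mode manual
            set src "net_192.168.0.0_24"
            set dst "all"
            set priority-members 2
        next
        # Rule2: everyone else prefers WAN2 and falls back to WAN1 (order matters)
        edit 2
            set name "others-WAN2-then-WAN1"
            set mode manual
            set src "all"
            set dst "all"
            set priority-members 2 1
        next
    end
end

# default route that covers both zones (Static Route "Device" field in the GUI)
config router static
    edit 1
        set sdwan-zone "WAN1_ZONE" "WAN2_ZONE"
    next
end

# firewall policies are matched top-down: the deny MUST sit above the accept
config firewall policy
    edit 10
        set name "deny-port3-to-WAN1"
        set srcintf "port3"
        set dstintf "WAN1_ZONE"
        set srcaddr "net_192.168.0.0_24"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 11
        set name "allow-port3-to-WAN2"
        set srcintf "port3"
        set dstintf "WAN2_ZONE"
        set srcaddr "net_192.168.0.0_24"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

The deny policy, not the SD-WAN rule, is what enforces the requirement: when every member listed in an SD-WAN rule is down the rule is skipped and the traffic falls through to the next rule or the default route, which still includes WAN1. With the deny policy on top, that fallback is dropped and logged instead of leaving via WAN1. If the policies were created in a different order, move the deny above the accept (for example `config firewall policy` / `move 10 before 11`), and verify with `diagnose sys sdwan service` and `diagnose sys sdwan member` after unplugging wan2.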
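The policy-route trick from option 1, also as an added FortiOS 7.x CLI example (not configuration from the original post or from the linked Reddit thread); port3 as the LAN interface, wan2 as the Starlink port and its next hop 198.51.100.1 are assumptions.

```fortios
# Added example (not from the original post): option 1 as FortiOS 7.x CLI.
# Assumed: port3 = LAN 192.168.0.0/24, wan2 = Starlink with gateway 198.51.100.1.

# secondary address on port3 used only as a dead-end gateway
config system interface
    edit "port3"
        set secondary-IP enable
        config secondaryip
            edit 1
                set ip 100.64.0.1 255.255.255.0
            next
        end
    next
end

# policy routes are evaluated in seq-num order, first match wins,
# and a policy whose output-device is down is skipped
config router policy
    # 1: while wan2 is up, everything from the LAN subnet leaves via wan2
    edit 1
        set input-device "port3"
        set src "192.168.0.0/255.255.255.0"
        set dst "0.0.0.0/0.0.0.0"
        set output-device "wan2"
        set gateway 198.51.100.1
    next
    # 2: when wan2 is down, policy 1 is skipped and this one catches the
    # same traffic, steering it back into port3 toward the secondary IP so
    # it never reaches the SD-WAN default route (and thus never WAN1)
    edit 2
        set input-device "port3"
        set src "192.168.0.0/255.255.255.0"
        set dst "0.0.0.0/0.0.0.0"
        set output-device "port3"
        set gateway 100.64.0.1
    next
end
```

`diagnose firewall proute list` shows both entries and which one is currently active; with the wan2 cable pulled, entry 2 should be the one matching. Policy routes are consulted before the routing table and before SD-WAN rules, which is why this works without touching the SD-WAN zone, but it also means a future policy route placed above these two can silently override them.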

qasimbashir6242

Hey,

Ah, the Fortinet docs, a treasure trove of info! Good call on suggesting the Manual Selection Rule. That should definitely streamline things if you're only dealing with one preferred interface.

Thanks for sharing the link for more details. Always helpful to have the source right there. :thumbs_up:
https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/723448/manual-strategygoku.tu

Cheers,
