We have a Fortigate 60D running 6.0.9
We have two internet lines.
One is connected to 60D via WAN1
The other one is used by a Cisco router (which is in the same subnet with the 60D / 60D has 192.168.1.10 and Cisco has 192.168.1.1 respectively)
We can add static rule both for 60D (and the line that's in WAN1) with
0.0.0.0/0 gateway 85.xx.xx.xx (the static ip of the ISPs equipment)
0.0.0.0/0 gateway 192.168.1.1 (the lan ip of the Cisco router)
but no traffic seems to get through this static route.
If we add a static route for a specific site it does gets through the Cisco router.
Any help ?
I'm assuming you're trying to do ECMP load balancing between them.
1. Check routing table with "get router info routing-table static". Do you see two default routes existing with the same distance and same priority.
2. What kind of policies do you have? It require two policies to each directions.
3. If the source you're generating the internet-bound traffic from is in the same LAN subnet, it would not work well when the FGT forwarded it to the Cisco because outgoing is 192.168.1.x(source)->192.168.1.10(FGT)->192.168.1.1(Cisco), but for returning the Cisco 192.168.1.1 sends directly to the source 192.168.1.x. The FGT doesn't like it and might block following TCP outgoing packets due to only one way traffic.
You might need to set a VLAN between FGT and Cisco then assign a /30 subnet. Then you can have a proper policy toward the VLAN interface, in addition to the policy toward WAN1.
We've managed to solve this issue
Made one static route 0.0.0.0/0 with gateway 213.xxx.xxx.xxx which is the next hop in the line which is connected via the cisco router, and an extra static route that for goint to 213.xxx.xxx.xxx ip the gateway is 192.168.1.1 (cisco router lan ip).
So far it seems that is working..
Well it seems to work in some computers but not to others. But it must be a case of misconfigured DNS server.. Machines with DHCP work ok, but if they have static ip address they can't use both external lines depending on the fortigate's policies. The static ip pc's can access internet only via the line on WAN port..
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1740 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.