Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Ahmed
New Contributor

Forward specific services to specific WAN interface

Hello 

I have 2 WAN interfaces and created a virtual WAN interface that includes both interfaces.

I need to force all SMTP traffic to a specific WAN interface.

Thanks

emnoc
Esteemed Contributor III

You need to review PBR (policy based routing). This will allow you to specify which service to send outside of the normal route selection.

config router policy
    edit 100
        set input-device "DMZ01"
        set src 10.1.1.1 255.255.255.255
        set protocol 6
        set start-port 25
        set end-port 25
        set output-device "wan2"
        set gateway 1.2.3.4
    next
end

Please ensure you have a firewall policy to allow the traffic, and use dia debug flow if you have issues.

PCNSE
NSE
StrongSwan
Ahmed
New Contributor

Thanks very much, done :)

But if this interface has multiple IP addresses,

how can I specify the IP address to use?

Thanks again 

emnoc
Esteemed Contributor III

Not sure what you mean by "used" and multiple addresses. If you have secondaries, just specify the physical/virtual interface name and the defined IPv4 gateway address, as in the example given. If you're using SNAT, then apply the correct IP pool for the address you want to use.

The PBR is forwarding the traffic outside of the normal kernel route table.

ken

PCNSE
NSE
StrongSwan
Ahmed
New Contributor

Thanks again.

When I created the route policy,

it uses the primary IP address of the interface.

I need to use one of the secondary addresses.

I use SNAT.

Please tell me how to use an IP pool.

Carlos_A_Almeida

Ahmed wrote:

Thanks again.

When I created the route policy,

it uses the primary IP address of the interface.

I need to use one of the secondary addresses.

I use SNAT.

Please tell me how to use an IP pool.

Ahmed, IP pools are used to NAT the outgoing traffic of some sessions at your firewall. You can use them to do many things, like replacing the wan1 IP with your SMTP server's IP so that it does not get blacklisted.

Example:

-> wan1 public IP address:

config system interface
    edit "wan1"
        set vdom "root"
        set ip 33.33.33.50 255.255.255.0
    next
end

-> IP pool configuration:

config firewall ippool
    edit "ippool33"
        set startip 33.33.33.33
        set endip 33.33.33.33
    next
end

-> Rule configuration:

config firewall policy
    edit 15
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "host_10.10.10.10"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "ippool33"
    next
end

-> Result:

Your host 10.10.10.10's outgoing IP was 33.33.33.50; now, with the IP pool, it will be 33.33.33.33. Simple as that.

Regards,

Carlos
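The two answers above each show one half of what Ahmed asked for: emnoc's policy route steers TCP/25 out of a chosen WAN link, and Carlos' IP pool changes the source address the session leaves with. The following is an added, end-to-end example written for this thread; it is not configuration posted by emnoc, Carlos or Fortinet. It ties both halves together and adds the two pieces neither post spelled out: the secondary address on the WAN interface itself, and the address object the firewall policy refers to. Every name and address in it is an assumption (mail server 10.10.10.10 on "internal", wan2 primary 203.0.113.50/24 with secondary 203.0.113.60/24, wan2 next hop 203.0.113.1, policy and pool names). Lines starting with # are reader comments, as in a FortiOS config file.

```fortios
# Added example for this thread (not from any poster). All addresses and
# object names are assumed values; replace them with your own.

# 1. Address object for the mail server (Carlos' policy refers to
#    "host_10.10.10.10" but the object was not shown).
config firewall address
    edit "host_10.10.10.10"
        set subnet 10.10.10.10 255.255.255.255
    next
end

# 2. Secondary IP on wan2. The address the IP pool hands out must be
#    reachable on this link, or replies to outbound SMTP never come back.
config system interface
    edit "wan2"
        set secondary-IP enable
        config secondaryip
            edit 1
                set ip 203.0.113.60 255.255.255.0
                set allowaccess ping
            next
        end
    next
end

# 3. IP pool containing only the secondary address.
config firewall ippool
    edit "smtp_pool"
        set type overload
        set startip 203.0.113.60
        set endip 203.0.113.60
    next
end

# 4. Policy route: TCP/25 from the mail server leaves via wan2, ahead of
#    the virtual-WAN route selection. Older FortiOS releases take
#    'set src <ip> <mask>' as in emnoc's example; newer ones expect
#    'set srcaddr <address-object>' instead.
config router policy
    edit 10
        set input-device "internal"
        set src 10.10.10.10 255.255.255.255
        set protocol 6
        set start-port 25
        set end-port 25
        set output-device "wan2"
        set gateway 203.0.113.1
    next
end

# 5. Firewall policy matching the policy-routed session. dstintf must be
#    wan2 (the PBR output device) or the session is dropped. The service is
#    limited to the predefined SMTP object rather than ALL, so the pool
#    address is only ever used for mail.
config firewall policy
    edit 20
        set name "mail-out-wan2"
        set srcintf "internal"
        set dstintf "wan2"
        set srcaddr "host_10.10.10.10"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "SMTP"
        set nat enable
        set ippool enable
        set poolname "smtp_pool"
    next
end
```

To confirm it behaves as intended, list the installed policy routes with diagnose firewall proute list, then follow emnoc's advice: diagnose debug flow filter port 25, diagnose debug flow trace start 10 and diagnose debug enable while the mail server opens a connection. The trace should show the policy route being matched, wan2 as the outgoing interface, firewall policy 20 being hit and the source translated to 203.0.113.60. If the flow shows wan1 instead, the policy route did not match (check input-device and the src syntax for your release); if it shows wan2 but the packet is denied, the firewall policy's dstintf does not match the PBR output device.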
