Support Forum
alzaiem
New Contributor

How to Direct Specific Traffic to Specific WAN?

Hello Everyone,

 

We have a FortiGate 140D with OS 5.6. We are currently depending on the WAN1 port to access the internet, which is a microwave link. I have a new 4G device, which I would like to connect to FortiGate WAN2 but use only for Windows Update downloads. I tried to connect the 4G link to the WAN2 port, and suddenly all internet was disconnected from the users! How can I use WAN2 only for software updates? Even if it's down, I don't want this traffic to go to WAN1.

 

Best Regards,

Alzaiem

1 Solution
Jeff_Roback

This is a surprisingly complex topic.  Here's a KB article I put together for our internal staff on the subject that explains this from a conceptual standpoint:

 

Setting up Fortinet FortiGate firewalls for dual-WAN scenarios with >=2 Internet connections

 

General strategy for setup:

 

1. Static default route for each WAN interface
  • same distance for each route
  • different priority for each route (lower priority wins)

2. Link health monitor for each route.
  • This is what allows the route to be removed from the routing table if the link is unusable.
  • This route gets removed from the routing table if the IPs given here aren't reachable.

3. Policy route for traffic that should use the secondary interface (the one with higher priority)
  • MUST leave default gateway as 0.0.0.0
  • This allows it to be removed if that interface goes down.

     

    Routes specify where to send traffic. 

    This will generally be an interface (wan1, wan2, lan, etc) or a VPN tunnel to a remote site.

The VPN appears as a virtual interface just like an internet connection.

     

    Routing Notes:

     

Each policy route is inspected. As soon as one matches, it wins and traffic goes that way.
  • If a policy route refers to an interface that is down (via the link health monitor), then it will be skipped.
  • If no policy route matches, then inspect each static route, going from the lowest priority up. As soon as traffic matches, it goes that way.

     

     

Note: If you need certain traffic to skip the priority routes (for example forcing certain IPs to use the primary route even though there's a policy route to send that subnet via the secondary route), you can put an entry HIGHER in the list of policy routes for those IP(s) that says "stop policy routing".

     

Policies specify what is done to the traffic as it passes this interface:
  • Check if traffic is allowed to pass, by source address, destination address, or port.
  • What inspection should be done on that traffic (AV, website blocking).
  • NAT of the source IP address (sNAT): changing the private 10.x.x.x address to a public IP address.

     

     

     

DIRECTION of traffic from the FortiGate's perspective is important to understand:

     

    In general, keep in mind that with the FortiGate we are always thinking of traffic in terms of where the traffic first originated (ie which machine asked for the traffic).

     

When an end user is watching a YouTube video, that is controlled by a policy from LAN to WAN. The FortiGate catches the outbound request for the traffic from the user and automatically associates all the inbound traffic from WAN to LAN with that original session.
  • No settings are needed for WAN to LAN for this traffic; even though most of the traffic is flowing from the Internet to the user, it is considered LAN to WAN traffic.
  • Note this uses the sNAT indicated in the WAN to LAN policy to change the source address of the traffic to appear to be coming from a public address. The IP Pool selected in the policy does this.

     

When someone on the Internet connects to the Exchange server, this is controlled by a policy from WAN to LAN. The FortiGate catches the inbound request from WAN to LAN and automatically allows returning traffic from the server back to the internet client.
  • Even though most of the traffic will be going from the email server (LAN) to the client (WAN), this is considered a WAN to LAN flow, since it was initiated on the WAN.
  • In this case, the DESTINATION IP is changed (the public IP used by the client on the internet is mapped to the private IP of the email server using a Virtual IP). This is controlled by the Virtual IP.

     

Servers that also initiate traffic to the internet and need to use a specific public IP address (like email servers sending SMTP messages out) also need to be set up like clients, so they will also have their own LAN to WAN policy rule with a dedicated IP address (using an IP Pool).

Jeff Roback
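The three-step design above (and the policy-route approach S1nDr3am suggests) written out as FortiOS 5.6 CLI; this is an added illustration, not Jeff's or Fortinet's own configuration. The port names, the RFC 5737 gateway addresses, the 10.0.0.0/16 LAN and the `WindowsUpdate-Servers` address group are assumptions to replace with your own, and the keywords are FortiOS 5.x CLI as I know it, so check them against your unit's CLI reference.

```fortios
# Added example, not from the thread; all addresses are placeholders.
# 1. Static default route on each WAN: same distance, different priority
#    (lower priority value wins, so wan1 is the normal exit).
config router static
    edit 1
        set device "wan1"
        set gateway 203.0.113.1      # placeholder: WAN1 (microwave) gateway
        set distance 10
        set priority 0
    next
    edit 2
        set device "wan2"
        set gateway 198.51.100.1     # placeholder: WAN2 (4G) gateway
        set distance 10
        set priority 10
    next
end
# 2. Link health monitor on wan2. When the probe fails, the wan2 default
#    route is withdrawn, so the policy route below is skipped instead of
#    pushing traffic into a dead link.
config system link-monitor
    edit "wan2-monitor"
        set srcintf "wan2"
        set server "198.51.100.1"    # placeholder: probe target reached via wan2
        set gateway-ip 198.51.100.1
        set interval 5
        set failtime 3
        set update-static-route enable
    next
end
# 3. Policy routes, checked top-down, first match wins.
#    seq 1 is Jeff's "stop policy routing" exception: this subnet stays on
#    wan1 even though its destination matches seq 2. seq 2 sends update
#    traffic out wan2; gateway stays 0.0.0.0 so the entry is tied to
#    wan2's monitored default route.
config router policy
    edit 1
        set input-device "internal"
        set src "10.0.5.0/255.255.255.0"     # placeholder: hosts pinned to wan1
        set dstaddr "WindowsUpdate-Servers"  # assumed address group of update servers
        set action deny                      # "Stop Policy Routing" in the GUI
    next
    edit 2
        set input-device "internal"
        set src "10.0.0.0/255.255.0.0"       # placeholder: whole LAN
        set dstaddr "WindowsUpdate-Servers"
        set gateway 0.0.0.0
        set output-device "wan2"
    next
end
```

A firewall policy from internal to wan2 with NAT enabled is still required for the redirected traffic to pass. Because seq 2 is skipped once wan2's route is withdrawn, update traffic then falls back to wan1 through the static routes, which is the behaviour Jeff's routing notes describe, not the "never use WAN1" behaviour the question asks for.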

7 REPLIES
    S1nDr3am
    New Contributor

Hi, I think you should be able to achieve this using policy routes. Make one policy using the Windows Update servers as destination, then configure WAN2 as the gateway. After that create a second policy and have traffic use WAN1 as the gateway. Policy routes are processed by sequence, so I think this should work. Good luck.
    loic
    New Contributor III

You can use SD-WAN and an SD-WAN rule with the "Microsoft-MS.Update" internet service.

More details for SD-WAN: http://cookbook.fortinet....net-basic-failover-56/

    Loïc
    alzaiem
    New Contributor

    Thank you S1nDr3am, Loic for the advice. I will go through it and see what happens.

     

    Best Regards,

    Alzaiem

    sw2090

Yeah, that is the way to do it without using SD-WAN :)

     

If you can use SD-WAN it is much easier:

     

- enable SD-WAN and add all WANs to it.

- create an SD-WAN rule for MS Update (like written before)

- create a second rule for all other traffic (needed because the rest would match the load balancer rule without it and that would cause it to use both WANs; you don't need it if you do not mind other traffic using WAN2 too and only want to force MS Update to use only WAN2)

- create a policy for traffic to the internet that has SD-WAN as destination interface

- create a default route with SD-WAN as interface

     

Optionally: create a health check on SD-WAN to have failover if one link is gone.

Then MS Update will use WAN2 as long as it works and fail over to WAN1 if WAN2 is gone or offline.

     

    -- 

    "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

    alzaiem
    New Contributor

    Thank you S1nDr3am for the advice. I will go through it and see what happens.

     

    Best Regards,

    Alzaiem

    alfred0809
    New Contributor

RESOLUTION:

  1. Login to the SonicWall management GUI.
  2. Click MANAGE on the top bar, navigate to Network and then click Routing.
  3. Click Add to create a Static Route. In the pop-up window there are several options available to you, all of which are important to understand.
    • The Source field refers to where the traffic will be coming from. In the below example we want to apply this Route to any traffic coming from any Interface with the LAN designation.
    • The Destination field refers to where the traffic is going. In the below example we select Any since we can't list all the destinations; instead we're specifying by Protocol.
    • The Service field refers to the type of traffic this Route should apply to. We've selected HTTP, so any packets going over Port 80 which ALSO come from a LAN Zone Interface/Subnet will be subject to this Route.
    • The Gateway field is where the traffic will be sent to. In this instance we have our Backup ISP on the X2 Interface and want to use it for this HTTP traffic, so we select the X2 Default Gateway.
    • The Interface field is what Interface the Gateway we've chosen exists on. In this case we're using our ISP on X2, so we choose X2.

  NOTE: The Metric field refers to what weight this Route should have, with lower being a higher priority. In this example we've chosen 10.