Hello, there is a device that has FortiGate 200D 6.0.15 installed. WAN1 (ISP1) and WAN2 (ISP2) are connected to this device, and I want to use these two separately without using load balancing.
Example)
WAN1 -> LAN1, WAN2 -> LAN2
The current Policy Routes connect each local subnet to its ISP so that Internet communication works. However, the Site-to-Site tunnel does not connect, and the ports set in the IPv4 Policy do not loop back. :(
However, if I disable both Policy Routes (ISP1, ISP2), the Site-to-Site VPN and the loopback seem to work normally. However, Internet communication is then not available. T.T
How can I solve this problem? I want load balancing disabled. (Use each link independently; if one is disconnected, it does not need to be load balanced.)
If you know this problem, please help!
Thank you.
It's not entirely clear what your issue is. You have a site-to-site tunnel that stops working when policy route is enabled?
Do both lan and lan2 need access to the site-to-site tunnel?
Is the site-to-site tunnel terminated on a loopback interface?
You can consider using SD-WAN for your purposes: https://docs.fortinet.com/document/fortigate/6.0.0/handbook/846132/sd-wan
You can create rules in SD-WAN (that are basically just glorified policy routes) that will allow you to steer traffic from LAN -> WAN and LAN2->WAN2. No failover/switchback etc.
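An added example (not the reply author's configuration) of what such manual SD-WAN rules look like in the FortiOS 6.0 CLI. Interface names wan1/wan2 come from the thread; the address objects "LAN1_net" and "LAN2_net" and the gateway placeholders are assumptions, and the lines starting with # are annotations, not CLI. FortiOS refuses to add an interface as an SD-WAN member while a firewall policy, VIP or static route still references it directly, so those objects must be repointed at the SD-WAN interface first.

```fortios
# Added example. Assumes address objects "LAN1_net" and "LAN2_net"
# already exist; <ISP1_GW> and <ISP2_GW> are placeholders.
config system virtual-wan-link
    set status enable
    config members
        edit 1
            set interface "wan1"
            set gateway <ISP1_GW>
        next
        edit 2
            set interface "wan2"
            set gateway <ISP2_GW>
        next
    end
    # Manual mode pins each LAN to one member: no health check,
    # no failover, no load balancing between the two ISPs.
    config service
        edit 1
            set name "LAN1-via-WAN1"
            set mode manual
            set src "LAN1_net"
            set dst "all"
            set priority-members 1
        next
        edit 2
            set name "LAN2-via-WAN2"
            set mode manual
            set src "LAN2_net"
            set dst "all"
            set priority-members 2
        next
    end
end
# A single default route over the SD-WAN interface replaces the
# per-WAN default routes.
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set virtual-wan-link enable
    next
end
```

Traffic that matches neither rule (for example, traffic not sourced from the two LAN subnets) falls back to the SD-WAN load-balance mode, so the two rules must cover every source that should be pinned to one ISP.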
Thank you for your reply. :) If the Policy Routes are set as shown in the picture above, Internet access for WAN1 -> LAN1 + WAN2 -> LAN2 works normally, and all the forwarded policies work. However, the VPN tunnel connected by Site-to-Site does not connect (100% packet loss), and the port-forwarded services on WAN1 <- LAN1 do not get in.
However, if the two Policy Routes are disabled, the router tunnel connected via Site-to-Site can be reached (0% packet loss) and the port-forwarded services on WAN1 <- LAN1 get in normally.
I want to know how to configure SD-WAN to go to WAN1 -> LAN1 + WAN2 -> LAN2. I looked up a lot of materials, but most of them were for load balancing :(
I don't want to use load balancing; I want to use each connection separately.
Thank you! Have a nice day :)
Let's try to solve the first issue. Can you please show the configuration of your tunnel on the Fortigate?
show vpn ipsec phase1-interface
show vpn ipsec phase2-interface
And can you please also show your policy routes
diagnose firewall proute list
And please show the VIP config for WAN1 -> LAN1
show firewall vip
Hello, thank you for your help. I wrote down the list below.
RD-MG-IPSec = Access VPN for Management
REDREDGROUP-BO = Site-to-Site VPN
show vpn ipsec phase1-interface
config vpn ipsec phase1-interface
edit "RD-MG-IPSec"
set type dynamic
set interface "wan1"
set mode aggressive
set peertype any
set mode-cfg enable
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set dpd on-idle
set comments "VPN: RD-MG-IPSec (Created by VPN wizard)"
set wizard-type dialup-forticlient
set xauthtype auto
set authusrgrp "IPSec-User"
set ipv4-start-ip 10.34.100.1
set ipv4-end-ip 10.34.100.254
set dns-mode auto
set save-password enable
set psksecret ENC <MY_SECRET>
set dpd-retryinterval 60
next
edit "REDREDGROUP-BO"
set interface "wan1"
set peertype any
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set comments "VPN: REDREDGROUP-BO (Created by VPN wizard)"
set wizard-type static-fortigate
set remote-gw <MY_GW_ADDRESS>
set psksecret ENC <MY_SECRET_KEY>
next
end
show vpn ipsec phase2-interface result:
config vpn ipsec phase2-interface
edit "RD-MG-IPSec"
set phase1name "RD-MG-IPSec"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256
set comments "VPN: RD-MG-IPSec (Created by VPN wizard)"
next
edit "REDREDGROUP-BO"
set phase1name "REDREDGROUP-BO"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256
set comments "VPN: REDREDGROUP-BO (Created by VPN wizard)"
set src-addr-type name
set dst-addr-type name
set src-name "REDREDGROUP-BO_local"
set dst-name "REDREDGROUP-BO_remote"
next
end
diagnose firewall proute list result:
list route policy info(vf=root):
id=1 dscp_tag=0xff 0xff flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0:0 iif=31 dport=0-65535 oif=6 gwy=<MY_GW_ADDRESS>
source wildcard(1): 10.34.1.0/255.255.255.0
destination wildcard(1): 0.0.0.0/0.0.0.0
id=2 dscp_tag=0xff 0xff flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0:0 iif=32 dport=0-65535 oif=7 gwy=<MY_GW_ADDRESS>
source wildcard(1): 128.121.63.0/255.255.255.0
destination wildcard(1): 0.0.0.0/0.0.0.0
show firewall vip
config firewall vip
edit "Web-HTTP"
set uuid c314889a-89aa-51ed-4db7-253198b4d5ab
set extintf "wan1"
set portforward enable
set mappedip "10.34.1.200"
set extport 80
set mappedport 80
next
edit "Web-HTTPS"
set uuid 57158756-89ab-51ed-5add-75468116dda7
set extintf "wan1"
set portforward enable
set mappedip "10.34.1.200"
set extport 443
set mappedport 443
next
end
Currently, the Policy Routes are turned on, so only Internet access and the external HTTP and HTTPS port forwarding are operating normally.
Thank you for your help :)
What are the 10.34.1.0/24 and 128.121.63.0/24 networks?
What networks exist in the "REDREDGROUP-BO_local" and "REDREDGROUP-BO_remote" objects?
Are the two GW_ADDRESSES in the policy routes different or the same?