eclipse79
New Contributor

LLB rules for using a different WAN interface depending on source

Hello,

I am new to the Fortinet world. I would like to configure the FortiGate to use different WAN interfaces depending on the source address. For example, servers placed in the DMZ should use the wan2 interface, and users in the LAN/guests should use wan1.

 

So, I configured (see picture at the bottom of this post):

- WAN-LLB: I set the wan-load-balance interface with the wan1 and wan2 interfaces

- Static Route: I set a static route for destination 0.0.0.0/0.0.0.0 with device wan-load-balance

- WAN-LLB Rules: for test purposes, I created two rules:

  • source: LAN subnet, destination: www.dnsstuff.com, outgoing interface: wan1
  • source: DMZ subnet, destination: www.dnsstuff.com, outgoing interface: wan2

    In this case, all seems to work. Clients in the LAN that browse www.dnsstuff.com see on the web page that the public IP address used is that of wan1; clients in the DMZ see the public IP of wan2.

     

    Then I changed the destination address from "dnsstuff" to "all". In this case, none of the firewall rules work. I ran a traceroute from a LAN client address to a DMZ client address: the first hop is not the LAN interface address, but the default gateway of wan1. So that rule replaced the default gateway of all interfaces with the default gateway of wan1/wan2.

     

    Is there any way to select "all internet addresses" instead of "all" as the destination of WAN-LLB rules? Or is there any other way to get what I want?

     

    Thanks 

    eclipse79 

     

    kdevos
    New Contributor

    Hi

    I have exactly the same problem:

    It seems to work like PBR: if 0.0.0.0/0.0.0.0 is used as the LLB rule destination, the routing table is ignored. Does somebody have a solution?

    I'm on FW 5.2.10.

     

    MikePruett
    Valued Contributor

    If you want certain subnets to go out a certain pipe for all traffic, you would just use a policy-based route.

    Mike Pruett Fortinet GURU | Fortinet Training Videos
    kdevos

    Hi Mike

    The problem with this: my whole routing table will be ignored for these certain subnets, and inter-VLAN routing in my LAN is ignored (from my routing table).

    Is there a way to do this? (I was thinking that the LLB could solve my problem.)

    Thanks for your help

    Raph
    New Contributor

    Hi there,

     

    To solve this, you need to add policy routes that will match your internal/DMZ networks and have as action to "Stop Policy Routing". Your connected and static routes will then apply correctly.

    I usually create 3 policy routes like this to catch the RFC 1918 networks.

     

    Hope this helps,

    Raph
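    As an added illustration (not configuration posted by anyone in this thread), this is the FortiOS CLI form of the three "Stop Policy Routing" entries Raph describes: in `config router policy`, `set action deny` is the CLI equivalent of the GUI action "Stop Policy Routing", so a packet matching one of these entries falls through to the normal routing table (connected and static routes) instead of being caught by the LLB rule whose destination is "all". The interface name "internal" is an assumption; `#` lines are comments.

```text
config router policy
    # Entries 1-3 catch traffic from the LAN toward any RFC 1918 destination
    # (other internal subnets, the DMZ, VLANs) and stop policy routing there,
    # so the routing table decides. Policy routes are matched top-down, so
    # these must sit above any entry whose destination is 0.0.0.0/0.
    edit 1
        set input-device "internal"
        set dst "10.0.0.0/255.0.0.0"
        set action deny
    next
    edit 2
        set input-device "internal"
        set dst "172.16.0.0/255.240.0.0"
        set action deny
    next
    edit 3
        set input-device "internal"
        set dst "192.168.0.0/255.255.0.0"
        set action deny
    next
    # Repeat the same three entries for every other ingress interface
    # (for example "dmz" and each VLAN sub-interface) that carries
    # internal traffic, since each policy route is bound to an input device.
end
```

    Check the result with a traceroute from a LAN host to a DMZ host: the first hop should again be the FortiGate's LAN interface address rather than the wan1 gateway.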

    eclipse79
    New Contributor

    Thank you for your replies, it works now :)

    kdevos
    New Contributor

    It will help, thanks :)

    I was thinking that LLB is only used for Internet Traffic.

    Due to the number of VLANs, it's "complicated" to add so many STOP rules (one for each VLAN interface, and for the private subnets 172.16.0.0/12 and 192.168.0.0/16).
