Hello,
I am new to the Fortinet world. I would like to configure the FortiGate to use different WAN interfaces depending on the source address. For example, servers placed in the DMZ should use the wan2 interface, while users in the LAN/guests should use wan1.
So, I configured (see picture at the bottom of this post):
- WAN-LLB: I set up the wan-load-balance interface with the wan1 and wan2 interfaces
- Static Route: I set a route for destination 0.0.0.0/0.0.0.0 with the device wan-load-balance
- WAN-LLB Rules: for test purpose, I created two rules:
In this case, all seems to work. Clients in the LAN that browse to www.dnsstuff.com see on the web page that the public IP address used is the one of wan1; clients in the DMZ see the public IP of wan2.
Then I changed the destination address from "dnsstuff" to "all". In this case, none of the firewall rules work. I ran a traceroute from a LAN client address to a DMZ client address, and the first hop is not the LAN interface address but the default gateway of wan1. So that rule replaced the default gateway of all interfaces with the default gateway of wan1/wan2.
Is there any way to select "all internet addresses" instead of "all" as the destination of the WAN-LLB rules? Or is there any other way to get what I want?
Thanks
eclipse79
Hi there,
To solve this, you need to add policy routes that will match your internal/DMZ networks and have as action to "Stop Policy Routing". Your connected and static routes will then apply correctly.
I usually create 3 policy routes like this to catch the RFC 1918 networks.
Hope this helps,
Raph
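The three "Stop Policy Routing" entries described in the reply above, written out as FortiOS CLI. This is an added example, not configuration posted by Raph or by Fortinet: the interface names "lan" and "dmz" are assumptions, the syntax follows FortiOS 5.4 and later (on 5.2 the src/dst arguments and multi-interface input-device may need a slightly different form), and the existing WAN-LLB members, rules and the 0.0.0.0/0 static route from the original post are left unchanged. In the CLI, the GUI action "Stop Policy Routing" is `set action deny`.

```fortios
# Added example (not from the original thread). Policy routes are evaluated
# top-down before the routing table; a matching "deny" entry stops policy
# routing, so traffic between internal networks falls through to the
# connected/static routes instead of being pushed out wan1/wan2 by the
# WAN-LLB rule whose destination is "all".
config router policy
    # Assumed interface names: "lan" and "dmz" (adjust to your own).
    edit 1
        set input-device "lan" "dmz"
        set dst "10.0.0.0/255.0.0.0"
        set action deny
    next
    edit 2
        set input-device "lan" "dmz"
        set dst "172.16.0.0/255.240.0.0"
        set action deny
    next
    edit 3
        set input-device "lan" "dmz"
        set dst "192.168.0.0/255.255.0.0"
        set action deny
    next
end
```

Keep these three entries above any other policy route that steers traffic towards the WAN links; if they end up lower in the list, use `move <id> before <id>` inside `config router policy` to reorder them. After committing, `diagnose firewall proute list` shows the active policy routes in evaluation order, and a traceroute from a LAN host to a DMZ host should again show the LAN interface address as the first hop rather than the wan1 gateway.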
Hi
I have exactly the same problem:
It seems to work like PBR: if 0.0.0.0/0.0.0.0 is used as the destination in the LLB rules, the routing table is ignored. Does anybody have a solution?
I'm on 5.2.10 firmware.
If you want certain subnets to go out a certain pipe for all traffic, you would just use a policy-based route.
Mike Pruett
Hi Mike
The problem with this: my whole routing table will be ignored for those subnets, and inter-VLAN routing in my LAN (from my routing table) is ignored as well.
Is there a way to do this? (I was thinking that the LLB could solve my problem.)
Thanks for your help
thank you for your replies, it works now :)
It will help, thanks :)
I was thinking that LLB is only used for Internet Traffic.
Due to the number of VLANs, it is "complicated" to add so many STOP rules (one for each VLAN interface and for each private subnet (172.16.0.0/12 and 192.168.0.0/16)).