We have a current SD-WAN setup with LAN internet traffic load-balanced across 2 ISP providers; both WAN interface IPs are used and the bandwidths are combined.
This time I would like to use the other available IPs from each ISP block, and still have the bandwidth combined and load-balanced from a different LAN subnet.
Attempt: assign an overload IP pool for each ISP, and set up an outbound firewall policy with NAT to it.
OK, today I learned that fast.com uses multiple sessions and servers to conduct a speed test. That makes sense of why it would be combined across both WAN links then!
So currently you have one FW policy that works, and you have another FW policy referencing a different LAN subnet and using different IP pools that does not work in terms of load balancing? Is that correct?
Have you tried splitting the FW policies for the different LAN subnet, one per ISP/pool?
Hello caramelmeimei,
In the case of a dynamic IP pool, your requirement cannot be achieved and it is by design.
Please refer to the link below for additional details on it:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-configure-SNAT-with-IP-pool/ta-p/19...
Can you explain your use-case here? What are the requirements that are dictating the configuration you are looking for?
IMO just using SD-WAN with a load-balance algorithm should work fine. Why do you need such complexity?
I have a group of users that need to use a different set of public IPs (ISP-A-50Mb (1.1.1.2/29) + ISP-B-50Mb (2.2.2.2/29)) when accessing the internet, instead of the IPs on the interfaces (ISP-A-50Mb (1.1.1.1/29) + ISP-B-50Mb (2.2.2.1/29)).
OK, I haven't tested this in a lab, but I think it should work:
Two SD-WAN rules:
1. Source Group A -> Load Balance on WAN1 and WAN2
2. Source Group B -> Load Balance on WAN1 and WAN2
Two FW Policies:
1. Source Group A -> Dest All -> NAT Pool containing 1.1.1.1 and 2.2.2.1
2. Source Group B -> Dest All -> NAT Pool containing 1.1.1.2 and 2.2.2.2
Something like that?
Yes, the concept is correct. But:
"Two SD-WAN rules": since it has the same interface, I'm not sure how to configure a second rule for it.
SD-WAN rules contain a "source" configuration. You can have the same interface but different sources. Actually now that I think about it you don't need different SD-WAN rules after all. Just the two Firewall Policies will do the trick.
You'll have two IP pools assigned to each FW Policy (one pool for each ISP link contained in the SD-WAN zone).
Alternatively, you could put each ISP link into its own zone and then reference each zone independently in the FW rule if the multiple IP pools don't work.
Created on 04-20-2023 08:10 PM Edited on 04-20-2023 08:22 PM
Actually that is the attempt I made:
Yes, by doing this I got the LAN users to establish connections while utilizing those IPs.
Unfortunately, that didn't accomplish load balancing their traffic.
I am now thinking of creating a physical link on a separate interface for those IPs (ISP -> Switch -> FG), then creating a separate SD-WAN configuration with it.
While a common subnet between interfaces is doable with allow-subnet-overlap, is it recommended to do that for WAN connections?
I don't think you need to create a separate link for each IP.... let's work with what you've done so far. I think you're close.
What is the load balance algorithm you are using on the SD-WAN rule?
Can you show your SD-WAN rule? And the associated FW Policy and IP pools?
Created on 04-21-2023 01:33 AM Edited on 04-21-2023 01:36 AM
LBA using Volume
SD-WAN rule:
```
config system sdwan
    set status enable
    set load-balance-mode measured-volume-based
    config zone
        edit "virtual-wan-link"
        next
        edit "upg-zone-wan1"
        next
        edit "upg-zone-wan2"
        next
    end
    config members
        edit 1
            set interface "port1"
            set zone "upg-zone-wan1"
            set gateway 1.1.1.254
            set volume-ratio 100
        next
        edit 2
            set interface "port2"
            set zone "upg-zone-wan2"
            set gateway 2.2.2.254
            set volume-ratio 100
        next
    end
end
```
FW Policy:
```
config firewall policy
    edit 39
        set name "LAN2-POLICY"
        set uuid 444211f8-de63-51ed-7226-cfe0cae03444
        set srcintf "LAN"
        set dstintf "upg-zone-wan1" "upg-zone-wan2"
        set action accept
        set srcaddr "LAN2-users"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
        set ippool enable
        set poolname "WAN1-2-IP" "WAN2-2-IP"
    next
    edit 1
        set name "ALL-LAN-POLICY"
        set uuid 444a32e8-6c73-51ed-bad3-33444101d444
        set srcintf "LAN"
        set dstintf "upg-zone-wan1" "upg-zone-wan2"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "monitor-all"
        set webfilter-profile "monitor-all"
        set application-list "monitor-all"
        set nat enable
    next
end
```
IP pool:
```
config firewall ippool
    edit "WAN1-2-IP"
        set startip 1.1.1.2
        set endip 1.1.1.2
    next
    edit "WAN2-2-IP"
        set startip 2.2.2.2
        set endip 2.2.2.2
    next
end
```
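As an added illustration of why the configuration above only shows combined bandwidth for multi-session tests like fast.com (this is a simplified model, not code from the thread or from Fortinet): each new session is steered to the member with the least volume relative to its volume-ratio, and is then SNATed from the pool address that sits on the egress interface's subnet. The pool-selection rule is an assumption of the model, and the session sizes are constructed.

```python
# Simplified model (added illustration, not FortiOS code) of how per-session
# SD-WAN volume-based load balancing interacts with per-ISP SNAT pools.
from dataclasses import dataclass
import ipaddress

@dataclass
class Member:
    name: str                        # SD-WAN member, e.g. "port1"
    subnet: ipaddress.IPv4Network    # ISP block assigned to that interface
    volume_ratio: int                # 'set volume-ratio' weight
    bytes_sent: int = 0

@dataclass
class Session:
    size: int          # bytes this session will transfer (constructed)
    egress: str = ""
    snat_ip: str = ""

# Mirrors the thread: two /29 blocks at ratio 100:100, and policy 39's
# overload pools holding the second usable address of each block.
MEMBERS = [
    Member("port1", ipaddress.ip_network("1.1.1.0/29"), 100),
    Member("port2", ipaddress.ip_network("2.2.2.0/29"), 100),
]
POOLS = {"WAN1-2-IP": "1.1.1.2", "WAN2-2-IP": "2.2.2.2"}

def pick_member(members):
    """Volume-based choice (simplified): the member with the least bytes per
    unit of volume-ratio gets the next *session*; a session never splits."""
    return min(members, key=lambda m: m.bytes_sent / m.volume_ratio)

def pick_snat(member, pools):
    """Assumption: with several pools on one policy, the pool whose address
    lies inside the egress interface's subnet is used for that session."""
    for ip in pools.values():
        if ipaddress.ip_address(ip) in member.subnet:
            return ip
    raise ValueError(f"no pool address on {member.name}'s subnet")

def run(sessions, pools=POOLS):
    # Fresh counters per run; returns bytes carried by each member.
    members = [Member(m.name, m.subnet, m.volume_ratio) for m in MEMBERS]
    for s in sessions:
        m = pick_member(members)
        s.egress, s.snat_ip = m.name, pick_snat(m, pools)
        m.bytes_sent += s.size
    return {m.name: m.bytes_sent for m in members}

# One 500 MB single-session download rides one link only...
single = run([Session(500_000_000)])
# ...while 8 parallel 100 MB sessions (fast.com style) fill both links.
multi = run([Session(100_000_000) for _ in range(8)])
```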