Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
caramelmeimei
New Contributor II

Load balance 2 WAN provider using each available IP block

We have a current SD WAN setup with LAN internet connectivity traffics load balanced to 2 ISP providers - both WAN interface IPs are used and the bandwidths are combined.

  • 192.168.0.0/24 --> ISP-A-50Mb (1.1.1.1/29) + ISP-B-50Mb (2.2.2.1/29)
    1. Both IPs are used randomly in each session even in a single device
    2. Bandwidths are combined to 100Mbps

This time I would like to use the other available IPs from each ISP block then still have the bandwidth combined and load balance from a diff LAN subnet.

  • 192.168.10.0/24 --> ISP-A-50Mb (1.1.1.2/29) + ISP-B-50Mb (2.2.2.2/29)

Attempt: Assign overload IP pool for each ISP, and setup an outbound firewall policy NAT to it.

  1. Only single IP (random) is used per device
  2. Only single ISP bandwidth is utilized - 50Mbps
1 Solution
gfleming
Staff
Staff

OK today I learned that fast.com uses multiple sesssions and servers to conduct a speed test. This makes sense why it would be combined across both wan links then!

 

So currently you have one FW policy that works and you have another FW policy referencing a different LAN subnet and using different IP pools that does not work in terms of load balancing? Is that correct?

 

Have you tried splitting the FW policies for the different LAN subnet for each ISP/pool?

Cheers,
Graham

View solution in original post

15 REPLIES 15
knagaraju
Staff
Staff

Hello caramelmeimei,

In the case of a dynamic IP pool, your requirement cannot be achieved and it is by design.

Please refer the below link for additional details on it
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-configure-SNAT-with-IP-pool/ta-p/19...


gfleming
Staff
Staff

Can you explain your use-case here? What are the requirements that are dictating the configuration you are looking for?


IMO just using SD-WAN with load-balance algorithm should work fine. Why do you need such complexity?

Cheers,
Graham
caramelmeimei

I have a group of users that need to use a diff set of public IPs ( ISP-A-50Mb (1.1.1.2/29) + ISP-B-50Mb (2.2.2.2/29) ) in accessing the internet ,instead of the IPs in the interface ( ISP-A-50Mb (1.1.1.1/29) + ISP-B-50Mb (2.2.2.1/29) )

gfleming

OK I haven't tested this in lab but I think it should work:

 

Two SD-WAN rules:

1. Source Group A -> Load Balance on WAN1 and WAN2

2. Source Group B -> Load Balance on WAN1 and WAN2

 

Two FW Policies:

1. Source Group A -> Dest All -> NAT Pool containing 1.1.1.1 and 2.2.2.1

2. Source Group B -> Dest All -> NAT Pool containing 1.1.1.2 and 2.2.2.2

 

Something like that?

Cheers,
Graham
caramelmeimei

Yes the concept is correct. But:

 

"Two SD-WAN rules" : since it has the same interface I'm not sure how to config a second rule for it

gfleming

SD-WAN rules contain a "source" configuration. You can have the same interface but different sources. Actually now that I think about it you don't need different SD-WAN rules after all. Just the two Firewall Policies will do the trick. 

 

You'll have two IP pools assigned to each FW Policy (one pool for each ISP link contained the SD-WAN zone).

 

Alternatively you could put each ISP link into its own Zone and then reference the zone independently in the FW rule if the multiple IP pools doesn't work.

Cheers,
Graham
caramelmeimei

Actually that is the attempt I made:

  • Assign each links into separated zone
  • Selected those zones as the outgoing
  • Selected 1.1.1.2 and 2.2.2.2 as dynamic pools

Yes by doing this, I got the LAN users to establish connection while utilizing that IPs.

 

Unfortunately, that didn't accomplished to load balance their traffics.

  1. Only single IP (random) is used per device
  2. Only single ISP bandwidth is utilized - 50Mbps

 

I am now thinking of creating a physical link in a separate interface for those IPs - (ISP -> Switch -> FG), then create a separate SD-WAN configuration with it.

While common subnet between interfaces is doable by allow-subnet-overlap, is it recommended to do that for WAN connections?

gfleming

I don't think you need to create a separate link for each IP.... let's work with what you've done so far. I think you're close.

 

What is the load balance alogorithm you are using on the SD-WAN rule?

 

Can you show your SD-WAN rule? And the associated FW Policy and IP pools?

Cheers,
Graham
caramelmeimei

LBA using Volume

 

SD-WAN rule:

config system sdwan
set status enable
set load-balance-mode measured-volume-based
config zone
edit "virtual-wan-link"
next
edit "upg-zone-wan1"
next
edit "upg-zone-wan2"
next
end
config members
edit 1
set interface "port1"
set zone "upg-zone-wan1"
set gateway 1.1.1.254
set volume-ratio 100
next
edit 2
set interface "port2"
set zone "upg-zone-wan2"
set gateway 2.2.2.254
set volume-ratio 100
next
end

 

FW Policy:

config firewall policy
edit 39
set name "LAN2-POLICY"
set uuid 444211f8-de63-51ed-7226-cfe0cae03444
set srcintf "LAN"
set dstintf "upg-zone-wan1" "upg-zone-wan2"
set action accept
set srcaddr "LAN2-users"
set dstaddr "all"
set schedule "always"
set service "ALL"
set logtraffic all
set nat enable
set ippool enable
set poolname "WAN1-2-IP" "WAN2-2-IP"
next
edit 1
set name "ALL-LAN-POLICY"
set uuid 444a32e8-6c73-51ed-bad3-33444101d444
set srcintf "LAN"
set dstintf "upg-zone-wan1" "upg-zone-wan2"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set utm-status enable
set ssl-ssh-profile "monitor-all"
set webfilter-profile "monitor-all"
set application-list "monitor-all"
set nat enable
next
end

 

IPPOOL:

config firewall ippool
edit "WAN1-2-IP"
set startip 1.1.1.2
set endip 1.1.1.2
next
edit "WAN2-2-IP"
set startip 2.2.2.2
set endip 2.2.2.2
next
end

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors