caramelmeimei
New Contributor II

Load balance 2 WAN provider using each available IP block

We have a current SD-WAN setup with LAN internet traffic load balanced to 2 ISP providers - both WAN interface IPs are used and the bandwidths are combined.

  • 192.168.0.0/24 --> ISP-A-50Mb (1.1.1.1/29) + ISP-B-50Mb (2.2.2.1/29)
    1. Both IPs are used randomly in each session even in a single device
    2. Bandwidths are combined to 100Mbps

This time I would like to use the other available IPs from each ISP block then still have the bandwidth combined and load balance from a diff LAN subnet.

  • 192.168.10.0/24 --> ISP-A-50Mb (1.1.1.2/29) + ISP-B-50Mb (2.2.2.2/29)

Attempt: Assign overload IP pool for each ISP, and setup an outbound firewall policy NAT to it.

  1. Only single IP (random) is used per device
  2. Only single ISP bandwidth is utilized - 50Mbps
1 Solution
gfleming
Staff

OK today I learned that fast.com uses multiple sessions and servers to conduct a speed test. This makes sense why it would be combined across both wan links then!
So currently you have one FW policy that works and you have another FW policy referencing a different LAN subnet and using different IP pools that does not work in terms of load balancing? Is that correct?
Have you tried splitting the FW policies for the different LAN subnet for each ISP/pool?

Cheers,
Graham


15 Replies
knagaraju
Staff

Hello caramelmeimei,

In the case of a dynamic IP pool, your requirement cannot be achieved and it is by design.

Please refer to the link below for additional details on it:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-configure-SNAT-with-IP-pool/ta-p/19...


gfleming
Staff

Can you explain your use-case here? What are the requirements that are dictating the configuration you are looking for?


IMO just using SD-WAN with load-balance algorithm should work fine. Why do you need such complexity?

Cheers,
Graham
caramelmeimei

I have a group of users that need to use a diff set of public IPs ( ISP-A-50Mb (1.1.1.2/29) + ISP-B-50Mb (2.2.2.2/29) ) in accessing the internet, instead of the IPs on the interface ( ISP-A-50Mb (1.1.1.1/29) + ISP-B-50Mb (2.2.2.1/29) ).

gfleming

OK I haven't tested this in lab but I think it should work:
Two SD-WAN rules:

1. Source Group A -> Load Balance on WAN1 and WAN2

2. Source Group B -> Load Balance on WAN1 and WAN2
Two FW Policies:

1. Source Group A -> Dest All -> NAT Pool containing 1.1.1.1 and 2.2.2.1

2. Source Group B -> Dest All -> NAT Pool containing 1.1.1.2 and 2.2.2.2
Something like that?

Cheers,
Graham
caramelmeimei

Yes the concept is correct. But:
"Two SD-WAN rules": since it has the same interface, I'm not sure how to config a second rule for it.

gfleming

SD-WAN rules contain a "source" configuration. You can have the same interface but different sources. Actually, now that I think about it, you don't need different SD-WAN rules after all. Just the two Firewall Policies will do the trick.
You'll have two IP pools assigned to each FW Policy (one pool for each ISP link contained in the SD-WAN zone).
Alternatively, you could put each ISP link into its own Zone and then reference the zone independently in the FW rule if the multiple IP pools don't work.

Cheers,
Graham
caramelmeimei

Actually, that is the attempt I made:

  • Assigned each link to a separate zone
  • Selected those zones as the outgoing interfaces
  • Selected 1.1.1.2 and 2.2.2.2 as dynamic pools

Yes, by doing this I got the LAN users to establish connections while utilizing those IPs.
Unfortunately, that didn't accomplish load balancing their traffic.

  1. Only single IP (random) is used per device
  2. Only single ISP bandwidth is utilized - 50Mbps
I am now thinking of creating a physical link in a separate interface for those IPs - (ISP -> Switch -> FG), then create a separate SD-WAN configuration with it.

While common subnet between interfaces is doable by allow-subnet-overlap, is it recommended to do that for WAN connections?

gfleming

I don't think you need to create a separate link for each IP.... let's work with what you've done so far. I think you're close.
What is the load balance algorithm you are using on the SD-WAN rule?
Can you show your SD-WAN rule? And the associated FW Policy and IP pools?

Cheers,
Graham
caramelmeimei

LBA using Volume
SD-WAN rule:

config system sdwan
    set status enable
    set load-balance-mode measured-volume-based
    config zone
        edit "virtual-wan-link"
        next
        edit "upg-zone-wan1"
        next
        edit "upg-zone-wan2"
        next
    end
    config members
        edit 1
            set interface "port1"
            set zone "upg-zone-wan1"
            set gateway 1.1.1.254
            set volume-ratio 100
        next
        edit 2
            set interface "port2"
            set zone "upg-zone-wan2"
            set gateway 2.2.2.254
            set volume-ratio 100
        next
    end
FW Policy:

config firewall policy
    edit 39
        set name "LAN2-POLICY"
        set uuid 444211f8-de63-51ed-7226-cfe0cae03444
        set srcintf "LAN"
        set dstintf "upg-zone-wan1" "upg-zone-wan2"
        set action accept
        set srcaddr "LAN2-users"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
        set ippool enable
        set poolname "WAN1-2-IP" "WAN2-2-IP"
    next
    edit 1
        set name "ALL-LAN-POLICY"
        set uuid 444a32e8-6c73-51ed-bad3-33444101d444
        set srcintf "LAN"
        set dstintf "upg-zone-wan1" "upg-zone-wan2"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "monitor-all"
        set webfilter-profile "monitor-all"
        set application-list "monitor-all"
        set nat enable
    next
end
IPPOOL:

config firewall ippool
    edit "WAN1-2-IP"
        set startip 1.1.1.2
        set endip 1.1.1.2
    next
    edit "WAN2-2-IP"
        set startip 2.2.2.2
        set endip 2.2.2.2
    next
end
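The accepted suggestion (one firewall policy per ISP zone, each carrying only that ISP's pool) applied to the configuration posted above, as an added example and not something from the thread; policy ID 40 and the policy names are assumed, and the `#` lines are annotations rather than CLI input:

```fortios
# Added example: split "LAN2-POLICY" into one policy per SD-WAN zone.
# The FortiGate resolves the egress interface through SD-WAN (here
# measured-volume-based across both members) before policy lookup, so each
# session lands on the policy for the zone it was routed to and is SNATed
# with that ISP's spare address: both links and both IPs get used.
config firewall policy
    edit 39
        set name "LAN2-POLICY-WAN1"
        set srcintf "LAN"
        set dstintf "upg-zone-wan1"
        set action accept
        set srcaddr "LAN2-users"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
        set ippool enable
        set poolname "WAN1-2-IP"
    next
    edit 40
        set name "LAN2-POLICY-WAN2"
        set srcintf "LAN"
        set dstintf "upg-zone-wan2"
        set action accept
        set srcaddr "LAN2-users"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
        set ippool enable
        set poolname "WAN2-2-IP"
    next
end
# Keep both policies ordered above "ALL-LAN-POLICY" (id 1): its srcaddr "all"
# would otherwise match LAN2-users first and NAT them to the interface IPs.
```

Confirm the result with `diagnose sys session list` after generating a few sessions from a LAN2-users host: the translated source should alternate between 1.1.1.2 and 2.2.2.2 as sessions are distributed over the two zones.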
