Load balance 2 WAN providers using each available IP block
We have a current SD-WAN setup with LAN internet traffic load balanced to 2 ISP providers - both WAN interface IPs are used and the bandwidths are combined.
- 192.168.0.0/24 --> ISP-A-50Mb (1.1.1.1/29) + ISP-B-50Mb (2.2.2.1/29)
- Both IPs are used randomly in each session, even on a single device
- Bandwidths are combined to 100Mbps
This time I would like to use the other available IPs from each ISP block, still have the bandwidth combined, and load balance from a diff LAN subnet.
- 192.168.10.0/24 --> ISP-A-50Mb (1.1.1.2/29) + ISP-B-50Mb (2.2.2.2/29)
Attempt: Assign an overload IP pool for each ISP, and set up an outbound firewall policy with NAT to it.
- Only a single IP (random) is used per device
- Only a single ISP's bandwidth is utilized - 50Mbps
Labels: FortiGate
OK, today I learned that fast.com uses multiple sessions and servers to conduct a speed test. This explains why it would be combined across both WAN links then!
So currently you have one FW policy that works and you have another FW policy referencing a different LAN subnet and using different IP pools that does not work in terms of load balancing? Is that correct?
Have you tried splitting the FW policies for the different LAN subnet for each ISP/pool?
Graham
Hello caramelmeimei,
In the case of a dynamic IP pool, your requirement cannot be achieved and it is by design.
Please refer to the link below for additional details on it:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-configure-SNAT-with-IP-pool/ta-p/19...
Can you explain your use-case here? What are the requirements that are dictating the configuration you are looking for?
IMO just using SD-WAN with load-balance algorithm should work fine. Why do you need such complexity?
Graham
I have a group of users that need to use a diff set of public IPs (ISP-A-50Mb (1.1.1.2/29) + ISP-B-50Mb (2.2.2.2/29)) in accessing the internet, instead of the IPs on the interfaces (ISP-A-50Mb (1.1.1.1/29) + ISP-B-50Mb (2.2.2.1/29)).
OK I haven't tested this in lab but I think it should work:
Two SD-WAN rules:
1. Source Group A -> Load Balance on WAN1 and WAN2
2. Source Group B -> Load Balance on WAN1 and WAN2
Two FW Policies:
1. Source Group A -> Dest All -> NAT Pool containing 1.1.1.1 and 2.2.2.1
2. Source Group B -> Dest All -> NAT Pool containing 1.1.1.2 and 2.2.2.2
Something like that?
Graham
Yes, the concept is correct. But:
"Two SD-WAN rules": since it has the same interface, I'm not sure how to config a second rule for it.
SD-WAN rules contain a "source" configuration. You can have the same interface but different sources. Actually, now that I think about it, you don't need different SD-WAN rules after all. Just the two Firewall Policies will do the trick.
You'll have two IP pools assigned to each FW Policy (one pool for each ISP link contained in the SD-WAN zone).
Alternatively, you could put each ISP link into its own Zone and then reference the zone independently in the FW rule if the multiple IP pools don't work.
Graham
Created on 04-20-2023 08:10 PM, edited on 04-20-2023 08:22 PM
Actually, that is the attempt I made:
- Assigned each link to a separate zone
- Selected those zones as the outgoing interfaces
- Selected 1.1.1.2 and 2.2.2.2 as dynamic pools
Yes, by doing this I got the LAN users to establish connections while utilizing those IPs.
Unfortunately, that didn't accomplish load balancing their traffic.
- Only a single IP (random) is used per device
- Only a single ISP's bandwidth is utilized - 50Mbps
I am now thinking of creating a physical link on a separate interface for those IPs - (ISP -> Switch -> FG), then creating a separate SD-WAN configuration with it.
While a common subnet between interfaces is doable with allow-subnet-overlap, is it recommended to do that for WAN connections?
I don't think you need to create a separate link for each IP... let's work with what you've done so far. I think you're close.
What is the load balance algorithm you are using on the SD-WAN rule?
Can you show your SD-WAN rule? And the associated FW Policy and IP pools?
Graham
Created on 04-21-2023 01:33 AM, edited on 04-21-2023 01:36 AM
LBA using Volume
SD-WAN rule:
    config system sdwan
        set status enable
        set load-balance-mode measured-volume-based
        config zone
            edit "virtual-wan-link"
            next
            edit "upg-zone-wan1"
            next
            edit "upg-zone-wan2"
            next
        end
        config members
            edit 1
                set interface "port1"
                set zone "upg-zone-wan1"
                set gateway 1.1.1.254
                set volume-ratio 100
            next
            edit 2
                set interface "port2"
                set zone "upg-zone-wan2"
                set gateway 2.2.2.254
                set volume-ratio 100
            next
        end
    end
FW Policy:
    config firewall policy
        edit 39
            set name "LAN2-POLICY"
            set uuid 444211f8-de63-51ed-7226-cfe0cae03444
            set srcintf "LAN"
            set dstintf "upg-zone-wan1" "upg-zone-wan2"
            set action accept
            set srcaddr "LAN2-users"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
            set logtraffic all
            set nat enable
            set ippool enable
            set poolname "WAN1-2-IP" "WAN2-2-IP"
        next
        edit 1
            set name "ALL-LAN-POLICY"
            set uuid 444a32e8-6c73-51ed-bad3-33444101d444
            set srcintf "LAN"
            set dstintf "upg-zone-wan1" "upg-zone-wan2"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set ssl-ssh-profile "monitor-all"
            set webfilter-profile "monitor-all"
            set application-list "monitor-all"
            set nat enable
        next
    end
IPPOOL:
    config firewall ippool
        edit "WAN1-2-IP"
            set startip 1.1.1.2
            set endip 1.1.1.2
        next
        edit "WAN2-2-IP"
            set startip 2.2.2.2
            set endip 2.2.2.2
        next
    end
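As an added example (not code from the thread, the poster, or Fortinet): a small Python lint that parses a FortiOS CLI excerpt like the one above and reports which WAN member each NAT policy's IP pools belong to, so the one-policy-two-pools pattern that this thread found does not load balance across both ISPs is easy to spot before deployment. The sample config is constructed from the thread, and the member names port1/port2 holding 1.1.1.0/29 and 2.2.2.0/29 are assumptions.

```python
import ipaddress
import shlex

# Constructed sample modelled on the thread's posted config; not the poster's own file.
SAMPLE_CONFIG = """config firewall ippool
    edit "WAN1-2-IP"
        set startip 1.1.1.2
        set endip 1.1.1.2
    next
    edit "WAN2-2-IP"
        set startip 2.2.2.2
        set endip 2.2.2.2
    next
end
config firewall policy
    edit 39
        set name "LAN2-POLICY"
        set ippool enable
        set poolname "WAN1-2-IP" "WAN2-2-IP"
    next
end
"""
# WAN member subnets from the original post; the member names port1/port2 are assumed.
WAN_SUBNETS = {m: ipaddress.ip_network(n) for m, n in [("port1", "1.1.1.0/29"), ("port2", "2.2.2.0/29")]}

def parse_fortios(text):
    """Flatten a FortiOS CLI excerpt into {table: {entry: {key: [values]}}} (nested blocks keyed parent/child)."""
    tables, path, entry = {}, [], None
    for tok in filter(None, map(shlex.split, text.splitlines())):
        if tok[0] == "config":
            path, entry = path + [" ".join(tok[1:])], None
        elif tok[0] == "edit":
            entry = tables.setdefault("/".join(path), {}).setdefault(tok[1], {})
        elif tok[0] == "set" and entry is not None:  # table-level 'set' lines outside an edit are skipped
            entry[tok[1]] = tok[2:]
        elif tok[0] == "end":
            path, entry = path[:-1], None
    return tables

def lint_pool_spread(text, wan_subnets=WAN_SUBNETS):
    """Map each NAT policy to the sorted WAN members its IP pools fall in; two members on one policy is the pattern that did not load balance."""
    cfg = parse_fortios(text)
    member_of = {}  # pool name -> WAN member whose subnet contains the pool's start address
    for pool, e in cfg.get("firewall ippool", {}).items():
        ip = ipaddress.ip_address(e["startip"][0])
        member_of[pool] = next((m for m, n in wan_subnets.items() if ip in n), "unknown")
    return {e.get("name", [pid])[0]: sorted({member_of.get(p, "unknown") for p in e.get("poolname", [])})
            for pid, e in cfg.get("firewall policy", {}).items()
            if e.get("ippool", ["disable"])[0] == "enable"}
```

A policy reported with a single member (one policy per ISP zone, each with its own pool) is the split layout Graham suggested; the two-member result reproduces the configuration that only used one ISP per device.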
