Hello,
I have an FG 100D (5.2) with two ISPs (connected to WAN 1 and WAN 2) and I need to configure:
- Load balancing: traffic has to be distributed between the two ISPs.
- Failover protection: if one of the ISPs has any problem, all traffic has to be routed via the other one.
- "Policy routing": I also need some VLANs to go out to the internet via a specific ISP, BUT IF THIS ISP FAILS, THE TRAFFIC OF THESE VLANs HAS TO GO OUT VIA THE OTHER ISP.
I've thought of doing the load balancing and failover protection this way: two static default routes with the same cost and priority, each to its own ISP router. Then configure ECMP (by default: source IP based) and configure a health check on each WAN to allow the FG to remove the static route in case one of them fails.
In the end I don't know how to make some VLANs go to the internet through a specific WAN..... I think it could be configured with policy routing: source: VLANX, IP: 0.0.0.0, GW: 0.0.0.0 // route to: WANX, IP: 0.0.0.0, GW: 0.0.0.0
I need your help......
Thanks!!!!!!
Hello,
Do you plan to use the virtual-wan-link (CLI) / WAN Link Load Balancing (GUI) feature?
If yes, put wan1 and wan2 into the virtual-wan-link, like:
1.
    config system virtual-wan-link
        set status enable
        config members
            edit 1
                set interface wan1
                set detect-server x.x.x.x
                ............
            next
        end
    end
2. Configure a static route with virtual-wan-link enabled:
    config router static
        edit 0
            set dst x.x.x.x/y
            set virtual-wan-link enable
        next
    end
3. The virtual-wan-link service can't meet your requirement, because you can't specify a source interface in it, but you can use the source IP address as the match condition if you like; otherwise a policy route is needed. Please note: DON'T set a gateway IP address in it.
If no:
1. Configure two static routes with the same distance and priority settings, as you said.
2. Configure a link-monitor on each interface.
3. Configure a policy route with the gateway setting.
Hello,
Thank you for your help. I have chosen the second option:
1. Configure two static routes with the same distance and priority settings, as you said.
2. Configure a link-monitor on each interface.
3. Configure a policy route with the gateway setting.
But I'm not clear on how to configure step 3; could you give me an example? I have to fill in the following fields:
- Incoming interface (I know that I have to put the LAN that I want to route to this WAN).
- Incoming address (I want to apply the policy to the entire LAN, so I understand that it isn't necessary to fill in this field once I have configured the incoming interface, is it?).
- Destination address: I don't know if it's necessary to fill in this field...
- Action: Traffic forward.
- Outgoing interface: I understand that this is where I have to put the WAN interface that I want to use for the specific LAN, isn't it?
- Destination Gateway: I don't know what I have to fill in here.
Thank you for your help.
- Incoming interface (I know that I have to put the LAN that I want to route to this WAN).
>> Yes.
- Incoming address (I want to apply the policy to the entire LAN, so I understand that it isn't necessary to fill in this field once I have configured the incoming interface, is it?).
>> Yes, no need to fill it in.
- Destination address: I don't know if it's necessary to fill in this field...
>> No need to fill it in.
- Action: Traffic forward.
>> Yes.
- Outgoing interface: I understand that this is where I have to put the WAN interface that I want to use for the specific LAN, isn't it?
>> Yes, the WAN interface you want the traffic to go out of.
- Destination Gateway: I don't know what I have to fill in here.
>> No need to fill it in.
Thanks everyone for your help. I'm going to try it.
Regards!!!
I am doing more or less exactly this in production right now. In order to maximize control, I chose not to use the virtual WAN interface.
Two ISPs, two default routes, same distance but lower priority on one of them. This means traffic will leave via the first route; all traffic that you want to go out via the 2nd ISP you need to policy route out. No automatic load balancing. You still need the default route there, otherwise it won't work properly, incoming connections to that ISP will be impossible, etc.
Remember that when you do policy routing to the internet, it is important to specify the traffic you DON'T want to policy route. You will need three "stop policy routing" rules excluding all internal networks (RFC 1918, i.e. 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8) for every network you want to policy route out to the internet, otherwise all your internal traffic will be blocked.
If you just use addresses from 10.0.0.0/8 internally, just stop policy routing for that then. If you don't do this, you will block your internal traffic, and you don't want that; you just want to send traffic destined for the internet out via the other ISP.
You don't need to specify the gateway address in the policy rule doing the actual policy routing; in fact, it is a bad idea to have anything other than 0.0.0.0 there. You can't set a gateway here if you want to be able to fail over between the ISPs.
I use link-monitors with the setting "update static route" enabled, so that the monitor removes the default route if the connection fails. Make sure the polling settings are sane: poll every 3-5 seconds, allow 3 failures before failover, or something like that. You don't want link flaps, and an automatic failover time of around 10 seconds is sufficient for most scenarios. Remember that the traffic that has failed over to the other ISP will continue to use that path even after the ISP is back up, that is until the sessions have timed out. The users will gradually fail back to ISP1. This is by design.
The ISPs are in separate zones, so I run dual rulesets in order to make failover possible. This is also in order to maximize control. Every policy that you create for traffic destined for either ISP1 or ISP2 will need a mirror rule pointing to the other ISP if you want failover.
Also remember that you can use ISP2 for incoming connections in any way you want with this setup. The policy routing only affects outgoing connections.
Good luck!
Richie
NSE7
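As an added worked example (not code from any poster in this thread), here is how the non-virtual-wan-link design from Jzhang's "If no" steps and from Richie's post, together with the policy-route fields asked about earlier in the thread, can be written in FortiOS 5.2 CLI. All names and addresses are constructed assumptions: wan1 goes to ISP1 via gateway 203.0.113.1, wan2 goes to ISP2 via gateway 198.51.100.1, the probe targets 203.0.113.53 and 198.51.100.53 are imagined always-on hosts on the far side of each ISP, and "vlan20" (10.20.0.0/24) is the internal VLAN that should normally leave via ISP2 but fall back to ISP1.

```fortios
# Added example for FortiOS 5.2; every name and address is a constructed assumption.
# wan1 -> ISP1 (gw 203.0.113.1), wan2 -> ISP2 (gw 198.51.100.1),
# vlan20 (10.20.0.0/24) prefers ISP2 and must fail over to ISP1.

# 1. Two default routes, equal distance, different priority (lower value wins).
#    Both stay installed: wan1 carries everything that is not policy-routed,
#    wan2 is used by the policy route below and for inbound connections.
config router static
    edit 1
        set dst 0.0.0.0/0
        set gateway 203.0.113.1
        set device "wan1"
        set distance 10
        set priority 0
    next
    edit 2
        set dst 0.0.0.0/0
        set gateway 198.51.100.1
        set device "wan2"
        set distance 10
        set priority 5
    next
end

# 2. One link-monitor per ISP. gateway-ip pins the probe to that ISP's next hop,
#    probing a host beyond the ISP (not the gateway itself) also catches upstream
#    failures, and update-static-route withdraws that interface's default route.
#    interval 5 s x failtime 3 = about 15 s to failover without flapping.
config system link-monitor
    edit "mon-wan1"
        set srcintf "wan1"
        set server "203.0.113.53"
        set gateway-ip 203.0.113.1
        set protocol ping
        set interval 5
        set failtime 3
        set update-static-route enable
    next
    edit "mon-wan2"
        set srcintf "wan2"
        set server "198.51.100.53"
        set gateway-ip 198.51.100.1
        set protocol ping
        set interval 5
        set failtime 3
        set update-static-route enable
    next
end

# 3. Policy routes are checked top-down before the routing table, so the first
#    three rules stop policy routing for RFC 1918 destinations (Richie's point);
#    without them vlan20 could never reach the other internal networks.
config router policy
    edit 1
        set input-device "vlan20"
        set dst 10.0.0.0/8
        set action deny
    next
    edit 2
        set input-device "vlan20"
        set dst 172.16.0.0/12
        set action deny
    next
    edit 3
        set input-device "vlan20"
        set dst 192.168.0.0/16
        set action deny
    next
    # Everything else from vlan20 leaves via wan2. src, dst and gateway are left
    # empty (gateway 0.0.0.0) on purpose: the rule is only honoured while the
    # routing table still has a route out wan2, so once mon-wan2 withdraws
    # route 2 the rule is skipped and vlan20 follows the wan1 default route.
    edit 4
        set input-device "vlan20"
        set output-device "wan2"
    next
end

# 4. Mirror firewall policies: one accept+NAT policy to wan2 for normal operation
#    and an identical one to wan1 for the failed-over state, otherwise the
#    failed-over traffic hits the implicit deny.
config firewall policy
    edit 10
        set srcintf "vlan20"
        set dstintf "wan2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 11
        set srcintf "vlan20"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

After applying this, `get router info routing-table all` should list both default routes; pull wan2's uplink and after roughly 15 seconds the wan2 entry disappears and new vlan20 sessions go out wan1. As Richie notes, sessions that failed over keep using wan1 until they expire even after wan2 recovers, so test fail-back with fresh connections rather than an existing one.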
Copyright 2025 Fortinet, Inc. All Rights Reserved.