Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiGuest
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPhish
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiVoice
- FortiToken
- FortiWAN
- FortiWeb
- Lacework
- FortiAppSec Cloud
- RMA Information and Announcements
- Wireless Controller
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- Re: Multi-WAN with Virtual IPs tied to public IP o...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Multi-WAN with Virtual IPs tied to public IP on one link only?
We're lighting up a second ISP connection on one of our 200Ds. Currently, we have a few virtual IPs configured on the firewall for public services, and these are tied to one provider as one might expect.
As I read multi-WAN instructions, I'll need to nuke all policies and routes to the separate ISP connections, create the load-balanced entity, and rebuild policies and routes accordingly. Fairly straightforward.
What I'm having trouble discovering is how I can make these virtual IPs still work for external-facing services. Do I need to simply redefine the virtual IPs with a different interface mapping (in other words, from WAN1 to WAN_loadbalance) and leave everything else the same, or are there additional steps that need to be taken?
Thanks for any info.
4 REPLIES 4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, can you provide an example so that I could give you a config sample. Thanks!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sure!
So let's say we've had ISP1 as the sole provider up until now. From this provider, we get some public IP addresses. We'll call these addresses 4.4.4.0/29 or something like that. We have a public-facing server that uses 4.4.4.4 on the public side, and has an internal address of 10.100.100.4. So, for outside-in traffic, we configure an appropriate rule and build a virtual IP that maps 10.100.100.4 to 4.4.4.4, and configure that virtual IP to use ISP1 on WAN1, and for egress traffic sourced from the server we build an IP pool that references that same IP address. Fair enough.
Now, we get a second provider - ISP2 - and we decide we'd like to do multi-WAN loadbalancing. Based on the docs, I know I'll need to 1) remove any routes pointing to either the WAN1 or WAN2 interfaces and b) remove any policies that point to either interface - since I can't build the multi-WAN entity in the config if either interface is referenced explicitly, and building that virtual multi-wan interface is the first step in the process.
So, with that said, can I implement multi-WAN and still use virtual IPs/IP pools that are specifically tied to a single provider? I don't want to lose that functionality. My guess is that I could amend the virtual IP entry to point to 'any' interface instead of the separate WAN interfaces, but I don't know that to be true as of yet.
Hope this helps, and thanks for the response.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Got your point. I will switch to this as my very next task. Get back to you soon.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok, before you configured multi-wan link, I assumed you could configured vip well. So, let's focus on multi vip pointing to multi servers from multi-wan:
1. Two internal servers: web server 192.168.4.205 and ftp server 192.168.4.204
2. Two wan interfaces: wan1 10.1.100.130/24, wan2 172.16.200.130/24
3. Virtual-wan-link to load-balance between wan1 and wan2 :
[code lang=css]config system virtual-wan-link
set status enable
config members
edit 1
set interface "wan1"
set gateway 10.1.100.254
set priority 100
next
edit 2
set interface "wan2"
set gateway 172.16.200.254
set priority 200
next
end
end
4. Depends on your design, if you only allow access to web server via wan1, and ftp server via wan2, then:
[code lang=css]config firewall vip
edit "web_server"
set extip 10.1.100.135
set extintf "wan1"
set mappedip "192.168.4.205"
next
edit "ftp_server"
set extip 172.16.200.135
set extintf "wan2"
set mappedip "192.168.4.204"
next
end
and apply these 2 vip into your policy:
config firewall policy edit 1 set srcintf "virtual-wan-link" set dstintf "server_link" set srcaddr "all" set dstaddr "web_server" set action accept set schedule "always" set service "ALL" set nat enable next edit 2 set srcintf "virtual-wan-link" set dstintf "server_link" set srcaddr "all" set dstaddr "ftp_server" set action accept set schedule "always" set service "ALL" set nat enable next end
5. If you need to allow wan1 - server2, wan2-server1, create two more new vip could be an easy way.
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,769 -
FortiClient
1,782 -
5.2
801 -
FortiManager
739 -
5.4
639 -
FortiAnalyzer
565 -
FortiSwitch
478 -
Fortiap
475 -
FortiClient EMS
437 -
6.0
416 -
5.6
362 -
FortiMail
323 -
SSL-VPN
252 -
6.2
251 -
FortiAuthenticator v5.5
234 -
IPsec
214 -
FortiWeb
210 -
5.0
196 -
FortiNAC
192 -
FortiGuard
139 -
6.4
128 -
SD-WAN
118 -
FortiAuthenticator
107 -
FortiGateCloud
102 -
FortiSIEM
100 -
FortiCloud Products
98 -
FortiToken
92 -
Firewall policy
86 -
Wireless Controller
81 -
Customer Service
80 -
4.0MR3
64 -
FortiProxy
60 -
Fortivoice
57 -
High Availability
57 -
FortiADC
54 -
vlan
53 -
FortiEDR
52 -
ZTNA
50 -
Routing
49 -
FortiExtender
45 -
DNS
45 -
FortiSandbox
44 -
FortiDNS
42 -
LDAP
42 -
BGP
40 -
Authentication
39 -
NAT
36 -
Certificate
36 -
FortiGate v5.4
35 -
SAML
35 -
FortiSwitch v6.4
34 -
Radius
34 -
SSO
33 -
Interface
31 -
FortiConnect
30 -
VDOM
30 -
FortiLink
29 -
FortiWAN
27 -
Application control
27 -
Web profile
27 -
Virtual IP
26 -
FortiConverter
25 -
Logging
25 -
FortiGate v5.2
24 -
SSL SSH inspection
23 -
FortiPAM
22 -
FortiGate-VM
21 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
Fortigate Cloud
19 -
FortiMonitor
18 -
Traffic shaping
17 -
SSID
16 -
Automation
16 -
WAN optimization
16 -
FortiDDoS
15 -
OSPF
15 -
System settings
15 -
FortiGate v5.0
14 -
FortiSOAR
14 -
Static route
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
SNMP
13 -
Admin
13 -
FortiCASB
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
Security profile
11 -
Proxy policy
11 -
FortiManager v4.0
10 -
FortiBridge
10 -
IPS signature
10 -
FortiAP profile
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
Traffic shaping policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
DNS filter
7 -
Antivirus profile
7 -
Fabric connector
7 -
Web rating
7 -
Fortinet Engage Partner Program
7 -
FortiToken Cloud
6 -
Explicit proxy
6 -
API
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
Authentication rule and scheme
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
TACACS
3 -
SDN connector
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Schedule
2 -
Multicast policy
2 -
Zone
2 -
Vulnerability Management
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1740 | |
| 1109 | |
| 752 | |
| 447 | |
| 240 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.