- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiBridge
- FortiAuthenticator
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDDoS
- FortiDAST
- FortiDB
- FortiDNS
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiGate Cloud
- FortiExtender
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecorder
- FortiRecon
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- FortiWebCloud
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Multi-WAN with Virtual IPs tied to public IP on on...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Multi-WAN with Virtual IPs tied to public IP on one link only?
We're lighting up a second ISP connection on one of our 200Ds. Currently, we have a few virtual IPs configured on the firewall for public services, and these are tied to one provider as one might expect.
As I read multi-WAN instructions, I'll need to nuke all policies and routes to the separate ISP connections, create the load-balanced entity, and rebuild policies and routes accordingly. Fairly straightforward.
What I'm having trouble discovering is how I can make these virtual IPs still work for external-facing services. Do I need to simply redefine the virtual IPs with a different interface mapping (in other words, from WAN1 to WAN_loadbalance) and leave everything else the same, or are there additional steps that need to be taken?
Thanks for any info.
4 REPLIES 4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, can you provide an example so that I could give you a config sample. Thanks!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sure!
So let's say we've had ISP1 as the sole provider up until now. From this provider, we get some public IP addresses. We'll call these addresses 4.4.4.0/29 or something like that. We have a public-facing server that uses 4.4.4.4 on the public side, and has an internal address of 10.100.100.4. So, for outside-in traffic, we configure an appropriate rule and build a virtual IP that maps 10.100.100.4 to 4.4.4.4, and configure that virtual IP to use ISP1 on WAN1, and for egress traffic sourced from the server we build an IP pool that references that same IP address. Fair enough.
Now, we get a second provider - ISP2 - and we decide we'd like to do multi-WAN loadbalancing. Based on the docs, I know I'll need to 1) remove any routes pointing to either the WAN1 or WAN2 interfaces and b) remove any policies that point to either interface - since I can't build the multi-WAN entity in the config if either interface is referenced explicitly, and building that virtual multi-wan interface is the first step in the process.
So, with that said, can I implement multi-WAN and still use virtual IPs/IP pools that are specifically tied to a single provider? I don't want to lose that functionality. My guess is that I could amend the virtual IP entry to point to 'any' interface instead of the separate WAN interfaces, but I don't know that to be true as of yet.
Hope this helps, and thanks for the response.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Got your point. I will switch to this as my very next task. Get back to you soon.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok, before you configured multi-wan link, I assumed you could configured vip well. So, let's focus on multi vip pointing to multi servers from multi-wan:
1. Two internal servers: web server 192.168.4.205 and ftp server 192.168.4.204
2. Two wan interfaces: wan1 10.1.100.130/24, wan2 172.16.200.130/24
3. Virtual-wan-link to load-balance between wan1 and wan2 :
[code lang=css]config system virtual-wan-link
set status enable
config members
edit 1
set interface "wan1"
set gateway 10.1.100.254
set priority 100
next
edit 2
set interface "wan2"
set gateway 172.16.200.254
set priority 200
next
end
end
4. Depends on your design, if you only allow access to web server via wan1, and ftp server via wan2, then:
[code lang=css]config firewall vip
edit "web_server"
set extip 10.1.100.135
set extintf "wan1"
set mappedip "192.168.4.205"
next
edit "ftp_server"
set extip 172.16.200.135
set extintf "wan2"
set mappedip "192.168.4.204"
next
end
and apply these 2 vip into your policy:
config firewall policy edit 1 set srcintf "virtual-wan-link" set dstintf "server_link" set srcaddr "all" set dstaddr "web_server" set action accept set schedule "always" set service "ALL" set nat enable next edit 2 set srcintf "virtual-wan-link" set dstintf "server_link" set srcaddr "all" set dstaddr "ftp_server" set action accept set schedule "always" set service "ALL" set nat enable next end
5. If you need to allow wan1 - server2, wan2-server1, create two more new vip could be an easy way.
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- How to access virtual server ip... 95 Views
- Help Needed: DDNS Not Working and... 572 Views
- Connect Fortigate to internet with 2... 463 Views
- Trouble Receiving DHCP Packet Over S2S... 530 Views
- reach internal iis web server from... 572 Views
Labels
-
FortiGate
7,209 -
FortiClient
1,422 -
5.2
801 -
5.4
639 -
FortiManager
621 -
FortiAnalyzer
462 -
6.0
416 -
FortiAP
378 -
FortiSwitch
376 -
5.6
362 -
FortiClient EMS
291 -
FortiMail
281 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
177 -
FortiNAC
129 -
6.4
128 -
FortiGuard
117 -
IPsec
111 -
SSL-VPN
109 -
FortiGateCloud
97 -
FortiSIEM
94 -
FortiCloud Products
90 -
FortiToken
77 -
Customer Service
71 -
Wireless Controller
66 -
4.0MR3
64 -
SD-WAN
51 -
FortiProxy
49 -
FortiEDR
46 -
FortiADC
45 -
Fortivoice
44 -
FortiDNS
40 -
FortiGate v5.4
36 -
FortiExtender
35 -
FortiAuthenticator
35 -
Firewall policy
35 -
FortiSandbox
34 -
FortiSwitch v6.4
32 -
High Availability
32 -
VLAN
31 -
DNS
25 -
FortiWAN
24 -
FortiConnect
24 -
ZTNA
23 -
FortiConverter
23 -
LDAP
22 -
Certificate
21 -
BGP
21 -
SAML
20 -
FortiGate v5.2
20 -
Interface
19 -
FortiPortal
18 -
Routing
18 -
FortiSwitch v6.2
17 -
Authentication
17 -
VDOM
17 -
FortiLink
16 -
FortiMonitor
15 -
RADIUS
14 -
FortiGate v5.0
14 -
Fortigate Cloud
14 -
NAT
14 -
FortiDDoS
14 -
Logging
14 -
SSL SSH inspection
12 -
FortiCASB
12 -
Web profile
11 -
Traffic shaping
11 -
Virtual IP
11 -
Application control
11 -
SSO
10 -
FortiRecorder
10 -
SSID
9 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
OSPF
9 -
WAN optimization
9 -
4.0MR2
9 -
RMA Information and Announcements
8 -
FortiSOAR
8 -
IP address management - IPAM
8 -
FortiAnalyzer v5.0
8 -
FortiBridge
8 -
SNMP
8 -
FortiGate v4.0 MR3
8 -
Security profile
7 -
Proxy policy
7 -
FortiAP profile
7 -
Automation
7 -
4.0
7 -
Admin
7 -
Web application firewall profile
7 -
Static route
6 -
Traffic shaping policy
6 -
trunk
6 -
IPS signature
5 -
Packet capture
5 -
System settings
5 -
DNS Filter
5 -
FortiCache
5 -
FortiManager v4.0
5 -
FortiDeceptor
4 -
FortiDirector
4 -
Web rating
4 -
Intrusion prevention
4 -
Port policy
4 -
Antivirus profile
4 -
Traffic shaping profile
4 -
Fortinet Engage Partner Program
4 -
FortiPAM
4 -
FortiCarrier
4 -
3.6
4 -
FortiTester
4 -
FortiScan
4 -
DLP sensor
4 -
Email filter profile
3 -
Fabric connector
3 -
NAC policy
3 -
Users
3 -
Multicast routing
3 -
FortiToken Cloud
3 -
Application signature
3 -
DLP Dictionary
3 -
FortiDB
3 -
DLP profile
3 -
DoS policy
3 -
FortiInsight
2 -
Netflow
2 -
Protocol option
2 -
FortiAI
2 -
Schedule
2 -
FortiHypervisor
2 -
Authentication rule and scheme
2 -
VoIP profile
2 -
Explicit proxy
2 -
Internet Service Database
2 -
4.0MR1
1 -
RIP
1 -
Multicast policy
1 -
FortiCWP
1 -
Kerberos
1 -
Zone
1 -
Subscription Renewal Policy
1 -
FortiNDR
1 -
TACACS
1 -
Replacement messages
1 -
FortiManager-VM
1 -
SDN connector
1 -
Service
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1079 | |
| 892 | |
| 529 | |
| 441 | |
| 152 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.