haax
New Contributor

Multihomed BGP load balancing

Hi all,

We are working on a config for a multihomed ISP solution. This is the setup:

Local FortiGate [AS100] <> L3 UPLINK A <> ISP router A [AS200]
Local FortiGate [AS100] <> L3 UPLINK B <> ISP router B [AS200]

The goal is to divide our assigned public IP space [100.100.100.0/24] into 2 segments to make use of both uplinks. I can get inbound traffic "split" by using "set set-metric xxx", and the failover also works between the 2 uplinks. The "problem" is that I don't know how to divide the outbound traffic based on the source segment. So my current setup of route-maps A-IN/B-IN is incorrect...

All ideas are welcome!

# Local AS 100 with two eBGP sessions to the same upstream AS 200.
config router bgp
    set as 100
    set router-id 100.100.100.100
    set network-import-check disable
    config neighbor
        edit "ISP router A"
            set link-down-failover enable
            set prefix-list-out "blockrule"
            set remote-as 200
            set route-map-in "A-IN"
            set route-map-out "A-OUT"
            set send-community6 disable
            set password ENC {---}
        next
        edit "ISP router B"
            set link-down-failover enable
            set prefix-list-out "blockrule"
            set remote-as 200
            set route-map-in "B-IN"
            set route-map-out "B-OUT"
            set send-community6 disable
            set password ENC {---}
        next
    end
    # The /24 is advertised only as two /25s; no aggregate is originated.
    config network
        edit 1
            set prefix 100.100.100.0 255.255.255.128
        next
        edit 2
            set prefix 100.100.100.128 255.255.255.128
        next
    end
end

config router prefix-list
    # "blockrule": deny only the exact default route 0.0.0.0/0, permit everything else.
    edit "blockrule"
        config rule
            edit 1
                set action deny
                set prefix 0.0.0.0 0.0.0.0
                unset ge
                unset le
            next
            edit 2
                set prefix any
                unset ge
                unset le
            next
        end
    next
    edit "SEGMENT-ONE"
        config rule
            edit 1
                set prefix 100.100.100.0 255.255.255.128
                unset ge
                unset le
            next
        end
    next
    edit "SEGMENT-TWO"
        config rule
            edit 1
                set prefix 100.100.100.128 255.255.255.128
                unset ge
                unset le
            next
        end
    next
    edit "DG"
        config rule
            edit 1
                set prefix 0.0.0.0 0.0.0.0
                unset ge
                unset le
            next
        end
    next
end


config router route-map
    # Outbound to A: segment one gets the "better" values, segment two the "worse" ones.
    edit "A-OUT"
        config rule
            edit 1
                set match-ip-address "SEGMENT-ONE"
                set set-local-preference 200
                set set-metric 100
            next
            edit 2
                set match-ip-address "SEGMENT-TWO"
                set set-local-preference 100
                set set-metric 200
            next
        end
    next
    # Outbound to B: mirror image of A-OUT.
    edit "B-OUT"
        config rule
            edit 1
                set match-ip-address "SEGMENT-ONE"
                set set-local-preference 100
                set set-metric 200
            next
            edit 2
                set match-ip-address "SEGMENT-TWO"
                set set-local-preference 200
                set set-metric 100
            next
        end
    next
    # Inbound from A: both rules match the same prefix-list "DG" (the default route),
    # so rule 1 is always the first match and rule 2 is never reached.
    edit "A-IN"
        config rule
            edit 1
                set match-ip-address "DG"
                set set-local-preference 100
                set set-metric 200
            next
            edit 2
                set match-ip-address "DG"
                set set-local-preference 200
                set set-metric 100
            next
        end
    next
    # Inbound from B: same structure, so rule 1 always wins here as well.
    edit "B-IN"
        config rule
            edit 1
                set match-ip-address "DG"
                set set-local-preference 200
                set set-metric 100
            next
            edit 2
                set match-ip-address "DG"
                set set-local-preference 100
                set set-metric 200
            next
        end
    next
end


3 REPLIES
Yurisk
Valued Contributor

Trying to load balance with BGP is always an exercise in frustration, beware...

Now to the case at hand:

- Setting Local Preference in outgoing advertisements is useless in 99% of cases, as your ISPs will NOT honor it.

The only way to influence traffic to your advertised routes is either by splitting the subnet in 2 or by adding prepends on one of the BGP peerings, neither of which is an exact science.

About your outgoing traffic, you have a few options:

1. Use SD-WAN and thus control the load on the lines via SD-WAN rules; IMO the preferred option.
2. Enable (if not enabled already) BGP multipath, "set ebgp-multipath enable"; see more details at https://kb.fortinet.com/kb/viewContent.do?externalId=100137 . With this on, your FortiGate will install BOTH default gateways from both ISPs and will do ECMP load balancing of outgoing traffic between them; you cannot control which network goes via which ISP. Kinda works for most cases, but if there is an abusing whale-connection host, this will not help much.
3. Do it old school with Policy Based Routes: configure rules for which source net in the LAN routes via which ISP. Least preferred, as it is ugly, hard to debug, has a mind of its own about when it thinks the next hop is reachable when it is not, and can cause downtime.

HTH

Yuri

Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
emnoc
Esteemed Contributor III

What he has done should work. Have you checked what your ISP is seeing for the A and B outs?

Ken Felix

PCNSE NSE StrongSwan
lobstercreed
Valued Contributor

I'm just going to point out the obvious here.  You can't use /25s to advertise in the global route table.  Not sure if that has anything to do with what you're experiencing, but unless your two connections are from the same ISP and they're aggregating it for you, then I would say you cannot do what you're trying to do, period.  I didn't know that /24 was the smallest route you could advertise when I got our /24 six years ago and I've regretted it ever since.  Should have gotten a /23  :(
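The points in the replies above, put together as one FortiOS configuration. This is an added example, not code from the thread or from Fortinet documentation, and it rests on assumptions that the original post does not state: the LAN interface is named internal, the two uplinks are wan1 and wan2 with upstream next hops 203.0.113.1 (ISP router A) and 198.51.100.1 (ISP router B), the poster's prefix-lists SEGMENT-ONE, SEGMENT-TWO and blockrule are already defined, and the set-aspath syntax is the space-separated quoted string used by recent FortiOS releases. It replaces the outbound local-preference (which the upstream will not honor) with an AS-path prepend on the /25 that each upstream should not prefer, originates the /24 aggregate next to the two /25s so the space stays reachable if anyone beyond AS200 filters prefixes longer than /24, enables eBGP multipath so both default routes are installed, and pins each source /25 to its own uplink with policy routes.

```fortios
# Added example (not from the thread). Assumes interfaces internal/wan1/wan2,
# next hops 203.0.113.1 (A) and 198.51.100.1 (B), and the poster's lists exist.
config router prefix-list
    edit "AGGREGATE"
        config rule
            edit 1
                set prefix 100.100.100.0 255.255.255.0
            next
        end
    next
end

# Blackhole the /24 so the aggregate is in the routing table and passes the
# BGP network-import check without having to disable that check.
config router static
    edit 0
        set dst 100.100.100.0 255.255.255.0
        set blackhole enable
    next
end

config router route-map
    # To ISP router A: segment one plain, segment two prepended three times,
    # aggregate plain. No local-preference: the upstream does not honor it.
    edit "A-OUT"
        config rule
            edit 1
                set match-ip-address "SEGMENT-ONE"
            next
            edit 2
                set match-ip-address "SEGMENT-TWO"
                set set-aspath "100 100 100"
            next
            edit 3
                set match-ip-address "AGGREGATE"
            next
        end
    next
    # To ISP router B: the mirror image.
    edit "B-OUT"
        config rule
            edit 1
                set match-ip-address "SEGMENT-ONE"
                set set-aspath "100 100 100"
            next
            edit 2
                set match-ip-address "SEGMENT-TWO"
            next
            edit 3
                set match-ip-address "AGGREGATE"
            next
        end
    next
end

config router bgp
    set as 100
    set router-id 100.100.100.100
    # Install the default route learned from both peers (ECMP).
    set ebgp-multipath enable
    config neighbor
        edit "203.0.113.1"
            set remote-as 200
            set prefix-list-out "blockrule"
            set route-map-out "A-OUT"
        next
        edit "198.51.100.1"
            set remote-as 200
            set prefix-list-out "blockrule"
            set route-map-out "B-OUT"
        next
    end
    config network
        edit 1
            set prefix 100.100.100.0 255.255.255.128
        next
        edit 2
            set prefix 100.100.100.128 255.255.255.128
        next
        edit 3
            set prefix 100.100.100.0 255.255.255.0
        next
    end
end

# Outbound: the source /25 decides the uplink, regardless of ECMP hashing.
config router policy
    edit 1
        set input-device "internal"
        set src "100.100.100.0/255.255.255.128"
        set gateway 203.0.113.1
        set output-device "wan1"
    next
    edit 2
        set input-device "internal"
        set src "100.100.100.128/255.255.255.128"
        set gateway 198.51.100.1
        set output-device "wan2"
    next
end
```

Policy routes are consulted before the routing table and are not withdrawn when the BGP session on that uplink drops, which is the failure mode Yurisk describes; pair each with a link monitor on its uplink interface (config system link-monitor, which by default removes matching policy routes when the probe fails) so traffic falls back to the remaining ECMP default route. The two /25s are still only useful because both sessions go to the same AS200, as lobstercreed notes; beyond that AS only the /24 can be relied on. To see what each upstream actually receives, as emnoc suggests, run get router info bgp neighbors 203.0.113.1 advertised-routes and confirm the prepended /25, the plain /25 and the /24 all appear.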
