Multiple WAN Routing - Recommendations needed
Hi to All,
I need a recommendation on the routing topic for a FortiGate 100D with 5.2.3.
The customer has three WAN connections and some internal LANs like WLAN, Client LAN, Server LAN etc.
He wants to force the traffic in the following way:
Clients --> WAN1
Server --> WAN2
WLAN --> WAN3
I created default routes for every three connections.
I created security policies
Client Rule - Incoming Interface and Client Network to WAN1 and ALL --> works fine
Server Rule - Incoming Interface (same as Clients) and Server Network to WAN2 --> no Internet access
WLAN Rule - Incoming Interface (different from the other ones) and WLAN Network --> no Internet access
Until today I assumed that, if the costs and priority are equal, I could force this by creating only the security policies for the example above, but it failed, because if I create the default routes and the security policies, only one connection is possible.
It looks like the policies were not applied for the second and third WAN connection.
If I changed the priority of the routes for testing purposes, only the connection with the lowest priority worked.
I think I understand now what the system does, but how can I meet the customer requirements without creating hundreds of policy-based routes?
Thanks for any advice or recommendation!
Sven
FCNSA 5, FCNSP 5, NSE 4
Sounds like an easy job, but it doesn't work as easily as I assumed.
I have now tried the recommended policy-based routing, but here I have to handle about 50 networks (IPsec and internal networks).
Because if I create a policy-based route with 0.0.0.0/0.0.0.0 as target (it's impossible to tell the system to take only public networks here, like other appliances do), all traffic will be routed to this interface. So I have to create all my static routes as policy-based routes above the policy-based routes needed for the required WAN access. I really dislike this...
FCNSA 5, FCNSP 5, NSE 4
You can create a policy rule:
Incoming interface (all that apply)
source address / mask 0.0.0.0/0.0.0.0
destination address / mask your internal networks (may need to create multiple)
Then: Action Stop Policy Routing to fall back on your normal/default routes
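The layout described above as a FortiOS 5.2 CLI fragment; this is an added example, not the poster's own configuration. Interface names (internal, wlan, wan1-wan3), the 10.1.0.0/16 client, 10.2.0.0/16 server and 10.3.0.0/16 WLAN subnets, the 10.0.0.0/8 internal aggregate and the 203.0.113.x / 198.51.100.x gateways are assumed placeholders; replace them with the customer's values. Policy routes are matched top-down, so the "deny" (Stop Policy Routing) entry must stay above the WAN entries.

```text
config router policy
    # Entry 1 (assumed): internal/IPsec destinations leave policy routing
    # and fall back to the static/default routing table.
    # "set action deny" is the CLI form of "Stop Policy Routing".
    # Repeat this entry for every internal prefix that must bypass it.
    edit 1
        set input-device "internal"
        set src 0.0.0.0/0.0.0.0
        set dst 10.0.0.0/255.0.0.0
        set action deny
    next
    # Entry 2: client LAN -> WAN1 for everything not caught above
    edit 2
        set input-device "internal"
        set src 10.1.0.0/255.255.0.0
        set dst 0.0.0.0/0.0.0.0
        set gateway 203.0.113.1
        set output-device "wan1"
    next
    # Entry 3: server LAN -> WAN2
    edit 3
        set input-device "internal"
        set src 10.2.0.0/255.255.0.0
        set dst 0.0.0.0/0.0.0.0
        set gateway 198.51.100.1
        set output-device "wan2"
    next
    # Entry 4: WLAN -> WAN3 (needs its own deny entry for the wlan
    # input-device, mirroring entry 1, placed above this one)
    edit 4
        set input-device "wlan"
        set src 10.3.0.0/255.255.0.0
        set dst 0.0.0.0/0.0.0.0
        set gateway 203.0.113.129
        set output-device "wan3"
    next
end
```

Verify the result with `diagnose firewall proute list` and a `diagnose sniffer packet wan2 'host <server IP>'` while browsing from the server LAN; a matching security policy from the LAN interface to each WAN interface is still required for the session to pass.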
Here I found an entry that points me to new features:
The "negate" switch is really interesting for me, but it will be more powerful if I could combine "negate" with "multiple src-addresses". If this should work, I could decrease the configuration to only 3 Policy Based Routes!
Has anybody already configured multiple source/destination subnets?
If yes, how can I add more than one src-address in a Policy Based Route?
I tried with CLI by comma separated and with space between the addresses but nothing will work.
Or did they mean the Policy that depends on the Policy Based Route?
FCNSA 5, FCNSP 5, NSE 4
