Support Forum
Troubleshooter_73
New Contributor III

Multiple WAN Routing - Recommendations needed

Hi to All,
I need a recommendation on the routing topic for a FortiGate 100D with 5.2.3.

Customer has three WAN Connections and some internal LANs like WLAN, Client LAN, Server LAN etc.

He will force the traffic in the following way:

Clients --> WAN1

Server --> WAN2

WLAN --> WAN3
I created default routes for every three connections.

I created security policies

Client Rule - Incoming Interface and Client Network to WAN1 and ALL --> works fine

Server Rule - Incoming Interface (same as Clients) and Server Network to WAN2 --> no Internet access

WLAN Rule - Incoming Interface (different from the other ones) and WLAN Network --> no Internet Access
Until today I assumed that, if the costs and priority are equal, I could force this by creating only the security policies for the example above, but it failed, because if I create the default routes and the security policies, only one connection is possible.

It looks like the policies were not applied for the second and third WAN connection.

If I changed the priority of the routes for testing purposes, only the connection with the lowest priority works.
I think I understand now what the system does, but how can I match the customer requirements without creating hundreds of policy based routes?
Thanks for any advice or recommendation!
Sven



FCNSA 5, FCNSP 5, NSE 4
Troubleshooter_73
New Contributor III

Sounds like an easy job, but it doesn't work as easily as I assumed.

I have now tried the recommended policy based routing, but here I have to handle about 50 networks (IPsec and internal networks).

Because if I create a policy based route with 0.0.0.0/0.0.0.0 as target (it's impossible to tell the system to take only public networks here, like other appliances do), all traffic will be routed to this interface. So I have to create all my static routes as policy based routes above the policy based routes needed for the required WAN access. I really dislike this...



FCNSA 5, FCNSP 5, NSE 4
gschmitt

You can create a policy rule:

Incoming interface (all that apply)

source address / mask 0.0.0.0/0.0.0.0

destination address / mask your internal networks (may need to create multiple)

Then: Action Stop Policy Routing to fall back on your normal/default routes
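The same idea in FortiOS CLI form, as an added example that is not gschmitt's configuration or Fortinet documentation: interface names, subnets and gateway addresses are constructed, and the `config router policy` syntax is assumed from the 5.2-era CLI, so check it against the unit's own CLI reference before applying it.

```fortios
# Added example with constructed values: "internal" carries Clients
# (192.168.10.0/24) and Servers (192.168.20.0/24), "wlan" carries
# 192.168.30.0/24, and all internal/IPsec networks fit in 192.168.0.0/16.
# Policy routes are evaluated top-down; the first match wins.
config router policy
    # 1-2: any traffic to an internal destination stops policy routing
    # ("Stop Policy Routing" in the GUI) and uses the routing table instead,
    # so the static and IPsec routes do not have to be duplicated here.
    edit 1
        set input-device "internal"
        set src "0.0.0.0/0.0.0.0"
        set dst "192.168.0.0/255.255.0.0"
        set action deny
    next
    edit 2
        set input-device "wlan"
        set src "0.0.0.0/0.0.0.0"
        set dst "192.168.0.0/255.255.0.0"
        set action deny
    next
    # 3-5: what is left (Internet-bound) is forced out of one WAN per source
    # network; gateways are the constructed next hops of wan1/wan2/wan3.
    edit 3
        set input-device "internal"
        set src "192.168.10.0/255.255.255.0"
        set dst "0.0.0.0/0.0.0.0"
        set gateway 203.0.113.1
        set output-device "wan1"
    next
    edit 4
        set input-device "internal"
        set src "192.168.20.0/255.255.255.0"
        set dst "0.0.0.0/0.0.0.0"
        set gateway 198.51.100.1
        set output-device "wan2"
    next
    edit 5
        set input-device "wlan"
        set src "192.168.30.0/255.255.255.0"
        set dst "0.0.0.0/0.0.0.0"
        set gateway 192.0.2.1
        set output-device "wan3"
    next
end
```

The three default routes stay in the routing table so entries 1 and 2 have something to fall back to, and each forwarding entry still needs a firewall policy whose outgoing interface is the matching WAN, otherwise the session is dropped rather than routed.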

Troubleshooter_73
New Contributor III

Here I found an entry that points me to new features:

http://docs-legacy.fortinet.com/fos50hlp/52/index.html#page/FortiOS%25205.2%2520Help/advancedrouting...
The "negate" switch is really interesting for me, but it will be more powerful if I could combine "negate" with "multiple src-addresses". If this should work, I could decrease the configuration to only 3 Policy Based Routes!
Has anybody already configured multiple source/destination subnets?

If yes, how can I add more than one src-address in a Policy Based Route?
I tried with the CLI, comma separated and with a space between the addresses, but nothing worked.

Or did they mean the Policy that depends on the Policy Based Route?



FCNSA 5, FCNSP 5, NSE 4