Unlock Exclusive Benefits
Join Our Community Today!
Join our Community and post in the forum to earn your exclusive badge; celebrating 3 years of the Fortinet Community!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: Multiple WANs for separate LANs
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Multiple WANs for separate LANs
We are using a Fortigate 60D in our work place. The 60D is used as our UTM/core router and is using one WAN link to provide internet access. The company plans to add a second firm in the current location. The new firm will have a separate internet connection for its users. The plan is to setup 2 VLANS, one for the current business and the second for the new firm and create my policies according to business’s needs. My question is can(and how) I setup the fortigate to route internet traffic out separate WAN interfaces according to the VLANs being used?
Thanks
Solved! Go to Solution.
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There are multiple ways you can do this. These vary somewhat if you're running 5.2.x or 5.4.x.
Solutions will vary depending on how the businesses are connected and what services they require. Are they each connected with their own switches and routers, or are they all plugging into the same switch? Do their users need to be able to VPN in? Are they running their own servers that need to be publicly exposed? Are they handling their own wifi needs? Etc. etc.
If the companies both need to be able to manage "their" part of the FortiGate, then you may need to use VDOMs. An example of this is at http://cookbook.fortinet.com/vdom-configuration-54/.
If you're doing all the management, as long as the two companies are on different physical switches, you can keep them on separate physical interfaces, each with their own subnet. If they're all on the same switch at some point, then vlans on a managed switch are a safer way to keep things separated. There are a number of examples of this in the forums and the KB and cookbook. The FortiOS 5.4.x admin guide has a section named "Example VLAN configuration in NAT mode" if you haven't worked with them before.
Routing the different companies networks, based on their vlans or subnets, out the different WANs can be done with policy routes (source based routing). The way to do this is a bit different if you are on 5.4.x or 5.2.x.
6 REPLIES 6
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not sure why you would not link balance the two WANs for redundancy. So you have WAN 1 and WAN 2 separate. Yes, you could create policy for traffic out either one. I set my 800C to link balance the two 20 Mbps WAN ports. Exchange has MX record on both. WAN 1 has a lower metric to be primary for it. HTTP and HTTPS link balance round robin. SSO traffic to our banks are WAN2 first, WAN1 second in a fail over mode. Only thing is make sure the latency on both are about equal to link balance. The only issue would be a DDOS attack or WAN down issue that would stop traffic going out.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There are multiple ways you can do this. These vary somewhat if you're running 5.2.x or 5.4.x.
Solutions will vary depending on how the businesses are connected and what services they require. Are they each connected with their own switches and routers, or are they all plugging into the same switch? Do their users need to be able to VPN in? Are they running their own servers that need to be publicly exposed? Are they handling their own wifi needs? Etc. etc.
If the companies both need to be able to manage "their" part of the FortiGate, then you may need to use VDOMs. An example of this is at http://cookbook.fortinet.com/vdom-configuration-54/.
If you're doing all the management, as long as the two companies are on different physical switches, you can keep them on separate physical interfaces, each with their own subnet. If they're all on the same switch at some point, then vlans on a managed switch are a safer way to keep things separated. There are a number of examples of this in the forums and the KB and cookbook. The FortiOS 5.4.x admin guide has a section named "Example VLAN configuration in NAT mode" if you haven't worked with them before.
Routing the different companies networks, based on their vlans or subnets, out the different WANs can be done with policy routes (source based routing). The way to do this is a bit different if you are on 5.4.x or 5.2.x.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
tanr wrote:Hi, sorry for diggin this thread up, but I have somehow complementary question to what you have written. Everything described is perfectly clear to me. The problem appears when we start to think about WAN redundancy for accessing Internet (so outgoing traffic). Seems that with two company scenario each having its OWN primary WAN and using the others company WAN as a backup line we are not able to provide a failover function without using load balancing feature, is that correct?There are multiple ways you can do this. These vary somewhat if you're running 5.2.x or 5.4.x.
Solutions will vary depending on how the businesses are connected and what services they require. Are they each connected with their own switches and routers, or are they all plugging into the same switch? Do their users need to be able to VPN in? Are they running their own servers that need to be publicly exposed? Are they handling their own wifi needs? Etc. etc.
If the companies both need to be able to manage "their" part of the FortiGate, then you may need to use VDOMs. An example of this is at http://cookbook.fortinet.com/vdom-configuration-54/.
If you're doing all the management, as long as the two companies are on different physical switches, you can keep them on separate physical interfaces, each with their own subnet. If they're all on the same switch at some point, then vlans on a managed switch are a safer way to keep things separated. There are a number of examples of this in the forums and the KB and cookbook. The FortiOS 5.4.x admin guide has a section named "Example VLAN configuration in NAT mode" if you haven't worked with them before.
Routing the different companies networks, based on their vlans or subnets, out the different WANs can be done with policy routes (source based routing). The way to do this is a bit different if you are on 5.4.x or 5.2.x.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
First question should be: Are those two companies okay with you using their WAN ISP as failover for the other company! If they are not then you don't want to do any of this.
If your two companies each have their own VDOM having failover to a wan on the other VDOM would get a little more complicated - haven't tried that myself, but I would think it is doable.
If your two companies are on the same VDOM, and you're separating them by physical interface or by vlan, then you can still provide failover without needing to use load balancing. See https://forum.fortinet.com/tm.aspx?m=146282 for a similar discussion (it starts in Spanish but then changes to English). Also https://forum.fortinet.com/tm.aspx?m=147125 has similar info. Note that this all gets more complicated if the two companies have publicly accessible servers, VIPs, VPNs, etc.
A short example of this:
Company A has their lan on FGT interface port3, subnet is 10.10.10.0/24.
Company A traffic normally goes out interface wan1.
Company B has thier lan on FGT interface port4, subnet is 10.20.20.0/24
Company B traffic normally goes out interface wan2.
First off, set up link health monitors for both wan1 and wan2 (cli command config sys link-monitor) so that when those interfaces go down the routing tables actually get updated.
Now set up two static default routes to wan1 and to wan 2, both with the same distance of 10, but with different priorities, priority of 5 for the wan1 route and 20 for the wan2 route. This will mean both routes get added to the routing table (while the wan1 and and wan2 interfaces are live) but only the higher priority (smaller number) route with the priority of 5 will get used. So right now all traffic that isn't more specifically routed will go out wan1.
Now add a single policy route, which specifies a source subnet of 10.20.20.0/24 (Company B) and a destination interface of wan2 (don't specify a gateway address - use 0.0.0.0). The policy route is hit before your static routes and thus forces traffic from the Company B subnet out the lower priority route to wan2. Note that this only works if that route is in the routing table. That's why we added it with the same distance but a lower priority (larger number).
Now, if wan1 goes down your link-monitor for it will remove any static routes that reference it from the routing table. In that case, traffic from Company A will just use the lower priority route out wan2. Traffic from Company B will continue to use the same route out wan2 as well.
If wan2 goes down, your link-monitor will remove the static route to wan2. In that case, traffic from Company A will continue out wan1 as before. Traffic from Company B will match to the policy route that specifies wan2, but since their is no route with wan2 left in routing table the policy route will have no effect. Instead the static route out to wan1 will get used.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thanks for the info, did not really thought about this approach... will that configuration automatically update its static routes when e.g. not working WAN2 will be brought back online?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My understanding is that it should update its static routes once WAN2 comes back online. I tested this a while back, and seem to remember that it took a little while for the route to reappear, but I don't recall how long it took.
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- Managing shared and device-specific policies with... 202 Views
- FortiGate 601F v7.2.8 HA Pair with... 481 Views
- Hub and spoke vpn question 374 Views
- Multiple VRF Aware Remote Access SSL... 520 Views
- How to config multiple wan routing... 560 Views
Labels
-
FortiGate
8,465 -
FortiClient
1,713 -
5.2
801 -
FortiManager
712 -
5.4
639 -
FortiAnalyzer
547 -
FortiAP
457 -
FortiSwitch
456 -
6.0
416 -
FortiClient EMS
407 -
5.6
362 -
FortiMail
308 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
220 -
FortiWeb
199 -
5.0
196 -
IPsec
186 -
FortiNAC
176 -
FortiGuard
136 -
6.4
128 -
SD-WAN
110 -
FortiGateCloud
100 -
FortiSIEM
97 -
FortiCloud Products
96 -
FortiToken
89 -
FortiAuthenticator
84 -
Customer Service
78 -
Wireless Controller
75 -
Firewall policy
70 -
4.0MR3
64 -
FortiProxy
59 -
FortiADC
53 -
Fortivoice
52 -
High Availability
52 -
FortiEDR
50 -
vlan
47 -
ZTNA
46 -
FortiExtender
44 -
FortiSandbox
43 -
FortiDNS
42 -
DNS
40 -
Routing
39 -
BGP
38 -
LDAP
38 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
SAML
34 -
Certificate
33 -
Authentication
31 -
SSO
31 -
Interface
31 -
NAT
30 -
RADIUS
29 -
FortiConnect
27 -
FortiLink
26 -
FortiWAN
25 -
FortiConverter
25 -
VDOM
25 -
Application control
25 -
FortiGate v5.2
24 -
Logging
24 -
Web profile
23 -
FortiPAM
22 -
Virtual IP
22 -
Fortigate Cloud
20 -
FortiPortal
19 -
FortiSwitch v6.2
18 -
FortiMonitor
18 -
SSL SSH inspection
18 -
Traffic shaping
17 -
FortiDDoS
15 -
OSPF
15 -
WAN optimization
15 -
FortiGate v5.0
14 -
System settings
14 -
IP address management - IPAM
14 -
FortiSOAR
13 -
SSID
13 -
Static route
13 -
FortiCASB
12 -
snmp
12 -
Automation
12 -
Admin
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiManager v4.0
10 -
FortiRecorder
10 -
IPS signature
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
Traffic shaping policy
9 -
FortiAP profile
9 -
Proxy policy
9 -
RMA Information and Announcements
8 -
Security profile
8 -
Port policy
8 -
4.0
7 -
FortiDeceptor
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
Fabric connector
7 -
Intrusion prevention
7 -
Explicit proxy
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Antivirus profile
6 -
Traffic shaping profile
6 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
Web rating
5 -
Fortinet Engage Partner Program
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
FortiDB
3 -
FortiHypervisor
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
Cloud Management Security
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
TACACS
2 -
Schedule
2 -
SDN connector
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1660 | |
| 1077 | |
| 752 | |
| 443 | |
| 220 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.