mtbark
New Contributor

New route kills email server

We have just added another internet connection at the school where I work. This now gives us our original connection to the state as well as the new connection to the ISP. Before the second connection was installed all our internet traffic went through the state network. We have an Exchange server that we use for email; it receives the school emails via a relay with the state. I have IP pools and a VIP set up on the FortiGate for the email server to communicate with the state relay. We want to force all traffic out the ISP connection and send only state network traffic out the state connection. Our problem is when we set up the routing for this the email server no longer receives emails nor can it send. We set policy routing to force the traffic bound for a state network IP out the state connection and added firewall policies as well. So far everything we have tried does not work. Any help on this would be appreciated.

echo
Contributor II

Can you please rewrite what you meant by this: "We want to force all traffic out the ISP connection and send only state network traffic out the state connection." Did you mean by "all traffic" all traffic that is _not_ coming from the Exchange server? And use the state network only for the Exchange server? Also, I understood that you called the old ISP "stat/state" and the new one "ISP" -- a bit confusing because both are actually ISPs from a technical viewpoint.

What are the distances set for the 0.0.0.0/0 routes? If these are different, then the one that has the bigger distance number is effectively shut down. Make these equal and use different priorities: the one that is meant for all other traffic except the e-mail server (the new ISP, as I got it) has the smaller priority and the old one has the bigger. Since you have created an IP pool and VIP for the old state network for the e-mail server you don't need policy routes. But if it still doesn't work, then a policy route should still work in this configuration. And you can do vice versa with the priorities and create a different policy route for the traffic that is all except the e-mail server, but that can be harder to distinguish if they are all in the same network.

Do you use zones for both internet interfaces? Like an untrust zone having both interfaces as members? Or some other way?
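The route layout echo describes, written out as FortiOS CLI. This is an added example and is not configuration from the thread or from Fortinet; the interface names (wan1 for the new ISP, wan2 for the state connection), the gateway addresses, the state network prefix and the mail server address are assumed placeholders taken from the RFC 5737 / RFC 1918 documentation ranges. The two default routes get the same distance so both stay active, and the priority value decides which one wins for ordinary traffic (a lower priority number is preferred in FortiOS). The policy route is the fallback echo mentions, scoped to the mail server's source address only so it cannot pull any other host's traffic onto the state link.

```fortios
# Two default routes with EQUAL distance: both remain in the routing table.
# Priority breaks the tie; the lower value (wan1, new ISP) carries general traffic.
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 203.0.113.1          # assumed: new ISP gateway
        set device "wan1"
        set distance 10
        set priority 5                   # preferred for everything else
    next
    edit 2
        set dst 0.0.0.0 0.0.0.0
        set gateway 198.51.100.1         # assumed: state network gateway
        set device "wan2"
        set distance 10                  # same distance, so the route stays active
        set priority 10                  # only used if wan1's route is withdrawn
    next
    # A specific route for the state network itself is preferred over either
    # default route because of its longer prefix, regardless of priority.
    edit 3
        set dst 10.0.0.0 255.0.0.0       # assumed: state network prefix
        set gateway 198.51.100.1
        set device "wan2"
        set distance 10
    next
end

# Optional policy route (checked before the routing table): send traffic that
# originates from the mail server and is bound for the state relay out wan2.
# Matching on the mail server's source address keeps other hosts unaffected.
config router policy
    edit 1
        set input-device "internal"
        set src "192.168.10.25/255.255.255.255"   # assumed: Exchange server
        set dst "10.0.0.0/255.0.0.0"              # assumed: state network
        set gateway 198.51.100.1
        set output-device "wan2"
    next
end
```

After applying this, `get router info routing-table all` should list both default routes (the active one flagged with the lower priority) and the /8 for the state network via wan2; `diagnose firewall proute list` shows whether the policy route is matching the mail server's sessions. If the wan2 default route disappears from the table, the distances still differ and the second `edit` has not taken effect.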
