g3rman
New Contributor

OSPF Routing - Need to adjust priorities

Howdy experts,

 

I have a firewall connected via a LAN link to my data center and I also have a backup VPN connection via the Internet to the same data center.

The router at the remote office learns routes via EIGRP and redistributes them into OSPF which the firewall picks up on the "LAN" port. The backup VPN connection learns OSPF routes from the firewall in our data center which also learns routes from OSPF. Below is a snippet of the routing table.

The setup works fine, but the routes being learned across the backup VPN are more preferred than the routes learned via the "LAN" interface. I would appreciate suggestions on how to make the routes learned across the VPN less preferred.

I already monkeyed with OSPF interfaces and costs but couldn't make it work. For now the VPN tunnel is up but OSPF is passive on the VPN interface. EDE_PFAU, can you help? :)

 

Routing database when OSPF on the VPN interface is disabled:

O E2 *> 10.68.255.4/30 [110/20] via 10.68.255.1, lan, 2d14h49m
O E2 *> 10.77.8.0/22 [110/20] via 10.68.255.1, lan, 2d12h49m
O E2 *> 10.77.141.208/28 [110/20] via 10.68.255.1, lan, 2d12h49m
O E2 *> 10.77.248.0/23 [110/20] via 10.68.255.1, lan, 2d12h49m
O E2 *> 10.77.250.0/23 [110/20] via 10.68.255.1, lan, 2d12h49m

Routing database when OSPF on the VPN interface as well as the LAN interface is enabled:

O E2 *> 10.68.255.4/30 [110/10] via 10.68.255.1, VPN, 2d14h49m
O E2 *> 10.77.8.0/22 [110/10] via 10.68.255.1, VPN, 2d12h49m
O E2 *> 10.77.141.208/28 [110/10] via 10.68.255.1, VPN, 2d12h49m
O E2 *> 10.77.248.0/23 [110/10] via 10.68.255.1, VPN, 2d12h49m
O E2 *> 10.77.250.0/23 [110/10] via 10.68.255.1, VPN, 2d12h49m

A Real World Fortinet Guide Configuration Examples & Frequently Asked Questions http://firewallguru.blogspot.com
3 REPLIES
Toshi_Esumi
Esteemed Contributor III

Looks like your OSPF interface costs are reversed. Based on the snippet, the VPN interface has cost 10 and the lan interface has 20. Reversing them should flip the preferred interface.

g3rman

Thanks Toshi. I already saw that. Now the question is "How do I make the VPN routes have a higher cost?"

Toshi_Esumi
Esteemed Contributor III

I didn't know those 10 and 20 were default values if not specified. I understood when I read the cookbook below. In our case, we always specify the cost under ospf-interface config just like in the cookbook, so I didn't realize.

https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-advanced-routing-54/Routing_OSPF/Con...
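Added example, not part of the thread or of any Fortinet tooling: a small check that parses routing-database lines in the format posted above and reports which prefixes would leave via the backup interface because it holds the lowest [distance/metric] pair. The function names are hypothetical, SAMPLE is constructed by combining lines from the two snippets in the question, and the plain lowest-pair comparison is an assumption that models only what those snippets show.

```python
import re
from collections import defaultdict

# Matches e.g. "O E2 *> 10.77.8.0/22 [110/20] via 10.68.255.1, lan, 2d12h49m"
ROUTE_RE = re.compile(
    r"^\s*[A-Z]\s+(?:[A-Z]\w*\s+)?(?:[*>]+\s+)?"
    r"(?P<prefix>\d+(?:\.\d+){3}/\d+)\s+\[(?P<dist>\d+)/(?P<metric>\d+)\]\s+"
    r"via\s+(?P<nexthop>[\d.]+),\s*(?P<iface>[^,\s]+)"
)

# Constructed input: candidates for the same prefixes on both interfaces.
SAMPLE = """\
O E2 *> 10.68.255.4/30 [110/20] via 10.68.255.1, lan, 2d14h49m
O E2 *> 10.77.8.0/22 [110/20] via 10.68.255.1, lan, 2d12h49m
O E2 *> 10.77.248.0/23 [110/20] via 10.68.255.1, lan, 2d12h49m
O E2 *> 10.68.255.4/30 [110/10] via 10.68.255.1, VPN, 2d14h49m
O E2 *> 10.77.8.0/22 [110/10] via 10.68.255.1, VPN, 2d12h49m
O E2 *> 10.77.248.0/23 [110/10] via 10.68.255.1, VPN, 2d12h49m
"""

def parse_routes(text):
    """Return (prefix, distance, metric, interface) for every parsable line."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:  # headers, blank lines and unknown formats are skipped
            routes.append((m["prefix"], int(m["dist"]), int(m["metric"]), m["iface"]))
    return routes

def winners(routes):
    """Map prefix -> (best (distance, metric), interfaces holding that pair)."""
    by_prefix = defaultdict(list)
    for prefix, dist, metric, iface in routes:
        by_prefix[prefix].append(((dist, metric), iface))
    result = {}
    for prefix, cands in by_prefix.items():
        best = min(key for key, _ in cands)
        # A tie keeps every interface, so an equal-cost backup is still reported.
        result[prefix] = (best, {iface for key, iface in cands if key == best})
    return result

def backup_preferred(text, backup_iface):
    """Prefixes whose lowest-cost candidate leaves via the backup interface."""
    return sorted(p for p, (_, ifaces) in winners(parse_routes(text)).items()
                  if backup_iface in ifaces)
```

Run against a saved copy of the routing database after each change; an empty result for the VPN interface means the LAN path is the one being selected.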
