Hi,
I have a FortiGate 200E connected to Core Switch (HP Aruba 5406R). WAN1 is configured as the primary connection on the FortiGate for all VLANs traffic. Now I want to configure a PPPoE backup connection on WAN2 as a failover only to 2 specific VLANs but not all. Do I need to setup OSPF on both HP switch and FortiGate or there's any other simple solution for this. I would really appreciate your help if someone has experience with this scenario. Thanks a lot in advance.
Regards,
Mohammad
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
You need to use policy routing to force traffic for all but those two VLANs to use WAN1. Leave the two VLANs you want to fail over out of the policy route and they will follow whatever the routing table gives them. (This assumes you're using a floating static default route or something for WAN2.)
Absolutely right as lobstercreed suggested, you need to create policy routes for the specific VLAN's traffic to go through WAN2. There is no need to create OSPF either on switch or FW.
Regards,
Syed
I think maimaq meant all internet traffic from all internal vlans go out to the internet via wan1 (including those 2 vlans), and when wan1 goes down only internet traffic comeing from those 2 vlans fails over to wan2.
Is this correct?
If so, set proper policies toward wan1 and wan2 (limit to only two vlan sources), and two static default routes (priority 0[default] on wan1 and priority 10[lower priority] to wan2), and then set a proper "link-monitor" (there are many discussions on the foruum and FTNT on-line documents available) toward wan1 to remove the wan1 default route when it goes down. That would do it.
Offcourse yes he meant so, he must have a policy for all the VLAN's (including 2 VLAN's) towards WAN1 and in case if WAN1 gets down, the policy based route will allow only 2 VLAN's in subject to go from WAN2. Indeed there is a need to create a link monitor (with priorities) which keeps on checking the heartbeat and move the traffic to WAN2 (from specific VLAN's) when WAN1 is down.
Regards,
Syed
Thank you so much @lobstercreed, @Toshi and @ahmedsf for your quick response. And thanks Toshi for clarification, you absolutely got my point, that's how I want. The reason we want to direct traffic only from two VLANs, because they are critical and wan2 is 9Mbps (low speed).
I watched a Fortinet video on failover to backup connection exactly the way you guys explained "setting 2 default routes with link-monitor" but I was not sure when the primary connection goes down only limited Vlans traffic can be directed to wan2 using policy.
I am waiting for my client confirmation to schedule a downtime to implement this. Will keep you posted if this worked or not. Thanks a lot and have a great day/night :)
Hi All,
I have newly started working on FortiGate firewalls, therefore still have some confusion and need your help again.
1. As @Toshi explained the priority that's clear but how about Admin distance, should I keep it same for both Wan1 and Wan2 ?
2. I have added a screenshot for policy route for one of the Vlan (Silverware), please check if that's right. Do I still have to mention the subnet in IP/Netmask for the VLAN if it's attached in the address field already?
3. What should be the Gateway address? ISP GW for the Wan2 or static route?
4. And lastly, I don't want load balancing while configuring SDWAN how I can setup that without LB?
Thanks for your help
Mohammad,
Sorry for not replying...I thought maybe one of the other gentlemen would and I've been busy. I'll try to answer each thing.
maimaq wrote:1. As @Toshi explained the priority that's clear but how about Admin distance, should I keep it same for both Wan1 and Wan2 ?
Yes, they should have the same admin distance. See https://kb.fortinet.com/kb/viewContent.do?externalId=FD32103 for more info on how this works.
maimaq wrote:2. I have added a screenshot for policy route for one of the Vlan (Silverware), please check if that's right. Do I still have to mention the subnet in IP/Netmask for the VLAN if it's attached in the address field already?
It looks right to me. No, the IP/Netmask is if you want to specify something besides what is in your attached address object(s).
maimaq wrote:3. What should be the Gateway address? ISP GW for the Wan2 or static route?
Gateway address is always the next hop via the specified interface, so yes it would be the ISP GW.
maimaq wrote:4. And lastly, I don't want load balancing while configuring SDWAN how I can setup that without LB?
This is part of why I didn't respond as I don't have specific experience with SD-WAN, but I believe you are able to create SD-WAN rules that specify what traffic should prefer a certain interface all the time. This is the only way to really get around the load-balance feature as far as I know. Actually though, if you're creating a policy route as mentioned in points 2/3, that should achieve the same thing if I'm not mistaken.
I hope this helps, though it is very late. Perhaps you have already gotten all your answers.
Thanks - Daniel
Thanks, @Daniel for the detailed explanation and really appreciate.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1733 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.