Hi all,
I have a firewall that has internet on port1 and is also used for VPN user dial-up on that same port. All works fine.
I have installed a new router on port 10.
So now I want the users inside the firewall to get their internet from port 10 instead of port 1, so I changed the default 0.0.0.0/0 static route to port 10 with the IP of the attached router. Now the users are getting their internet from port 10, all is good? Not really...
Now all the user VPN dial-ups are failing. They are not connecting when dialing up to port 1, even though the internet is still attached there.
What I am thinking, and correct me if I'm wrong, is that the user dial-up is calling into port 1, but since the user is dialing up from an unknown subnet, the firewall uses the default route to respond back to the user, hence it is sending the return traffic via the other router (now the new default route), and since that router has no clue about this transaction, the packets are dropped on the router and the client fails to connect.
Is my statement above correct? If not, please correct me.
If it is correct, then how can I fix this without having to move the public IP used for the dial-up VPN to the other router and doing a 1-to-1 NAT via the router? Can I not have the best of both worlds? Internet from port 10 and user dial-up on the public IP of port 1?
Thanks for the help.
Regards, NSE4
If you ran "flow debug", you would see errors and dropped packets due to "asymmetric route". The dial-up VPN traffic comes in on port1 and tries to go out through port10 based on your 0/0 route, which is not allowed by default.
Instead, what you can do is set two default routes with different "priority" numbers. When you created the default route toward port 10, you didn't specify a priority, so it got '0'. You can configure another default route with a higher priority number, like '10'. The higher the number, the lower the priority.
Then when internal users/devices generate traffic (sessions) toward the internet, it follows the priority 0 default route. But return packets for the dial-up VPN go back to where the session was initiated from, which is port1, as long as the low-priority (10) default route exists. The routing table would look like below. This is from one of our 1500D's VDOMs, which is doing exactly what you want to do.

```
xxx-fg1 (vdom-name1) # get router info routing-t all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      0.0.0.0/0 [10/0] via 69.170.170.146, vlanxxxx-to-MPLS, [0/50]        <- priority 0, another FW is in this direction
                  [10/0] via 69.170.165.98, vlan-on-vdomlink-to-INET, [10/50] <- priority 10, VPNs come from this interface
<snip>
```
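As an added example (not from the thread, TAC or Fortinet documentation), here is what the two-default-route setup described above looks like in FortiOS CLI for the OP's port1/port10 layout; the route IDs and both gateway addresses are placeholders:

```fortios
# Added example, not from the thread. Both routes keep the default
# distance (10), so both stay in the routing table; only "priority"
# differs. The lower priority value wins for new outbound sessions.
config router static
    edit 1
        # Existing default toward the new router on port10, with the
        # priority (implicitly 0 before) now set explicitly.
        set dst 0.0.0.0 0.0.0.0
        # placeholder: router attached to port10
        set gateway 192.0.2.1
        set device port10
        set distance 10
        set priority 0
    next
    edit 2
        # Second default toward the ISP on port1: same distance, worse
        # priority. New internet sessions from the LAN still take edit 1,
        # but this route keeps port1 a valid egress, so replies to the
        # dial-up VPN clients (whose sessions arrived on port1) can leave
        # via port1 instead of failing the asymmetric-route check.
        set dst 0.0.0.0 0.0.0.0
        # placeholder: ISP gateway on port1
        set gateway 198.51.100.1
        set device port1
        set distance 10
        set priority 10
    next
end
```

After applying it, confirm with "get router info routing-table all" that both 0.0.0.0/0 entries are listed before re-testing a VPN dial-up, and keep the dial-up phase1 bound to port1 as it was.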
I highly doubt that would work. Your understanding of priority is not correct. Your low-priority 10 route will never be present in the active RIB and would only be activated if the 1st default is marked down, or the interface goes down, etc.
OP, can you use the virtual-wan setup and just have two WANs in a "virtual-wan"? Here your setup will work and, as an added benefit, you have 2 active uplinks.
Ken Felix
PCNSE
NSE
StrongSwan
Same distance and same priority: better to use load-balancing methods like SD-WAN for WAN-forwarding traffic.
Same distance and different priority: routing information will be in the RIB, but traffic will try to route through the low-priority interface.
You need to configure a policy-based route to push the traffic through the higher priority.
Different distance and same priority: only the lower-distance route will be in the routing table and the higher-distance route will be inactive.
For redundancy purposes:
Check the active routing table:
#get router info routing-table all
To check the inactive routes:
#get router info routing-table database
Regds,
Ashik
As I showed in the routing table, both default routes are in the routing table and have been working as intended for at least the last 8 years. It was originally suggested by TAC and we've been using it since then.
Well, maybe you're right, but I trust FortiOS, and a low priority always equals the best route. Maybe in your case, when traffic hits the interface with the higher priority, it returns the traffic via the same interface.
Ken
PCNSE
NSE
StrongSwan