Hello,
I have a client with 2 WAN connections. They would like to use WAN2 as a "failover only" for WAN1 (i.e., no load balancing).
They would also like to route Guest VLAN traffic out WAN2 only.
I have searched the KB articles and the forum, and I am still a bit confused as to how to properly implement this scenario.
I believe I need to do the following:
[ul]Is this the correct way to implement the scenario I described above? Am I missing anything?
Thank you so much for your time.
-Jon
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
VSI wrote:Skip these two steps :)
[ul]Create policy-based route for internal LAN (except guest) to go out wan1 (must be first so traffic flows out wan1 first, unless down) Create policy-based route for internal LAN (except guest) to go out wan2 (this is backup route if wan1 fails)[/ul]
Unless otherwise specified with policy routes they will use the static routes, instead increase the priority of the default route
VSI wrote:"source: Guest VLAN, destination:0.0.0.0/0.0.0.0, interface: WAN2" this will route all traffic, including our internal LAN traffic, out WAN2.
No, it shouldn't. Policy Routes only affect the selected Source Interfaces and since it's a Guest VLAN your normal internal LAN shouldn't be affected.
gschmitt wrote:VSI wrote:Skip these two steps :)
[ul]Create policy-based route for internal LAN (except guest) to go out wan1 (must be first so traffic flows out wan1 first, unless down) Create policy-based route for internal LAN (except guest) to go out wan2 (this is backup route if wan1 fails)[/ul] Unless otherwise specified with policy routes they will use the static routes, instead increase the priority of the default route
The doc says : The route with the lowest value in the priority field is considered the best route. It is also the primary route.
So the default route priority which is wan1 here should be less.
VSI wrote:Skip these two steps :)
[ul]Create policy-based route for internal LAN (except guest) to go out wan1 (must be first so traffic flows out wan1 first, unless down) Create policy-based route for internal LAN (except guest) to go out wan2 (this is backup route if wan1 fails)[/ul]
Unless otherwise specified with policy routes they will use the static routes, instead increase the priority of the default route
Thanks for the reply!
As I understand policy routes they are applied before static and connected routes. So, if we have a route with destination 0.0.0.0/0.0.0.0 it will route all traffic using this policy route. When I enter the policy route using "source: Guest VLAN, destination:0.0.0.0/0.0.0.0, interface: WAN2" this will route all traffic, including our internal LAN traffic, out WAN2.
This would not achieve the desired result, so my thought was to specify policy routes for all other internal LAN traffic to go out WAN1, and put these policies at the top of the order list.
Does this make sense or am I still wrong?
This post might explain it better: https://forum.fortinet.com/tm.aspx?m=112840
Thanks again for your reply and assistance!
VSI wrote:"source: Guest VLAN, destination:0.0.0.0/0.0.0.0, interface: WAN2" this will route all traffic, including our internal LAN traffic, out WAN2.
No, it shouldn't. Policy Routes only affect the selected Source Interfaces and since it's a Guest VLAN your normal internal LAN shouldn't be affected.
Ok, we will skip those steps and test it out, thanks again.
I'll post our results, good or bad :)
gschmitt wrote:VSI wrote:Skip these two steps :)
[ul]Create policy-based route for internal LAN (except guest) to go out wan1 (must be first so traffic flows out wan1 first, unless down) Create policy-based route for internal LAN (except guest) to go out wan2 (this is backup route if wan1 fails)[/ul] Unless otherwise specified with policy routes they will use the static routes, instead increase the priority of the default route
The doc says : The route with the lowest value in the priority field is considered the best route. It is also the primary route.
So the default route priority which is wan1 here should be less.
allwynmasc wrote:Correct, by increasing the priority I meant lowering the number.
The doc says : The route with the lowest value in the priority field is considered the best route. It is also the primary route.
So the default route priority which is wan1 here should be less.
Damn this quirky language
gschmitt wrote:allwynmasc wrote:Correct, by increasing the priority I meant lowering the number.
The doc says : The route with the lowest value in the priority field is considered the best route. It is also the primary route.
So the default route priority which is wan1 here should be less.
Damn this quirky language
haha right . .
Update: this is working properly after skipping the steps identified by gschmitt. Thanks for the assistance!
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1732 | |
1105 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.