Topology:
Hello All, I have the privilege to manage two FGTs.
(I can control NAT, Route... etc on two FGTs.)
Question:
1. Can I route local traffic to 8.8.8.8 via the following path?
[ Local PC -> FGT1 -> ISP1 -> ISP2 -> FGT2 -> ISP2 -> Internet ]
In other words, when local PCs visit Internet, they have to go through FGT2 first.
2. If possible, how do I implement it?
I'm afraid that with a static WAN address the next hop (gateway) must be within the same subnet. The scenario I posted will only work if the WAN interface was connecting via PPPoE. Thanks for the KB articles which state this very clearly.
Now IMHO your best bet is to connect site-to-site via SSL VPN in tunnel mode, on a non-standard port, i.e. not 443 but 12345 or such (1023 < port < 65535). If arbitrary traffic is allowed but just not IPsec (udp/500, udp/4500, ESP) this might work.
Yes, 'site-to-site' is rubbish, sorry. SSLVPN using FortiClient.
Not possible. Once the traffic hits the GW at your ISP, they have no idea where to route packets destined to 192.168.x.y.
toshiesumi wrote: Not possible. Once the traffic hits the GW at your ISP, they have no idea where to route packets destined to 192.168.x.y.
Hello Toshi Esumi, thanks for your reply.
In order to avoid misunderstandings, I modified the question.
I want to route local traffic to the Internet (via FGT1 -> ISP1 -> ISP2 -> FGT2 -> Internet).
In other words, I want the local PCs to reach the Internet via FGT2. Is it possible?
p.s. I can manage two FGTs (including the NAT feature)
An aside: You have the same private subnet on both units. CHANGE ONE (or both!). You will run into more issues down the road if you use the common subnets when you set up networks. 192.168.0, 192.168.1, 192.168.2, 192.168.3. These ship on a majority of devices from the factory, so if/when you meet someone down the road you need to connect to and they do the same, you are going to have issues.
Onto the main question: Cannot be done without a VPN. No ISP will allow the RFC 1918 subnets onto the Internet. End of story. So, no VPN = no remote gateway Internet routing.
Look up "RFC 1918" (https://tools.ietf.org/html/rfc1918) for yourself, superseded by RFC 3330 (https://tools.ietf.org/html/rfc3330) then by RFC 5735 (https://tools.ietf.org/html/rfc5735).
More reading material on the subject could be found here: https://en.wikipedia.org/wiki/Bogon_filtering
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
rwpatterson wrote:An aside: You have the same private subnet on both units. CHANGE ONE (or both!). You will run into more issues down the road if you use the common subnets when you set up networks. 192.168.0, 192.168.1, 192.168.2, 192.168.3. These ship on a majority of devices from the factory, so if/when you meet someone down the road you need to connect to and they do the same, you are going to have issues.
Onto the main question: Cannot be done without a VPN. No ISP will allow the RFC 1918 subnets onto the Internet. End of story. So, no VPN = no remote gateway Internet routing.
Google "RFC 1918" for yourself
Hello rwpatterson, thanks for your reply!!
(I've modified the subnet in the topology)
If I use NAT on FGT1, the source IP of the outgoing traffic will be 221.27.31.2;
after that, is it possible to implement what I want?
Read the linked materials on BOGONs.
No
You cannot route to any 192.168/16 network over the Internet without a VPN. End of story.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
rwpatterson wrote:Read the linked materials on BOGONs.
No
You cannot route to any 192.168/16 network over the Internet without a VPN. End of story.
Hello rwpatterson, thanks for your reply.
I'm sorry. It's my fault. I think that I did not express my question clearly in the title.
All I want to do is route local traffic to the Internet via FGT2.
The traffic path I want is: Local PC -> FGT1 -> ISP1 -> ISP2 -> FGT2 -> Internet,
and I don't care whether FGT2's local subnet is reachable or not,
I just want the local PCs' Internet traffic to go to FGT2 first.
Is it possible? If so, could you tell me how to implement it?
Create a VPN and route the traffic across it.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Hmm, not so quick.
He mentioned no VPN, but you have another option: GRE-tunnel the traffic back to the HQ, but keep these thoughts in mind.
- GRE offers no protection or encryption. Anything that can inspect 1 or 2 levels deep will ID the traffic. PMTUD and max datagram size could be issues (UDP is even worse); you can fix up TCP with TCP MSS adjustments.
- Overhead with GRE might be slightly less than ESP encryption, from a function and layer 3 header perspective.
Ken
PCNSE
NSE
StrongSwan
emnoc wrote: Hmm, not so quick.
He mentioned no VPN, but you have another option: GRE-tunnel the traffic back to the HQ, but keep these thoughts in mind.
- GRE offers no protection or encryption. Anything that can inspect 1 or 2 levels deep will ID the traffic. PMTUD and max datagram size could be issues (UDP is even worse); you can fix up TCP with TCP MSS adjustments.
- Overhead with GRE might be slightly less than ESP encryption, from a function and layer 3 header perspective.
Ken
Hello emnoc,
I think that I should study first about the GRE tunnel, thank you.
2018.07.06
I've tested it: using a GRE tunnel works, but it seems to be a type of VPN.
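As an added worked example, not configuration posted by anyone in this thread, here is the FortiOS CLI layout that the answers above describe: a GRE tunnel between the two FortiGates, a default route on FGT1 that points into the tunnel, no NAT on FGT1 so the private source survives inside the tunnel, and source NAT on FGT2 so that only FGT2's public address ever reaches ISP2. The outer GRE header is 221.27.31.2 -> 203.0.113.2, which is why ISP1 and ISP2 can carry it at all: they never see the 192.168.x.y addresses rwpatterson and toshiesumi warned about. Only 221.27.31.2 comes from the thread; the FGT2 public address 203.0.113.2, the ISP1 gateway 221.27.31.1, the tunnel addresses 10.255.255.1/2, the branch LAN 192.168.10.0/24 and the interface names wan1/internal are all assumed. The tcp-mss clamp is the practical answer to emnoc's PMTU point. The # comments are annotations for the reader; strip them before pasting into the CLI.

```fortios
# ---------- FGT1 (branch, public IP 221.27.31.2): tunnel + default route into it ----------
config system gre-tunnel
    edit "gre-to-fgt2"
        set interface "wan1"
        set local-gw 221.27.31.2
        set remote-gw 203.0.113.2      # FGT2 public IP (assumed)
    next
end
config system interface
    edit "gre-to-fgt2"
        set ip 10.255.255.1 255.255.255.255
        set remote-ip 10.255.255.2 255.255.255.255
    next
end
config router static
    edit 0
        # host route to the far tunnel endpoint via ISP1; without it the
        # default route below would try to send the GRE packets into the tunnel
        set dst 203.0.113.2 255.255.255.255
        set gateway 221.27.31.1        # ISP1 gateway (assumed)
        set device "wan1"
    next
    edit 0
        # everything else goes into the tunnel, so FGT2 is the real Internet exit
        set dst 0.0.0.0 0.0.0.0
        set device "gre-to-fgt2"
    next
end
config firewall policy
    edit 0
        set name "lan-to-fgt2-gre"
        set srcintf "internal"
        set dstintf "gre-to-fgt2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable                # keep 192.168.10.x as source; FGT2 does the NAT
        set tcp-mss-sender 1400        # clamp MSS: GRE adds 24 bytes, so a 1500-byte
        set tcp-mss-receiver 1400      # inner packet would otherwise exceed the path MTU
    next
end

# ---------- FGT2 (HQ, public IP 203.0.113.2): terminate tunnel, NAT to the Internet ----------
config system gre-tunnel
    edit "gre-from-fgt1"
        set interface "wan1"
        set local-gw 203.0.113.2
        set remote-gw 221.27.31.2
    next
end
config system interface
    edit "gre-from-fgt1"
        set ip 10.255.255.2 255.255.255.255
        set remote-ip 10.255.255.1 255.255.255.255
    next
end
config firewall address
    edit "branch-lan"
        set subnet 192.168.10.0 255.255.255.0   # FGT1 LAN (assumed)
    next
end
config router static
    edit 0
        # return route: replies (after un-NAT) must go back down the tunnel
        set dst 192.168.10.0 255.255.255.0
        set device "gre-from-fgt1"
    next
end
config firewall policy
    edit 0
        set name "branch-gre-to-internet"
        set srcintf "gre-from-fgt1"
        set dstintf "wan1"
        set srcaddr "branch-lan"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable                 # source becomes 203.0.113.2; no RFC 1918 address reaches ISP2
    next
end
```

To check it, run get router info routing-table all on FGT1 (the 0.0.0.0/0 entry should list gre-to-fgt2 and the 203.0.113.2/32 entry wan1) and diagnose sniffer packet wan1 'proto 47' 4 on both units while a LAN host browses: FGT1 should show GRE leaving for 203.0.113.2, and FGT2 should show it arriving from 221.27.31.2 with the decapsulated flows then leaving wan1 with source 203.0.113.2. Because GRE carries the inner packets in the clear (emnoc's first point), if the hop across the two ISPs needs confidentiality, replace each gre-tunnel object with an interface-mode IPsec phase1/phase2 between the same two public addresses and keep the route and policy layout unchanged; that is the VPN the accepted answer refers to.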
Copyright 2025 Fortinet, Inc. All Rights Reserved.