Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
LiaoYuRuei
New Contributor

Route branch local traffic to Internet via HQ's FGT without VPN ?

Topology:

 

Hello All, I have the privilege to manage two FGTs.

(I can control NAT, Route... etc on two FGTs.)

 

Question:

1.Can I route local traffic to 8.8.8.8 via following path ?

   [ Local PC -> FGT1 -> ISP1 -> ISP2 -> FGT2 -> ISP2 -> Internet ]

   In other words, when local PCs visit Internet, they have to go through FGT2 first.

2.If possible, how to implement it?

 

4 Solutions
rwpatterson
Valued Contributor III

Create a VPN and route the traffic across it.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

View solution in original post

Bob - self proclaimed posting junkie!See my Fortigate related scripts at: http://fortigate.camerabob.com
emnoc
Esteemed Contributor III

Hmm.not so quick.

 

He mention no  vpn,  but you have another option. GRE-tunnel  the traffic back to the HQ , but keep these thoughts in mind.

 

[ul]
  • GRE offers no  protection or encryption.
  • Any thing that can inspect  1 or 2 level deep will ID the traffic.
  • PMTUD and max datagram  could be a issues ( UDP is even worst ), you can fixup TCP with mss.tcp adjustments.[/ul]

    Overhead with  GRE might be slightly less than ESP encryption from a function and layer3 header

     

    Ken

     

  • PCNSE 

    NSE 

    StrongSwan  

    View solution in original post

    PCNSE NSE StrongSwan
    ede_pfau

    I'm afraid that with a static WAN address the next hop (gateway) must be within the same subnet. The scenario I posted will only work if the WAN interface was connecting via PPPoE. Thanks for the KB articles which state this very clearly.

     

    Now IMHO your best bet is to connect site-to-site via SSL VPN in tunnel mode, on a non-standard port, i.e. not 443 but 12345 or such (1023 < port < 65535). If arbitrary traffic is allowed but just not IPsec (udp/500, udp/4500, ESP) this might work.

    Ede Kernel panic: Aiee, killing interrupt handler!

    View solution in original post

    Ede Kernel panic: Aiee, killing interrupt handler!
    ede_pfau

    Yes, 'site-to-site' is rubbish, sorry. SSLVPN using FortiClient.

    Ede Kernel panic: Aiee, killing interrupt handler!

    View solution in original post

    Ede Kernel panic: Aiee, killing interrupt handler!
    23 REPLIES 23
    LiaoYuRuei

    ede_pfau wrote:

    Yes, 'site-to-site' is rubbish, sorry. SSLVPN using FortiClient.

     

    OK, I see.

    If using this method, I have to make more effort on user training.

    Anyway, it's also a solution, thanks a lot.

    LiaoYuRuei

    Hello all, thank you very much,

    let me make a conclusions for the above discussions.

     

    If I want to route traffic from local PCs in branch to Internet via HQ's FGT.

    There are some methods:

    1.Site-to-Site VPN between 2 FGTs with static route and policy control

    2.GRE Tunnel between 2 FGTs with static route and policy control

    3.client to site VPN, branch's PCs connect to HQ's FGT (SSL, PPTP...etc)

    TIP: all above using VPN.

     

    If there is any way to work fine without VPN, please share to me, thanks!!

    AK
    New Contributor

    Hello,

    no, the destiantion ip is important. This is 8.8.8.8.

     

    And the first ISP route this to google.

     

    You need a Site-to-Site IPsec VPN Tunnel between the both FG.

    This is totally easy to configure.

     

    And you need a second default route in the VPN Tunnel.

    http://cookbook.fortinet.com/remote-browsing-using-site-to-site-ipsec-vpn/

     

    Regards

    Andreas

    LiaoYuRuei
    New Contributor

    rwpatterson wrote:

    Read the linked materials on BOGONs.

     

    No

     

    You cannot route to any 192.168/16 network over the Internet without a VPN. End of story.

    Hello, rwpatterson, Thanks your reply.

    I'm sorry. It's my fault. I think that I do not express my question clearly on the title.

    All I want to do is that routing local traffic to Internet via FGT2.

    The traffic path what I want is: Local PC -> FGT1 -> ISP1 -> ISP2 -> FGT2 -> Internet,

    and I don't care where the FGT2's local subnet is reachable or not,

    I just want the traffic of local PC visiting Internet should go to FGT2 first.

     

    If it is possible? If possible, could you tell me how to implement it?

    Announcements

    Select Forum Responses to become Knowledge Articles!

    Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

    Labels
    Top Kudoed Authors