comas17
New Contributor

Route traffic to wan1 and wan2 basing on the destination address

Hi all,

In our office (a branch office) we have a FortiGate 60C and we are currently connected to only one ISP. The FGT-60C configuration is quite simple: all internal traffic goes to wan1. There is also a static VPN configured with our headquarters, so we also have a couple of static routes and some policies to route VoIP traffic to our switchboard (located at headquarters) and also traffic to our internal network located at headquarters.

Now in the branch office we want to add another ISP connection; it will be PPPoE and it will be connected to wan2. We want to configure it in this way:

- Internal traffic going to the web (all external addresses) goes through wan2 (the new connection)
- Internal traffic going to headquarters goes to the VPN configured on wan1

What do I need to configure? Do I need to configure a new policy "internal - wan2" (all - all - accept) and disable the current one "internal - wan1"? I suppose I will also need to change/add the current static routes; how?

Thank you
Corrado

gschmitt
Valued Contributor

Keep the old routes in place

Create a new policy internal to wan2 as you said

Create a new policy route going to your HQ network from destination interface internal and set it to Stop Policy Routing

Create a new policy route going to 0.0.0.0/0.0.0.0 with destination interface internal and set it to wan2

comas17

thank you

I cannot find how to configure this "Stop Policy Routing". I searched on the kb and I found this

http://kb.fortinet.com/kb/documentLink.do?externalID=FD35136

but I do not have these options on my FGT-60C (firmware is 5.2.1)

Thank you

gschmitt
Valued Contributor

comas17 wrote:

I cannot find how to configure this "Stop Policy Routing". I searched on the kb and I found this

http://kb.fortinet.com/kb/documentLink.do?externalID=FD35136

but I do not have these options on my FGT-60C (firmware is 5.2.1)

Thank you

Interesting? The very article you linked says "added in 5.2." so you should have it...

 

In that case just set it to your tunnel interface

comas17

I found it.

Advanced routing was disabled; after enabling (widget "Features") now it appears as in kb page

Thank you

comas17

Can you give some more details on these 2 steps ? (I'm quite a newbie)

 

Create a new policy route going to your HQ network from destination interface internal and set it to Stop Policy Routing
Create a new policy route going to 0.0.0.0/0.0.0.0 with destination interface internal and set it to wan2

 

Thank you

gschmitt
Valued Contributor

comas17 wrote:

Create a new policy route going to your HQ network from destination interface internal and set it to Stop Policy Routing
Create a new policy route going to 0.0.0.0/0.0.0.0 with destination interface internal and set it to wan2

 

Make sure Advanced Routing is enabled in the Features

 

Go to Router > Static > Policy Routes and select Create New

Protocol: ANY

Incoming Interface: internal (where your clients are located)

Source address / Mask: the network of your clients (like 192.168.1.0/24)

Destination address / Mask: your HQ network (like 10.1.1.0/24)

Action: Stop Policy Routing

This basically tells the FortiGate that, if the above conditions are matched, to drop back to your static routes.

Now create a new policy route the same as above but:

Destination address / Mask: 0.0.0.0/0.0.0.0

Action: Forward Traffic

Outgoing Interface: wan2

Gateway Address: your ISP gateway (this should be listed in the info your ISP gave you)
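The same two policy routes entered through the FortiOS CLI instead of the GUI, as an added example that is not part of the original thread or of any Fortinet documentation. The 192.168.1.0/24 (clients) and 10.1.1.0/24 (HQ) networks are the ones used in the answer above; 203.0.113.1 is a placeholder for the wan2 ISP gateway. In the CLI, action `deny` is what the GUI calls Stop Policy Routing and action `permit` is Forward Traffic; the netmask syntax shown is the 5.2-era form and is an assumption for other releases.

```fortios
# Added example (not from the thread): CLI equivalent of the two policy
# routes described above. Networks are the thread's own examples;
# 203.0.113.1 is a placeholder for the wan2 ISP gateway.
config router policy
    # Entry 1: client traffic to the HQ network must NOT be policy routed.
    # "deny" is "Stop Policy Routing" in the GUI: matching packets fall
    # through to the static routes, i.e. to the VPN on wan1.
    edit 1
        set input-device "internal"
        set src 192.168.1.0/255.255.255.0
        set dst 10.1.1.0/255.255.255.0
        set action deny
    next
    # Entry 2: everything else from the clients leaves via wan2.
    # "permit" is "Forward Traffic" in the GUI. Policy routes are matched
    # top-down, so the HQ exception (entry 1) must stay above this one.
    edit 2
        set input-device "internal"
        set src 192.168.1.0/255.255.255.0
        set dst 0.0.0.0/0.0.0.0
        set action permit
        set output-device "wan2"
        set gateway 203.0.113.1
    next
end
```

Two checks worth doing after this is in place: `diagnose firewall proute list` shows the policy routes the unit is actually evaluating and their order, and `get router info routing-table all` confirms the existing static routes (including the wan1 default and the VPN routes) are untouched, since the Stop Policy Routing entry depends on them. Note also that a policy route only chooses the exit interface; the new internal-to-wan2 firewall policy still decides what is allowed and inspected, so give it the same security profiles as the existing internal-to-wan1 policy or the new path becomes a bypass of whatever inspection the old one applied.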

comas17

Thank you

Just another detail: currently there is a static route configured for my wan1:

Destination : 0.0.0.0

Gateway: my ISP gateway

Interface: wan1

 

Do i need to change/modify/remove it ?

gschmitt
Valued Contributor

No, as I said keep your static routes.

You can think of it that way: your policy routes override the static routes, if there isn't a policy route your static route is active.

comas17

I configured as you said and it is perfectly working, thank you !

(I still have some questions on how to configure redundant VPN, load balancing, etc., but I'll open new discussions on those; I hope you can help me again.)
