Support Forum
Daniel_De_Abreu
New Contributor

Routing Internet traffic over the vpn into another site is that possible? [SOLVED]

Hi to all. I would like some help from you guys. I have an IPSEC VPN site to site working and it's all good! Let me set the variables for my question:

SITE-1: International Breakout
SITE-2: Local Bandwidth

My question is this. I want all my users' internet traffic from the local LAN on site 2 to be routed using the VPN, break out on site-1 and then use the internet. Let me explain why I need this. I am currently in South Africa and here we have what we call Local Bandwidth, which means that I can only browse local sites in South Africa, and this is all managed by my ISP. As bandwidth is very $$$ in South Africa, a lot of people use local bandwidth for their business. In site 2, where my router is, there is only local bandwidth and the users need to use international bandwidth. That is why I need site 2 internet traffic to be routed using the VPN and then break out into the internet in site 1.

As far as I was able, I managed to create a policy that sends all web traffic from SITE-2 over the VPN to site one, but I don't know how to set up SITE-1 to be able to allow this traffic. How can I achieve this? Thanks a lot
Daniel De Abreu
9 REPLIES
ede_pfau
SuperUser

Hi, I sincerely hope you have set up your VPNs in Interface Mode so that you have virtual interfaces, routes to these interfaces and policies. If not, recreate your VPN in Interface Mode.

Next, to route all traffic over the VPN you need to set the default route (0.0.0.0/0) in site 2 to the VPN interface of FGT2. Traffic arriving on FGT1's tunnel end will have the addresses from LAN2. So now you need a policy 'VPN_IF' to 'WAN' and allow this traffic outbound. Return traffic will follow the route you already have set, namely that the addresses from LAN2 are to be found behind the (FGT1's) VPN interface. All of this works without having to assign addresses to the actual VPN interfaces, i.e. tunnel ends.

In short, to have ALL traffic routed over to FGT1's site is only a minor addition to the current setup. The easiest way to change the default gateway for your hosts in LAN2 is to change the setting in the DHCP server, obviously.
Ede Kernel panic: Aiee, killing interrupt handler!
Daniel_De_Abreu
New Contributor

Hi Ede. Thanks very much for your support and getting back to me on this matter. Yes, my VPN was set up as Tunnel mode, and then I followed your advice and recreated everything in interface mode, and then I was able to route the traffic over the VPN. I really appreciate your input and I learned a lot about this, and after a lot of research I got another solution that I would like to share here.

What I did was policy-based routing. I set the policies allowing traffic on the FortiGates over the VPN in SITE-1 and SITE-2 and then simply created a policy-based route like this for HTTPS (also repeat the same for HTTP):

    config router policy
        edit 1
            set input-device "LOCAL-LAN"
            set src 172.18.0.0 255.255.0.0
            set dst 0.0.0.0 0.0.0.0
            set protocol 6
            set start-port 443
            set end-port 443
            set gateway 1.1.1.1
            set output-device "VPN-TO-SITE-1"
        next
    end

After doing that I managed to browse the internet in SITE-2 using the gateway on SITE-1 and it works nicely.

I would like to ask one last question. With this set-up all works fine but it's a bit slow. I just would like to know if someone knows how I could have a faster VPN? Maybe change my encryption? Thanks a lot for all the help.
Daniel De Abreu
ede_pfau
SuperUser

Hi, good that it works for you now. The encryption itself is not slowing down the traffic, I guess, although I would use AES128/SHA1 as an efficient combination in contrast to 3DES/MD5. When SITE-2 browses, the webpages are UPloaded by SITE-1 and that is where the slowdown comes from. I don't know anything about your WAN connections but I assume it's some form of ADSL in which the upload direction has (much) less bandwidth than the download direction. Correct me if I'm wrong.

Now to your second solution: you used Policy Routing to force specific traffic over the tunnel. Policy Routing is independent of the type of tunnel setup (policy based or interface based) and bypasses the regular routing. It is one way to achieve what you want BUT it will only work for the port you specify, and it will need one Policy Route per port used. For example, try to run Spotify and you'll see it won't work as it is not using HTTP or HTTPS... but in general this would be an alternative if regular routing were not possible.
Ede Kernel panic: Aiee, killing interrupt handler!
Daniel_De_Abreu
New Contributor

ede_pfau
Hi ede_pfau. I just would like to thank you and everyone that helped me on this matter. I was checking why the internet traffic is so slow over the VPN and it's a problem with the service provider, a fault on the line; this problem is being addressed at the moment and as soon as the line works 100% all should be fine. And yes, I know that I am only routing HTTP and HTTPS over the VPN and that is what we need there at the moment. One more time thanks a lot for all your h
Daniel De Abreu
robertwb2
New Contributor

Hi... I was going to try to experiment and do this same exact thing, however, I'm confused as to this instruction:
Next, to route all traffic over the VPN you need to set the default route (0.0.0.0/0) in site 2 to the VPN interface of FGT2.
I have my VPN in interface mode, but I'm just not sure where to make that change above. Thanks so much, Robert
ede_pfau
SuperUser

You create a static route (Router > Static > Static Route) with these parameters:

Dest. IP/Mask: 0.0.0.0/0
Device: (drop-down) select the VPN interface
Gateway: leave at 0.0.0.0
Distance: 5
Priority: 10

assuming you do not already have a static route to this destination. If you have a PPPoE or DHCP WAN connection then there might be a setting to get the default gateway (= the route to 0.0.0.0/0) dynamically. The lower distance of 5 here gives the static route preference over the route to the WAN interface.
Ede Kernel panic: Aiee, killing interrupt handler!
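Putting Ede's two replies together (the default route into the tunnel on FGT2, plus the 'VPN_IF' to 'WAN' policy and the LAN2 return route on FGT1) in FortiOS CLI form, as an added example that is not from any post in this thread. The interface names LOCAL-LAN and VPN-TO-SITE-1 and the LAN2 prefix 172.18.0.0/16 come from Daniel's post; VPN-TO-SITE-2, wan1, the address object LAN2-NET and the route and policy IDs are assumptions, and NAT on FGT1's outbound policy is an added caveat, since LAN2's private addresses cannot leave FGT1's WAN unchanged.

```fortios
# FGT2 (SITE-2): default route into the tunnel. Distance 5 is assumed to be lower
# than the WAN default route's, so the tunnel wins while it is up; if the tunnel
# interface goes down this route is withdrawn and the WAN default takes over.
config router static
    edit 10
        set dst 0.0.0.0 0.0.0.0
        set device "VPN-TO-SITE-1"
        set distance 5
        set priority 10
    next
end

# FGT2: let LAN2 into the tunnel. No NAT on this hop, so FGT1 sees the real LAN2
# addresses and its return route for 172.18.0.0/16 matches the replies.
config firewall policy
    edit 10
        set srcintf "LOCAL-LAN"
        set dstintf "VPN-TO-SITE-1"
        set srcaddr "LAN2-NET"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# FGT1 (SITE-1): the 'VPN_IF' to 'WAN' policy. NAT is enabled here (added caveat):
# LAN2 is private, so packets leaving wan1 must carry FGT1's public address.
config firewall policy
    edit 20
        set srcintf "VPN-TO-SITE-2"
        set dstintf "wan1"
        set srcaddr "LAN2-NET"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

# FGT1: return route, so replies to LAN2 go back into the tunnel (the existing
# route Ede refers to).
config router static
    edit 11
        set dst 172.18.0.0 255.255.0.0
        set device "VPN-TO-SITE-2"
    next
end
```

LAN2-NET is assumed to be a firewall address object for 172.18.0.0/16 defined on both units. Both tunnels' phase 2 selectors must cover 0.0.0.0/0 (the interface-mode default) or internet-bound traffic will not match the tunnel.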
Daniel_De_Abreu
New Contributor

Hi to all. Just want to keep all updated here: my problem with the speed on the VPN was a bug in FOS 5 patch 4 that only affected the 40c Unity. Just revert to FOS 5 PATCH 3 and all should be fine. Please let me know if anyone needs help with that. Thanks a lot.
Daniel De Abreu
vanc

ORIGINAL: Daniel De Abreu Just want keep all updated here, my problem with the speed on the vpn was a bug on the FOS 5 patch 4 that only has affected the 40c Unity.
The bug has been fixed in the upcoming 5.0.5. If you are a beta tester, you might have received build 5.0.246. It's good in that build.
Daniel_De_Abreu
New Contributor

Hi Vanc. Thanks very much for the information, appreciated! Thanks
Daniel De Abreu