Hi,
We have a simple architecture:
- a WAN interface for incoming requests to our servers, with static NAT
- several interfaces for internal servers and user resources
- a single default route for outgoing and reverse traffic
- several static routes for different resources and sites
All works well.
We recently had to manage a new public range, with new internal servers. For different internal reasons, the two public WANs have to be separate and use the same VDOM.
We dedicated a WAN interface to the new range. The default route is still on the old one.
When we try to reach the new public interface from outside, the famous msg="reverse path check fail, drop" is raised.
Doc: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Detailed-Guide-on-dual-WAN-setup-for-targe... was very good information, but does it apply only to egress traffic, or to ingress traffic too?
In other words, we want to expose services on the internet on two separate WAN interfaces in the same VDOM. But the second seems to be unreachable, as the default route is mapped to the first one: packets arrive on the second interface but do not reach the internal servers, with "reverse path check". When adding a static route for the external requesting address, it works. But we cannot list all internet addresses in our routing table...
Adding a second default route (with a higher priority value, then a policy route to forward the wanted traffic to the second WAN) seems to be the solution, but we are afraid that it would disturb the original workflow.
Are we on the right track? Would adding a second default route with a higher priority value and policy routes be safe for the old working system?
BR
Of course the KB doesn't mention anything about out-to-in traffic, therefore no mention of VIPs.
But once two default routes are placed, return traffic for the out-to-in should follow the reverse path. If it comes in wan1 then the return goes out wan1. Same goes with wan2. Again, as long as a default route exists on each wan interface.
Yes, it should work.
Toshi
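To make the two-default-route setup concrete, here is an added FortiOS CLI example (not from the thread, not Fortinet's own text). Interface names, addresses and gateways are assumptions: wan1 is the existing WAN (gateway 203.0.113.1), wan2 the new one (gateway 198.51.100.1), dmz2 the interface of the new internal servers (10.0.2.0/24), and 10.0.2.10 is published as 198.51.100.10 on wan2. The two default routes share a distance so both are installed and both count for the reverse-path check; the priority value keeps wan1 preferred for everything that worked before.

```fortios
# Added example; assumed interfaces/addresses, see lead-in.

# 1. Two default routes: same distance (both installed, both usable for
#    the reverse-path check), different priority (lower value wins, so
#    existing egress traffic keeps leaving via wan1).
config router static
    edit 1
        set dst 0.0.0.0/0
        set gateway 203.0.113.1
        set device "wan1"
        set distance 10
        set priority 1
    next
    edit 2
        set dst 0.0.0.0/0
        set gateway 198.51.100.1
        set device "wan2"
        set distance 10
        set priority 10
    next
end

# 2. Static NAT (VIP) for the new server on the new public interface.
config firewall vip
    edit "vip-srv2-https"
        set extintf "wan2"
        set extip 198.51.100.10
        set mappedip "10.0.2.10"
    next
end

# 3. Inbound policy wan2 -> dmz2. Return traffic is session-based and
#    leaves via wan2 by itself; no policy route is needed for it.
config firewall policy
    edit 100
        set name "in-wan2-srv2"
        set srcintf "wan2"
        set dstintf "dmz2"
        set srcaddr "all"
        set dstaddr "vip-srv2-https"
        set action accept
        set schedule "always"
        set service "HTTPS"
    next
end

# 4. Policy route only for sessions the new servers originate, so they
#    leave via wan2 instead of the preferred wan1 default. It is honoured
#    only because static route 2 above exists for that gateway.
config router policy
    edit 1
        set input-device "dmz2"
        set src "10.0.2.0/255.255.255.0"
        set dst "0.0.0.0/0.0.0.0"
        set gateway 198.51.100.1
        set output-device "wan2"
    next
end

# 5. Checks: both default routes should be listed, and an inbound test to
#    the VIP should no longer show "reverse path check fail, drop".
get router info routing-table all
diagnose debug flow filter addr 198.51.100.10
diagnose debug flow trace start 10
diagnose debug enable
```

Two caveats from the same configuration: step 4 also needs a dmz2 -> wan2 firewall policy with NAT enabled, or the policy-routed sessions are dropped by the firewall. And this relies on the default loose (feasible-path) source check; if `strict-src-check` is enabled in `config system settings` for the VDOM, only the best route to the source counts, the best default is wan1, and packets arriving on wan2 would still fail.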
Thanks a lot.
We wonder about policy routes: a policy route seems not to be applied if there is no default route, whereas it is consulted before the static table (as explained in the doc).
Is there any way to use a policy route without adding a default route on the second interface, or is having a reverse path in the static table mandatory?
No way. A proper route needs to exist (a default route in your situation, because the destinations are random) for any policy routes to work. Same as SD-WAN settings.
Toshi