Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
tobisfr
New Contributor

SD-WAN and NAT with IP-Pool

Hi,

i have two WAN interfaces (two different ISPs) configured as SD-WAN

WAN1: with 4 external IPs

WAN2: simple Gateway with 1 external IP

 

I wan't our FortiMail appliance to use both WAN interface for outgoing SMTP connections ( WAN2 if WAN1 is down). But how can i configure that it uses only 1 of the 4 IPs with WAN1?

 

(latest 5.6 FortiOS)

 

Thanks in advance,

Tobi

3 REPLIES 3
AdiMizil
New Contributor III

HI tobisfr,

 

Please provide more info re FortiMail deployment . Gateway mode deployment : in front of firewall, behind firewall or in a DMZ  ?

https://s3.amazonaws.com/fortinetweb/docs.fortinet.com/v2/attachments/f7766de2-243a-11e9-b20a-f8bc12...  - page 46

 

A screen shoot of the Ipv4 policy for internet access for the FortiMail appliance  and one from the SD-WAN rules ( if it exists)- from the Fortigate unit

 

Then we can discuss about SD-WAN , DNS records for MX, SPF etc. 

 

Kind regards,

Adi

 

 

tobisfr

Hi,

 

the FortiMail is behind the Firewall

- MX-Record Pointing to one A-Record

- A-Record Pointing to the two external IP-Adresses of our ISPs

- PTR Records on this IPs set to A-Record

 

Receiving Mail works fine with the two WAN interfaces ( Set

 

At the moment I only use WAN1 to send external Mail:

- In the policy I do NAT with IPPool Mode one-to-one

- Set a Policy Route with source "Fortimail" und Port 25 to use WAN1

 

No I don't now how to configure both WAN Interfaces the send with the correct NAT-Adress.

 

 

 

AdiMizil
New Contributor III

I would try like that :

 

Create another IP Pool with the other public IP address from WAN2 (I don't know if One to One type will break current internet access for WAN2, I would also try also with Overload)

Change outgoing interface from WAN1 to SD-WAN in IPv4 policy

Set Dynamic IP POOL with both IP POOLS created.

 

MOVE this rule above existing IPv4 internet access rules so this will get hit first . 

 

TEST the rule and test the internet access for the company.

 

for testing you can try this on cli 

 

diagnose sniffer  packet  wan2 "tcp and port 25" 4

or

diagnose sniffer packet "tcp and port 25" 4    - for all interfaces or diagnose sniffer packet wan1 wan2 "tcp and port 25" 4

 

 

There is another option for SD-WAN , search on youtube "SD-WAN Rule Improvement: Load Balancing | FortiOS 6.2 " - but you don't have control over which interface traffic goes as this relies more on SLA's. It worth checking.  

 

P.S. - update public DNS records , SPF record to white list all your PUBLIC IP addresses from WAN 1 and WAN2 . 

 

Kind regards, 

Adi

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors