HI all,
Sorry new to Fortigate and trying to work out a problem.
I have a situation, two extenal WANs, both different IP scopes. I have a requirement that if our primay link drops can the public IPs of the primary WAN still be accessible via WAN2 and then through the firewall to the primary WAN interface. We have public facing servers that use NAT, all of the public IPs for them are on the primary WAN. But of course if the primary drops none of these are accessible even though external traffic can still get to WAN2.
Hope that makes sense.
Many thanks.
Chris.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi Chris,
how about to access those servers actually via some FQDN like serverA.yourdomain.com where DNS record will contain A records for both your WAN IP addresses?
So servers will be accessible via two different VIP settings and one of IPs will work eventually.
As you are probably not going to be able to affect routing of your public IPs and how they are reachable from public internet, unless you have some sort of dynamic routing with your ISPs and so things like BGP / AS etc.
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Hi Tom,
Good shout. Unfortunately the scope for the secondary WAN is a /30. The primary is /24 and we use a lot of these addresses.
Thanks for the reply.
Chris.
Hi Chris,
then explore BGP and dynamic routing, so subnets assigned to you (your AS - Autonomous System) will be always reachable via dynamically changing routes based on some pre-set metrics.
It might be somehow doable if both WAN connections are from one provider (I doubt that) so that provider might be willing and able to make some static routes with some priorities and maybe health-checks like ping servers. Something like to our SDWAN. But I'm not sure.
If those WAN connections are from different providers then I do not see much of other options here besides some dynamic routing and so some form of BGP.
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
HI Tom.
Both links from the same provider and they are prepared to run BGP for us.
However...
If I have a server public IP 1.1.1.1 on WAN1 and private 10.10.10.10 I still need to be able to route traffic from our WAN2 (lets say 2.2.2.2) circuit to the public IP of the siad server and then to it's NATed address 10.10.10.10.
I was wondering if we should have a rule allowing traffic from the WAN2 interface to WAN1 interface.
I hope this makes sense.
Chris.
As Tom points out, it's up to your ISP side if the route toward your /24 can be failed over to your secondary circuit. Generally they can't especially those /24 and /30 are bound to the interfaces on the ISP side. If the primary has /30 on the interface on both ISP and your FGT ends, then /24 is routed through the interface, yes, you can fail it over to the secondary with BGP.
Toshi
HI Toshi,
We can get the ISP to fail over to the backup circuit using BGP etc. However I still have various public addresses I need to be accessible. The moment the circuit fails over these are no longer accessible.
The only way I can think of achiving this is if there is a route within the fortigate itself so that traffic can pass from the backup interface and 'see' the public IPs on the primary interface and then hence get translated via NAT to the real IPs of the servers internally.
I hope this makes sense.
I am considering one of Tom's ideas if I can change the secondary to a /24 and have multiple FQDN, one address on the primary and one on the secondary.
Created on 04-22-2022 07:48 AM Edited on 04-22-2022 07:49 AM
If your primary WAN interface has 1.1.1.1/24 configured, when the circuit goes down that directly-connected route would disappear from the routing-table. Check with "get router info routing-table all" when you unplug the cable from WAN.
Toshi
Hi Toshi,
Yeah I was thinking that maybe if only the route to the primary died and the device it is connected was up then the ip scope on the primary would still be in the routing table. Hope this makes sense.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1641 | |
1069 | |
751 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.