Separate WAN for different VLAN

peter-supply · ‎01-17-2025

We currently have two ISPs setup as an SD-WAN on a Fortigate 200 in an HA pair. We need to add a third ISP, but we do not want to make the third ISP a part of the SD-WAN. The third ISP will be used exclusively for a specific internal VLAN and a specific type of traffic.

That is, we need to direct a specific VLAN out the third ISP. The specific VLAN only should go out the "third WAN."

I found another forum post that seems to indicate that this is possible:

https://community.fortinet.com/t5/Support-Forum/Multiple-WANs-for-separate-LANs/m-p/95377#M95287

The VLAN is currently going out our SD-WAN.

If I have it correct that such a setup is possible, what are the steps?

1) Add ISP to the Fortigate.

a) Configure an available port with info for ISP.

2) Create a Firewall policy for VLAN to go out ISP #3.

3) Create a Policy Route to direct WAN traffic from the specific VLAN out ISP #3

Does this sound right? Any other considerations/concerns?

dingjerry_FTNT · ‎01-17-2025

Hi @peter-supply ,

I am not sure whether you have VDOM or not. Anyway, if 3 default routes are in the same place (VDOM, same routing table) , make sure that they have the same AD.

The rest of them seems good to me.

Regards,

Jerry

peter-supply · ‎01-17-2025

We do not use VDOM. Do you have any recommendations as to how the Policy Route be setup? Thanks.

dingjerry_FTNT · ‎01-17-2025

Let's call the interface facing the VLAN "VLAN-Interface", the VLAN is called "VLAN-subnet".

The Source Interface is "VLAN-Interface";

The Destination interface is the interface connecting ISP#3;

Source address is "VLAN-subnet";

Destination address is all.

Regards,

Jerry

dingjerry_FTNT · ‎01-17-2025

You may need to check this KB:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-the-Firewall-Policy-Routes/ta-...

Regards,

Jerry

Separate WAN for different VLAN

Nominate a Forum Post for Knowledge Article Creation

You are leaving our website