Unlock Exclusive Benefits
Join Our Community Today!
Join our Community and post in the forum to earn your exclusive badge; celebrating 3 years of the Fortinet Community!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: Static route not working for 2nd ISP link
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Static route not working for 2nd ISP link
We are setting up static IPs from two ISP provider on one Forgitate 300.
The first ISP setup using default static route works, but adding the 2nd ISP doesn't.
Static routes and Policies are as follow
Static Routes :
0.0.0.0/0.0.0.0, GW: up.ISPa.169.229 using port 5 for ISP-A
0.0.0.0/0.0.0.0, GW: down.SVRa.38.80 using port 6 for Server-Segment-A
up.ISPb.100.28/255.255.255.252, GW: up.ISPb.100.29 using port 1 for ISP-B
down.ISPb.36.144/255.255.255.240, GW: down.SVRb.36.144 using port 2 for Server-Segment-B
Policies:
Port1 -> Port 2: all, NAT disabled
Port2 -> Port 1: all, NAT disabled
Port5 -> Port 6: all, NAT disabled
Port6 -> Port 1: all, NAT disabled
Should we abandon default route (0.0.0.0/0.0.0.0) and use ISP-A parameters instead?
Does the sequence of static route matter? i.e. by define it first will cause all traffic to route to default?
Yeehar
Yeehar
Labels:
- Labels:
-
FortiGate
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
16 REPLIES 16
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Yeehar,
As per the fortigate behavior the distance and priority value matters in the selection of the static route. The static route having lower distance will be preferred. When two routes have an equal distance, the route with the lower priority number will take precedence.
Best regards,
Parteek
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Yeehar,
You can check this below document for more information on routing behavior
* In general terms whichever route AD value is less will be in the routing table others will not
* If two routes have the same AD value and Priority is same then the firewall will do ECMP, to have redundancy change the Priority in the route setting
To check routing use the below command:
get route info routing-table database --> to check active and inactive both routes
get router info routing-table details --> It will show active route which firewall will use to send traffic.
Regards,
Regards,
Vishal
Vishal
Created on 08-31-2022 03:57 AM Edited on 08-31-2022 04:04 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Vishal Sahu,
We are trying to combine two edge routers giving by two different ISP into a single Fortigate, is this possible?
We have tried specifying two static routes.
When only one ISP is connected, the route works for each ISP configuration.
However, when both were plug in, all access are blocked, i.e, we tried to ping from mobile phone to the static IP provided by respective ISP.
Thanks for trying understand our attempts.
Yeehar
Yeehar
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yeehar,
* Your topology will work if the route and policy configuration is correct, make sure NAT is enabled in both the policy that you've configured for WAN1 and WAN2.
Can you share the output of, when both routers are connected
get route info routing-table database
get router info routing-table details
show router static
Regards,
Vishal
Vishal
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks, Vishal Sahu!
We've confirmed that pulling out either port 1&2 or port 5&6 works, i.e. each settings for respective ISP is working correctly. When both sets are plugged in, all public IP are not accessible.
Here's the output
get route info routing-table database
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
> - selected route, * - FIB route, p - stale info
S *> 0.0.0.0/0 [10/0] via 29.51.169.229, port5
*> [10/0] via 120.78.100.29, port1
C *> 121.3.36.144/28 is directly connected, port2
S 121.3.36.144/28 [10/0] via 121.3.36.144, port2
S 29.51.38.80/28 [15/0] via 29.51.38.80, port6
C *> 29.51.38.80/28 is directly connected, port6
C *> 29.51.169.228/30 is directly connected, port5
C *> 129.126.100.28/30 is directly connected, port1
C *> 192.168.1.0/24 is directly connected, port10
get router info routing-table details
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
S* 0.0.0.0/0 [10/0] via 29.51.169.229, port5
[10/0] via 120.78.100.29, port1
C 121.3.36.144/28 is directly connected, port2
C 29.51.38.80/28 is directly connected, port6
C 29.51.169.228/30 is directly connected, port5
C 129.126.100.28/30 is directly connected, port1
C 192.168.1.0/24 is directly connected, port10
show router static
config router static
edit 1
set gateway 29.51.169.229
set device "port5"
next
edit 2
set dst 29.51.38.80 255.255.255.240
set gateway 29.51.38.80
set distance 15
set device "port6"
next
edit 3
set gateway 120.78.100.29
set device "port1"
next
edit 4
set dst 121.3.36.144 255.255.255.240
set gateway 121.3.36.144
set device "port2"
next
end
Yeehar
Yeehar
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Yeehar,
The configuration is correct you can take a flow filter and snifer when both the links are connected and check where it's getting dropped, or firewall is sending the traffic to the next hop or not.
> First enable the flow filter in one SSH and Sniffer in another session simultaneously
> Then initiate the ping to 8.8.8.8
Flow filter:
diag debug disable
diag debug reset
diag debug flow filter clear
diag debug flow filter saddr x.x.x.x
diag debug flow filter daddr 8.8.8.8
diag debug flow filter proto 1
diag debug flow show iprop en
diag debug flow show fun en
diag debug flow trace start 1000
diag debug enable
Sniffer:
diag sniffer packet any "host x.x.x.x and host 8.8.8.8 and proto 1" 4 0 a
Regards,
Vishal
Vishal
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Vishal Sahu,
We didn't quite follow 8-(
we started a SSH session to setup the diagnostic settings at source address 29.51.38.81 followed by diag sniffer packet any "host 29.51.38.81 and host 8.8.8.8 and proto 1" 4 0 a.
Then at the CLI console in the web interface, we did a ping 8.8.8.8.
We are doing while single ISP connection is active to test if we are setting up correctly.
There wasn't any result displayed at the SSH session.
Are we doing it right?
Yeehar
Yeehar
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Dear sgclarence,
You can use the SDWAN feature to achieve this. If you configure SDWAN you will be able to load balance the traffic between both the links and also can utilize the links based on latency or the applications.
Rosa Technocrat --
Also on YouTube---
Please do Subscribe
Also on YouTube---
Please do Subscribe
Rosa Technocrat --Also on YouTube---Please do Subscribe
Created on 09-01-2022 05:23 PM Edited on 09-01-2022 05:36 PM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Rosatechnocrat,
SDWAN seems to be an overkill for consolidating two ISP edge routers on a single Fortigate.
Yeehar
Yeehar
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- Fortinet with Starlink. If not active... 118 Views
- Dialup L2TP IPSEC Dynamic routing after... 100 Views
- Standalone FortiSwitch default route 203 Views
- issue sending backup to ftp server 237 Views
- Output traffic with default route BGP 746 Views
Labels
-
FortiGate
8,522 -
FortiClient
1,724 -
5.2
801 -
FortiManager
716 -
5.4
639 -
FortiAnalyzer
548 -
FortiSwitch
463 -
FortiAP
460 -
6.0
416 -
FortiClient EMS
411 -
5.6
362 -
FortiMail
310 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
225 -
FortiWeb
201 -
5.0
196 -
IPsec
191 -
FortiNAC
181 -
FortiGuard
136 -
6.4
128 -
SD-WAN
112 -
FortiGateCloud
100 -
FortiSIEM
97 -
FortiCloud Products
96 -
FortiToken
89 -
FortiAuthenticator
85 -
Customer Service
78 -
Wireless Controller
76 -
Firewall policy
74 -
4.0MR3
64 -
FortiProxy
59 -
High Availability
54 -
Fortivoice
53 -
FortiADC
53 -
FortiEDR
51 -
vlan
48 -
ZTNA
46 -
FortiExtender
45 -
FortiSandbox
44 -
FortiDNS
42 -
Routing
41 -
DNS
41 -
BGP
39 -
LDAP
39 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
SAML
34 -
Certificate
34 -
Authentication
33 -
SSO
31 -
Interface
31 -
NAT
31 -
RADIUS
30 -
FortiConnect
28 -
FortiLink
27 -
FortiWAN
26 -
Web profile
26 -
FortiConverter
25 -
VDOM
25 -
Application control
25 -
FortiGate v5.2
24 -
Logging
24 -
FortiPAM
22 -
Virtual IP
22 -
SSL SSH inspection
21 -
Fortigate Cloud
20 -
FortiPortal
19 -
FortiSwitch v6.2
18 -
FortiMonitor
18 -
Traffic shaping
17 -
FortiDDoS
15 -
OSPF
15 -
WAN optimization
15 -
FortiGate v5.0
14 -
System settings
14 -
IP address management - IPAM
14 -
SSID
13 -
Static route
13 -
FortiSOAR
12 -
FortiCASB
12 -
snmp
12 -
Automation
12 -
Admin
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiManager v4.0
10 -
FortiRecorder
10 -
IPS signature
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
Traffic shaping policy
9 -
FortiAP profile
9 -
Proxy policy
9 -
RMA Information and Announcements
8 -
Security profile
8 -
Port policy
8 -
Intrusion prevention
8 -
4.0
7 -
FortiDeceptor
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
Fabric connector
7 -
Explicit proxy
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Antivirus profile
6 -
Traffic shaping profile
6 -
Fortinet Engage Partner Program
6 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
Web rating
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
FortiDB
3 -
FortiHypervisor
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
Authentication rule and scheme
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
Cloud Management Security
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Protocol option
2 -
TACACS
2 -
Schedule
2 -
SDN connector
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1665 | |
| 1077 | |
| 752 | |
| 446 | |
| 220 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.