Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
sgClarence
New Contributor

Static route not working for 2nd ISP link

We are setting up static IPs from two ISP providers on one FortiGate 300.

The first ISP setup using the default static route works, but adding the 2nd ISP doesn't.

Static routes and policies are as follows:

 

Static Routes :

0.0.0.0/0.0.0.0, GW: up.ISPa.169.229 using port 5 for ISP-A

0.0.0.0/0.0.0.0, GW: down.SVRa.38.80 using port 6 for Server-Segment-A

up.ISPb.100.28/255.255.255.252, GW: up.ISPb.100.29 using port 1 for ISP-B

down.ISPb.36.144/255.255.255.240, GW: down.SVRb.36.144 using port 2 for Server-Segment-B

 

Policies:

Port1 -> Port 2: all, NAT disabled

Port2 -> Port 1: all, NAT disabled

Port5 -> Port 6: all, NAT disabled

Port6 -> Port 1: all, NAT disabled

 

Should we abandon default route (0.0.0.0/0.0.0.0) and use ISP-A parameters instead?

Does the sequence of static routes matter? i.e. will defining it first cause all traffic to route to the default?

Yeehar
16 REPLIES
parteeksharma

 

Hi Yeehar,

As per the FortiGate behavior, the distance and priority values matter in the selection of the static route. The static route having the lower distance will be preferred. When two routes have an equal distance, the route with the lower priority number will take precedence.



Best regards,
Parteek

vsahu
Staff

Hello Yeehar,


You can check this below document for more information on routing behavior 

https://community.fortinet.com/t5/FortiGate/Technical-Note-Routing-behavior-depending-on-distance-an...

 

* In general terms, whichever route's AD value is lower will be in the routing table; the others will not.

* If two routes have the same AD value and the priority is the same, then the firewall will do ECMP; to have redundancy, change the priority in the route setting.

 

To check routing, use the commands below:

get router info routing-table database  --> to check both active and inactive routes

get router info routing-table details --> shows the active routes the firewall will use to send traffic.

 

Regards,
Vishal
sgClarence

Hi Vishal Sahu,

 

We are trying to combine two edge routers given by two different ISPs into a single FortiGate; is this possible?

 

We have tried specifying two static routes.

When only one ISP is connected, the route works for each ISP configuration.

However, when both were plugged in, all access was blocked, i.e., we tried to ping from a mobile phone to the static IP provided by the respective ISP.

 

Thanks for trying to understand our attempts.

[image: sgClarence_1-1661943830817.png]

 

 

Yeehar
vsahu

Yeehar,

 

* Your topology will work if the route and policy configuration is correct; make sure NAT is enabled in both of the policies that you've configured for WAN1 and WAN2.

Can you share the output of the following, taken when both routers are connected:

get router info routing-table database

get router info routing-table details

show router static

 

 

Regards,
Vishal
sgClarence

Thanks, Vishal Sahu!

We've confirmed that pulling out either port 1&2 or port 5&6 works, i.e. the settings for each respective ISP are working correctly. When both sets are plugged in, none of the public IPs are accessible.

Here's the output:

 

get route info routing-table database
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
> - selected route, * - FIB route, p - stale info

S *> 0.0.0.0/0 [10/0] via 29.51.169.229, port5
*> [10/0] via 120.78.100.29, port1
C *> 121.3.36.144/28 is directly connected, port2
S 121.3.36.144/28 [10/0] via 121.3.36.144, port2
S 29.51.38.80/28 [15/0] via 29.51.38.80, port6
C *> 29.51.38.80/28 is directly connected, port6
C *> 29.51.169.228/30 is directly connected, port5
C *> 129.126.100.28/30 is directly connected, port1
C *> 192.168.1.0/24 is directly connected, port10

get router info routing-table details
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default

S* 0.0.0.0/0 [10/0] via 29.51.169.229, port5
[10/0] via 120.78.100.29, port1
C 121.3.36.144/28 is directly connected, port2
C 29.51.38.80/28 is directly connected, port6
C 29.51.169.228/30 is directly connected, port5
C 129.126.100.28/30 is directly connected, port1
C 192.168.1.0/24 is directly connected, port10

show router static
config router static
    edit 1
        set gateway 29.51.169.229
        set device "port5"
    next
    edit 2
        set dst 29.51.38.80 255.255.255.240
        set gateway 29.51.38.80
        set distance 15
        set device "port6"
    next
    edit 3
        set gateway 120.78.100.29
        set device "port1"
    next
    edit 4
        set dst 121.3.36.144 255.255.255.240
        set gateway 121.3.36.144
        set device "port2"
    next
end

Yeehar
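Applying the distance/priority rules from the replies above to the static routes just posted, as an added example that is not part of the thread and not FortiOS code. It models route selection in plain Python: FortiOS defaults of distance 10 and priority 1 for static routes are assumed, connected networks are taken from the posted routing table, and the exact tie-break is simplified. It reproduces what the posted `database` output shows: the two default routes tie and are both installed (ECMP), while the /28 statics lose to their connected routes. With ECMP, which of the two ISPs a session leaves through is decided by the load-balancing hash, not by which ISP owns the source address; the example also shows that giving one default route a worse priority leaves a single active default.

```python
"""Static-route selection as FortiOS applies it, run over the posted config.

Rules modelled, as stated in the replies: longest prefix match first; among
equal prefixes the lowest administrative distance wins; among equal distances
the lowest priority number wins; routes still tied are installed together as
ECMP.  Connected routes get distance 0.  The default priority value and the
exact tie-break are simplifying assumptions for this illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Route:
    dst: ipaddress.IPv4Network
    device: str
    gateway: Optional[str] = None
    distance: int = 10      # FortiOS default distance for static routes
    priority: int = 1       # assumed default; lower value is preferred
    source: str = "S"       # S = static, C = connected


# The 'show router static' output posted in the thread, verbatim.
SHOW_ROUTER_STATIC = """\
config router static
    edit 1
        set gateway 29.51.169.229
        set device "port5"
    next
    edit 2
        set dst 29.51.38.80 255.255.255.240
        set gateway 29.51.38.80
        set distance 15
        set device "port6"
    next
    edit 3
        set gateway 120.78.100.29
        set device "port1"
    next
    edit 4
        set dst 121.3.36.144 255.255.255.240
        set gateway 121.3.36.144
        set device "port2"
    next
end
"""

# Connected networks from the posted 'get router info routing-table details'.
CONNECTED = [
    ("121.3.36.144/28", "port2"), ("29.51.38.80/28", "port6"),
    ("29.51.169.228/30", "port5"), ("129.126.100.28/30", "port1"),
    ("192.168.1.0/24", "port10"),
]


def parse_static(text):
    """Parse FortiOS 'config router static' blocks into Route objects."""
    routes, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            cur = {"dst": "0.0.0.0/0"}          # no 'set dst' means default route
        elif line == "next" and cur is not None:
            routes.append(Route(dst=ipaddress.ip_network(cur["dst"]),
                                device=cur["device"], gateway=cur.get("gateway"),
                                distance=int(cur.get("distance", 10)),
                                priority=int(cur.get("priority", 1))))
            cur = None
        elif line.startswith("set ") and cur is not None:
            key, _, val = line[4:].partition(" ")
            if key == "dst":
                ip, mask = val.split()
                cur["dst"] = f"{ip}/{mask}"     # ip_network accepts dotted masks
            else:
                cur[key] = val.strip('"')
    return routes


def all_routes(static_text=SHOW_ROUTER_STATIC):
    connected = [Route(ipaddress.ip_network(n), d, distance=0, source="C")
                 for n, d in CONNECTED]
    return connected + parse_static(static_text)


def routing_table(routes):
    """Keep, per prefix, only the routes with the best (distance, priority)."""
    by_prefix = {}
    for r in routes:
        by_prefix.setdefault(r.dst, []).append(r)
    table = {}
    for prefix, cands in by_prefix.items():
        best = min((r.distance, r.priority) for r in cands)
        table[prefix] = [r for r in cands if (r.distance, r.priority) == best]
    return table


def lookup(table, dst):
    """Longest-prefix match; more than one device returned means ECMP."""
    addr = ipaddress.ip_address(dst)
    matches = [p for p in table if addr in p]
    if not matches:
        return []
    best = max(matches, key=lambda p: p.prefixlen)
    return [r.device for r in table[best]]


if __name__ == "__main__":
    table = routing_table(all_routes())
    print("8.8.8.8      ->", lookup(table, "8.8.8.8"))       # ['port5', 'port1']: ECMP
    print("121.3.36.150 ->", lookup(table, "121.3.36.150"))  # ['port2']: connected beats static
    fixed = SHOW_ROUTER_STATIC.replace('set device "port1"',
                                       'set priority 10\n        set device "port1"')
    print("priority 10 on route 3, 8.8.8.8 ->",
          lookup(routing_table(all_routes(fixed)), "8.8.8.8"))  # ['port5']
```

The `fixed` variant corresponds to adding `set priority 10` under `edit 3` on the FortiGate, which is the redundancy arrangement the reply above describes: both default routes stay configured, but only the lower-priority-number one forwards traffic until it goes away.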
vsahu
Staff

Hello Yeehar,

 

The configuration is correct. You can take a flow filter and sniffer when both links are connected and check where the traffic is getting dropped, or whether the firewall is sending the traffic to the next hop or not.

 

> First, enable the flow filter in one SSH session and the sniffer in another session simultaneously.

> Then initiate a ping to 8.8.8.8.

 


Flow filter:

diag debug disable
diag debug reset
diag debug flow filter clear
diag debug flow filter saddr x.x.x.x
diag debug flow filter daddr 8.8.8.8
diag debug flow filter proto 1
diag debug flow show iprop en
diag debug flow show fun en
diag debug flow trace start 1000
diag debug enable

Sniffer:

diag sniffer packet any "host x.x.x.x and host 8.8.8.8 and proto 1" 4 0 a

 

 

Regards,
Vishal
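An added example, not part of the thread and not a Fortinet tool, showing how to read the sniffer output the procedure above produces. At verbose level 4, `diag sniffer packet` prints one line per packet in the form `<timestamp> <interface> <in|out> <src> -> <dst>: <proto>: <details>`; the script below parses such lines and states whether the echo request never left the box (look at the flow trace), left without NAT, left but got no reply (next hop or return path), or completed. The three captures are constructed to illustrate each case and are not from the poster's device; the addresses in them follow the thread's subnets but are assumed.

```python
"""Classify 'diag sniffer packet ... 4' output for an ICMP echo test (added example)."""
import ipaddress
import re
from collections import namedtuple

Pkt = namedtuple("Pkt", "ts iface direction src dst proto info")

# Verbose level 4 lines: <timestamp> <interface> <in|out> <src> -> <dst>: <proto>: <details>
LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<direction>in|out)\s+"
    r"(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+):\s+(?P<proto>\w+):\s*(?P<info>.*)$")


def parse_sniffer(text):
    """Return the packet lines; header lines such as 'interfaces=[any]' are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            d = m.groupdict()
            pkts.append(Pkt(float(d["ts"]), d["iface"], d["direction"],
                            d["src"], d["dst"], d["proto"], d["info"]))
    return pkts


def verdict(pkts, target):
    """Summarise the fate of echo requests to `target` and of their replies."""
    req_in = [p for p in pkts if p.direction == "in" and p.dst == target
              and "echo request" in p.info]
    req_out = [p for p in pkts if p.direction == "out" and p.dst == target
               and "echo request" in p.info]
    rep_in = [p for p in pkts if p.direction == "in" and p.src == target
              and "echo reply" in p.info]
    if not req_in and not req_out:
        return "no echo request seen: the filter or the source address is wrong"
    if req_in and not req_out:
        return (f"request entered on {req_in[0].iface} but never left: "
                "dropped inside the FortiGate, check the flow trace")
    egress = ",".join(sorted({p.iface for p in req_out}))
    # A private source leaving a WAN port will never get an answer from the Internet.
    if all(ipaddress.ip_address(p.src).is_private for p in req_out):
        return (f"request left {egress} with private source {req_out[0].src}: "
                "NAT is disabled on the policy")
    if not rep_in:
        return f"request forwarded out {egress} but no reply returned: next hop or return path problem"
    return f"round trip OK: out {req_out[0].iface}, reply in {rep_in[0].iface}"


# Constructed captures (not from the poster's device).
NO_NAT = """\
interfaces=[any]
filters=[host 192.168.1.50 and host 8.8.8.8 and proto 1]
1.104012 port10 in 192.168.1.50 -> 8.8.8.8: icmp: echo request
1.104066 port5 out 192.168.1.50 -> 8.8.8.8: icmp: echo request
2.104301 port10 in 192.168.1.50 -> 8.8.8.8: icmp: echo request
2.104352 port5 out 192.168.1.50 -> 8.8.8.8: icmp: echo request
"""
OK = """\
1.000100 port10 in 192.168.1.50 -> 8.8.8.8: icmp: echo request
1.000150 port5 out 29.51.169.230 -> 8.8.8.8: icmp: echo request
1.012900 port5 in 8.8.8.8 -> 29.51.169.230: icmp: echo reply
1.012950 port10 out 8.8.8.8 -> 192.168.1.50: icmp: echo reply
"""
DROPPED = """\
1.000100 port10 in 192.168.1.50 -> 8.8.8.8: icmp: echo request
2.000100 port10 in 192.168.1.50 -> 8.8.8.8: icmp: echo request
"""

if __name__ == "__main__":
    for name, cap in (("NO_NAT", NO_NAT), ("OK", OK), ("DROPPED", DROPPED)):
        print(f"{name}: {verdict(parse_sniffer(cap), '8.8.8.8')}")
```

Two practical notes on using this with the procedure above: a ping run from the FortiGate's own CLI is sourced from the egress interface address, not from an internal host, so a sniffer filter on an inside host address will show nothing for it (use `execute ping-options source <ip>` or ping from a host behind the firewall); and with two ISPs attached, the egress interface the script reports tells you which default route the ECMP hash picked for that source.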
sgClarence

Hi Vishal Sahu,

 

We didn't quite follow 8-(

We started an SSH session to set up the diagnostic settings with source address 29.51.38.81, followed by diag sniffer packet any "host 29.51.38.81 and host 8.8.8.8 and proto 1" 4 0 a.

Then at the CLI console in the web interface, we did a ping 8.8.8.8.

 

We are doing this while a single ISP connection is active, to test whether we are setting it up correctly.

There wasn't any result displayed at the SSH session. 

Are we doing it right?

 

Yeehar
rosatechnocrat
Contributor II

Dear sgclarence,

 

You can use the SD-WAN feature to achieve this. If you configure SD-WAN, you will be able to load balance the traffic between both links and also utilize the links based on latency or the applications.

Rosa Technocrat -- Also on YouTube---Please do Subscribe
sgClarence

Hi Rosatechnocrat,

 

SD-WAN seems to be overkill for consolidating two ISP edge routers on a single FortiGate.

Yeehar