We are setting up static IPs from two ISP provider on one Forgitate 300.
The first ISP setup using default static route works, but adding the 2nd ISP doesn't.
Static routes and Policies are as follow
Static Routes :
0.0.0.0/0.0.0.0, GW: up.ISPa.169.229 using port 5 for ISP-A
0.0.0.0/0.0.0.0, GW: down.SVRa.38.80 using port 6 for Server-Segment-A
up.ISPb.100.28/255.255.255.252, GW: up.ISPb.100.29 using port 1 for ISP-B
down.ISPb.36.144/255.255.255.240, GW: down.SVRb.36.144 using port 2 for Server-Segment-B
Policies:
Port1 -> Port 2: all, NAT disabled
Port2 -> Port 1: all, NAT disabled
Port5 -> Port 6: all, NAT disabled
Port6 -> Port 1: all, NAT disabled
Should we abandon default route (0.0.0.0/0.0.0.0) and use ISP-A parameters instead?
Does the sequence of static route matter? i.e. by define it first will cause all traffic to route to default?
Hi Yeehar,
As per the fortigate behavior the distance and priority value matters in the selection of the static route. The static route having lower distance will be preferred. When two routes have an equal distance, the route with the lower priority number will take precedence.
Best regards,
Parteek
Hello Yeehar,
You can check this below document for more information on routing behavior
* In general terms whichever route AD value is less will be in the routing table others will not
* If two routes have the same AD value and Priority is same then the firewall will do ECMP, to have redundancy change the Priority in the route setting
To check routing use the below command:
get route info routing-table database --> to check active and inactive both routes
get router info routing-table details --> It will show active route which firewall will use to send traffic.
Regards,
Created on 08-31-2022 03:57 AM Edited on 08-31-2022 04:04 AM
Hi Vishal Sahu,
We are trying to combine two edge routers giving by two different ISP into a single Fortigate, is this possible?
We have tried specifying two static routes.
When only one ISP is connected, the route works for each ISP configuration.
However, when both were plug in, all access are blocked, i.e, we tried to ping from mobile phone to the static IP provided by respective ISP.
Thanks for trying understand our attempts.
Yeehar,
* Your topology will work if the route and policy configuration is correct, make sure NAT is enabled in both the policy that you've configured for WAN1 and WAN2.
Can you share the output of, when both routers are connected
get route info routing-table database
get router info routing-table details
show router static
Thanks, Vishal Sahu!
We've confirmed that pulling out either port 1&2 or port 5&6 works, i.e. each settings for respective ISP is working correctly. When both sets are plugged in, all public IP are not accessible.
Here's the output
get route info routing-table database
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
> - selected route, * - FIB route, p - stale info
S *> 0.0.0.0/0 [10/0] via 29.51.169.229, port5
*> [10/0] via 120.78.100.29, port1
C *> 121.3.36.144/28 is directly connected, port2
S 121.3.36.144/28 [10/0] via 121.3.36.144, port2
S 29.51.38.80/28 [15/0] via 29.51.38.80, port6
C *> 29.51.38.80/28 is directly connected, port6
C *> 29.51.169.228/30 is directly connected, port5
C *> 129.126.100.28/30 is directly connected, port1
C *> 192.168.1.0/24 is directly connected, port10
get router info routing-table details
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
S* 0.0.0.0/0 [10/0] via 29.51.169.229, port5
[10/0] via 120.78.100.29, port1
C 121.3.36.144/28 is directly connected, port2
C 29.51.38.80/28 is directly connected, port6
C 29.51.169.228/30 is directly connected, port5
C 129.126.100.28/30 is directly connected, port1
C 192.168.1.0/24 is directly connected, port10
show router static
config router static
edit 1
set gateway 29.51.169.229
set device "port5"
next
edit 2
set dst 29.51.38.80 255.255.255.240
set gateway 29.51.38.80
set distance 15
set device "port6"
next
edit 3
set gateway 120.78.100.29
set device "port1"
next
edit 4
set dst 121.3.36.144 255.255.255.240
set gateway 121.3.36.144
set device "port2"
next
end
Hello Yeehar,
The configuration is correct you can take a flow filter and snifer when both the links are connected and check where it's getting dropped, or firewall is sending the traffic to the next hop or not.
> First enable the flow filter in one SSH and Sniffer in another session simultaneously
> Then initiate the ping to 8.8.8.8
Flow filter:
diag debug disable
diag debug reset
diag debug flow filter clear
diag debug flow filter saddr x.x.x.x
diag debug flow filter daddr 8.8.8.8
diag debug flow filter proto 1
diag debug flow show iprop en
diag debug flow show fun en
diag debug flow trace start 1000
diag debug enable
Sniffer:
diag sniffer packet any "host x.x.x.x and host 8.8.8.8 and proto 1" 4 0 a
Hi Vishal Sahu,
We didn't quite follow 8-(
we started a SSH session to setup the diagnostic settings at source address 29.51.38.81 followed by diag sniffer packet any "host 29.51.38.81 and host 8.8.8.8 and proto 1" 4 0 a.
Then at the CLI console in the web interface, we did a ping 8.8.8.8.
We are doing while single ISP connection is active to test if we are setting up correctly.
There wasn't any result displayed at the SSH session.
Are we doing it right?
Dear sgclarence,
You can use the SDWAN feature to achieve this. If you configure SDWAN you will be able to load balance the traffic between both the links and also can utilize the links based on latency or the applications.
Created on 09-01-2022 05:23 PM Edited on 09-01-2022 05:36 PM
Hi Rosatechnocrat,
SDWAN seems to be an overkill for consolidating two ISP edge routers on a single Fortigate.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1737 | |
1107 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.