sgClarence
New Contributor

Static route not working for 2nd ISP link

We are setting up static IPs from two ISP providers on one FortiGate 300.

The first ISP setup using default static route works, but adding the 2nd ISP doesn't.

Static routes and policies are as follows.

Static Routes :

0.0.0.0/0.0.0.0, GW: up.ISPa.169.229 using port 5 for ISP-A

0.0.0.0/0.0.0.0, GW: down.SVRa.38.80 using port 6 for Server-Segment-A

up.ISPb.100.28/255.255.255.252, GW: up.ISPb.100.29 using port 1 for ISP-B

down.ISPb.36.144/255.255.255.240, GW: down.SVRb.36.144 using port 2 for Server-Segment-B

Policies:

Port1 -> Port 2: all, NAT disabled

Port2 -> Port 1: all, NAT disabled

Port5 -> Port 6: all, NAT disabled

Port6 -> Port 1: all, NAT disabled

Should we abandon the default route (0.0.0.0/0.0.0.0) and use the ISP-A parameters instead?

Does the sequence of static routes matter, i.e. does defining the default route first cause all traffic to be routed to it?

Yeehar
16 REPLIES
vsahu
Staff

You can follow the guides below for reference:

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Using-the-FortiOS-built-in-packet-sn...
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Packet-capture-sniffer/ta-p/198313


You can use this command, but it will show any traffic for pings to 8.8.8.8:

diag sniffer packet any "host 8.8.8.8 and icmp" 4 0 a

Regards,
Vishal
sgClarence

Hi Vishal Sahu,

We managed to observe ping results using one ISP connection via the Port 5/6 set and will try again over the weekend with both ISP services connected 8-)

We've configured Port 7 as 192.168.1.99 with DHCP enabled.

In the static routes, a new entry 192.168.1.99/255.255.255.255 is pointing to 29.52.38.81 (port 6) as the gateway, and the earlier policy forwards all traffic from port 7 to port 6 with NAT enabled.

However, internet is not accessible.

Any idea what additional rules might be required on the FortiGate?

Thanks again for your suggestion.

Yeehar
vsahu

Hello Yeehar,

Can you elaborate on the section "At static route, a new entry 192.168.1.99/255.255.255.255 is pointing to 29.52.38.81 (port 6) as gateway."

Enabling DHCP has nothing to do with the route. Also, you're enabling DHCP on port 7, so why would the route be pointing to port 6?

Also, for internet traffic to flow, a policy from LAN to WAN with NAT enabled is required, and a route is required, so your setup seems correct. Only when both links are connected do we need to check the traffic flow using the sniffer and the flow filter.


Regards,
Vishal
sgClarence

Hi Vishal Sahu,

The static route 192.168.1.99/255.255.255.255 attempts to set 29.52.38.81 (port 6) as the gateway for internet access from the LAN; otherwise the default route to 29.51.169.229 (port 5) takes over, which is no good as this is our ISP downstream port. We would like the public IP of our internet access to be 29.52.38.81 (port 6).

Would a policy route be more appropriate than a static route?

Yeehar
vsahu

Yeehar,

Yes, if you want some subnets to use a different interface for the Internet than all the other LANs, then use policy routing; that's the best option.

Regards,
Vishal
sgClarence

Vishal Sahu,

We have created a policy route instead, which takes incoming interface Port 7, source address 0.0.0.0/0, destination address 0.0.0.0/0, to outgoing interface Port 6 with gateway address 29.52.38.81.

We could ping 29.52.38.81 from the LAN; however, we are unable to ping 8.8.8.8, i.e. no internet access. Did we do the policy route correctly?


Yeehar
vsahu

Yeehar,

Yes, the configuration is correct, but for testing I'd suggest putting only one test machine's IP as the source.

Regards,
Vishal
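For reference, the policy route discussed in this thread, narrowed to a single test host as suggested in the reply above, written out in FortiOS CLI. This is an added example, not configuration from the original posts: the interfaces (port7, port6) and gateway 29.52.38.81 come from the thread, while the test host address 192.168.1.50, the policy names and the policy IDs are assumptions.

```text
# Policy route: evaluated before the static routing table. It matches on the
# ingress interface and the (assumed) test host as source, so only that host's
# traffic is steered out port6 via 29.52.38.81; everything else still follows
# the static routes. Static routes alone cannot do this, as they select a path
# by destination only.
config router policy
    edit 1
        set input-device "port7"
        set src "192.168.1.50/255.255.255.255"
        set dst "0.0.0.0/0.0.0.0"
        set gateway 29.52.38.81
        set output-device "port6"
    next
end

# Firewall policy for the same path, with source NAT to the port6 address
# so return traffic from the Internet comes back on the ISP-B side.
config firewall policy
    edit 10
        set name "port7-to-port6-test"
        set srcintf "port7"
        set dstintf "port6"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

# Verification while pinging 8.8.8.8 from the test host: the sniffer confirms
# the ICMP request actually leaves port6, and the flow trace shows which policy
# route, firewall policy and NAT address were applied.
diagnose sniffer packet port6 "host 8.8.8.8 and icmp" 4 0 a
diagnose debug flow filter saddr 192.168.1.50
diagnose debug flow filter daddr 8.8.8.8
diagnose debug enable
diagnose debug flow trace start 10
```

If the request is seen on port6 but no reply returns, the problem is upstream of the FortiGate (ISP-B routing back to 29.52.38.81's subnet), not the policy route.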