This is what I'm trying to set up on a FortiGate 60F with firmware version 7.41:
Wan1 - multiple static IPs
subnet 192.168.2.0/24 on vlan switch internal on internal 1 port
Administrative Distance: 10 via static route
various inbound and outbound policies.
This contains public-facing servers, domain infrastructure and other servers with static IPs, mostly for inbound.
This part is working fine.
What I've set up on wan2:
Wan2 - DHCP
Subnet 192.168.3.0/24 on vlan switch internal1 on internal2 port
Distance 10 via wan2 interface
inbound policy block all ports
outbound policy allow all ports (for now, will lock down once things are working)
This would be PCs, phones and other devices for internet access, with addresses assigned by the domain DHCP service.
What's happening (while playing around with various settings) is that either wan2 isn't working for internet, or the internet on both interfaces is completely hosed.
Also required, bidirectional access between vlan switches, which I haven't tried to set up yet.
What am I doing wrong?
Have you configured like below already?
https://docs.fortinet.com/document/fortigate/7.4.1/administration-guide/144044/policy-routes
Hi @Xaak
What is your intention? Do you want the dual WAN setup for redundancy?
If yes, then you need to change the administrative distance on WAN2 ("Distance 10 via wan2 interface"), because currently both WANs are configured with the value 10 (the lower the value, the higher the priority).
No, I want each wan port to have its own vlan switch and subnet that can access it.
Servers use wan1 and pcs and other devices use wan2.
Your description of the setup is troubling me. You have to separate the WAN side and the LAN side when you describe them, unless you configured policy routes to bind the LAN1 subnet to use WAN1 and the LAN2 subnet to use WAN2.
For WAN side, WAN1's IP is configured statically out of multiple available IPs on the circuit, while WAN2 pulls an IP from your ISP via DHCP. This part is clear.
For the LAN side, by default the FG60F has the "internal" VLAN switch interface configured, and it includes all internal1 - 5 physical interfaces as members. And all VLAN subinterfaces you configure on "internal" would be spread/shared across all of those internal1 - 5 interfaces (or ports, as you might call them). So unless you remove the "internal2" interface from the "internal" VLAN switch, you can't (or can, but it is not effective) configure an IP like 192.168.2.1/24 on the internal2 interface.
Is this what you configured, or different?
Toshi
Vlan switch internal has only Internal1 (port 1 as I called it). Vlan switch internal1 has only internal2 (port 2 as I called it). The remaining internal interfaces are currently unmapped.
Created on 11-30-2023 05:22 PM Edited on 11-30-2023 05:27 PM
I don't think you can use the same name "internal1" for a new VLAN switch interface while the internal1 physical interface still exists as a member of the internal VLAN interface.
Or maybe it's allowed, but it's confusing.
And you look like you intend to bind LAN1 to wan1 and LAN2 to wan2. Then you have to have two policy routes.
Make sure two default routes exist in the routing table in the CLI ("get router info routing-table all") for both wan1 and wan2.
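As an added example (not part of Toshi's reply or the original poster's configuration), here is what the two policy routes and the surrounding pieces could look like in FortiOS CLI. It keeps the poster's interface naming ("internal" carries 192.168.2.0/24 and should use wan1, "internal1" carries 192.168.3.0/24 and should use wan2); the wan1 gateway 203.0.113.1, the address object names LAN1_net/LAN2_net and the policy/edit numbers are placeholders chosen for this example. It also adds the two "deny" policy routes that keep LAN-to-LAN traffic on the normal routing table, which the poster will need once the inter-VLAN access from the question is set up.

```fortios
# Added example, not from the thread. Interface names follow the OP;
# 203.0.113.1, LAN1_net, LAN2_net and all edit numbers are placeholders.

# Both default routes must be active at the same distance: a policy route
# is only applied when the routing table has a route via its output-device.
config router static
    edit 1
        set gateway 203.0.113.1
        set device "wan1"
        set distance 10
    next
end
config system interface
    edit "wan2"
        set mode dhcp
        set distance 10
    next
end

# Policy routes are matched top-down. Entries 1 and 2 make LAN-to-LAN
# traffic skip policy routing (action deny = fall back to the routing
# table); otherwise the dst 0.0.0.0/0 entries below would send
# 192.168.2.0/24 -> 192.168.3.0/24 traffic out of wan1.
config router policy
    edit 1
        set input-device "internal"
        set src "192.168.2.0/255.255.255.0"
        set dst "192.168.3.0/255.255.255.0"
        set action deny
    next
    edit 2
        set input-device "internal1"
        set src "192.168.3.0/255.255.255.0"
        set dst "192.168.2.0/255.255.255.0"
        set action deny
    next
    edit 3
        set input-device "internal"
        set src "192.168.2.0/255.255.255.0"
        set dst "0.0.0.0/0.0.0.0"
        set gateway 203.0.113.1
        set output-device "wan1"
    next
    edit 4
        # wan2 is DHCP, so no static gateway: the gateway learned on wan2 is used.
        set input-device "internal1"
        set src "192.168.3.0/255.255.255.0"
        set dst "0.0.0.0/0.0.0.0"
        set output-device "wan2"
    next
end

# Policy routes only steer traffic; firewall policies still have to allow it.
config firewall address
    edit "LAN1_net"
        set subnet 192.168.2.0 255.255.255.0
    next
    edit "LAN2_net"
        set subnet 192.168.3.0 255.255.255.0
    next
end
config firewall policy
    edit 10
        set name "LAN2-to-wan2"
        set srcintf "internal1"
        set dstintf "wan2"
        set srcaddr "LAN2_net"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 11
        set name "LAN1-to-LAN2"
        set srcintf "internal"
        set dstintf "internal1"
        set srcaddr "LAN1_net"
        set dstaddr "LAN2_net"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 12
        set name "LAN2-to-LAN1"
        set srcintf "internal1"
        set dstintf "internal"
        set srcaddr "LAN2_net"
        set dstaddr "LAN1_net"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# Verify: both default routes should be listed, then the installed policy routes.
# get router info routing-table all
# diagnose firewall proute list
```

Two checks worth doing after applying this: "get router info routing-table all" should show both 0.0.0.0/0 entries under one S* line (as in the output later in this thread), and "diagnose firewall proute list" should list all four policy routes with non-zero hit counters once traffic flows. If wan2 were given a worse distance than wan1, its default route would drop out of the active routing table and policy route 4 would silently stop matching, which is one way to get the "wan2 isn't working for internet" symptom described in the question.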
The second wan is dhcp. From what I understand it automatically creates the route.
Created on 11-30-2023 07:33 PM Edited on 11-30-2023 07:36 PM
You still need to make sure it doesn't override the wan1 default route and isn't overridden by it. It's just a simple CLI command to see it. It should show like below; it's at the top of the output. My case is SD-WAN with two static default routes and different weights (20 and 1).
fg40f-utm (root) # get router info routing-t all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
Routing table for VRF=0
S* 0.0.0.0/0 [1/0] via x.x.x.x, ppp3, [1/20]
[1/0] via y.y.y.y, a, [1/1]
---<snip>----
Toshi
Fortinet_Gateway # get router info routing-t all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
V - BGP VPNv4
* - candidate default
Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via xx.xx.xxx.xx, wan1, [1/0]
[10/0] via xx.xxx.xxx.x, wan2, [1/0]
C xx.xx.xxx.xx/xx is directly connected, wan1
C xx.xxx.xxx.x/xx is directly connected, wan2
C xxx.xxx.x.x/xx is directly connected, IPSEC Remote
C 192.168.2.0/24 is directly connected, internal
C 192.168.3.0/24 is directly connected, Internal wan2