Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Xaak
New Contributor

Trouble with dual wan setup

This is what I'm trying to set up on an Fortigate 60F with firmware version 7.41:

 

Wan1 - multiple static IPs

subnet 192.168.2.0/24 on vlan switch internal on internal 1 port

Administrative Distance: 10 via static route

various inbound and outbound policies.

this contains public facing servers, domain infrastructure and other servers with static ips mostly for inbound.

various inbound and outbound policies.

This part is working fine.

 

What I've set up on wan 2

Wan2 - DHCP

Subnet 192.168.3.0/24 on vlan switch internal1 on internal2 port

Distance 10 via wan2 interface

inbound policy block all ports

outbound policy allow all ports (for now, will lock down once things are working)

This would be PCs, phones and other devices for internet access, with addresses assigned by domain dhcp service.

 

What's happening (while playing around with various settings) is that either wan2 isn't working for internet, or the internet on both interfaces is completely hosed.

 

Also required, bidirectional access between vlan switches, which I haven't tried to set up yet.

 

What am I doing wrong?

 

 

 

 

 

 

1 Solution
Toshi_Esumi

18 REPLIES 18
Toshi_Esumi

So, the two parallel default routes are ok. But the last line doesn't make sense.
"C 192.168.3.0/24 is directly connected, Internal wan2"

It is not bound to either "internal1" vlan switch you mentioned or "internal2" physical interface. What exactly did you configure on both "internal" and "wan2" interfaces?

Go to "config sys int" then "edit internal" -> "show", then "next"->"edit wan2"->"show".
you can get out with "end" at the end.

 

Toshi

Xaak

Ok, I deleted the previous internal1 because it was mentioned in a previous post that the name could be a problem.  Then I created a new virtual switch "internal wan2".  it is bound to the interface internal2.

Toshi_Esumi

Then that's fine. Now you need to have two policy routes from internal to wan1 and "internal wan2" to wan2. You can configure them in GUI. Should be under "Network" menu. How to create them should be relatively self-explanatory.

 

Toshi

Toshi_Esumi

You probably still need to have regular policies to allow traffic to both wan1 and wan2. But I think you already have them. But just missing policy routes.

Xaak

What policy routes am I missing?

 

Toshi_Esumi

Toshi_Esumi

I forgot to tell but you have to enable Advanced Routing at Feature Visibility like below to see Policy Route menu.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-the-firewall-Policy-Routes/ta-...

Xaak

I figured out the advanced routing thing, set it up, and I'm all good now.  Both wans are being routed correctly now.  Thanks for your patience and help.

Toshi_Esumi

After you figured out, I just found a KB that seems to be for the same scenario. I should have found this at the beginning.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Policy-routes-with-multiple-ISP/ta-p/21094...

Tonight I've been working for our FGTs upgrade maintenance, so I searched these references inbetween cluster upgrades.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors