Hi everyone out there good day.
My name is John and therefore i got an issue that i need the forum help
I got a fortigate 500D therefore im configuring Load Balance with two isp, but right now im stacked at point where im prompted to Edit the wan link load balance interfaces, exactly where i have to add and Adit wan 1 and wan 2. but when i click on creat new in order to Add interfave Member, on onterfaces i can only see the wan2 which is my new or Second isp connection, as the wan 1 that already existes as my default primary isp DoesNot apears there. So on Add interfaces, the wan 1 (my default isp already running) it doesnt appear to be add on wan link load balance interface Member, so then i can creat the policies for both interfaces connections.
Though i read a video where they say, i should go to; System--Interfaces and then delete all the policies on those interface that will join Member like Wan 1 and Wan2.. but i got so much Policies on that interface, that i cannot affort to delete it, as im not expert on it too, to later on configure all those policies again. Can you help me on How do I Go About that? to have both connectins (two ISP working?) Thank you in advanced and soory for disturbing John Lemon
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hello John,
The issue here as you explained you need to remove any object using WAN1 before it becomes available as load balancing member.
I think the best option is to configure ECMP load balancing (check following links) :
You have to enable Advanced Routing Feature under "System >> Config >> Features" to see "Router" tab then browse to "Static >> Settings"
Regards,
Hi Awasfi.
plenty of thanx for your kind reply Sir. i really fully appreciate so much.
Listen, please do allow me to go through the attached links and get back to you as sooner as possible
For now
Kind regards
John
The link I provided earlier for v5.2, I think your FortiGate on v5.0. Please check the following:
Hi Awasfi!!
thank you so much for your effort.
I will go through the bellow link and will revert back to you sooner.
once again thank you so much
John
Hi Awasfi!
Once again, thanx alot for your reply.
Well i went through the links you have attached and things didnt go that well as expected and here i explain:
1º. As you said, i should activate the Advanced Routing Feature. Thats Already Activated since then.
2º. As for Configure ECMP Load balancing Method.
When Going to: Router>>Static>> Settings, it doent appears ECMP feature, it only show the Link Health Monitor option to creat a new one.
I have attached two images that show the exemple of the two explanations i mentioned here.
So, is there any other way i can configure Load Balance by adding WAN 1(which already exist and has route and other policy object already configured) to Join INTERFACE MEMBER? without Removing none of those objects on WAN1?? before it eventually becomes available as load balancing member.?
Coz i can delete them all....but, as i said, im new to the fortigate industry and got no that much expearince, and might struggle later on to have it reconfigured its policies again.
Please help
John
Hi Awasfi!
Once again, thanx alot for your reply.
Well i went through the links you have attached and things didnt go that well as expected and here i explain:
1º. As you said, i should activate the Advanced Routing Feature. Thats Already Activated since then.
2º. As for Configure ECMP Load balancing Method.
When Going to: Router>>Static>> Settings, it doent appears ECMP feature, it only show the Link Health Monitor option to creat a new one.
I have attached two images that show the exemple of the two explanations i mentioned here.
So, is there any other way i can configure Load Balance by adding WAN 1(which already exist and has route and other policy object already configured) to Join INTERFACE MEMBER? without Removing none of those objects on WAN1?? before it eventually becomes available as load balancing member.?
Coz i can delete them all....but, as i said, im new to the fortigate industry and got no that much expearince, and might struggle later on to have it reconfigured its policies again.
my fortigate version is v5.2.2
Please help
John
Hi all
here my view:
I do not recommend to use the WAN Link Load Balancing function instead do it manually and you do not have to delete any rule etc. or/and any interfaces etc. What you can do manually is actually exactly the same as done under WAN Link Load Balancing but more granular and flexible. What I do is following:
1. Configure both interfaces like wan1 and/or wan2. If you do static or DHCP or PPPoE does not matter. What you have to be careful is that for DHCP and/or PPPoE the "distance" is set to 10 (unter interface config over gui). This means every route in FGT is by default distance 10 priority 0. If it is a dynamic interface the distance has to be set under the interface config. For dynamic interface you can activate retrieve default gateway from ISP no problem as long as you set the distance to 10. Do not activate overrite internal DNS server. Why you will see later!
2. If static configuration for interface do static routing for default gateway for both interfaces like wan1 and wan2. Also here have a look to distance 10 and priority 0.
3. If both ISP are up and for dynamic interfaces distance is set to 10 as static routing is set to distance 10 as priority 0 you have ECMP which means Equal Cost Multipathing which means Source based IP routing.
4. Now check your routing monitor if both interfaces of ISP are up and running and you will recognize that you will have 2 default gateways up and running with distance 10 priority 0. If not so please check again distance and priority config for static route as interfacces. If you modify whatever in routing please bring routing table up to date:
# execute router restart
5. Now you have to tell FGT if a interface wan1 and/or wan2 is up and running. This is done with Dead Gateway Detection or under 5.2 with Link Monitoring. This is configured under "Router > Static > Settings". For both interface meaning for wan1 and wan2 do a config using a server/routing which you ping. You can for testing use 8.8.8.8 but you should not. Do not use the routing in front of the firewall use a router in the internet which means: best is one which cross your ISP to be sure that in case the ISP have a routing problem the interface goes done etc. Be also careful that you do NOT define the default gateway within this config leave it as 0.0.0.0. This means default gateway for interface is taken by routing table which is important by dynamic config like DHCP PPPoE. Check after config the routing table again and if your ping server is available you will have still two entries meaning default gateways. If one of the ping server is not available FGT goes to routing table and removes the corresponding entry for the interface meaning default gateway and you will have after that only one. If the ping server comes again up the default gateway of the interface will be added again. This happens for dynamic interface config or/and static routing.
6. Now what is important is to know how FGT is doing routing which means FGT is doing following for routing:
0) Routing Cache 1) Policy Route 2) Longest Match 3) Distance 4) Priority 5) Metric (Dynamisches Routing) 6) ECMP (Equal Cost Multiple Path)
If you look to the list above you will recognise that we have overall equal which means this is the reason we have at the moment ECMP because of having same Distance, Priority, Longest Match, Metric etc. ECMP does by RFC Source based IP which means more or less round robing ones wan1 and for another wan2 etc. This is not usable which means we do Policy Routing which means: Go to Router > Static > Policy Route and config a entry like:
Activate TCP
Source IP LAN IP
Destination 0.0.0.0
Source Port 0 - 65535
Destination Port 0 - 65535
Interface wan1
Default Gateway 0.0.0. (do not define IP for Default Gateway leave 0.0.0.0)
If you define so all TCP based Ports 0 - 65535 will use wan1 without exception. If you need UDP do the same. What is important for this config is following:
DO NOT USE FOR PROTOCOL "ANY" never use this position because ANY does not mean any Protocol ANY means whatever you configure in any time for any situation wan1 is used neverless if you have a dmz that traffic goes over wan1 and dmz is not anymore accessible. From this point of view NEVER NEVER use ANY! Now define for whatever you need configs for Policy Route for wan1 and/or wan2 based on Source, Destination, Protocoll etc. and NOTE always for this table:
Top - Down - first match wins
From this point of view lets imaging you will use second line for VoIP only and first line for whatever you configure three Policy Routes:
Activate UDP
Source IP LAN IP
Destination [VoIP Controller IP or 0.0.0.0]
Source Port 0 - 65535
Destination Port 5060 -5060
Interface wan2
Default Gateway 0.0.0. (do not define IP for Default Gateway leave 0.0.0.0)
Activate TCP
Source IP LAN IP
Destination 0.0.0.0
Source Port 0 - 65535
Destination Port 0 - 65535
Interface wan1
Default Gateway 0.0.0. (do not define IP for Default Gateway leave 0.0.0.0)
Activate UDP
Source IP LAN IP
Destination 0.0.0.0
Source Port 0 - 65535
Destination Port 0 - 65535
Interface wan1
Default Gateway 0.0.0. (do not define IP for Default Gateway leave 0.0.0.0)
Thats it.....on CLI you can also block or under 5.2 negate rules! Keep in mind: All what you not define which means what will be not matching in Policy Routes will be using the routing table. This is the reason you have only to define main path not second path which means: If you define for wan1 all TCP Ports and wan1 will go done the traffic goes automatically to wan2 because we have only default gateway left and the traffic HAS TO GO OVER this DEFAULT GATEWAY. If you acceppt the traffic is another question :)
7. At least and a final step implement Firewall Policy Rule which allows the traffic or even block. This means if you want to allow over wan2 the VoIP traffic but you do not want that this traffic goes over wan1 in case of failover you implement first a rule which allows the traffic over wan2 and after this rule a rule which blocks the traffic over wan1.
This configuration can be done without deleting rule or interfaces or whatever. If at later phase a third ISP is coming no problem do so on the fly. What you have at least be careful is following:
- Go all through your service like smtp, voip etc. ask yourself if it will work if the traffic goes over another interface like: SMTP is going over wan1 MX exists. Do we have a MX for wan2? If VoIP goes over wan2 wil the VoIP provider accept the traffic coming over wan1? And so on........! Another problem you have to solve is the dns problem which means: under normal circumstances you can not define dns server from ISP wan1 and/or wan2. Here in switzerland the ISP's will not accept dns requests from wan2 going to wan1 etc. etc. The only solution is to define on the FGT for system DNS server a internal DNS server like the Active Directory. In the Active Directory you will have for none local domains a forwarder which is defined with some ISP dns servers. Remove them and add "root" dns servers because everyone of the world can ask from wherever he comes the "root" dns servers. In this way you will not have any dns issue.
Thats it...flexible...easy to configure and easy to control.
have fun
Andrea
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1713 | |
1093 | |
752 | |
447 | |
231 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.