Support Forum
marcual_j
New Contributor

Two Internet connections

Hello,

I have two different Internet connections with two different ISPs. I want to use one connection for some users and the other for other users, all of them in the same network, but I don't want to load balance: the users that go out through connection1 should always go out through that connection.

I have one default static route 0.0.0.0/0.0.0.0 to one of these connections, but I don't know how I can create the other routes, because they always affect all connections.

I've tried policy routes, but I have the same problem.

Does anyone know how I can set this up on a FortiGate?

Best regards,

Josep

 

 

Sunil_Panchal_NSE7
New Contributor III

Dear friend,

It's not a big deal; you only need to specify the user range, like this:

You have two ISP networks on two different WAN ports.

So what you do is: you have an internal range like 192.168.1.1-192.168.1.254, OK?

Then split the users by creating address objects for half of the IPs and create a policy for that special half of the users.

You will have a specific IP range dedicated 1-to-1 to a WAN line.

You just need to be careful about whom you want to assign to what.

marcual_j

Thank you for your answer.

The problem is always with the default route, because in the default route I have to indicate the default gateway. Each Internet connection has a different default gateway and I cannot define a different default route per user.

Best regards

 

 

MikePruett

Depending on the version of code you are running, you can set up WAN Link Load Balancing. From there you are able to set your default route to this new interface (which is made up of the two individual WANs); you can then assign how you want it to do load balancing across the connections. Then you can set rules saying if source A is trying to go to dest A, use WAN1, etc.

If you want source-determined routing you could just do some policy-based routes that say all traffic from SUBNETA goes out WAN1 and all traffic from SUBNETB goes out WAN2.

Let me know if this helps you out or not (I write in stream of consciousness so I don't always clearly convey what I'm trying to say lol).

 

 

Mike Pruett Fortinet GURU | Fortinet Training Videos
marcual_j

Thanks for your answer.

I think it is the best solution, but the problem is I don't have the option to create WAN Link Load Balancing.

I'm using a FortiGate 200D.

Best regards

Josep

ede_pfau
Esteemed Contributor III

Actually, with some help from the CLI, you can have 2 working default routes at the same time. Define both with the same distance. Now change to the CLI (console) and enter

    config router static
        edit <n1>
            set priority 15
        next
        edit <n2>
            set priority 16
        next
    end

Check with the Routing monitor that now there are 2 default routes, possibly with 2 gateways.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
marcual_j

Thank you for your answer.

But in this case, if I define two default routes with different priorities, I cannot choose who uses one or the other, can I?

BR

Josep

ede_pfau
Esteemed Contributor III

No, I think you'll have to use different IP ranges to group your users if you want to go that path. I just wanted to show how you can keep 2 default routes to 2 different gateways at the same time. You'd have to use Policy Routes to route depending on source address.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
Carl_Wallmark

There is one more option: auth-path.

You authenticate your users with RADIUS, and based on who they are they will be routed to the correct interface. It was introduced a long time ago, but it is still active in 5.4.1 :)

http://kb.fortinet.com/kb/documentLink.do?externalID=13610

 

FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C

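An added example of the auth-path option Carl mentions; this is not code from the thread or from the linked KB article. It assumes FortiOS 5.x CLI syntax and hypothetical values for the RADIUS server (192.0.2.10), the interfaces (internal, wan1, wan2) and the ISP2 gateway (198.51.100.1). It also assumes that the RADIUS Access-Accept ties the user to the path by returning the Fortinet vendor attribute Fortinet-Interface-Name (vendor ID 12356) set to the auth-path name; confirm the exact attribute against the KB article above before relying on it.

```fortios
# Added example (not from the thread): authentication-based routing (auth-path).
# Hypothetical values: RADIUS 192.0.2.10, interfaces internal/wan1/wan2,
# ISP2 gateway 198.51.100.1. FortiOS 5.x syntax; check your release.

# 1. RADIUS server and a user group the firewall policy can authenticate against.
config user radius
    edit "corp-radius"
        set server "192.0.2.10"
        set secret <shared-secret>
    next
end

config user group
    edit "radius-users"
        set member "corp-radius"
    next
end

# 2. The auth-path. A user whose Access-Accept names this path (assumed:
#    Fortinet-Interface-Name = "isp2") is sent out wan2 regardless of which
#    static default route is preferred; everyone else follows the routing table.
config router auth-path
    edit "isp2"
        set device "wan2"
        set gateway 198.51.100.1
    next
end

# 3. One identity-based policy that permits egress on either WAN, so the path
#    chosen at authentication time is not blocked by the policy lookup.
config firewall policy
    edit 10
        set srcintf "internal"
        set dstintf "wan1" "wan2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "radius-users"
        set nat enable
    next
end
```

On the RADIUS side, a user who should leave via ISP2 needs the vendor attribute in the reply (for FreeRADIUS, a users-file line such as `Fortinet-Interface-Name = "isp2"` under that user; again an assumption to verify against the KB). Users without the attribute keep following the normal default route. `diagnose firewall auth list` shows who is currently authenticated and through which policy, which is the first thing to check if a user ends up on the wrong ISP.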
Jeff_Roback

I just finished researching this in depth for our team, so here's a summary of what I found out about this. This is derived from the manuals and several different KBs. Forgive the formatting... it's cut and pasted, but hopefully this is helpful.

Setting up Fortinet FortiGate firewalls for dual WAN scenarios with >=2 Internet connections

General strategy for setup:

1. Static default route for each WAN interface (explanation of why is below)
   • same distance for each route
   • different priority for each route (lower priority wins)

2. Link health monitor for each route.
   • This is what allows the route to be removed from the routing table if the link is unusable.
   • The route gets removed from the routing table if the IPs given here aren't reachable.

3. Policy route for traffic that should use the secondary interface (the one with the higher priority)
   • MUST leave the default gateway as 0.0.0.0
   • This allows it to be removed if that interface goes down.

Traffic flows like this:

1. Routes specify where to send traffic.
   • This will generally be an interface (wan1, wan2, lan, etc.) or a VPN tunnel to a remote site.
   • The VPN appears as a virtual interface just like an Internet connection.

   Routing notes:
   • Each policy route is inspected top to bottom. As soon as one matches, it wins and traffic goes that way.
   • If a policy route refers to an interface that is down (via the link health monitor) then it will be skipped.
   • If no policy route matches, then inspect each static route, going from the lowest priority up. As soon as traffic matches, it goes that way.

   Note: If you need certain traffic to skip the priority routes (for example forcing certain IPs to use the primary route even though there's a policy route to send that subnet via the secondary route), you can put an entry HIGHER in the list of policy routes for the IP(s) that says "stop policy routing".

2. Policies specify what is done to the traffic as it passes this interface:
   • Check if traffic is allowed to pass, by source address, destination address, or port
   • What inspection should be done on that traffic (AV, website blocking)
   • NAT of the source IP address (sNAT): changing the private 10.x.x.x address to a public IP address

DIRECTION of traffic from the FortiGate's perspective is important to understand:

   • In general, keep in mind that with the FortiGate we are always thinking of traffic in terms of where the traffic first originated (i.e. which machine asked for the traffic).
   • When an end user is watching a YouTube video, that is controlled by a policy from LAN to WAN. The FortiGate catches the outbound request for the traffic from the user and automatically associates all the inbound traffic from WAN to LAN with that original session. No settings are needed for WAN to LAN for this traffic; even though most of the traffic is flowing from the Internet to the user, it is considered LAN to WAN traffic. Note this uses the sNAT indicated in the WAN to LAN policy to change the source address of the traffic to appear to be coming from a public address; the IP Pool selected in the policy does this.
   • When someone on the Internet connects to the Exchange server, this is controlled by a policy from WAN to LAN. The FortiGate catches the inbound request from WAN to LAN and automatically allows returning traffic from the server back to the Internet client.
   • Even though most of the traffic will be going from the email server (LAN) to the client (WAN), this is considered a WAN to LAN flow, since it was initiated on the WAN.
   • In this case, the DESTINATION IP is changed (the public IP used by the client on the Internet is mapped to the private IP of the email server using a Virtual IP). This is controlled by the Virtual IP.
   • Servers that also initiate traffic to the Internet and need to use a specific public IP address (like email servers sending SMTP messages out) also need to be set up like clients, so they will also have their own LAN to WAN policy rule with a dedicated IP address (using an IP Pool).

NAT notes:

   IP Pools: used to change the source IP address for outbound traffic, e.g. a client browsing the Internet.

   Virtual IP: used to change the destination IP address for inbound traffic, e.g. giving a public IP address to an internal server.

Fortinet FortiGate routing methodology:

Here's the reasoning for this:

Static routes in the Fortinet have a Distance and a Priority.

For multiple routes:

   Distance    Priority    Result                                                                             Good thing?
   Same        Same        Load is shared across both links (ECMP)                                            No... no control of traffic
   Different   Same        Routing table will only have the route with the lower distance                     No, one link can't be used
   Same        Different   Routing table has both routes, but will only use the one with the lower priority   Yes!

So having two routes with the same distance and one having a lower priority will do this:

By default, traffic will go out the route with the LOWER priority (yes, it's backwards).
   • The unused secondary route needs to be in the routing table to allow traffic to be hard-coded to this interface and to allow management on either interface.
   • Without this route, incoming traffic fails reverse lookup... the router won't accept traffic from somewhere it can't route to. It just has to see that this route exists and it will allow the traffic. If the distances were different, the higher route would not appear in the routing table.

Jeff Roback
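A complete worked configuration of the three-step strategy above, added here as an example; it is not from Jeff's post, the thread, or Fortinet documentation. It also covers Mike's earlier suggestion of policy routes keyed on source subnet. Everything in it is hypothetical: FortiOS 5.4-era CLI syntax, users on "internal" in 192.168.1.0/24, ISP1 on wan1 with gateway 203.0.113.1, ISP2 on wan2 with gateway 198.51.100.1, one reachable upstream host per ISP as the monitor target (203.0.113.10 and 198.51.100.10), the upper half of the subnet pinned to ISP2, and a single host 192.168.1.200 inside that half that must stay on ISP1. Option names and the `set src` form differ slightly between releases, so check `config router policy` on your build.

```fortios
# Added example (not from the thread). Hypothetical values: wan1/ISP1 gateway
# 203.0.113.1, wan2/ISP2 gateway 198.51.100.1, users on "internal" in
# 192.168.1.0/24, monitor targets 203.0.113.10 and 198.51.100.10.
# FortiOS 5.4-era syntax; option names vary slightly between releases.

# 1. Two default routes: SAME distance (both stay in the routing table),
#    DIFFERENT priority (lower value wins, so wan1 is the normal path).
#    Users in 192.168.1.0/25 need nothing else: they follow this route.
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 203.0.113.1
        set device "wan1"
        set distance 10
        set priority 5
    next
    edit 2
        set dst 0.0.0.0 0.0.0.0
        set gateway 198.51.100.1
        set device "wan2"
        set distance 10
        set priority 10
    next
end

# 2. A link health monitor per WAN. When the target stops answering, the
#    static route on that interface is withdrawn, so policy routes pointing
#    at the interface are skipped and its users fall back to the other WAN.
config system link-monitor
    edit "mon_wan1"
        set srcintf "wan1"
        set server "203.0.113.10"
        set gateway-ip 203.0.113.1
        set protocol ping
        set interval 5
        set failtime 3
        set update-static-route enable
    next
    edit "mon_wan2"
        set srcintf "wan2"
        set server "198.51.100.10"
        set gateway-ip 198.51.100.1
        set protocol ping
        set interval 5
        set failtime 3
        set update-static-route enable
    next
end

# 3. Policy routes, evaluated top to bottom. Entry 1 is the "stop policy
#    routing" exception for the one host that must keep the primary route;
#    entry 2 sends the upper half of the subnet out wan2. Gateway stays
#    0.0.0.0 so the next hop is resolved from the routing table and the
#    entry is ignored once the monitor withdraws the wan2 default route.
config router policy
    edit 1
        set input-device "internal"
        set src "192.168.1.200/255.255.255.255"
        set action deny
    next
    edit 2
        set input-device "internal"
        set src "192.168.1.128/255.255.255.128"
        set gateway 0.0.0.0
        set output-device "wan2"
    next
end

# 4. One NAT policy per WAN. Source is "all" on purpose: if wan2 goes down,
#    its users must be allowed out wan1 (and vice versa) for failover to work.
#    Which WAN a user normally takes is decided by the routes, not the policy.
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 2
        set srcintf "internal"
        set dstintf "wan2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

To confirm it behaves as the table above predicts: `get router info routing-table all` should list both default routes (only the wan1 one is used while both are up), `diagnose firewall proute list` shows the policy routes in evaluation order, and `diagnose sys link-monitor status` shows each monitor's state. Pulling the wan2 monitor target off the network should remove route 2 from the table and, with it, the effect of policy route 2, so the 192.168.1.128/25 users quietly move to wan1 and move back when the monitor recovers.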