Hello,
I have two different Internet connections with two different ISPs. I want to use one connection for some users and another for other users, all of them in the same network, but I don't want to balance: the users that go out through connection1 should always go out through that connection.
I have one default static route 0.0.0.0/0.0.0.0 to one of these connections, but I don't know how to create the other routes, because it always affects all connections.
I've tried with policy routes, but I have the same problem.
Does anyone know how I can set this up in FortiGate?
Best regards,
Josep
Dear friend,
It's not a big deal, you only need to specify the user range. Like this:
you have two ISP networks on 2 different WAN ports.
So what you do is this: you have an internal range of any series, like 192.168.1.1-192.168.1.254, OK?
Then split the users by creating an address object for half of the IPs and create a policy for that special half of the users.
You will have a specific IP range dedicated 1-1 to a WAN line.
You just need to be careful about whom you want to assign to what.
Thank you for your answer
The problem is always with the default route, because in the default route I have to indicate the default gateway. Each Internet connection has a different default gateway, and I cannot define a different default route per user.
Best regards
Depending on the version of code you are running, you can set up WAN Link Load Balancing. From there you are able to set your default route to this new interface (which is made up of the two individual WANs); you can then assign how you want it to do load balancing across the connections. Then you can set rules saying if source A is trying to go to dest A, use WAN1, etc.
If you want source-determined routing, you could just do some policy-based routes that say all traffic from SUBNETA goes out WAN1 and all traffic from SUBNETB goes out WAN2.
Let me know if this helps you out or not (I write in stream of consciousness so I don't always clearly convey what I'm trying to say lol)
Mike Pruett
Thanks for your answer.
I think this is the best solution, but the problem is that I don't have the option to create a WAN Link Load Balancing.
I'm using a FortiGate 200D
Best regards
Josep
Actually, with some help from the CLI, you can have 2 working default routes at the same time. Define both with the same distance. Now change to the CLI (console) and enter

    conf route static
        edit <n1>
            set priority 15
        next
        edit <n2>
            set priority 16
        next
    end

Check with the Routing Monitor that there are now 2 default routes, possibly with 2 gateways.
Thank you for your answer
But in this case, if I define two default routes with different priorities, I cannot choose who uses one or the other, can I?
BR
Josep
No, I think you'll have to use different IP ranges to group your users if you want to go that path. I just wanted to show how you can keep 2 default routes to 2 different gateways at the same time. You'd have to use Policy Routes to route depending on source address.
There is one more option: auth-path.
You authenticate your users with RADIUS, and based on who they are, they will be routed to the correct interface. It was introduced a long time ago, but it is still active in 5.4.1 :)
http://kb.fortinet.com/kb/documentLink.do?externalID=13610
FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C
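The auth-path option from the post above, written out as FortiOS CLI. This is an added example and not configuration from the thread or from the linked KB article. It assumes a RADIUS server at 192.0.2.10, ISP gateways 203.0.113.1 on wan1 and 198.51.100.1 on wan2, FortiOS 5.2 or later (multi-interface policies), and that the RADIUS reply for each user carries a group name equal to the name of an auth-path entry; the exact attribute to return is documented in the KB article linked above, not here.

```fortios
# Added example (not from the thread): authentication-based routing with
# auth-path. Assumed values: RADIUS 192.0.2.10 (secret is a placeholder),
# wan1 gateway 203.0.113.1, wan2 gateway 198.51.100.1. Assumed mechanism:
# the RADIUS reply names a group that matches an auth-path entry name.
config user radius
    edit "corp-radius"
        set server "192.0.2.10"
        set secret <shared-secret>
    next
end

config user group
    edit "radius-users"
        set member "corp-radius"
    next
end

# One auth-path per ISP. A user whose RADIUS reply names "isp2-users"
# gets their sessions sent via wan2 regardless of their source IP.
config router auth-path
    edit "isp1-users"
        set device "wan1"
        set gateway 203.0.113.1
    next
    edit "isp2-users"
        set device "wan2"
        set gateway 198.51.100.1
    next
end

# The LAN-to-WAN policy must require authentication, otherwise the
# FortiGate never learns which user (and so which auth-path) a session
# belongs to. Source NAT uses the egress interface address.
config firewall policy
    edit 10
        set srcintf "internal"
        set dstintf "wan1" "wan2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "radius-users"
        set nat enable
    next
end
```

The practical difference from the address-range approach is that the routing decision follows the authenticated identity, so a user who moves to another IP in the same LAN keeps their ISP; the cost is that every session from the LAN must be authenticated before it is routed.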
I just finished researching this in depth for our team, so here's a summary of what I found out about this. This is derived from the manuals and several different KBs. Forgive the formatting... it's cut and pasted, but hopefully this is helpful.

Setting up Fortinet FortiGate firewalls for dual-WAN scenarios with >=2 Internet connections

General strategy for setup:
1. Static default route for each WAN interface (explanation of why is below)
   - same distance for each route
   - different priority for each route (lower priority wins)
2. Link health monitor for each route.
3. Policy route for traffic that should use the secondary interface (the one with the higher priority)

Traffic flows like this:
1. Routes specify where to send traffic.
   Routing notes:
   - Each policy route is inspected top to bottom. As soon as one matches, it wins and traffic goes that way.
   - Note: If you need certain traffic to skip the policy routes (for example, forcing certain IPs to use the primary route even though there's a policy route to send that subnet via the secondary route), you can put an entry HIGHER in the list of policy routes for those IP(s) that says "stop policy routing".
2. Policies specify what is done to the traffic as it passes this interface:
   - Check if traffic is allowed to pass, by source address, dest address, or port
   - What inspection should be done on that traffic (AV, website blocking)
   - NAT of the source IP address (SNAT): changing the private 10.x.x.x address to a public IP address

DIRECTION of traffic from the FortiGate's perspective is important to understand:
- In general, keep in mind that with the FortiGate we are always thinking of traffic in terms of where the traffic first originated (i.e. which machine asked for the traffic).
- When an end user is watching a YouTube video, that is controlled by a policy from LAN to WAN. The FortiGate catches the outbound request for the traffic from the user and automatically associates all the inbound traffic from WAN to LAN with that original session. No settings are needed for WAN to LAN for this traffic; even though most of the traffic is flowing from the Internet to the user, it is considered LAN to WAN traffic. Note this uses the SNAT indicated in the WAN to LAN policy to change the source address of the traffic to appear to be coming from a public address; the IP Pool selected in the policy does this.
- When someone on the Internet connects to the Exchange server, this is controlled by a policy from WAN to LAN. The FortiGate catches the inbound request from WAN to LAN and automatically allows returning traffic from the server back to the Internet client.

NAT notes:
- IP Pools: used to change the source IP address for outbound traffic, e.g. a client browsing the Internet.
- Virtual IP: used to change the destination IP address for inbound traffic, e.g. giving a public IP address to an internal server.

Fortinet FortiGate routing methodology:
Here's the reasoning for this:
Static routes in the FortiGate have a Distance and a Priority. For multiple routes:

| Distance | Priority | Result | Good thing? |
|---|---|---|---|
| Same | Same | Load is shared across both links (ECMP) | No, no control of traffic |
| Different | Same | Routing table will only have the route with the lower distance | No, one link can't be used |
| Same | Different | Routing table has both routes, but will only use the one with the lower priority | Yes! |

So having two routes with the same distance and one having a lower priority will do this:
By default, traffic will go out the route with the LOWER priority (yes, it's backwards).

Jeff Roback
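The complete procedure above (two default routes with equal distance and different priority, a link monitor per WAN, policy routes including a "stop policy routing" exception, and per-interface source NAT), and the two-default-routes CLI from the earlier post, as one FortiOS CLI configuration. This is an added example, not configuration from any poster in the thread. It assumes FortiOS 5.4 syntax (older releases use `set src` instead of `set srcaddr` in policy routes), wan1 to ISP1 at gateway 203.0.113.1 as the primary, wan2 to ISP2 at gateway 198.51.100.1, and a LAN on "internal" where 192.168.1.0/25 should use ISP1 and 192.168.1.128/25 should use ISP2, except the single host 192.168.1.200, which must stay on ISP1.

```fortios
# Added example (not from the thread). Assumed values:
#   wan1 -> ISP1, gateway 203.0.113.1 (primary: lower priority value wins)
#   wan2 -> ISP2, gateway 198.51.100.1
#   internal -> 192.168.1.0/25 uses ISP1, 192.168.1.128/25 uses ISP2,
#               except 192.168.1.200 which must stay on ISP1

# 1. Two default routes: same distance so both stay in the routing table,
#    different priority so only wan1 is used until it fails.
config router static
    edit 1
        set device "wan1"
        set gateway 203.0.113.1
        set distance 10
        set priority 5
    next
    edit 2
        set device "wan2"
        set gateway 198.51.100.1
        set distance 10
        set priority 10
    next
end

# 2. Link health monitor per WAN: when probes to the gateway fail, the
#    static routes on that interface are withdrawn and traffic falls to
#    the remaining default route (probe timing left at defaults).
config system link-monitor
    edit "mon-wan1"
        set srcintf "wan1"
        set server "203.0.113.1"
        set gateway-ip 203.0.113.1
    next
    edit "mon-wan2"
        set srcintf "wan2"
        set server "198.51.100.1"
        set gateway-ip 198.51.100.1
    next
end

# Address objects for the two user halves and the pinned exception host.
config firewall address
    edit "users-isp2"
        set subnet 192.168.1.128 255.255.255.128
    next
    edit "host-pinned-isp1"
        set subnet 192.168.1.200 255.255.255.255
    next
end

# 3. Policy routes, matched top to bottom. Entry 1 is the "stop policy
#    routing" exception (action deny): the pinned host matches it first,
#    no policy route applies, and it follows the routing table to wan1.
#    Entry 2 sends the rest of the second half out wan2.
config router policy
    edit 1
        set input-device "internal"
        set srcaddr "host-pinned-isp1"
        set action deny
    next
    edit 2
        set input-device "internal"
        set srcaddr "users-isp2"
        set output-device "wan2"
        set gateway 198.51.100.1
    next
end

# One firewall policy per egress interface, each doing source NAT to
# that interface's public address. To SNAT to a specific address instead,
# use "set ippool enable" and "set poolname <pool>" in the policy.
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 2
        set srcintf "internal"
        set dstintf "wan2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

After applying it, `get router info routing-table all` should list both 0.0.0.0/0 entries (one per gateway) and `diagnose firewall proute list` should show the two policy routes in order. Two checks worth doing before trusting it: unplug wan1 and confirm the ISP1 users move to wan2 once the monitor marks it dead (the policy route for the ISP2 users is unaffected), and confirm that 192.168.1.200 still leaves via wan1 even though it sits inside the users-isp2 range.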
Copyright 2024 Fortinet, Inc. All Rights Reserved.