mauirixxx
New Contributor

VIP' s, dual WAN fun, and more ....

Ok, so now I'm going to join the "How do I make WAN2 work" (basically) crowd. Let me pre-apologize for the length of this post, I'm just trying to be as thorough as possible.

Current setup:
WAN1, Cable ISP, Static IP address, everything works great for 2+ years, VIPs get routed, etc.
WAN2, DSL ISP, Static IP address, just got turned on today (verified via my laptop configured with static IP info and plugged directly into the DSL modem).

Now I know I need to do configuring with policy routing and probably some more configuration, but I did set up a VIP pointing from one of the static DSL IP addresses to a virtual Linux server (when the VIP points to one of my static cable IPs, it works), and tried to FTP into it from my remote network in California (I'm based out of Hawaii) - it fails. So I need to know where I went wrong basically.

Here is what the master plan is for the dual WAN setup: keep all traffic incoming and outgoing on the cable modem; however, in the event of a cable outage, re-route all traffic to the DSL line. I know I have to recreate the cable VIP setup on the DSL side, and create new public DNS entries for failover duties so e-mail keeps flowing.

So here is what I have configured so far:

System -> Network -> wan1 (CABLE): Manual address mode; IP/Netmask: 67.52.67.90/255.255.255.248; Admin access=Ping; Administrative status=Up
System -> Network -> wan2 (DSL): Manual address mode; IP/Netmask: 72.253.160.96/255.255.255.0; Admin access=Ping; Administrative access=Up
System -> Network -> Options -> DNS Settings: I run my own DNS servers (and they forward to OpenDNS), but I have the DNS from my cable ISP entered, and I have enabled DNS forwarding from "internal". Dead gateway detection is set to 5 seconds and 5 pings.
System -> Config -> Operation = NAT (obviously? lol)
Router -> Static -> Static Route: IP/Mask is set to 0.0.0.0/0.0.0.0 on all 4 entries. Gateways are (in order top to bottom):
192.168.10.1 wan1 distance=10
67.52.67.89 wan1 distance=1
72.253.160.1 wan2 distance=3
192.168.10.1 wan2 distance=10

I have NO policy routes set (yet?). I have also configured NOTHING in Router -> Dynamic.

Under Firewall -> Policy I have the following:
internal(LAN) -> wan1(CABLE): source/destination=all, service=any, schedule=always, action=accept.
internal(LAN) -> wan2(DSL): source/destination=all, service=any, schedule=always, action=accept.

I have duplicated 2 VIPs from the cable side of things to the DSL side of things as well, to which when I hit the public DSL IP from behind the FortiGate, it forwards it to the appropriate LAN IP (my virtual Linux server), yet when I attempt to hit our Linux website via one of my remote computers, it just times out. Clues to what I did wrong? I've been reading the routing forum for the past week trying to make sense of all this before I even had the DSL turned on. The forticare docs weren't much help either :( Help me, Obi-Wan Kenobis! :p
Rick Payton, IT Support Morikawa & Associates http://www.mai-hawaii.com/ FortiGate-60 build 726 (retired) FortiGate-60B v4.0 build 328 MR2 Patch 8 FortiAnalyzer-100B v4.0 build 513 MR3
UkWizard
New Contributor

It's explained here: http://kc.forticare.com/default.asp?id=376&Lang=1&SID= but in essence, if you are happy to have the DSL as purely backup, then go for the redundancy setup, which is two default routes, one per WAN interface with the CABLE one having a lower distance number. Then set up ping servers on the two WAN interfaces, so that when the pings stop, it will fail back to the higher distance default route. But with this, you cannot use the wan2 when it hasn't failed over, just like what you are experiencing at the moment (i.e. the failed incoming 2nd VIP), as the return traffic goes out via the first path, hence it fails.
UK Based Technical Consultant FCSE v2.5 FCSE v2.8 FCNSP v3 Specialising in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT experience.
mauirixxx
New Contributor

Ok, from that link, it looks like if I'm going to stick with the master plan, I need to follow scenario #1, though scenario #3 seems to be the best way (and seemingly more complicated way). After giving it some thought, I'm going to go with #3 - now I'm assuming with #3, if I create a VIP on both links pointing to the same internal server, I should be able to hit the internal server from EITHER public IP, correct? Off to try and make sense of things, thanks for the response ukwizard!

EDIT: Now if I'm reading this right, I need to muck around with policy routing, and make both policies identical, save for making one policy point towards the cable link, and the other point towards the DSL link. Yes?

EDIT #2: Ok, so far I have the distance on both gateways set to match each other. I have NOT set policy routes (yet), so all internal client initiated traffic is still going over the cable link. However, VIPs work on both links now (tested via remote location). So far, so good. I'll save the policy routing for later, when (if? :p ) I get a response back.
Rick Payton, IT Support Morikawa & Associates http://www.mai-hawaii.com/ FortiGate-60 build 726 (retired) FortiGate-60B v4.0 build 328 MR2 Patch 8 FortiAnalyzer-100B v4.0 build 513 MR3
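As an added illustration of UkWizard's point (return traffic leaves via the lower-distance route) and of the EDIT #2 result (VIPs work on both links once the distances match), here is a small Python model of default-route selection by administrative distance. It is constructed for this thread, not FortiGate code, and simplifies the real forwarding logic; the route table is taken from the values in the first post.

```python
# Simplified model (constructed for this thread, not FortiOS code) of how the
# administrative distance of the default routes decides which WAN interface a
# reply leaves on, and what that does to a VIP (port forward) on the other link.
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    gateway: str
    device: str
    distance: int


# Static routes as listed in the first post (all are 0.0.0.0/0.0.0.0).
ORIGINAL_ROUTES = [
    Route("192.168.10.1", "wan1", 10),
    Route("67.52.67.89", "wan1", 1),
    Route("72.253.160.1", "wan2", 3),
    Route("192.168.10.1", "wan2", 10),
]

# The two ISP gateways after EDIT #2: both given the same distance.
EQUAL_DISTANCE_ROUTES = [
    Route("67.52.67.89", "wan1", 1),
    Route("72.253.160.1", "wan2", 1),
]


def active_default_routes(routes):
    """Only routes sharing the lowest distance are installed; a tie keeps both."""
    best = min(r.distance for r in routes)
    return [r for r in routes if r.distance == best]


def reply_device(routes, ingress_device):
    """Interface the reply to a session that arrived on ingress_device leaves on.
    Model: the reply can go back out the ingress interface only if that interface
    carries an active default route; otherwise it follows the sole active route."""
    active = {r.device for r in active_default_routes(routes)}
    if ingress_device in active:
        return ingress_device
    return sorted(active)[0]


def vip_reachable(routes, vip_device):
    """A VIP on vip_device works only if its replies leave on the same interface.
    A reply sourced from the DSL address but sent out the cable link is asymmetric
    and is typically dropped upstream, so the remote client just times out."""
    return reply_device(routes, vip_device) == vip_device


if __name__ == "__main__":
    for name, table in (("original", ORIGINAL_ROUTES), ("equal distance", EQUAL_DISTANCE_ROUTES)):
        for dev in ("wan1", "wan2"):
            print(f"{name}: VIP on {dev} reachable = {vip_reachable(table, dev)}")
```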