Emref
New Contributor II

VIP using Static IP from WAN1, but shift Outgoing Traffic to WAN2? (SD-WAN / VIP)

Hello,

 

I recently installed a second WAN on my FortiGate 40F. I've been facing an issue I'm not able to resolve and looking for some help. I am a beginner though, so I'll try my best to explain my goal clearly and current

 

Goal:

- My wan1 has a bunch of static IPs, while wan2 doesn't have any. 

- I would like to access my file server via a static IP from wan1 from the internet (only wan1 has static IPs)

- I would like the application to only upload traffic via wan2 because it is 25x faster.

So, it should listen on wan1, but actually use wan2 only for data transmission. 

 

Current Setup:

- Configured SD-WAN and added both members. WAN2 has a higher priority, and in general it is being used most of the time, which is good for me. - working fine

- Created VIP for my server (external 37.37.37.37, internal 192.168.5.111) - working fine

 

My Policies

- SD-WAN to LAN (source all, destination VIP)

- LAN to SD-WAN (source all, destination all)

 

 

FOUND SOLUTION - Thank you everyone!:

A possible solution was to create a DDNS entry and the necessary firewall policies with it for the dynamic/non-static IP.

 

- In my case: I got 1 static IP as well from my WAN2 ISP. My ISP router was giving me a local address & I can't configure it manually; it has to be DHCP.

- Solved by creating a DMZ for the FortiGate on the ISP router. Then, creating firewall policies & VIPs using the FortiGate IP address ON THE ISP ROUTER (192.168.118.4 in my case).

 

Thanks again everyone! A very pleasurable experience here, my first time on the forum!

1 Solution
Dhruvin_patel

Greetings!

 

In this case, create a port forward on the ISP router: https://www.hellotech.com/guide/for/how-to-port-forward

The ISP router should translate the traffic from the public IP to the private IP of the FortiGate.

 

Thank You!

Dhruvin Patel

AEK
SuperUser

Hello Emref

In the TCP/IP world, by definition, when an external client establishes a connection to a public IP (one that is set up on WAN1) and the client's request is sent to that public IP, the server's response cannot be sent via another public IP (through WAN2).

I don't know a way to do it on FortiGate. And even in case you find a way to do it, your client will not accept the returning response.

AEK
Mrinmoy
Staff

VIP and SD-WAN are different. If both WAN interfaces are up and routes are installed in the routing table, you should be able to use the VIP via WAN1 and send regular traffic via WAN2. For VIP traffic, the firewall will not use WAN2, as the session will be created for WAN1.

Mrinmoy Purkayastha
Emref
New Contributor II

Thanks for your response.

 

So that means outgoing traffic from the device will have to be from WAN1 since the incoming came from WAN1.

 


My only solution is to purchase a static IP for WAN2 I guess?

Dhruvin_patel

Greetings!

 

So that means outgoing traffic from the device will have to be from WAN1 since the incoming came from WAN1.

>>> Yes, that's true. As the traffic is received on WAN1, it should go out of WAN1, because one ISP will not allow traffic from another ISP's IP address.

 

My only solution is to purchase a static IP for WAN2 I guess?

>>> You can create a VIP after creating a DDNS entry.

The following document shows the VIP configuration with DDNS. 

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-DynDNS-VIP/ta-p/197935

 

Regards!

If you have found a solution, please like and accept it to make it easily accessible for others.

Dhruvin Patel
ap
Staff

Hi @Emref ,

 

Once the session is established on the FortiGate using the public IP of WAN1, how will the source machine (external client) determine that it needs to send the actual data traffic using WAN2?

 

You can use WAN2 for the VIP (even though it doesn't have a static IP). You can use 0.0.0.0 as the external IP along with port forwarding for a specific port, as shown in the example below:

 

[image: q1.png]

 

 

You can use FortiGuard DDNS to map your WAN2 public IP to a domain, as per the article below:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-configure-Dynamic-DNS-Fortigate/ta-...

 

You can use this domain name when initiating file transfer connection from external client.

 

Regards,
Ankit
If you have found a solution, please like and accept it to make it easily accessible to others.
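
As an added example (not from this thread and not Fortinet's own documentation), here is the FortiOS CLI equivalent of the wan2 VIP and policy described in this reply and in the original post's final solution. The SD-WAN zone name "virtual-wan-link", the LAN interface name "internal" and the policy name are assumptions; the mapped host 192.168.4.111, port 7777 and the DDNS name test.fortiddns.com are the values the thread uses. The sniffer command at the end is the check for the "no hits on my VIP" symptom.

```text
# Assumed names: SD-WAN zone "virtual-wan-link", LAN interface "internal".
config firewall vip
    edit "fileserverVIP"
        # Bind the VIP to the SD-WAN member interface, not to the zone.
        set extintf "wan2"
        # 0.0.0.0 matches whatever address wan2 currently holds, so it works
        # for a DHCP address such as the 192.168.118.4 handed out by the ISP router.
        set extip 0.0.0.0
        set mappedip "192.168.4.111"
        set portforward enable
        set protocol tcp
        set extport 7777
        set mappedport 7777
    next
end

config firewall policy
    edit 0
        set name "SDWAN-to-fileserver"
        # The thread's "SD-WAN to LAN" policy: zone as source, VIP as destination.
        set srcintf "virtual-wan-link"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "fileserverVIP"
        set action accept
        set schedule "always"
        # Narrow "ALL" to a custom TCP/7777 service to expose only the file-server port.
        set service "ALL"
        # Inbound DNAT comes from the VIP; no source NAT is needed on this policy.
        set nat disable
    next
end

# Check: while an external client connects to test.fortiddns.com:7777, this must show
# SYNs arriving on wan2. No packets here means the ISP router is not forwarding
# TCP/7777 to the FortiGate (port forward or DMZ on the ISP router is missing).
# Replies to a session created on wan2 leave via wan2, which is the point made earlier
# in the thread about why WAN1-received traffic cannot be answered from WAN2.
diagnose sniffer packet wan2 'tcp port 7777' 4
```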

Emref
New Contributor II

Thank you so much @Mrinmoy @ap @Dhruvin_patel for your help. I think I am 90% through, but I'm still missing something! Just keep in mind I have an SD-WAN setup for 2 wans. Here's what I did:

 

- Created DDNS for my WAN2. I can confirm it's working, as I resolved it using nslookup from the external network. Let's assume this DDNS is test.fortiddns.com.

When I ping it, I get packet loss, which I assume is because there is no firewall policy to allow this in.

 

- Created a VIP (fileserverVIP) on the interface wan2, mapping 0.0.0.0 to 192.168.4.111 with the port forwarding I need (external 7777 to internal 7777).

At this step, I still couldn't access it. So I added this VIP to my existing Firewall Policy.

 

- Added VIP to Firewall Policy on (SD-WAN to LAN) source: all, destination: (multiple VIPs & new 'fileserverVIP')

 

I still can't access it via the supposed link which is test.fortiddns.com:7777. I'm not getting any hits on my VIP.

 

(Sorry if this is basic, I'm trying to learn!)

 

Emref
New Contributor II

Update:

 

I got a static IP for my WAN2, but unfortunately, the ISP doesn't allow bridge mode on the router. Therefore, I am stuck with 192.168.118.1 as the router's IP and an IP of 192.168.118.4, i.e. I cannot set a manual IP for the interface. The DDNS is still configured and resolving correctly.

 

Even though this is exactly the same scenario for my wan1 (local IP), I am able to use my static IP group in the firewall policy and it is working with no issue. For example, a VIP policy for 37.37.37.37 and 37.37.37.38 will resolve to 192.168.4.111 with port forwarding even though I have not configured it on the interface.

 

Can't seem to understand why it won't work for WAN2. Is this a limitation for SD-WAN?

 

Wan2 is not able to 

Dhruvin_patel

Greetings!

 

I understand that the ISP router doesn't allow bridge mode, and as a result wan2 gets the IP 192.168.118.4.

 

First of all, is the DDNS entry getting resolved to the public IP?

 

Regards!

Dhruvin Patel