Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
baze7
New Contributor

VPN Dedicated WAN interface

I have 3 WAN interfaces. I want 1 of these to be dedicated for VPN traffic. I have setup several Site to Site IPsec Tunnels. They work fine as long at the WAN interface is the highest priority in the static routes. But I do not want outbound internet traffic to go out this interface, so if I adjust the priority of distance then the VPN won't connect. Can I somehow specify 1 IP in the destination of a static route to force the connection to use the interface I want to use? Or should I somehow do this a different way? There will eventually be 15 vpn connection I want to do this way.

 

 

5 REPLIES 5
funkylicious
SuperUser
SuperUser

Hi,
One way of doing this would be through Policy Routes, where you specify the srcaddr and dstadd and the outbound interface as long as the main interface and this interface that you want to use for outbound traffic, would have the same distance/prio for ECMP so both are installed in the routing table.

A more flexibile way to do it would be to configure SDWAN and then configure the SDWAN rules to do basically the same thing as Policy Route but with more features/options.

---------------------------
geek
---------------------------
---------------------------geek---------------------------
baze7

I thought about SDWAN. I will give that a shot also.

 

Thanks

johnathan
Staff
Staff

"Can I somehow specify 1 IP in the destination of a static route to force the connection to use the interface I want to use?"
This is how I would do it, and not have a default route on that specific interface at all.

Another way to do it would be to have all three WAN interfaces be separated based on priority instead of distance.
When  you have the distance the same, they will all be active in the routing table and be able to send traffic. You can have WAN1 and WAN2 be a priority of 5, and your VPN-WAN priority of 6.


This would make it so user traffic will never go to VPN-WAN, unless WAN1 and WAN2 are both down. VPN tunnels  would still be able to establish, however.


See this document for a bit more detail: 
https://docs.fortinet.com/document/fortigate/6.2.15/cookbook/25967/equal-cost-multi-path

"Never trust a computer you can't throw out a window."
baze7

Thanks for the reply. How do I specify just 1 IP address is a static route?  Using a range and just put in the 1 IP?

Toshi_Esumi

config router static

  edit 0

    set dst x.x.x.x 255.255.255.255        <-- x.x.x.x is the site-to-site peer public IP
   either {
    set gateway <gateway_IP>  [if static]
    } or {

     set dynamic-gateway enable [if DHCP or PPPoE]
    }

    set device <the_wan_interface>

  next

end

 

Then don't set a default route to the same wan interface. If DHCP or PPPoE pulling the default gatway,

config sys int

  edit <the_wan_interface>

     set defaultgw disable
  next
end

 

Toshi

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors