Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
garjithb
New Contributor

VRRP and BGP

I have 2 Fortigate 601E. X1 has our private IP range and X2 has our public IP range.

Each of these is connected to 2 separate ISPs. So I cannot run full HA. I run vrrp on X1 and X2 interfaces.

I have put the vrrp of both X1 and X2 in the same group. This way if X1 fails over, X2 will fail over as well.

I run full BGP with each ISP and announce my public IP.

I prepend the inbound path via Fortigate2 to make sure that all the internet traffic comes to Fortigate1. Outbound traffic will take Fortigate1 because of VRRP.
Now the question,
1. When X1/X2 fails over, I want to failover the incoming traffic from the internet to ISP2 on Fortigate 2. Otherwise, the incoming traffic will hit Fortigate1 and get blackholed. Outbound traffic won't have an issue because of vrrp.
2. What is the best design to accommodate a situation where Fortigate1 reboots and comes back in 2-3 minutes? (Should I keep Fortigate2 as master even when Fortigate1 comes up? This again will cause an issue with BGP failover, as internet routing for my public IP will take some time to failover to Fortigate2.)
3. What is the best design to accommodate the situation where the master ISP goes down?
4. Do you run iBGP between the FortiGates over my own private subnet or my own public subnet?
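The design described in the post (VRRP on X1 and X2 in one group, plus an AS-path prepend on the announcement made through Fortigate2 so that inbound traffic prefers Fortigate1), written out as an added FortiOS CLI example. This is not configuration from the thread or from Fortinet; the ASN, prefixes, neighbor addresses, interface names and route-map name are placeholders taken from the documentation ranges, and it assumes the two units already have their BGP sessions to the respective ISPs. The `preempt` setting is the knob that decides question 2 (whether Fortigate1 takes the VRRP master role back as soon as it reboots); note that nothing in this configuration moves the inbound BGP path when VRRP fails over, which is exactly the blackhole the post raises in question 1.

```fortios
# --- Fortigate1 (intended VRRP master for both X1 and X2) ---
config system interface
    edit "X1"
        # X1 carries the private range; placeholder addressing
        set vrrp-virtual-mac enable
        config vrrp
            edit 1
                set vrgrp 1                 # same group as X2, so both fail over together
                set vrip 192.0.2.1          # LAN gateway VIP (placeholder)
                set priority 200            # higher than Fortigate2
                set preempt enable          # question 2: disable to let Fortigate2 stay master after a reboot
            next
        end
    next
    edit "X2"
        set vrrp-virtual-mac enable
        config vrrp
            edit 2
                set vrgrp 1
                set vrip 203.0.113.1        # public-side VIP (placeholder)
                set priority 200
                set preempt enable
            next
        end
    next
end

# --- Fortigate2 (VRRP backup; inbound announcement prepended) ---
config system interface
    edit "X1"
        set vrrp-virtual-mac enable
        config vrrp
            edit 1
                set vrgrp 1
                set vrip 192.0.2.1
                set priority 100            # lower than Fortigate1
                set preempt enable
            next
        end
    next
    edit "X2"
        set vrrp-virtual-mac enable
        config vrrp
            edit 2
                set vrgrp 1
                set vrip 203.0.113.1
                set priority 100
                set preempt enable
            next
        end
    next
end

config router route-map
    edit "ISP2-PREPEND"
        config rule
            edit 1
                # Prepend own ASN three times so ISP2's path looks longer than ISP1's
                set set-aspath "64496 64496 64496"
            next
        end
    next
end

config router bgp
    set as 64496                            # placeholder: the site's own ASN
    set router-id 203.0.113.3
    config neighbor
        edit "198.51.100.1"                 # placeholder: ISP2 peering address
            set remote-as 64500             # placeholder: ISP2 ASN
            set route-map-out "ISP2-PREPEND"
        next
    end
    config network
        edit 1
            set prefix 203.0.113.0 255.255.255.0   # placeholder: the owned /24
        next
    end
end
```

Verify the announced path with `get router info bgp network 203.0.113.0/24` on each unit and the VRRP role with `get router info vrrp`; if Fortigate2 ever has to become the real inbound path, the prepend on its session has to be removed (or an equivalent prepend applied on Fortigate1's session) and the change will only take effect once the ISPs have re-converged, which is the delay the post's question 2 is worried about.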

6 REPLIES
scan888
Contributor

Hi

Your rather complicated design is not easy to answer with the little information you have given.

I will try to answer your questions:

  1. This is only possible with a RIPE IP range and dual-homed BGP. Do you have a RIPE range?
  2. In your situation, I always try to wire both ISPs to both FortiGates. Either directly from the ISP router to both firewalls or via a switch stack and VLANs. This way I can simply use an active-passive cluster or, if there are two datacenters, two A-P clusters with session sync in between.
  3. See point 2
  4. What is your idea behind iBGP?
Regards

- Have you found a solution? Then give your helper a "Like" and mark the solution.
garjithb

I hope the attached diagram represents the infra better.

In short, I own my own /24 public subnet and my own ASN. This is a very small site for us. So getting another router on the edge is not worth spending the money on.

1. This is only possible with RIPE IP-Range and Dual-Homed BGP. Do you have a RIPE-Range?
 -> Yes, I own a RIPE-provided public IP and ASN.
 -> Not all the ISPs will give you 2 links (if that is what you meant by dual-homed)

2. In your situation, I always try to wire both ISPs to both FortiGates. Either directly from the ISP router to both firewalls or via a switch stack and VLANs. This way I can simply use an active-passive cluster or if there are two data centers, two A-P clusters with session sync in between.
 -> This is the ideal design if I can spend money on another pair of switches. Unfortunately, the location is not too big to spend money on 2 additional switches.

4. What is your idea behind iBGP?

 -> If the outbound traffic can reach a location faster via ISP2.

garjithb

[Attached diagram: Screenshot 2023-01-13 at 9.48.48 AM.png]

Toshi_Esumi
Esteemed Contributor II

I agree with @scan888. The problem OP has is that the 600E series has only two 10G ports. If both LAN and WAN sides need to be 10G, adding the 2nd WAN to each unit is not possible. Need a higher model.

iBGP is for when the LAN side is on FGT1 while the WAN side is on FGT2: outgoing traffic comes in on FGT1, then is routed to FGT2 over an interconnect between them to let it go out to the WAN from FGT2. But FGT2 sees the return route directly through the LAN because of VRRP and drops the traffic with "return path check fail".

Toshi

garjithb

Thank you for the response. The issue is not with the port speed. So I am not sure how the higher model will help me here.

You are spot on with the iBGP requirement.

Toshi_Esumi
Esteemed Contributor II

Then you can terminate two ISP circuits and one internal interface on one FGT. Then set up HA without VRRP. You have to have a switch or two to span one circuit/LAN interface to both FGTs though.

This way, you don't have to worry about iBGP or asymmetric routing.

Toshi