Static: config router static edit 4 set device " wan1" set gateway 88.2.X.X next edit 2 set device " wan2" set gateway 10.17.X.X (This in double NAT, only web traffic). next end Policy: config router policy edit 6 set dst 10.17.29.0 255.255.255.0 set input-device " V_200" set output-device " V_100" next edit 7 set dst 10.17.28.0 255.255.255.0 set input-device " V_200" set output-device " internal" next edit 8 set dst 10.17.27.0 255.255.255.0 set input-device " V_200" set output-device " V_101" next edit 9 set dst 10.17.23.0 255.255.255.0 set input-device " V_100" set output-device " V_200" next edit 10 set dst 10.17.28.0 255.255.255.0 set input-device " V_100" next edit 2 set input-device " V_100" set output-device " wan1" next edit 3 set input-device " V_101" set output-device " wan1" next edit 4 set input-device " internal" set output-device " wan1" next end

Hm... Honestly its really hard to tell without having much more information... But some of your PBRs seem obvious and not necessary: All PBR-Rules but 2,3 and 4 are not necessary and should be made through normal routing decision -> delete them! You just confuse the VIP connection tracking with that!! If you just want every traffic to go to wan1, but some (from vlan200) to go to wan2 then: -> delete all your policy routes -> set the route priority on the wan1 lower then on wan2 (metrics must be the same!) -> define only policy route from vlan200 -> wan2 -> check, that the related policies exist, which allow the traffic to pass!

Hi again. I follow your indications. Delete policy routes, set priority on WAN1 (via console), define only V200->Wan2 PBR and veriry rules. Now, if I do not define VXX->Wan1 users on this vlan do not connect to Internet. But if I define VXX->Wan1, I need define VXX->VYY rules for certain visibility inter-Vlan, and problems with virtual IP continues. I change static routes to only wan1 and delete all PBR. Works fine, but I can not operate with load balance on wan2. Problem. If I use one PBR to connect to vlan to internet (V200->Wan2), I need other PBR to connect with more vlan. Problems, problems.... Thanks.

Remember, that there are some design-limitation in the case of having VIPs, load sharing and redundancy... http://kc.forticare.com/default.asp?id=376&Lang=1&SID= It might be good leaving the load sharing part off for the first step!! Keep it as simple as possible, Low-End-Fortigates can only have a maximum of 16 PBRs!!! Another question: You cannot reach your VIPS? Where are thoe VIPs created (wan1?) Do you have implicit policies to reach those VIPs as well? cheers.roman

Solved!!!!!! Uff, por fin..... I found the question. Show router static show this: edit 3 set device " wan1" set gateway 88.X.X.X next edit 4 set device " wan2" set gateway 10.17.X.X next I supose than route 3 is thas support priority, but no, and i don' t know why. Now, default route is wan2, and a PBR forces vlan 200 to route througth wan1. But PBR overrides entries on route table and i have needed generate 3 new PBR for vlan_200->vlan_1, vlan_200->vlan_100 and vlan_200->vlan_101. Virtual IP to servers on vlan_100 and vlan_200 works fine and i added a static route from my network to connects on same IP (wan1). Now link redundancy and load sharing works. I' ve tested it. Thanks Romanr.