VPN drops with Starlink
Hello: I have a Fortinet 60F. I changed the wan1 connection to Starlink, with addressing mode DHCP and a static route via DHCP too. If I enable wan1, the PCs have internet through Starlink and through the other connection, but the VPN drops; I have to disable wan1 for the VPN to work. I don't know if I have something else to configure or if the VPN is configured incorrectly. I have virtual IPs that point to one connection or the other; I don't know if that is the cause. I attached one with the Starlink connection.
We use FortiClient for the VPN connection.
I hope you can guide me to solve these problems.
Greetings
Labels: FortiClient, FortiGate
What distance is the static route for the non-Starlink WAN? They should probably be the same if you intend traffic to go over both links at once.
Thanks, Johnathan, for your answer. I attach an image.
I don't think the VIP is affecting the behavior you're seeing. But that VIP is only for VNC/RDP access at TCP 10221. If you have doubts, you can remove it for now. But the VIP might not work well with Starlink, since the IP is not static; it is assigned by Starlink's router.
For the VPN drop issue, it's up to the other WAN (wan2) interface's settings. Depending on your intended usage of both WAN connections (load balance with VPN on wan2 only, or all outgoing traffic via wan1 while the VPN comes in on wan2, etc.), you need to set (or manipulate) your two default routes intentionally.
If you check the routing table ("get router info routing-table all" in the CLI), you will understand why those VPNs are dropped. Likely the default route to wan2 is not there.
Toshi
Thanks for responding. We do not do load balancing; when necessary we change the connection by hand. What I do need is for the VPN to go out even through wan2 if it is not possible through both (wan1 and wan2, which would be ideal), and it worked until we changed to Starlink. I attach the result of the command you suggested.
get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
Routing table for VRF=0
S* 0.0.0.0/0 [5/0] via 192.168.1.1, wan1, [1/0]
C 128.1.1.0/24 is directly connected, dmz
C x.x.x.x/27 is directly connected, wan2
C 192.168.1.0/24 is directly connected, wan1
C 192.168.2.0/24 is directly connected, internal
Created on 11-15-2024 08:04 AM Edited on 11-15-2024 08:04 AM
As suspected, you lost the default route toward wan2. That's obviously why the VPN dropped.
Is the wan2 IP static? Then do you have a static default route to wan2 configured?
Static routes' default distance is 10, while the DHCP-introduced default route (from wan1) has distance 5. That's why it lost the wan2 default route, if that's the case.
You can either change the "distance" of wan1 to 10 ("set distance 10"), or set 5 as the distance of the static default route to wan2 ("set distance 5").
In either case, you have to set a higher priority on the default route, like 10, than the wan1 default route (priority 1),
so that both default routes would be in the routing table. Then your site-to-site VPN would come up.
Toshi
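To make the distance-versus-priority rule in Toshi's answer concrete, here is a small Python model of the selection (added here as an illustration; it is not FortiOS code and not part of the thread). It assumes the behaviour described above: only default routes sharing the lowest administrative distance are installed, and among those the lowest priority value is preferred while all of them stay in the table. The wan2 gateway string is a placeholder, since the thread masks the real address.

```python
from dataclasses import dataclass

# Hypothetical model (not FortiOS code) of how a FortiGate chooses between
# competing default routes, following the rule explained in the thread:
#   - only routes sharing the LOWEST administrative distance enter the routing table;
#   - among those, the lowest 'priority' value is preferred for new outbound
#     sessions, but every equal-distance route stays installed.
# Defaults quoted in the thread: a DHCP-learned default route inherits the
# interface distance (5); a static route defaults to distance 10.
DHCP_INTERFACE_DISTANCE_DEFAULT = 5
STATIC_ROUTE_DISTANCE_DEFAULT = 10


@dataclass(frozen=True)
class DefaultRoute:
    interface: str
    gateway: str
    source: str        # "dhcp" or "static"
    distance: int
    priority: int = 1


def select_routes(candidates):
    """Return (installed, preferred) lists of DefaultRoute."""
    if not candidates:
        return [], []
    best_distance = min(c.distance for c in candidates)
    installed = [c for c in candidates if c.distance == best_distance]
    best_priority = min(c.priority for c in installed)
    preferred = [c for c in installed if c.priority == best_priority]
    return installed, preferred


def installed_interfaces(candidates):
    installed, _ = select_routes(candidates)
    return sorted(c.interface for c in installed)


def preferred_interfaces(candidates):
    _, preferred = select_routes(candidates)
    return sorted(c.interface for c in preferred)


# Constructed values mirroring the thread. The wan2 gateway is a placeholder;
# the thread masks the real address as x.x.x.x5.
WAN1 = ("wan1", "192.168.1.1", "dhcp")
WAN2 = ("wan2", "x.x.x.x5", "static")


def before_fix():
    """Starlink on wan1 via DHCP (distance 5) beside the old static default on wan2 (10)."""
    return [DefaultRoute(*WAN1, DHCP_INTERFACE_DISTANCE_DEFAULT),
            DefaultRoute(*WAN2, STATIC_ROUTE_DISTANCE_DEFAULT)]


def fix_interface_distance(wan2_priority=10):
    """'config system interface / edit wan1 / set distance 10', plus the higher
    priority value on the wan2 static route that the answer recommends."""
    return [DefaultRoute(*WAN1, 10),
            DefaultRoute(*WAN2, STATIC_ROUTE_DISTANCE_DEFAULT, wan2_priority)]


def fix_static_route_distance():
    """The alternative: 'set distance 5' on the wan2 static default route."""
    return [DefaultRoute(*WAN1, DHCP_INTERFACE_DISTANCE_DEFAULT),
            DefaultRoute(*WAN2, 5)]


def render(candidates):
    """Routing-table style summary: S* 0.0.0.0/0 [distance/0] via gw, iface, [priority/0]."""
    installed, preferred = select_routes(candidates)
    lines = []
    for r in installed:
        flag = "preferred" if r in preferred else "installed"
        lines.append(f"S* 0.0.0.0/0 [{r.distance}/0] via {r.gateway}, {r.interface}, "
                     f"[{r.priority}/0]  <- {flag}")
    for r in candidates:
        if r not in installed:
            lines.append(f"   (not installed: {r.interface} distance {r.distance} "
                         f"loses to {installed[0].distance})")
    return "\n".join(lines)


if __name__ == "__main__":
    for label, cands in [("before", before_fix()),
                         ("wan1 distance 10", fix_interface_distance()),
                         ("wan2 static route distance 5", fix_static_route_distance())]:
        print(f"== {label} ==\n{render(cands)}\n")
```

Running it shows the three states from the thread: before the change only the wan1 route survives (so nothing can be routed back out of wan2), and either fix puts both default routes in the table, with the priority value deciding which one new outbound sessions take.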
Toshi, I am attaching screenshots of how the static routes are.
If I understand correctly, the only thing I have to change is the distance on the wan1 interface to 10?
Created on 11-15-2024 09:19 AM Edited on 11-15-2024 09:20 AM
If you make the wan1 distance 10, both default routes (the DHCP one to wan1 and the static one to wan2) would be the same in the routing table.
But you're showing "Advanced options: priority 2". I'm not sure what it would do; did you have it from the beginning? Your routing table is showing 1.
In any case, you need to set the Priority on the static default route to wan2 to something like 10. Not 1.
Toshi
Created on 11-15-2024 09:28 AM Edited on 11-15-2024 09:30 AM
No. That first screenshot is for the default route, not the interface. You need to change the distance of the interface wan1.
You might need to use the CLI to change that.
config system interface
    edit wan1
        set distance 10
    next
end
Toshi
Created on 11-15-2024 10:25 AM Edited on 11-15-2024 10:26 AM
Toshi, yes, I did that; it seems to work now.
get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via x.x.x.x5, wan2, [1/0]
[10/0] via 192.168.1.1, wan1, [1/0]
C 128.1.1.0/24 is directly connected, dmz
C x.x.x.224/27 is directly connected, wan2
C 192.168.1.0/24 is directly connected, wan1
C 192.168.2.0/24 is directly connected, internal
Thank you for your help.
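Since the whole problem was visible in "get router info routing-table all" before anyone touched the configuration, a check that parses that output and reports which WAN interfaces still carry a default route is a cheap way to catch the same regression next time. The following Python parser is an added example, not part of the thread or of FortiOS; the two sample tables are copied from the masked output posted above, and the bracket fields are read as [distance/metric] and [priority/weight] as the thread interprets them.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Added monitoring helper (not FortiOS code): parse the text of
# 'get router info routing-table all' and report which WAN interfaces still
# carry a default route. Losing the wan2 default route is what broke the VPN here.
#
# Line shapes handled (taken from the thread's masked output):
#   S* 0.0.0.0/0 [10/0] via x.x.x.x5, wan2, [1/0]
#      [10/0] via 192.168.1.1, wan1, [1/0]      (ECMP continuation, same prefix)
#   C 192.168.1.0/24 is directly connected, wan1
GATEWAY_ROUTE_RE = re.compile(
    r'^(?:(?P<code>[A-Z]\*?)\s+(?P<prefix>\S+/\d+)\s+)?'
    r'\[(?P<distance>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<gw>\S+),\s+(?P<iface>[^,\s]+),'
    r'\s+\[(?P<priority>\d+)/\d+\]'
)
CONNECTED_RE = re.compile(
    r'^C\s+(?P<prefix>\S+/\d+)\s+is directly connected,\s+(?P<iface>\S+)'
)


@dataclass(frozen=True)
class Route:
    code: str
    prefix: str
    interface: str
    gateway: Optional[str] = None
    distance: int = 0
    metric: int = 0
    priority: int = 0


def parse_routing_table(text: str):
    """Return a list of Route objects; header and legend lines are skipped."""
    routes = []
    current_code = current_prefix = None
    for raw in text.splitlines():
        line = raw.strip()
        m = GATEWAY_ROUTE_RE.match(line)
        if m:
            if m.group("prefix"):          # a new prefix; continuation lines reuse it
                current_code, current_prefix = m.group("code"), m.group("prefix")
            if current_prefix is None:     # continuation with no owning route line
                continue
            routes.append(Route(current_code, current_prefix, m.group("iface"),
                                m.group("gw"), int(m.group("distance")),
                                int(m.group("metric")), int(m.group("priority"))))
            continue
        m = CONNECTED_RE.match(line)
        if m:
            current_code, current_prefix = "C", m.group("prefix")
            routes.append(Route("C", m.group("prefix"), m.group("iface")))
    return routes


def default_route_interfaces(routes):
    return sorted({r.interface for r in routes if r.prefix == "0.0.0.0/0"})


def missing_default_routes(text: str, expected_wans=("wan1", "wan2")):
    """WAN interfaces that the table no longer lists a default route for."""
    present = set(default_route_interfaces(parse_routing_table(text)))
    return [w for w in expected_wans if w not in present]


# Sample tables copied from the thread (addresses masked there as x.x.x.x).
BEFORE_FIX = """\
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
* - candidate default
Routing table for VRF=0
S* 0.0.0.0/0 [5/0] via 192.168.1.1, wan1, [1/0]
C 128.1.1.0/24 is directly connected, dmz
C x.x.x.x/27 is directly connected, wan2
C 192.168.1.0/24 is directly connected, wan1
C 192.168.2.0/24 is directly connected, internal
"""
AFTER_FIX = """\
Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via x.x.x.x5, wan2, [1/0]
[10/0] via 192.168.1.1, wan1, [1/0]
C 128.1.1.0/24 is directly connected, dmz
C x.x.x.224/27 is directly connected, wan2
C 192.168.1.0/24 is directly connected, wan1
C 192.168.2.0/24 is directly connected, internal
"""

if __name__ == "__main__":
    for label, table in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        present = default_route_interfaces(parse_routing_table(table))
        missing = missing_default_routes(table)
        print(f"{label}: default routes on {present}, missing {missing or 'none'}")
```

Feed it the captured CLI output (for example, collected over SSH on a schedule) and alert whenever `missing_default_routes` returns a non-empty list; on the "before" table it reports wan2 as missing, on the "after" table nothing.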