Hello: I have a Fortinet 60F, I changed the wan1 connection to Starlink, addressing mode dhcp and static route with dhcp too. If I enable wan1, the PCs can have internet with Starlink and with the other connection but the VPN drops, I have to disable wan1 for the VPN to work. I don't know if I have something else to configure or if the VPN is configured incorrectly, I have virtual IPs that point to one connection or another, I don't know if it is that, I attached one with the Starlink connection.
We use forticlient for vpn connection.
I hope you can guide me to solve these problems.
Greetings
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Created on 11-15-2024 09:28 AM Edited on 11-15-2024 09:30 AM
No. That first screen shot is for the default route. Not interface. You need to change the distance of the interface wan1.
You might need to use CLI to change that.
Config system interface
edit wan1
set distance 10
next
end
Toshi
What distance is the static route for the non-Starlink WAN? They should probably be the same if you intend traffic to go over both links at once.
Than Johnathan for your answer. I attach image.
I don't think the VIP is affecting the behavior you're seeing. But that VIP is only for VNC/RDP access at TCP 10221. If you have doubt, you can remove it for now. But the VIP might not work well with Startlink since the IP is not startic, assigned by the Startlink's router.
For the VPN drop issue, it's up to the other wan (wan2) interfaces setting. Depending on your intended usage of both wan connections (load balance with VPN on wan2 only, or all outgoing is for wan1 while VPN coming in wan2, etc.) you need to set (or manipulate) your two default routes intentionally.
If you check the routing table ("get router info routing-table all" in CLI) you would understand why those VPNs are dropped. Likely the default route to wan2 is not there.
Toshi
Thanks for responding. We do not do load balancing, when necessary we change the connection by hand. What I do need is for the VPN to go out even through wan2 if it is not possible through both (wan1 and wan2, this would be ideal) and it worked until we changed to starlink. I attach the result of the command you suggested.
get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
Routing table for VRF=0
S* 0.0.0.0/0 [5/0] via 192.168.1.1, wan1, [1/0]
C 128.1.1.0/24 is directly connected, dmz
C x.x.x.x/27 is directly connected, wan2
C 192.168.1.0/24 is directly connected, wan1
C 192.168.2.0/24 is directly connected, internal
Created on 11-15-2024 08:04 AM Edited on 11-15-2024 08:04 AM
As suspected, you lost the default route toward wan2. That's why VPN dropped obviously.
Is wan2 IP static? Then do you have a static default route to wan2 configured?
Static routes' default distance is 10, while DHCP introduced default route (from wan1) has distance 5. That's why it lost the wan2 default route, if that's the case.
You can either change "distance" of wan1 to 10 "set distance 10", or set 5 as the distance of the static default route to wan2 "set distance 5".
Either case, you have to set a higher priority on the default route, like 10, than the wan1 default route (priority 1).
So that both default routes would be in the routing table. Then your site-to-site VPN would come up.
Toshi
Toshi, I am attaching screenshots of how the static routes are.
If I understand correctly, the only thing I have to change is the distance on the interface from wan1 to 10?
Created on 11-15-2024 09:19 AM Edited on 11-15-2024 09:20 AM
If you make wan1 distance to 10, both default routes (DHCP one to wan1 and static one to wan2) would be the same in the routing table.
But you're showing "Advanced options: priority 2". I'm not sure what it would do, did you have it from the beginning? Your routing table is showing 1.
In any case, you need to set Priority on the static default route to wan2 as like 10. Not 1.
Toshi
Created on 11-15-2024 09:28 AM Edited on 11-15-2024 09:30 AM
No. That first screen shot is for the default route. Not interface. You need to change the distance of the interface wan1.
You might need to use CLI to change that.
Config system interface
edit wan1
set distance 10
next
end
Toshi
Created on 11-15-2024 10:25 AM Edited on 11-15-2024 10:26 AM
Toshi, Yes, I did that, it seems to work now.
get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via x.x.x.x5, wan2, [1/0]
[10/0] via 192.168.1.1, wan1, [1/0]
C 128.1.1.0/24 is directly connected, dmz
C x.x.x.224/27 is directly connected, wan2
C 192.168.1.0/24 is directly connected, wan1
C 192.168.2.0/24 is directly connected, internal
Thank you for your help.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1696 | |
1091 | |
752 | |
446 | |
228 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.