Support Forum
dbrady
New Contributor

WAN LLB & Policy Routes

Hi

 

I am new to FortiGate and I've got a query regarding my setup.

Device 100E running v5.4.5, build6225.

 

I've created a WAN LLB for interfaces WAN1 & WAN2 and set up LLB rules to prioritise outbound traffic out of certain interfaces. This works fine and fails over if one interface goes down.

 

For inbound I've created policy routes, as certain traffic on each WAN interface needs to be directed to different destinations.

For example:

    inbound traffic on WAN1 on port 80 routed to 192.168.3.3

    inbound traffic on WAN2 on port 80 routed to 10.0.0.10

 

The FW rules have been created to allow this traffic, but as I've created an LB I can't select the individual interfaces, only the WAN-load-balance.

 

The FW is not yet in production, but I'm just wondering whether this setup will work?

 

 

Allan_Lago
New Contributor

Hello dbrady,

 

Policy route will work fine if you want to route traffic through a specific internet link. But for inbound NAT you have to use a VIP object with a firewall policy.

 

Go to Policy and Objects > Virtual IPs > Create a new VIP object to match your NAT requirements.

 

To route inbound traffic from WAN1:80 to 192.168.3.3:80 you must have something like this:

 

config firewall vip
    edit "NAT_HTTP"
        set extintf "wan1"
        set portforward enable
        set mappedip "192.168.3.3"
        set extport 80
        set mappedport 80
    next
end

 

After you create a VIP object you have to create a firewall rule to allow this traffic.

 

config firewall policy
    edit 0
        set srcintf "wan1"
        set dstintf "internal1"
        set srcaddr "all"
        set dstaddr "NAT_HTTP"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
        set logtraffic all
    next
end

If you do this through the GUI, remember to disable NAT on your firewall policy.

 

 

 

   Allan Lago

   Security Analist

   allan.lago@itsense.com.br

   +55 21 96436-1884

   +55 54 99100-0949

   https://itsense.com.br

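An added example, not from the original post, extending Allan's single VIP to the two-WAN layout dbrady described (WAN1:80 to 192.168.3.3, WAN2:80 to 10.0.0.10) in FortiOS 5.4 CLI. The object and policy names and the inside interface internal1 are assumptions; extip is left at its default so each VIP answers on its member interface's own address. srcintf is set to the WAN LLB interface, whose 5.4 CLI name is virtual-wan-link, because dbrady reports that the GUI only offers that once LLB is enabled (Allan's snippet uses wan1 directly instead). The VIP's extintf is what ties each forward to its specific link; the policy uses the specific service rather than ALL and disables NAT explicitly.

```fortios
# Added example, not from the original post. Names, internal1 and the
# use of virtual-wan-link as srcintf are assumptions; see the lead-in.
config firewall vip
    edit "VIP_WAN1_HTTP"
        set extintf "wan1"
        set portforward enable
        set mappedip "192.168.3.3"
        set extport 80
        set mappedport 80
    next
    edit "VIP_WAN2_HTTP"
        set extintf "wan2"
        set portforward enable
        set mappedip "10.0.0.10"
        set extport 80
        set mappedport 80
    next
end

config firewall policy
    edit 0
        set name "IN_WAN1_HTTP"
        set srcintf "virtual-wan-link"
        set dstintf "internal1"
        set srcaddr "all"
        set dstaddr "VIP_WAN1_HTTP"
        set action accept
        set schedule "always"
        set service "HTTP"
        set nat disable
        set logtraffic all
    next
    edit 0
        set name "IN_WAN2_HTTP"
        set srcintf "virtual-wan-link"
        set dstintf "internal1"
        set srcaddr "all"
        set dstaddr "VIP_WAN2_HTTP"
        set action accept
        set schedule "always"
        set service "HTTP"
        set nat disable
        set logtraffic all
    next
end
```

Because the destination address of each policy is the VIP object, a packet arriving on wan2 for port 80 can only match the second policy, so the two forwards stay separate even though both policies share the same source interface.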
dbrady

Hi Alago,

 

Thank you for your reply.

I was advised that you can't use WAN LLB and VIPs, which is why I created policy-based routes for the inbound traffic?

 

 

 

Allan_Lago

Hi dbrady,

 

That's not correct. You can use VIP with LLB or SD-WAN. I personally use it with SD-WAN without any problem.

 

Try it out and post some feedback please ; )

 

dbrady

Hi Alago,

 

Thanks again, I will remove the PBR, create VIPs and amend the FW policy accordingly.

 

I will be onsite later to test this setup and will feedback my results.

Allan_Lago

Hey Dbrady,

 

Did it work?

 

 

 

dbrady

Hey Alago,

 

Yes, the VIPs did work with the LLB setup; initially everything was working OK, outbound/inbound traffic (although I couldn't get FTP to work inbound). Fortinet are investigating why.

 

FTP traffic was hitting the VIP and then somehow routing back out the WAN. Debug shows 'Match policy routing' although I have no PBR in place.

 

I made a change to a WAN LLB rule to test outbound traffic, which now seems to have affected ALL inbound traffic, and it's having the same outcome I was having with FTP. Changed the rule back to what it was and this has had no effect. It all seems rather odd.

 

Debug output below. Any advice would be greatly appreciated.

 

FTP traffic using port 38521

id=20085 trace_id=2861 func=init_ip_session_common line=5047 msg="allocate a new session-00047b9d"
id=20085 trace_id=2861 func=fw_pre_route_handler line=182 msg="VIP-10.0.0.251:38521, outdev-wan1"
id=20085 trace_id=2861 func=__ip_session_run_tuple line=2894 msg="DNAT 62.232.x.x:38521->10.0.x.x:38521"
id=20085 trace_id=2861 func=vf_ip_route_input_common line=2583 msg="find a route: flag=00000000 gw-10.0.x.x via lan"
id=20085 trace_id=2861 func=fw_forward_handler line=577 msg="Denied by forward policy check (policy 0)"
id=20085 trace_id=2862 func=print_pkt_detail line=4903 msg="vd-root received a packet(proto=6, 92.40.x.x:50534->62.232.x.x:38521) from wan1. flag , seq 2651949740, ack 0, win 8192"

 

 

inbound on port 443

id=20085 trace_id=4930 func=init_ip_session_common line=5047 msg="allocate a new session-0005c475"
id=20085 trace_id=4930 func=fw_pre_route_handler line=182 msg="VIP-192.168.x.x:443, outdev-wan2"
id=20085 trace_id=4930 func=__ip_session_run_tuple line=2894 msg="DNAT 109.174.x.x:443->192.168.x.x:443"
id=20085 trace_id=4930 func=vf_ip_route_input_common line=2573 msg="Match policy routing: to 109.174.170.57 via ifindex-8"
id=20085 trace_id=4930 func=vf_ip_route_input_common line=2583 msg="find a route: flag=00000000 gw-109.174.x.x via wan2"
id=20085 trace_id=4930 func=fw_forward_handler line=577 msg="Denied by forward policy check (policy 0)"
id=20085 trace_id=4931 func=print_pkt_detail line=4903 msg="vd-root received a packet(proto=6, 62.232.x.x:56094->109.174.x.x:443) from wan2. flag , seq 2759382607, ack 0, win 64240"

 

inbound on port 1723

id=20085 trace_id=4881 func=init_ip_session_common line=5047 msg="allocate a new session-000599c3"
id=20085 trace_id=4881 func=fw_pre_route_handler line=182 msg="VIP-192.168.x.x:1723, outdev-wan1"
id=20085 trace_id=4881 func=__ip_session_run_tuple line=2894 msg="DNAT 62.232.x.x:1723->192.168.x.x:1723"
id=20085 trace_id=4881 func=vf_ip_route_input_common line=2573 msg="Match policy routing: to 109.174.170.57 via ifindex-8"
id=20085 trace_id=4881 func=vf_ip_route_input_common line=2583 msg="find a route: flag=04000000 gw-109.174.x.x via wan2"
id=20085 trace_id=4881 func=fw_forward_handler line=577 msg="Denied by forward policy check (policy 0)"

 

 

id=20085 trace_id=4883 func=init_ip_session_common line=5047 msg="allocate a new session-0005a56c"
id=20085 trace_id=4883 func=fw_pre_route_handler line=182 msg="VIP-192.168.x.x:443, outdev-wan2"
id=20085 trace_id=4883 func=__ip_session_run_tuple line=2894 msg="DNAT 109.174.x.x:443->192.168.x.x:443"
id=20085 trace_id=4883 func=vf_ip_route_input_common line=2573 msg="Match policy routing: to 109.174.x.x via ifindex-8"
id=20085 trace_id=4883 func=vf_ip_route_input_common line=2583 msg="find a route: flag=00000000 gw-109.174.x.x via wan2"
id=20085 trace_id=4883 func=fw_forward_handler line=577 msg="Denied by forward policy check (policy 0)"
id=20085 trace_id=4884 func=print_pkt_detail line=4903 msg="vd-root received a packet(proto=6, 62.232.x.x:55862->109.174.x.x:443) from wan2. flag , seq 454712933, ack 0, win 64240"

 

 

Not sure what "Match policy routing: to 109.174.x.x via ifindex-8" is?
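An added diagnostic sequence for FortiOS 5.4 CLI, not from the original thread: it lists the policy routes the unit actually evaluates and captures the same kind of flow trace dbrady posted. WAN LLB rules are installed as policy routes, so they show up in diagnose firewall proute list even when config router policy is empty; that is what "Match policy routing" in the trace refers to, which is consistent with dbrady's later finding that deleting the test LLB rule cleared the problem. The port filter 443 and the 20-packet trace length are the only values chosen here.

```fortios
# Added example, not from the original thread. Port 443 and the
# 20-packet trace length are arbitrary choices.

# Policy routes in effect, including those installed by WAN LLB rules
diagnose firewall proute list
# Manually configured policy routes only (none in dbrady's case)
show router policy
# WAN LLB members and rules as configured
show system virtual-wan-link

# Trace one inbound flow towards the VIP
diagnose debug reset
diagnose debug flow filter clear
diagnose debug flow filter port 443
diagnose debug flow show console enable
diagnose debug flow show function-name enable
diagnose debug enable
diagnose debug flow trace start 20
# open the inbound connection now, then stop and clean up
diagnose debug flow trace stop
diagnose debug disable
diagnose debug reset
```

In the trace, read the three lines after DNAT together: the forward policy check is evaluated against the interface the route lookup returns, so when "Match policy routing" steers a session that arrived on wan1 back out via wan2, the wan-to-internal policy that was written for the VIP no longer matches and the session is dropped by the implicit policy 0. Compare the ifindex in the "Match policy routing" line with the entries in diagnose firewall proute list to identify which rule is doing it.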

dbrady
New Contributor

Managed to fix the issue and so far everything is working as it should.

 

The issue I think was related to a WAN LLB rule I created to test inbound to WAN1 to route traffic out WAN2 (and vice versa), so I deleted that and it appears to have sorted the issue.

 

One other question I have is that I have created a VIP for WAN1 port 1723 and I have also created a PBR to include the source IP address and port 1723. The reason is that the policy used for the VIP is disabled by default and only enabled on an ad hoc basis, but we want the PBR to be enabled permanently.

 

Would this work? I.e. VIPs and PBR, or would it be best to create a PBR instead of the VIP and have it below the other PBR rules?

vinayakpandit
New Contributor

Hello,

I've a query regarding implementation of WAN redundancy (Active+Active + Fail-over).

 

Device 200B running v5.2.4, build688 (GA) with 16 ports.

I have 2 links for Internet (diff ISPs) and 2 links for MPLS (P2P data)

 

I wanted to load balance both links with fail-over.

 

Requirement - 

 

@ Internet - traffic will flow 50+50 and if one link is down then the second link will carry the load (port10 & port11)

 

@ MPLS - traffic will flow 50+50 and if one link is down then the second link will carry the load (port8 & port9)

 

Please help me out to fulfill this requirement.
