Hello,
I need to setup a second WAN link strictly as backup of WAN1, using SD-WAN. Is it possible to do that? e.g. passing traffic strictly from WAN1 and if and only if WAN1 fails, then pass traffic through WAN2. From what I have seen, SD-WAN is not capable for this configuration, but do you know if there is any configuration trick to do this?
Thanks
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
If that's what your intending use of two WAN interfaces, I wouldn't bind them in an SD-WAN interface. Instead, just set up a fail-over between two individual interfaces.
Agreed. The entire purpose of SD-WAN is to make the two interfaces appear as one to make it smoother and easier to do things like balancing/sharing/etc. No reason to set it up if you're not going to use the functionality it provides.
Thanks for the answer. Is this CLI only? I have an 60E and I don't see any GUI for that.
The easiest way to do it is right from the plain old routing setup in the GUI. Set both interfaces as active routes, but have heavily mismatched cost/weight settings. Everything will default to the primary link as path of least resistance until something happens to not let traffic pass.
It does need to be in CLI. You do need the priority and/or distance to be different as mentioned above. But, you also need a link-monitor defined which is CLI only now. If you don't it won't actually remove the static route when WAN1 goes down(unless the actual physical link breaks to bring the interface down)
You only need to configure one to monitor WAN1, since if WAN2 goes down it doesn't effect anything as everything is going WAN1 anyways.
config sys link-monitor
edit 1
set server 8.8.8.8 (or whatever you want to ping to determine failure)
set srcintf wan1
set update-cascade-interface disable
end
Also, don't forget the rules to allow traffic out WAN2
You can use SD-WAN to perform Backup easily.
Consider putting all interfaces in the SD-WAN one. Then create 2 SD-WAN Rules.
First rule with Primary interface as Member.
Second rule with Second interface as Member.
SD-WAN is more visual and powerful that policy based routing, link monitor, and can achieve more complex scenario based on Availability of remote service, or SLA. Instead of relying on next step interface status.
You could write for example following with SD-WAN Rules:
Network A -> Use Primary link LINK1 / Use Backup link LINK2
Network B -> Use Primary link LINK2 / Use Backup link LINK1
Network C -> load-balance through LINK1 & LINK2
Even if you intention today is only to perform Backup, because of cost or instability of the Backup link, consider usiong the SD-WAN, for future date when you would decide to change your uplink strategy. No change will be necessary to the configuration being ready to work. If binding tens of policies or features to a physical interface stick the configuration to a physical model, harder to change later.
My contribution.
hm I am running into the same issue more a less:
I have two or three internetlinks that should be used for load balancing
plus a cellular one that should only be used as fallback when all others are down.
I now did this test on a FGT running 6.2.4
[ul]I then plugged in a client to a port that is in the subnet to match the sdwan rules and gave it an ip (mandatory ;) ).
Then I looked at the external ip it went out to the internet. It was isp1 or isp2 wan ip. Correct so far.
So it matched rule #1 and went over the loadbalancer with isp1 and 2. Fine so far.
Now I unplugged isp1 and 2 - so all are down except the cellular one.
Performance sda confirms that to me.
Looking at the wan ip on my client again shows it now went out over the cellular link (Fallback). Fine too.
I plugged isp1 and 2 back in then and after some seconds (maybe delayed by browser cache) I could see it was going out to the internet over isp1 or 2 again. Fine.
Just I am not sure if that is authentic with only one client. Plus we do not have 6.2 on our other FGT...
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.