Hello,
I'm working on a F60E (v7.0.11 build0489) with 2 WAN connections.
They are both using PPPoE authentication, one of them is on VLAN 835.
The 2 connections work well individually but I can't find a way to configure them together with failover (not SDWAN).
The behaviour is pretty strange, as even if I set the same distance but different priorities it is always WAN2 that handles the traffic.
As you can guess WAN2 has to be my backup link and WAN1 my primary.
I tried link-monitor but it didn't help.
Here is part of my configuration.
(I temporarily disabled WAN2)
config system interface
edit "wan1"
set vdom "root"
set allowaccess ping fgfm
set type physical
set role wan
set snmp-index 1
next
edit "wan2"
set vdom "root"
set mode pppoe
set allowaccess ping https snmp
set status down
set type physical
set alias "OVH-SDSL"
set role wan
set snmp-index 2
set username "********"
set password ENC ********
next
edit "ORANGE-FIBRE"
set vdom "root"
set mode pppoe
set allowaccess ping https snmp http
set role wan
set snmp-index 18
set username "********"
set password ENC ********
set interface "wan1"
set vlanid 835
next
end
config system link-monitor
edit "ORANGE-FIBRE"
set srcintf "ORANGE-FIBRE"
set server "8.8.8.8"
next
edit "OVH-SDSL"
set srcintf "wan2"
set server "8.8.8.8"
next
end
If anybody knows how to handle this case please tell me :)
Hi,
If you need "Orange-Fibre" to be the preferred link when both links are up and active in the route table, set a higher priority value for the wan2 PPPoE link (remember: the higher the priority value, the lower the preference).
Best regards,
Jin
Hi,
Thanks for your help.
This is what I did and it looks like there is an unexpected behaviour with 2 PPPoE connections.
I've already set up something very similar on another FortiGate (100D) which was using only one PPPoE connection and everything is working as expected (like you said).
Maybe I'm missing something but I was pretty surprised.
You can check the route table after enabling both links. But if you only need one link active all the time and the other as backup, we could also think of setting a higher distance on one link so that it acts as secondary/backup.
Best regards,
Jin
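Jin's two suggestions (same distance with a lower priority value on the preferred link, or a higher distance on the backup) written out as a complete CLI configuration, with link-monitor withdrawing the default route of a link whose probe fails. This is an added example, not configuration from the thread or from Fortinet; it uses the interface names from the original post and assumes a LAN interface named "internal", that static route IDs 1 and 2, firewall policy ID 1 and a zone named "WAN" are unused, and that no other default routes exist.

```fortios
# Added example: static-route failover for two PPPoE links.
# Assumed names: LAN interface "internal", zone "WAN", route IDs 1/2, policy ID 1.
config system interface
    edit "ORANGE-FIBRE"
        set mode pppoe
        set interface "wan1"
        set vlanid 835
        # Stop the PPPoE client from installing its own default route;
        # the static routes below become the single source of truth.
        set defaultgw disable
    next
    edit "wan2"
        set mode pppoe
        set defaultgw disable
    next
end
config router static
    # Both routes share distance 10 so both stay active in the routing table;
    # the lower priority value (ORANGE-FIBRE) is the one selected for forwarding.
    edit 1
        set device "ORANGE-FIBRE"
        set dynamic-gateway enable
        set distance 10
        set priority 1
    next
    edit 2
        set device "wan2"
        set dynamic-gateway enable
        set distance 10
        set priority 10
    next
end
config system link-monitor
    # update-static-route removes the matching static route while the
    # probe fails, so the wan2 route becomes the only candidate.
    edit "ORANGE-FIBRE"
        set srcintf "ORANGE-FIBRE"
        set server "8.8.8.8"
        set failtime 5
        set recoverytime 5
        set update-static-route enable
    next
    edit "OVH-SDSL"
        set srcintf "wan2"
        set server "8.8.8.8"
        set failtime 5
        set recoverytime 5
        set update-static-route enable
    next
end
config system zone
    # Both links in one zone so a single policy covers primary and backup.
    edit "WAN"
        set interface "ORANGE-FIBRE" "wan2"
    next
end
config firewall policy
    edit 1
        set name "LAN-to-Internet"
        set srcintf "internal"
        set dstintf "WAN"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

A PPPoE interface with defaultgw enable (the default) installs its own default route using the distance and priority set under config system interface; if that stays enabled and dynamic-gateway static routes are added as well, the table carries two default routes per link and the priorities you set on the static routes are not necessarily the ones that decide. Use one mechanism only: either disable defaultgw and keep the static routes as above, or drop the static routes and set distance and priority directly on each PPPoE interface. Verify with get router info routing-table all (both default routes should be listed, the ORANGE-FIBRE one with priority 1 and the wan2 one with priority 10) and, if you chose different distances instead, with get router info routing-table database, which also shows the inactive backup route.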
Routing does not care about whether your interface does PPPoE or not.
If you do not want to use SD-WAN you have to have two default routes with different prio/distance.
And you have to add both links to your internet policies.
Then primarily the default route (and with it the link) with the lowest prio/distance will be used, and if that is not available the next higher one will be used.
It might thus be easier to achieve this using SD-WAN because then you only have to add both links as members of an SD-WAN zone and create an SD-WAN rule with manual member selection and add the members in the order you want them to be used. Then create some SD-WAN health check to enable the FGT to detect whether a link is down or not.
Then just use the SD-WAN interface in your internet policies and that's it. SD-WAN will automagically take care of all the rest for you :)
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
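sw2090's SD-WAN alternative as a complete configuration in FortiOS 7.0 CLI syntax: both PPPoE links in one SD-WAN zone, a ping health check, and a manual rule whose priority-members order pins Internet traffic to ORANGE-FIBRE first. This is an added example, not configuration from the thread or from Fortinet; it assumes a LAN interface named "internal", that SD-WAN member IDs 1 and 2, service ID 1, static route ID 1 and firewall policy ID 1 are unused, and that the two WAN interfaces have first been removed from any regular zone and from any existing static default routes.

```fortios
# Added example: SD-WAN failover for two PPPoE links (FortiOS 7.0 syntax).
# Assumed names: LAN interface "internal", member IDs 1/2, service ID 1,
# static route ID 1, policy ID 1.
config system sdwan
    set status enable
    config zone
        edit "virtual-wan-link"
        next
    end
    config members
        edit 1
            set interface "ORANGE-FIBRE"
            set zone "virtual-wan-link"
        next
        edit 2
            set interface "wan2"
            set zone "virtual-wan-link"
        next
    end
    config health-check
        # Marks a member dead after 5 failed probes, alive again after 5 good ones.
        edit "internet"
            set server "8.8.8.8"
            set protocol ping
            set failtime 5
            set recoverytime 5
            set members 1 2
        next
    end
    config service
        # Manual mode: members are tried strictly in priority-members order,
        # so wan2 only carries traffic while member 1 is marked dead.
        edit 1
            set name "internet-failover"
            set mode manual
            set src "all"
            set dst "all"
            set priority-members 1 2
        next
    end
end
config router static
    # One default route over the SD-WAN zone; the members' PPPoE gateways
    # are resolved per member.
    edit 1
        set sdwan-zone "virtual-wan-link"
    next
end
config firewall policy
    edit 1
        set name "LAN-to-Internet"
        set srcintf "internal"
        set dstintf "virtual-wan-link"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

Traffic that matches no SD-WAN rule falls through to the implicit rule, which load-balances across all alive members of the zone by source IP; that is what gives the "always a small part of traffic on WAN2" behaviour the original poster reports later in the thread. With the manual rule above, ORANGE-FIBRE handles everything while its health check passes and sessions move to wan2 only once it is marked dead. An interface cannot be both an SD-WAN member and a member of a regular zone, so the OP's existing zone-based policies have to reference the SD-WAN zone instead. Check the result with diagnose sys sdwan service (rule and member order) and diagnose sys sdwan health-check (per-member alive/dead state).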
Is there a reason you don't want to use SD-WAN?
Can you show us the routing table "get router info show routing-table all" and "show router static" when both links are up?
Also can you show us the relevant FW policy/policies allowing the traffic over both links?
I really appreciate everyone's help, thanks to all!
@jintrah_FTNT wrote:
You can check the route table after enabling both links. But if you only need one link active all the time and the other as backup, we could also think of setting a higher distance on one link so that it acts as secondary/backup.
That's an idea but it would be nice if I can keep monitoring both wan links (snmp from WAN).
I keep this option as something to try as monitoring backup link is not mandatory.
@sw2090 wrote: It might thus be easier to achieve this using SD-WAN because then you only have to add both links as members of an SD-WAN zone and create an SD-WAN rule with manual member selection and add the members in the order you want them to be used. Then create some SD-WAN health check to enable the FGT to detect whether a link is down or not.
Then just use the SD-WAN interface in your internet policies and that's it. SD-WAN will automagically take care of all the rest for you :)
About SD-WAN, I gave it a try but I wasn't able to send 100% of the traffic over a specific WAN; there was always a small part of the traffic going to WAN2 (1-99%). But as you said, this looks like it should be OK with the SD-WAN health check.
I'll give it a try!
@gfleming wrote:Is there a reason you don't want to use SD-WAN?
Can you show us the routing table "get router info show routing-table all" and "show router static" when both links are up?
Also can you show us the relevant FW policy/policies allowing the traffic over both links?
I'm using "zones" to get firewall rules easier to manage.
I'll post the routing table as soon as I can give it a try (the FortiGate is in production and I'm not onsite ...).
I'm thinking about something else I saw on other threads: can the "Automatic gateway retrieval" on my 2 static routes be a problem?
Anyway @All, I'll try the different possibilities and give you feedback.
To configure WAN failover on two PPPoE connections on a FortiGate with separate VLANs, you can follow these steps:
1. Configure both PPPoE connections on the FortiGate, assigning each connection to a separate VLAN interface.
2. Create a new virtual interface that will be used for the WAN failover. Go to Network > Interfaces and click Create New.
3. Select Virtual Interface and configure it with an IP address and subnet mask that is on the same network as the two PPPoE connections.
4. Go to Network > Static Routes and create a new route for the WAN failover. Set the destination IP address to 0.0.0.0/0 and set the next hop to the virtual interface that was created in step 3.
5. Go to Network > Interface > Physical and select the primary WAN interface (WAN1). Set the distance to 10 and the priority to 1.
6. Go to Network > Interface > VLAN and select the VLAN interface that is associated with WAN2. Set the distance to 20 and the priority to 2.
7. Go to Network > Policy Routes and create a new policy route for the WAN failover. Set the source interface to the virtual interface that was created in step 3, and set the destination interface to the physical WAN interface (WAN1). Set the service to ALL and set the gateway to the WAN2 VLAN interface.
These steps should configure the FortiGate to use WAN1 as the primary connection and WAN2 as the backup connection, with failover configured to automatically switch to the backup connection if the primary connection fails.
Copyright 2024 Fortinet, Inc. All Rights Reserved.