- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: WAN2 on 60D
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
WAN2 on 60D
Hi there,
We're currently using FortiWiFi 60D, running OS v5.0 build 4459.
We previously has one internet line connected to WAN1 with a fixed IP - say 172.1.2.10 ; All internet traffic is working fine with a static route for 0.0.0.0 to WAN1. External parties can Ping this IP successfully.
Now we added a 2nd internet line, again with a fixed IP - say 172.1.2.20. The line was installed and we've set up a laptop with the given IP, submask and DNS details and connected to the modem. All is working fine, the laptop an browse internet and can be Ping from external.
However, when I set up the fixed IP on WAN2 port and connected WAN2 to the modem. I cannot Ping the IP address from external parties. The line status is up and all seems working.
Do I have to do other set up? or need to upgrade the OS?
Thanks,
KW
10 REPLIES 10
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your pinging from outside is coming into WAN2 but the response is trying to go out WAN1 by following the default route, but dropped because of asymmetric route. If you're just testing, you can set a /32 route toward WAN2 for the ping source. But you likely want to set at least another default route with higher priority value (the higher, the lower the priority is) like 10 via CLI toward WAN2, so that WAN2 would act as a backup internet.
If you want to set load-balancing, there are other documentations available. I would just google it.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for your reply Toshi.
I've now added another default route for 0.0.0.0 to WAN2, with priority = 10. The original default route for WAN1 has priority = 0. Both have distance = 10.
I've also added another policy to all internal LAN to allow ALL thru WAN2 interface too.
I tried to ping the WAN2 line's gateway IP, and it ping successfully. The Policy screen on Firewall also shows increasing number of packets going thru that WAN2 policy.
I tried to ping the fixed IP on WAN2 interface from internal, but ping failed.
I can ping the fixed IP on WAN1 interface successfully from internal and also from outside.
Ping to WAN2 IP also failed from outside.
I'd more research on google, and all was suggesting just needing to add default route and duplicate the policies - which I did. I don't need to set up failover, as all I want is a NAT thru WAN2 IP to an internal web server.
Just not sure why it still fail, and any suggestions?
Thanks,
KW
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
doublecheck 1) ping is allowed on WAN2 interface, then 2) any trusthosts are configured. If so you need to add the ping source to it. Likely 2). Pinging interface doesn't require a policy.
To allow just one web site to go through WAN2, you don't need the default route but need a specific static route toward WAN2.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Are you setting two lines for the redundancy purpose?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@Toshi:
I disagree about not having to have a second default route. If a packet arrives on WAN2, it's source address is unknown to the FGT. The destination address may or may not be NATted by a VIP, this doesn't matter in this context. The FGT will drop the packet because of unknown origin (reverse path check failure).
To cover ALL conceivable addresses, you need a default route.
@KW:
Pinging successfully is second to being able to reach the internal server successfully. You haven't posted if you can do that or not. If you use a VIP, it won't forward ICMP by default. In FortiOS v5.4 you can enable ICMP forwarding in the VIP setup (CLI).
Again, for being able to ping the FGT's WAN interface 'ping' must be allowed in the interface setup ('allow access'). And of course trusted hosts apply if configured.
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I just picked up KW's statement "all I want is a NAT thru WAN2 IP to an internal web server." He didn't mention about sessions in out-to-in direction initiated by other outside parties. I assumed all sessions through WAN2 is from in-to-out only initiated by internal users/devices as well. If that's really the case as long as the FG has a route (and a policy) to the destination (could be /32) the FG doesn't need to know to reach other destinations on the internet through WAN2. They would go out through WAN1 with the original default route.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm so sorry. I read is as "an Internet web server" instead of "an Internal web server". I was wrong. You need a default route.
My apology.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi KW,
a firmware upgrade is the first step I'd suggest. We also had a smimilar problem some time ago on a 60C and it turned out to be a firmware bug in managing the "double wan routing". It was some 5.x version..
Now the box is running 5.2.6 and we got no problem anymore.
Bye
Gianluca
FGT: 50E,100D, 200D, 600D
FMG: VM64
FAZ: VM64
FGT: 50E,100D, 200D, 600DFMG: VM64
FAZ: VM64
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
At least it can't hurt to update to 5.0.13 (current). Stay with the 5.0 line (not 5.2) and please follow the recommended upgrade path - it might require intermediate firmware versions to keep the config intact. (Get hints from search in the forums "Upgrade Matrix").
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Related Posts
- Forti High Availability using different hardware 212 Views
- How to configure physical internal switch... 177 Views
- Connecting Two SIP Trunks with Different... 389 Views
- Traceroute choosing available interface member lower... 204 Views
- Email POP3 block 202 Views
Labels
-
FortiGate
6,753 -
FortiClient
1,344 -
5.2
801 -
5.4
639 -
FortiManager
580 -
FortiAnalyzer
425 -
6.0
416 -
5.6
362 -
FortiSwitch
346 -
FortiAP
344 -
FortiClient EMS
274 -
FortiMail
262 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
160 -
6.4
128 -
FortiNAC
110 -
FortiGuard
108 -
FortiSIEM
91 -
FortiGateCloud
88 -
IPsec
86 -
FortiCloud Products
85 -
FortiToken
73 -
Customer Service
70 -
SSL-VPN
69 -
4.0MR3
64 -
Wireless Controller
62 -
FortiProxy
47 -
FortiADC
44 -
FortiEDR
41 -
Fortivoice
41 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
33 -
FortiSandbox
33 -
SD-WAN
33 -
FortiSwitch v6.4
30 -
Firewall policy
30 -
High Availability
24 -
FortiConnect
24 -
VLAN
23 -
FortiAuthenticator
22 -
FortiWAN
22 -
FortiConverter
21 -
ZTNA
20 -
FortiPortal
18 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
Certificate
16 -
FortiMonitor
14 -
SAML
14 -
BGP
14 -
DNS
14 -
Interface
14 -
Logging
14 -
FortiGate v5.0
13 -
FortiDDoS
13 -
LDAP
12 -
Routing
12 -
FortiCASB
12 -
VDOM
12 -
fortilink
11 -
RADIUS
10 -
Virtual IP
10 -
FortiRecorder
10 -
FortiWeb v5.0
9 -
Authentication
9 -
SSL SSH inspection
9 -
Traffic shaping
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
SSID
8 -
FortiSOAR
8 -
SSO
8 -
Application control
8 -
RMA Information and Announcements
7 -
FortiAnalyzer v5.0
7 -
Fortigate Cloud
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
FortiBridge
6 -
SNMP
6 -
Web profile
6 -
Proxy policy
5 -
Traffic shaping policy
5 -
FortiAP profile
5 -
Web application firewall profile
5 -
FortiTester
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
IPS signature
4 -
Packet capture
4 -
Antivirus profile
4 -
Automation
4 -
WAN optimization
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Port policy
4 -
FortiToken Cloud
3 -
DoS policy
3 -
Email filter profile
3 -
Web rating
3 -
Intrusion prevention
3 -
FortiDB
3 -
trunk
3 -
FortiDeceptor
2 -
System settings
2 -
FortiInsight
2 -
NAC policy
2 -
Fortinet Engage Partner Program
2 -
Users
2 -
Traffic shaping profile
2 -
FortiPAM
2 -
VoIP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Protocol option
2 -
4.0MR1
1 -
TACACS
1 -
Replacement messages
1 -
Subscription Renewal Policy
1 -
Schedule
1 -
FortiCWP
1 -
FortiNDR
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
Fabric connector
1 -
Multicast routing
1 -
Explicit proxy
1 -
Zone
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.