Hello, I have a big problem. The HQ has two WANs with 2 different ISPs.
I would like to route the HQ's Internet traffic over WAN1 and create a tunnel to the branch office over WAN2.
The problem is that as soon as I enable WAN2 all clients from LAN1 try to connect over WAN2.
The configuration here:
WAN1 = Network > Interfaces > PPPoE = O.K.
WAN2 = Network > Interfaces > PPPoE (VLAN40) = O.K.
Static Route > Destination = 0.0.0.0/0.0.0.0 > Interface = WAN1 > Distance 5 > Priority = 0
Static Route > Destination = IP of Branch/32 > Interface = vlan40 > Distance 5 > Priority = 3
IPsec Tunnel to Branch = Up
Policy from LAN1 > VLAN40 = disabled
Policy from LAN1 > WAN1 = outgoing all enabled
Log > Forward Traffic > all Clients from LAN1 try to use Destination Interface VLAN40 > implicit Deny
I tried diag ip rtcache flush > no success
All clients from LAN1 use outgoing interface VLAN40 until I disable the interface
What is wrong?
Hello
Have you tried with policy routes:
As @AEK suggests, policy routing is one way to accomplish.
Another way to accomplish without policy routes is:
1. "set defaultgw disable" on both wan1 and wan2(VLAN40) interface config
2. set a simple static default route to wan1 and another static default route with higher priority number (lower priority) like 10 to wan2:
```
config router static
    # default route via wan1 (gateway learned from PPPoE), default priority 0
    edit 0
        set device wan1
        set dynamic-gateway enable
    next
    # second default route via VLAN40; higher priority number = less preferred
    edit 0
        set device VLAN40
        set dynamic-gateway enable
        set priority 10
    next
end
```
At this point, all HQ users' Internet traffic should go out via wan1 if the default policy exists.
3. set up your IPsec VPN to branch by specifying wan2(VLAN40)
4. set more specific routes for branch office's subnets toward the tunnel interface
5. Then set up proper policies for traffic to branch(es)
And, the third option is to set up SD-WAN and build up rules to route specifically. This is more advanced/controllable policy routing.
In other words:
option1 - good old "FW" guy's way
option2 - good old "Router" guy's way
option3 - newer "SD-WAN" guy's way
Toshi
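Toshi's option 2 above, written out as one FortiOS CLI script (an added example, not posted in the thread). The interface names wan1/VLAN40, the 192.168.10.0/24 HQ and 192.168.20.0/24 branch subnets, the tunnel name toBranch and the <PLACEHOLDER> values are assumptions; replace them with your own.

```fortios
# Added example, not from the thread: Toshi's option 2 (steps 1-4) as one script.
# Interface names, subnets, tunnel name and <PLACEHOLDER> values are assumptions.
# 1. Stop both PPPoE interfaces from injecting their own default routes.
config system interface
    edit "wan1"
        set defaultgw disable
    next
    edit "VLAN40"
        set defaultgw disable
    next
end
# 2. Equal distance: lower priority number (wan1) wins; the /32 pins the branch peer to WAN2.
config router static
    edit 0
        set device "wan1"
        set dynamic-gateway enable
    next
    edit 0
        set device "VLAN40"
        set dynamic-gateway enable
        set priority 10
    next
    edit 0
        set dst <BRANCH_PUBLIC_IP> 255.255.255.255
        set device "VLAN40"
        set dynamic-gateway enable
    next
end
# 3. Tunnel bound to VLAN40 (WAN2).
config vpn ipsec phase1-interface
    edit "toBranch"
        set interface "VLAN40"
        set remote-gw <BRANCH_PUBLIC_IP>
        set psksecret <PRE_SHARED_KEY>
    next
end
config vpn ipsec phase2-interface
    edit "toBranch-p2"
        set phase1name "toBranch"
        set src-subnet 192.168.10.0 255.255.255.0
        set dst-subnet 192.168.20.0 255.255.255.0
    next
end
# 4. More specific route for the branch LAN through the tunnel interface.
config router static
    edit 0
        set dst 192.168.20.0 255.255.255.0
        set device "toBranch"
    next
end
```

Step 5 is the ordinary LAN1 to toBranch accept policy plus its reverse. Confirm the result with `get router info routing-table all`: both default routes are listed, and the wan1 entry carries the lower priority value.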
Then, I'm a good old router guy, of course. ;)
Toshi
What do you have in the routing-table at the beginning? Below is my SD-WAN 40F's.
```
fg40f-utm (root) # get router info routing-t all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

Routing table for VRF=0
S*      0.0.0.0/0 [1/0] via x.x.x.x, ppp3, [1/20]
                  [1/0] via y.y.y.y, a, [1/1]
<snip>
```
If it's a dynamic IP on wan2, you might need to set a DDNS and use the DNS name on the branch side as static/main mode IPsec to connect to wan2.
Toshi