dual WAN, but not load balancing nor ECMP

Agent_1994 · ‎08-04-2016

Hello!

I've the following situacion on a customer's site:

[ul]

Fortigate connected to two WAN links, both via an ethernet cable. Let's call them WAN_A and WAN_B.

These links are connected to the same VDOM.

WAN_A is the default gateway. WAN_B will just listen for connections to a SSL VPN and will have certain virtual IPs, it wont be used as a default gateway nor load balancer.

There is a 0.0.0.0/0.0.0.0 (default) static route pointing to GW_WAN_A on WAN_A's interface.

For the time being, i've enabled PING on WAN_B.[/ul]

How do i make this work?, i've tried:

[ul]

Another default route to GW_WAN_B with a higher administrative distance. Didn't work (can't ping).

A policy route with the following specs: [ul]

Incoming interface: WAN_B

Protocol: ANY

Source Address/Mask: 0.0.0.0/0.0.0.0

Destination Address/Mask: WAN_B_IPS/MASK

Action: Forward traffic

Outgoing interface: WAN_B

Gateway Address: GW_WAN_B[/ul]

The policy route triggered the RPF, i've disabled it but it didn't work either.[/ul]

I'd appreciate if anyone can point me in the right direction.

Greets.

MikePruett · ‎08-08-2016

What version of code are you using?

Are you wanting to load balance the outgoing traffic as well?

Mike Pruett

Fortinet GURU | Fortinet Training Videos

Agent_1994 · ‎08-08-2016

Thanks for replying!

The customer has 5.2.8, but can be upgraded to 5.4 (it's planned).

We're not trying to load balance, all outgoing connections will go through WAN_A. WAN_B is for incoming connections only (SSL_VPN and some virtual ips).

MikePruett · ‎08-08-2016

Ahh ok, I read the original title as you have dual WAN setup but it wasn't loadbalancing lol.

Now I see that you were saying that you don't want the typical deployment. My bad...it's a Monday morning.

The routes you are configuring (policy based ones) would be for traffic going outbound. Not return traffic for incoming listeners.

If you remove the policy route and the default route relating to WANB does it try to go back out the WANA interface when responding? (asynchronous route?)

Mike Pruett

Fortinet GURU | Fortinet Training Videos

ede_pfau · ‎08-08-2016

It shouldn't, as the session is opened from incoming traffic, and in the session table there's a field for the corresponding interface.

Ede

"Kernel panic: Aiee, killing interrupt handler!"

Agent_1994 · ‎08-08-2016

ede_pfau wrote:
It shouldn't, as the session is opened from incoming traffic, and in the session table there's a field for the corresponding interface.

Yes, i believe it's correct for the session table. But nowhere on this router's configuration is an entry for the default gateway for "ISP_B". Even when it knows that the connection came from "port4" (WAN_B), it doesnt know where to send it.

MikePruett · ‎08-08-2016

Do you know where these external connections will be coming from? Certain public subnets etc?

Mike Pruett

Fortinet GURU | Fortinet Training Videos

Agent_1994 · ‎08-08-2016

MikePruett wrote:
Do you know where these external connections will be coming from? Certain public subnets etc?

Nope, if that were the case i'd use static routes :(

localhost · ‎08-30-2016

Try to set same distance for both default gateways (a and b) but different priorities.

Priority field is hidden by default in the GUI.

The higher the priority number, the less likely the route is to be selected over others. The default is 0.

This way you can connect to both ip's from the outside, but only one wan interface will be used for outgoing traffic. And if the primary wan interface goes down, traffic will be routed of the 2nd wan interface.

Rafael_Rosseto · ‎11-18-2016

Hello,

Have you found what is causing it? I'm having the same.