- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- dual wan with policy routes?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Not applicable
Created on 02-05-2009 01:03 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
dual wan with policy routes?
hi all,
i have this lan-situation: http://www.zebis.ch/dualwan.gif
all traffic from clients must go out -> wan1
all traffic from webserver (dmz2) must go out -> wan2
all outside traffic with destination to webserver will come in -> wan2
on my FG-A100 2.08MR12 i did this with:
- a static default route on each wan
- and one policy route " incoming dmz2, outgoing wan2, src/dst 0.0.0.0/0.0.0.0"
this worked fine since i made a update to 3.0 MR7P2
since that, some clients cannot go out. sniffering the FW tells me,
the FW will drop ip-pakets... when i shut down wan2, everything works fine,
but our webserver is off-line from the outside world....
any ideea how to solve this routing? i konw it can be done with
vdom, but this means e complet redraw of the network, which i
will do later...
thanx, claudio
5 REPLIES 5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
make sure that both static 0.0.0.0/0 routes have the same metric.
You can give one route a higher prio (through CLI) if needed (so in your case the route to wan1 will have higher prio and is sort of def-GW)
I' d suggest not to use a ping server in a first step - not to introduce another piece of complexity in the beginning.
You still need policies for both Interfaces of course.
Make sure you do not have asymmetric routing.
eg - if a " normal" packet from Lan is sount out through wan2 (maybe proxy is in DMZ?) than the back-packets may arrive on wan1 - which than are dropped as there is no state.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yes,
static routes are fine, same metric, no pingserver...
firewall policies ar on both interfaces...
routing policy is just one : incomming dmz2 -> outgoing ->wan2
do i need more routing policies???
which?
thanx, claudio
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Minutella,
for your scenario you need at first 2 static routes for your connection to outside (one for wan1 one for wan2), both must have the same distance, maybe 10.
Then you have to add 4 policy routes, maybe your clients are on int1 and your webserver on dmz2 and you want the internal clients use wan1 and the dmz2 server should use wan2 only:
Incoming WAN1 force to INT1
Incoming INT1 force to WAN1
Incoming WAN2 force to DMZ2
Incoming DMZ2 force to WAN2
Adjusting the two default routes to the same distance and making pol. routing as above will do your job...
Going further:
If you want to, you can also make a setup, that is dedicated source and destination ip range or maybe just force http traffic in and out by using the tcp 6 prot and http source and dest. ports for wan2 and leaving any other traffic handled by a default policy route to wan1.
Not applicable
Created on 05-12-2009 05:19 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am trying close to the same setup. But when you setup the policy routes, what do you enter for the gateway for the internal and dmz interfaces. Would it be the ip address of the fortigate for that interface?
ex. internal network 192.168.1.0/24 fortigate would be 192.168.1.1
dmz 192.168.2.0/24 fortigate would be 192.168.2.1
Not applicable
Created on 05-13-2009 08:35 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I just put 0.0.0.0 for the gateway per Fortinet' s recommendation -- this is a good article: http://kc.forticare.com/default.asp?id=376&SID=&Lang=1
Search on BLANK to see how they recommend configuring the policy route
Related Posts
- IPsec phase1 negotiation failes due to... 61 Views
- Fortiproxy - how exactly is traffic... 40 Views
- Virtual IP for npm breaks my... 174 Views
- Failover routing to APN 105 Views
- IPsec Tunnel to StrongSwan fails after... 160 Views
Labels
-
FortiGate
6,624 -
FortiClient
1,319 -
5.2
801 -
5.4
639 -
FortiManager
573 -
FortiAnalyzer
418 -
6.0
416 -
5.6
362 -
FortiSwitch
340 -
FortiAP
337 -
FortiClient EMS
269 -
6.2
251 -
FortiMail
249 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
152 -
6.4
128 -
FortiNAC
108 -
FortiGuard
104 -
FortiSIEM
89 -
FortiGateCloud
87 -
FortiCloud Products
85 -
IPsec
75 -
FortiToken
72 -
Customer Service
70 -
4.0MR3
64 -
SSL-VPN
63 -
Wireless Controller
58 -
FortiProxy
46 -
FortiADC
44 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
33 -
FortiSandbox
31 -
FortiSwitch v6.4
29 -
SD-WAN
29 -
Firewall policy
26 -
FortiConnect
24 -
High Availability
22 -
FortiWAN
22 -
VLAN
21 -
FortiConverter
21 -
FortiAuthenticator
19 -
FortiPortal
18 -
ZTNA
17 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
SAML
14 -
Certificate
14 -
DNS
13 -
FortiGate v5.0
13 -
Interface
13 -
FortiDDoS
13 -
BGP
12 -
Routing
12 -
FortiCASB
12 -
LDAP
11 -
VDOM
11 -
Logging
11 -
Virtual IP
10 -
FortiRecorder
10 -
RADIUS
9 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
fortilink
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
SSL SSH inspection
7 -
FortiAnalyzer v5.0
7 -
Application control
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
Authentication
6 -
FortiBridge
6 -
Fortigate Cloud
6 -
SNMP
6 -
SSO
6 -
Traffic shaping policy
5 -
Web application firewall profile
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
Proxy policy
4 -
packet capture
4 -
WAN optimization
4 -
Automation
4 -
DNS Filter
4 -
Web profile
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
Port policy
4 -
FortiScan
4 -
IPS signature
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
DoS policy
3 -
Intrusion prevention
3 -
FortiDB
3 -
FortiDeceptor
2 -
Fortinet Engage Partner Program
2 -
FortiInsight
2 -
NAC policy
2 -
Antivirus profile
2 -
Traffic shaping profile
2 -
VoIP profile
2 -
FortiPAM
2 -
FortiAI
2 -
FortiHypervisor
2 -
Email filter profile
2 -
Netflow
2 -
trunk
2 -
System settings
2 -
4.0MR1
1 -
TACACS
1 -
Users
1 -
Replacement messages
1 -
Schedule
1 -
Subscription Renewal Policy
1 -
SDN connector
1 -
FortiCWP
1 -
FortiNDR
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Web rating
1 -
Internet Service Database
1 -
Multicast routing
1 -
Zone
1 -
Explicit proxy
1 -
Protocol option
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.