Support Forum
riaanb
New Contributor

resolved -- Dual WAN - inbound NAT on second WAN

Hi, I am struggling to get inbound NAT via the second (non-default-gateway) WAN working. When I change the default gateway to be on the 2nd WAN network my Virtual IP NAT policy works; when the default gateway is on WAN1, it does not. We have tried to configure a policy-based route to route the outbound traffic via WAN2, but have failed. The policy route is as follows:

Protocol: 6
Incoming interface: LAN interface
Source: (internal IP on which the service we are NATing to is running)
Dest: 0.0.0.0/0.0.0.0
Destination ports: 8080 to 8080
Outgoing interface: WAN2 interface
Gateway: WAN2 router IP

We have played with the different interfaces. What order do things happen in? Inbound VIP policy -> NAT to internal service -> NAT to public network (on default GW network) -> policy-based route?? Any pointers?

Thanks!
Riaan
-- riaan Fortigate 80c - 4.0 MR2 patch 7
Carl_Wallmark
Valued Contributor

Hi, the highlighted line indicates that the packets going out don't come back on the same interface; the FortiGate will then drop them.

FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C

riaanb
New Contributor

Thanks, I have figured out what I have been doing wrong. I did not add a default route out for the second ADSL connection. I added a static route of 0.0.0.0 for the 2nd ADSL with a priority of 10. I was under the impression that the policy-based route would negate the need for this. This technote details how to route inbound traffic via a secondary WAN connection: http://kb.fortinet.com/kb/microsites/microsite.do?cmd=displayKC&externalId=FD31240

Thanks all!
Riaan
-- riaan Fortigate 80c - 4.0 MR2 patch 7
ede_pfau
SuperUser

The reason why you need a second default route here is the following: as an anti-spoof measure the FGT will reject incoming traffic to which it does not have a valid route back. A default route "clears" all incoming traffic. BUT, you should give the secondary default route a higher priority (= less preference) than the primary default route via wan1. If you look at the routing monitor you should see both default routes, but only one (the primary) will be used for egress traffic. The secondary default route is mentioned in the cited KB article, alas without any explanation of why it's needed (keyword: anti-spoof). They just write that it will "allow packet ingressing wan2 from the internet".
Ede Kernel panic: Aiee, killing interrupt handler!
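A minimal CLI configuration of the fix described in the two posts above (the second default route with a lower preference, plus the VIP, its firewall policy and a policy route for the server's replies), added here as an example; it is not taken from the thread or from the Fortinet KB article. Interface names (wan1, wan2, internal), the RFC 5737 addresses, the object names and the priority values are assumptions for illustration, and the keyword spelling follows the 4.0-era CLI (for example `set src <ip> <mask>` in policy routes), so check it against the CLI reference for the firmware actually in use.

```text
# Assumed addressing (not from the thread):
#   internal server 192.168.1.10 listening on tcp/8080
#   wan1 gateway 203.0.113.1 (primary ISP)
#   wan2 gateway 198.51.100.1, public VIP address 198.51.100.10 (second ADSL)

# 1. Two default routes with the SAME distance, so both are installed in the
#    routing table. The lower priority value is preferred, so ordinary egress
#    still leaves via wan1. The wan2 default route exists so that the
#    reverse-path (anti-spoof) check finds a route back out wan2 for Internet
#    sources arriving on wan2; without it those packets are dropped before any
#    VIP or firewall policy is consulted.
config router static
    edit 1
        set device "wan1"
        set gateway 203.0.113.1
        set distance 10
        set priority 0
    next
    edit 2
        set device "wan2"
        set gateway 198.51.100.1
        set distance 10
        set priority 10
    next
end

# 2. Policy route for the server's replies. Matching on the server address
#    (not on destination port 8080) is deliberate: a reply packet has source
#    port 8080 and the client's ephemeral port as destination, so a
#    destination-port match would never see it.
config router policy
    edit 1
        set input-device "internal"
        set src 192.168.1.10 255.255.255.255
        set dst 0.0.0.0 0.0.0.0
        set protocol 6
        set output-device "wan2"
        set gateway 198.51.100.1
    next
end

# 3. Port-forwarding VIP bound to wan2, a service object limited to tcp/8080,
#    and the inbound policy that uses them.
config firewall vip
    edit "srv-8080-wan2"
        set extintf "wan2"
        set extip 198.51.100.10
        set portforward enable
        set extport 8080
        set mappedip 192.168.1.10
        set mappedport 8080
    next
end

config firewall service custom
    edit "TCP-8080"
        set protocol TCP/UDP/SCTP
        set tcp-portrange 8080
    next
end

config firewall policy
    edit 10
        set srcintf "wan2"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "srv-8080-wan2"
        set action accept
        set schedule "always"
        set service "TCP-8080"
        set logtraffic enable
    next
end

# 4. Verify: both default routes should be listed (wan1 preferred), then
#    trace a test connection to 198.51.100.10:8080 from outside.
get router info routing-table all
diagnose debug flow filter port 8080
diagnose debug flow show console enable
diagnose debug flow trace start 10
diagnose debug enable
```

Two points worth keeping in mind when adapting this. The distances must be equal: a second default route with a worse distance is not installed in the routing table at all and therefore does nothing for the reverse-path check, whereas priority leaves both routes installed and only decides which one egress uses. And the inbound policy is deliberately narrowed to a single TCP port object rather than an any-service match, so the VIP exposes only the intended service on the second WAN.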
riaanb
New Contributor

Thanks for the explanation Ede
-- riaan Fortigate 80c - 4.0 MR2 patch 7