| Description |
This article describes how to add a new DHCP addressing mode wan connection as a redundant connection without affecting the primary connection.
When trying to add a new redundant DHCP addressing mode wan connection to an existing primary wan connection, could bring down the network.
This network down situation occurs because when a default route is created manually the default AD value set is 10, but when a dhcp based wan is added FortiGate installs the default route automatically with AD set to 5.
Verification
Using GUI: Network - > Static Routes
Using CLI:
config router static edit 1 set status enable set dst 0.0.0.0 0.0.0.0 set gateway 10.9.15.254 set distance 10 < --- Default AD value is 10 set weight 0 set priority 1 next end
FortiGate installing default route automatically with AD value 5 can be seen on Interface itself as follow.
config system interface edit "wan2" set vdom "root" set vrf 0 set fortilink disable set mode dhcp set distance 5 < ------ Default AD value is 5 set priority 1 end
Note: |
| Solution |
Follow the below steps to overcome the issue:
One can smoothly add the new DHCP wan connection without having the network go down. Change the AD value of the primary default route to anything less than 5, which will make sure that even if a new route is added it has no effect on primary default route.
config router static edit 1 set gateway 10.9.15.254 set distance 4 < ---- Ad value set < 5 set device "wan1" next end
get router info routing-table database
S *> 0.0.0.0/0 [4/0] via 10.9.15.254, wan1 < ----- active default route S 0.0.0.0/0 [5/0] via 192.168.25.1, wan2 < ------ non active default route C *> 10.9.0.0/20 is directly connected, wan1 C *> 169.254.1.0/24 is directly connected, fortilink C *> 192.168.25.0/24 is directly connected, wan2
Change the priority of the new DHCP route to 10 or anything higher than 0. For dhcp-based wan priority can only be changed using CLI.
config system interface edit "wan2" set vdom "root" set mode dhcp set priority 10 < --- Set priority more than 0 set allowaccess ping fgfm set type physical set role wan set snmp-index 2 next end
get router info routing-table database
S 0.0.0.0/0 [5/0] via 192.168.25.1, wan2, [10/0] < -- non active route with priority 10 S *> 0.0.0.0/0 [4/0] via 10.9.15.254, wan1 C *> 10.9.0.0/20 is directly connected, wan1 C *> 169.254.1.0/24 is directly connected, fortilink C *> 192.168.25.0/24 is directly connected, wan2
Change the AD value of the primary route to 5 to ensure both routes are active in the routing table as primary and secondary as expected.
config router static edit 1 set gateway 10.9.15.254 set distance 5 < ---- Ad value set as 5 set device "wan1" next end
get router info routing-table all
S* 0.0.0.0/0 [5/0] via 10.9.15.254, wan1 < ---- active primary default route [5/0] via 192.168.25.1, wan2, [10/0] < ---- active secondary default route C 10.9.0.0/20 is directly connected, wan1 C 169.254.1.0/24 is directly connected, fortilink C 192.168.25.0/24 is directly connected, wan2
The user can set up a link monitor as follows. This will ensure the failover occurs properly if one of the networks goes down.
config system link-monitor edit "wan1" set srcintf "wan1" set server "8.8.8.8" next edit "wan2" set srcintf "wan2" set server "8.8.8.8" next end
Related articles: Technical Tip: How to configure a FortiGate interface to use DHCPTechnical Tip: Redundant Internet connection without load-balancing |
