VSI
New Contributor

Route Guest traffic out WAN2 & still have failover for WAN1

Hello,

 

I have a client with 2 WAN connections. They would like to use WAN2 as a "failover only" for WAN1 (i.e., no load balancing).

They would also like to route Guest VLAN traffic out WAN2 only.

 

I have searched the KB articles and the forum, and I am still a bit confused as to how to properly implement this scenario.

I believe I need to do the following:

  • Set wan1 and wan2 static routes with same distance and priority
  • Configure link health monitor/dead gateway detection for wan1
  • Create policy-based route for internal LAN (except guest) to go out wan1 (must be first so traffic flows out wan1 first, unless down)
  • Create policy-based route for internal LAN (except guest) to go out wan2 (this is backup route if wan1 fails)
  • Create policy-based route for Guest VLAN to go out wan2
  • Modify default LAN firewall policy to allow traffic (except guest VLAN) out wan1 and wan2 interface
  • Modify Guest VLAN firewall policy to allow traffic out wan2

    Is this the correct way to implement the scenario I described above? Am I missing anything?

     

    Thank you so much for your time.

    -Jon


    8 Replies
    gschmitt
    Valued Contributor

    VSI wrote:

  • Create policy-based route for internal LAN (except guest) to go out wan1 (must be first so traffic flows out wan1 first, unless down)
  • Create policy-based route for internal LAN (except guest) to go out wan2 (this is backup route if wan1 fails)

    Skip these two steps :)

    Unless otherwise specified with policy routes they will use the static routes, instead increase the priority of the default route

    VSI
    New Contributor

    Thanks for the reply!

     

    As I understand policy routes they are applied before static and connected routes. So, if we have a route with destination 0.0.0.0/0.0.0.0 it will route all traffic using this policy route. When I enter the policy route using "source: Guest VLAN, destination:0.0.0.0/0.0.0.0, interface: WAN2" this will route all traffic, including our internal LAN traffic, out WAN2.

     

    This would not achieve the desired result, so my thought was to specify policy routes for all other internal LAN traffic to go out WAN1, and put these policies at the top of the order list.

     

    Does this make sense or am I still wrong?

    This post might explain it better: https://forum.fortinet.com/tm.aspx?m=112840

     

    Thanks again for your reply and assistance!

    gschmitt
    Valued Contributor

    VSI wrote:

    "source: Guest VLAN, destination:0.0.0.0/0.0.0.0, interface: WAN2" this will route all traffic, including our internal LAN traffic, out WAN2.

     

    No, it shouldn't. Policy Routes only affect the selected Source Interfaces and since it's a Guest VLAN your normal internal LAN shouldn't be affected.

    VSI
    New Contributor

    Ok, we will skip those steps and test it out, thanks again.

     

    I'll post our results, good or bad :)

    Allwyn_Mascarenhas

    gschmitt wrote:

    VSI wrote:

  • Create policy-based route for internal LAN (except guest) to go out wan1 (must be first so traffic flows out wan1 first, unless down)
  • Create policy-based route for internal LAN (except guest) to go out wan2 (this is backup route if wan1 fails)

    Skip these two steps :)

    Unless otherwise specified with policy routes they will use the static routes, instead increase the priority of the default route

    The doc says: The route with the lowest value in the priority field is considered the best route. It is also the primary route.

     

    So the default route priority which is wan1 here should be less.

    gschmitt

    allwynmasc wrote:

     

    The doc says: The route with the lowest value in the priority field is considered the best route. It is also the primary route.

     

    So the default route priority which is wan1 here should be less.

    Correct, by increasing the priority I meant lowering the number.

    Damn this quirky language

    Allwyn_Mascarenhas

    gschmitt wrote:

    allwynmasc wrote:

     

    The doc says: The route with the lowest value in the priority field is considered the best route. It is also the primary route.

     

    So the default route priority which is wan1 here should be less.

    Correct, by increasing the priority I meant lowering the number.

    Damn this quirky language

    haha right . .

    VSI

    Update: this is working properly after skipping the steps identified by gschmitt. Thanks for the assistance!