- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- How configure more than two ISPs
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How configure more than two ISPs
Hi, I have two FG 100D configured inside an active/pasive cluster (HA). I have two ISP configured and I´m making load balancing throught static routing, therefore I have two default static routes with the same metric and priority. I have also configured keepaplive at both lines to make that FG remove this routes if there is any problem witch each ISP. This configuration is working properly several months ago. Now, my customer wants to add another two ISPs. I've extracted two ports from FG LAN Switch to connect the new ISPs, I have added another two static routes (same metric and priority), Iv'e configured the keepalive and I've added this ports to the policies. Right now I have an issue, all sessions (except 2 or 3) are using the old two ISPs (even If i make al full reboot of both FGs to restart all sessions), if I put out of service one of the old ISPs, all session bascul to the other old ISP and no to the new two ISPs....... What is wrong in my configuration? The new lines are operative throght FG, because when I make a Policy routing and force that a network go out to internet throught new lines there isn't any problem and users have internet. Thank you!!!
6 REPLIES 6
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
the new default routes should have the same distance and priority. did you set the same value for administrative distance in your new default routes? because you didn't refer to the distance in your post.
and type the below command in CLI to see the routing table
get router info routing-table all
do you see your new default routes under the 0.0.0.0 destination network?
sorry for my poor English :)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Thank you for your help. Yes, all static routes have the same administrative distance and same priority, I've checked the phisical interfaces and also have the same administrative distance.
I have the four ISPs connected and failover is working fine, If I disconnect two ISPs (1 and 2) all sessions are balanced to the other two ISPs (3 and 4). It is strange, if I make a query to the routing table FG only has two 0.0.0.0/0 static routes (ISPs 1 and 2) but I have four configured (1,2,3 and 4).... All sessions are balanced between ISPs 1 and 2, If I disconnect one of this (1 for example), all sessions bascul to the other one (2), I only get sessions over ISPs 3 and 4 when I disconnect the ISPs 1 and 2........ Then, routing table erases ISPs 1 and 2 routes and adds ISPs 3 and 4 routes......
I have not found the way to make the load balancing between four ISPs throught static routing. Could you help me please?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
run the below command:
get router info routing table database
do you see the static route of ISP 3 & 4 as a inactive route?
what kind of internet connections do you have??
what is the framware version
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
alhashem wrote:Hi, thank you four your help, you can find below several commands refered to static-routing configuration: get router info routing-table database S 0.0.0.0/0 [10/0] via 10.10.0.1, WAN3 [10/0] via 10.10.1.1, WAN4 [10/0] via 192.168.1.1, WAN2 inactive [10/0] via 192.168.1.1, WAN1 inactive S *> 0.0.0.0/0 [5/0] via 192.168.1.1, ppp1 *> [5/0] via 192.168.1.1, ppp2 Fortinet (static) # show edit 2 set gateway 192.168.1.1 set device "WAN2" next edit 5 set gateway 192.168.1.1 set device "WAN1" next edit 4 set gateway 10.10.0.1 set device "WAN3" next edit 6 set gateway 10.10.1.1 set device "WAN4" next end Fortinet (static) # get 2 seq-num : 2 dst : 0.0.0.0 0.0.0.0 gateway : 192.168.1.1 distance : 10 weight : 0 priority : 0 device : WAN2 comment : blackhole : disable dynamic-gateway : disable virtual-wan-link : disable Fortinet-B (static) # get 5 seq-num : 5 dst : 0.0.0.0 0.0.0.0 gateway : 192.168.1.1 distance : 10 weight : 0 priority : 0 device : WAN1 comment : blackhole : disable dynamic-gateway : disable virtual-wan-link : disable Fortinet-B (static) # get 4 seq-num : 4 dst : 0.0.0.0 0.0.0.0 gateway : 10.10.0.1 distance : 10 weight : 0 priority : 0 device : WAN3 comment : blackhole : disable dynamic-gateway : disable virtual-wan-link : disable Fortinet-B (static) # get 6 seq-num : 6 dst : 0.0.0.0 0.0.0.0 gateway : 10.10.1.1 distance : 10 weight : 0 priority : 0 device : WAN4 comment : blackhole : disable dynamic-gateway : disable virtual-wan-link : disablerun the below command:
get router info routing table database
do you see the static route of ISP 3 & 4 as a inactive route?
what kind of internet connections do you have??
what is the framware version
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
With this configuration, right now I have:
WAN1-> 798 sessions -> 183.51kb/s WAN2-> 548 sessions -> 614.4kb/s WAN3-> 2 sessions -> 36b/s WAN4-> 115 sessions -> 167b/s
I look forward your response alhashem; thank you.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You're getting lower distance default routes over PPPoE from old ISPs [5/0] against all your static default routes [10/0]. I suggest you "set defaultgw disable" on wan1 and wan2, which would stop pulling the [5/0] default routes. Then you have to correct your default static routes with "set dyamic-gateway enable" instead of specifying GW IP statically. It would be pulled via PPPoE and you would see like below instead in routing database:
S *> 0.0.0.0/0 [10/0] via 192.168.1.1, ppp1
S *> 0.0.0.0/0 [10/0] via 192.168.1.1, ppp2
I thought having the same gw IP on both wan1 and wan2 would cause some problems but it seemed to be ok because you said that part had been working fine.
Below is my home primary INET (vlan) interface config (masked some info), which gets IP and GW over PPPoE. I have a secondary INET interface in addition to it. So doing the same thing to use static default routes I configured.
config system interface edit "mainINET" set vdom "root" set mode pppoe set allowaccess ping set role wan set username "xxxxxxxxxxxxx" set password ENC <ENCRYPTED_PASSWORD> set defaultgw disable <-- set interface "wan1" set vlanid xxx next end config router static edit 8 set device "mainINET" set dynamic-gateway enable <-- next end
fg50e # get router info routing-t database | grep 0.0.0.0 S *> 0.0.0.0/0 [10/0] via xxx.xxx.xxx.xxx, ppp1 <-- notice the interface is not "mainINET" but "ppp1"
Related Posts
- FortiClient 7.2.4 installer with deployed EMS... 102 Views
- About Restoring the FortiClient Backup Configuration... 124 Views
- can not config anti-repay in fortigate... 169 Views
- Multiple phase 2 selectors needed for... 179 Views
- Site to Site VPN to 2... 194 Views
Labels
-
FortiGate
6,528 -
FortiClient
1,303 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
414 -
5.6
362 -
FortiSwitch
333 -
FortiAP
333 -
FortiClient EMS
263 -
6.2
251 -
FortiMail
242 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
150 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiSIEM
88 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
59 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
24 -
FortiConnect
23 -
FortiWAN
22 -
Firewall policy
22 -
FortiConverter
21 -
High Availability
20 -
VLAN
19 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiAuthenticator
12 -
FortiCASB
12 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
LDAP
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
Virtual IP
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSL SSH inspection
6 -
Security profile
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.