- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Trouble with dual wan setup
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Trouble with dual wan setup
This is what I'm trying to set up on an Fortigate 60F with firmware version 7.41:
Wan1 - multiple static IPs
subnet 192.168.2.0/24 on vlan switch internal on internal 1 port
Administrative Distance: 10 via static route
various inbound and outbound policies.
this contains public facing servers, domain infrastructure and other servers with static ips mostly for inbound.
various inbound and outbound policies.
This part is working fine.
What I've set up on wan 2
Wan2 - DHCP
Subnet 192.168.3.0/24 on vlan switch internal1 on internal2 port
Distance 10 via wan2 interface
inbound policy block all ports
outbound policy allow all ports (for now, will lock down once things are working)
This would be PCs, phones and other devices for internet access, with addresses assigned by domain dhcp service.
What's happening (while playing around with various settings) is that either wan2 isn't working for internet, or the internet on both interfaces is completely hosed.
Also required, bidirectional access between vlan switches, which I haven't tried to set up yet.
What am I doing wrong?
Solved! Go to Solution.
Labels:
- Labels:
-
FortiGate
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you configured like below already?
https://docs.fortinet.com/document/fortigate/7.4.1/administration-guide/144044/policy-routes
18 REPLIES 18
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @Xaak
What is you intention ,do you want the dual WAN setup for redundancy ?
If Yes , than you need to change the administrative distance on WAN2 "Distance 10 via wan2 interface", because currently both WANs are configured with value 10. (the lower the value the higher the priority)
Regards!
If you have found a solution, please like and accept it to make it easily accessible for others.
If you have found a solution, please like and accept it to make it easily accessible for others.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No, I want each wan port to have it's own vlan switch and subnet that can access it.
Servers use wan1 and pcs and other devices use wan2.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your descriptions of set up is troubling me. You have to separate wan side and LAN side when you describe them, unless you configured policy routes to bind LAN1 subnet to use WAN1, and LAN2 subnet to use WAN2.
For WAN side, WAN1's IP is configured statically out of multiple available IPs on the circuit, while WAN2 pulls an IP from your ISP via DHCP. This part is clear.
For LAN side, by default the FG60F has "internal" VLAN switch interface configured and it includes all internal1 - 5 physical interfaces as members. And all VLAN subinterfaces you configure on "internal" would be spread/shared with those all internal1 - 5 interfaces (or ports, you might call them). So unless you remove "internal2" interface from the "internal" vlan switch, you can't (or can but not effective) configure an IP like 192.168.2.1/24 on internal2 interface.
Is this what you configured, or different?
Toshi
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Vlan switch internal has only Internal1 (port 1 as I called it). Vlan switch internal1 has only internal2 (port 2 as I called it). The remaining internal interfaces are currently unmapped.
Created on 11-30-2023 05:22 PM Edited on 11-30-2023 05:27 PM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I don't think you can use the same name "internal1" for a new VLAN switch interface while internal1 physical interface still exists as a member of internal vlan interface.
Or maybe allowed, but it's confusing.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
And you looks like intending to bind LAN1 to wan1 and LAN2 to wan2. Then you have to have two policy routes.
Make sure two default routes exist in routing-table in CLI "get router info routing-table all" for both wan1 and 2.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The second wan is dhcp. From what I understand it automatically creates the route.
Created on 11-30-2023 07:33 PM Edited on 11-30-2023 07:36 PM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You still need to make sure it doesn't override the wan1 default route or isn't orverriden by it. It's just a simple CLI command to see it. It should show like below. It's at the top of the output. My case is SD-WAN with two static default routes and with different weight(20 and 1).
fg40f-utm (root) # get router info routing-t all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
Routing table for VRF=0
S* 0.0.0.0/0 [1/0] via x.x.x.x, ppp3, [1/20]
[1/0] via y.y.y.y, a, [1/1]
---<snip>----
Toshi
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Fortinet_Gateway # get router info routing-t all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
V - BGP VPNv4
* - candidate default
Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via xx.xx.xxx.xx, wan1, [1/0]
[10/0] via xx.xxx.xxx.x, wan2, [1/0]
C xx.xx.xxx.xx/xx is directly connected, wan1
C xx.xxx.xxx.x/xx is directly connected, wan2
C xxx.xxx.x.x/xx is directly connected, IPSEC Remote
C 192.168.2.0/24 is directly connected, internal
C 192.168.3.0/24 is directly connected, Internal wan2
Related Posts
- Help setting up internet access for... 170 Views
- No internet connection on the machine... 558 Views
- FortiMail Cloud and Office 365 guidance... 471 Views
- 2 x Fortigate 100F, active/active with... 191 Views
- SDWAN CRISS-CROSS TUNNEL SETUP 309 Views
Labels
-
FortiGate
6,528 -
FortiClient
1,303 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
414 -
5.6
362 -
FortiSwitch
333 -
FortiAP
333 -
FortiClient EMS
263 -
6.2
251 -
FortiMail
242 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
150 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiSIEM
88 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
59 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
24 -
FortiConnect
23 -
FortiWAN
22 -
Firewall policy
22 -
FortiConverter
21 -
High Availability
20 -
VLAN
19 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiAuthenticator
12 -
FortiCASB
12 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
LDAP
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
Virtual IP
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSL SSH inspection
6 -
Security profile
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.