Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Peter_IT
New Contributor

webserver in dmz, outgoing connection to wan1 not working, via wan2 working okay?

Dear fellows, I hope you can help me with the following setup. I want to give my webserver (connected to dmz) access to the internet via wan1 and wan2. The webserver must have internet access through wan1 and wan2, in case wan1 dies for some reason. Internet requests to the webserver are okay, I can access the webserver from the outside via wan1 and wan2. But when I want to browse from my webserver, I only have an outgoing connection through wan2 and not wan1.

My setup: 2x Fortigate 60 (master/slave cluster)
dmz -- 192.168.10.254 / 255.255.255.0 --> webserver in dmz -- 192.168.10.6, default gateway 192.168.10.254
internal -- 192.168.0.220 / 255.255.255.0
wan1 (cable) -- 213.125.xxx.xxx / 255.255.255.248 (separate ISP router and ISP modem)
wan2 (ADSL) -- 213.201.xxx.xxx / 255.255.255.248 (integrated modem/router)

Static Route:
IP 0.0.0.0 mask 0.0.0.0 gateway 213.125.xxx.xxx device wan1
IP 0.0.0.0 mask 0.0.0.0 gateway 213.201.xxx.xxx device wan2

Policy Route:
Incoming internal, Outgoing dmz, Source 192.168.0.0 / 255.255.255.0, Destination 192.168.10.0 / 255.255.255.0 (LAN to dmz webserver)
Incoming internal, Outgoing wan1, Source 192.168.0.0 / 255.255.255.0, Destination 0.0.0.0 / 0.0.0.0 (LAN to wan1)
Incoming internal, Outgoing wan2, Source 192.168.0.0 / 255.255.255.0, Destination 0.0.0.0 / 0.0.0.0 (LAN to wan2)

Firewall Policy:
dmz -> internal: source (webserver 192.168.10.6), destination all, schedule always, service any, action accept (webserver to lan, NAT enabled, works okay)
dmz -> wan1: source (webserver 192.168.10.6), destination all, schedule always, service any, action accept (webserver to wan1, DOESN'T WORK, NAT enabled, tried also to disable NAT)
dmz -> wan2: source (webserver 192.168.10.6), destination all, schedule always, service any, action accept (webserver to wan2, works okay)
internal -> dmz (works okay)
internal -> wan1 (works okay)
internal -> wan2 (works okay)
wan1 -> dmz (HTTP, HTTPS, FTP works okay)
wan2 -> dmz (HTTP, HTTPS, FTP works okay)

So, everything works, except the connection from my webserver inside dmz to the internet via wan1 (cable). If I disable dmz -> wan2 I have no more internet connection. I can ping the cable modem (wan1) from within my webserver, by the way. The only difference I can see is the difference in hardware (cable = separate Juniper router with modem, ADSL = combined modem/router). Or maybe my problem lies in the IP range that my dmz has?

One more thing: when I browse from my webserver via wan2 to wan1 (there's another webserver active on 192.168.10.2) I cannot access it.

Thank you very much for having a look at my problem. Regards, Peter
Maik
New Contributor II

Configure the static routes with equal "Distance" but different "priorities", and remove the policy routes.
Peter_IT
New Contributor

Thank you, I can't seem to set the priority in the static route. internal -> dmz we need for getting files from our webserver from within our LAN; is there a better way?
rwpatterson
Valued Contributor III

Welcome to the forums. The priority configuration is a CLI based command.
 login as: rpatters
 rpatters@192.168.200.1's password:
 Fortigate-1 $ config router static
 Fortigate-1 $ edit 12
 Fortigate-1 (12) $ set priority ?
 <integer>    please input integer value
 
 Fortigate-1 (12) $
 
The default priority is 10. A lower number has a higher priority. Valid values are from 0 (zero) to 4294967295.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Maik
New Contributor II

1) You mentioned a FGT60C. The screenshot is from a FGT60 (without letter). Did you recently buy them as new? The FGT60 is running a very old firmware version where the priority setting is only available by CLI:
 config router static
 edit 1
 set priority 10
 next
 edit 2
 set priority 20
 next
 end
After "config router static" enter "edit ?" to see the possible rule IDs, or issue the "show" command.
Peter_IT
New Contributor

I'm sorry, indeed it's FortiGate 60, not 60C. And yes, they are quite old :-) Firmware Version Fortigate-60 3.00-b0572(MR5 Patch 4)
dmz -> internal is disabled by default, I should have mentioned that, sorry. It's only for testing, I understand the risks. Thank you for warning me though! internal -> dmz is needed and causes no harm I guess.
  • I changed the webserver to 192.168.10.5 and indeed it's using wan1 now. I'm confused though, why is this depending on the last number of the IP address being odd/even? Is that only for dmz?
  • With this IP address x.10.5, does it switch to wan2 when wan1 is down?
  • If it's switching automatically when wan1 is down, do I still need the priority setting?
  • Can I use the distance setting so that it acts as a priority setting?
  • Can you explain why I should get rid of the Policy Routes?
  • Is it possible to install a more recent firmware on these old firewalls?
Thanks a million guys.
Maik
New Contributor II

I changed the webserver to 192.168.10.5 and indeed it's using wan1 now. I'm confused though, why is this depending on the last number of the IP address being odd/even? Is that only for dmz?
answered by ede_pfau

With this IP address x.10.5, does it switch to wan2 when wan1 is down?
should: currently when the port is physically down, it will switch. You have a CLI option "ping-server" that indicates a port "down" when a host behind that interface cannot be reached anymore.

If it's switching automatically when wan1 is down, do I still need the priority setting?
depends on your needs. You need the priority when you want to have all traffic over wan1 and only failover to wan2 when needed. Without priority it does balance the requests over the two ports. (refer to ede_pfau's explanation)

Can I use the distance setting so that it acts as a priority setting?
no

Can you explain why I should get rid of the Policy Routes?
because you override the static routes with it. For your setup proper static routes are sufficient.

Is it possible to install a more recent firmware on these old firewalls?
most recent seems to be OS3, MR7, patch 10 from 2. Nov 2010. But I have doubts that you have a valid support contract to download the firmware. A renewal of the support contract is not possible anymore. Your current firmware has been released in Dec 2007.
ede_pfau
SuperUser

dmz->wan1 should work if wan2 is down (disconnected).
dmz->wan1 should also work if server IP is .10.5 (odd); then dmz->wan2 should NOT work.
Do as Maik posted to get the routing correct.
BTW, delete policy dmz->internal, it defeats the whole reason for a DMZ!
(edited: dammit, I keep mixing up left and right hand as well.)

Ede

"Kernel panic: Aiee, killing interrupt handler!"
rwpatterson
Valued Contributor III

ORIGINAL: ede_pfau BTW, delete policy internal->dmz, it defeats the whole reason for a DMZ!

I see no issue with this. The other way around does pose a huge security risk... Upon further inspection, I see the policy is indeed DMZ->internal. Big difference. That one HAS GOT TO GO... Think about it this way: someone compromises your web server and gains access. They then have the ability to surf and destroy anything on your LAN. With this policy, you permit it. The purpose of a DMZ is to place anything out there that you are willing to lose. If those devices get hacked or compromised in any way, you rebuild them and move on. They should not be able to leave that zone at all... My DMZ devices have limited Internet access as well. You don't want someone to hack your web server, place a mail server on it and spray SPAM all over the Internet with your IP space on it, do you? Things to think about.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
ede_pfau
SuperUser

OK, I will only answer the "odd IP" question as I've brought it up (at a pinch right now). You configured 2 equal default routes. The FGT will do load balancing then, distributing the traffic evenly onto both WAN lines. It uses a source IP address hash for this. With only 2 routes, one is assigned the odd source addresses and one the even ones. I predicted this only to see that indeed equal cost multiple routes are in effect.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
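To make the routing behaviour discussed in this thread concrete, here is a small Python model (added here; not FortiOS code and not posted by anyone in the thread) of how the FortiGate picks the egress interface: a matching policy route wins outright, otherwise the static route with the lowest distance and then the lowest priority value is used, and equal-cost routes are balanced by a source-address hash, which is why Peter's .10.6 and .10.5 addresses left on different WAN links. The class and function names, the toy hash, and the single LAN policy route are constructed assumptions; the addresses, interfaces and the priority values 10/20 come from the thread.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class StaticRoute:
    device: str
    distance: int = 10
    priority: int = 10   # FortiOS default; the lower value is preferred
    up: bool = True      # link state, or the result of a ping-server check


@dataclass
class PolicyRoute:
    src: str             # source prefix the policy route matches on
    device: str          # outgoing interface it forces


def pick_egress(src_ip, static_routes, policy_routes=()):
    """Egress interface for a packet from src_ip, or None if nothing is up."""
    addr = ip_address(src_ip)
    # 1. A matching policy route overrides the static routing table entirely.
    for pr in policy_routes:
        if addr in ip_network(pr.src):
            return pr.device
    # 2. Only static routes whose link is up are candidates.
    cands = [r for r in static_routes if r.up]
    if not cands:
        return None
    # 3. Lowest administrative distance wins, then lowest priority value.
    best = min(r.distance for r in cands)
    cands = [r for r in cands if r.distance == best]
    best = min(r.priority for r in cands)
    cands = [r for r in cands if r.priority == best]
    if len(cands) == 1:
        return cands[0].device
    # 4. Equal cost: balance on a source-address hash. This toy hash sends odd
    #    last octets to the first listed route and even ones to the second,
    #    reproducing the .10.5/.10.6 observation in the thread; it is a
    #    constructed stand-in, not the hash FortiOS really uses.
    last_octet = int(addr) & 0xFF
    return cands[(last_octet - 1) % len(cands)].device


# Peter's setup as posted: two equal default routes, plus a LAN-only policy
# route that can never match the webserver's DMZ address (constructed subset).
ECMP_ROUTES = [StaticRoute("wan1"), StaticRoute("wan2")]
LAN_POLICY = [PolicyRoute("192.168.0.0/24", "wan1")]
# Maik's fix: equal distance, different priorities, and no policy routes.
PRIORITY_ROUTES = [StaticRoute("wan1", priority=10), StaticRoute("wan2", priority=20)]
```

With PRIORITY_ROUTES every DMZ address leaves via wan1 and only moves to wan2 once wan1 is marked down, whereas with ECMP_ROUTES the egress depends on the source address alone.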