Support Forum
ThePro
New Contributor III

2 Wans - Splitting traffic based on IP or MAC

I have a FortiGate 60D. WAN1 has a static IP and WAN2 does not. I want to leave WAN1 as the primary for S2S VPNs and have WAN2 so that some devices go through it (by either the device IP or MAC address). Redundancy would be nice, but not necessary for what I'm trying to accomplish. Is this possible?

support12
New Contributor III

Yes

Yes: two default static routes (0.0.0.0/0), one pointing at each ISP, with the same metric but different priorities to define the primary and the secondary.

A link monitor or ping server pointing at one IP per ISP to monitor whether the ISP is up.

1. A policy route that says: everything that comes in on this interface, let's say as source, if your internal network is

   192.168.1.0/24, then half would be 192.168.1.0/25, and as destination you use whichever ISP you want.

2. Another policy route, if you want it, by port or service.

Also read up on this topic on Fortinet's site; what it has most of is examples.

tanr
Valued Contributor II

I would recommend a little different setup than nustream.  

Well, I think my recommendation is a bit different, but I didn't understand all of your explanation.

 

Though for your situation you do want two static default routes, both default static routes should have the same distance, but one (say WAN1) should have a smaller number for priority (lower value = higher priority) than the other.  This will mean that both routes stay in the routing table but without some other intervention everything will go through the higher priority route.

 

Then, create one or more policy routes that can be based off incoming interface, protocol, subnet, etc. to route the subnets, interfaces, or devices you want to the WAN2 interface.  Don't specify a gateway address (use 0.0.0.0)  and the policy route will then cause all these to use the second, WAN2, default static route.

 

Note that this solution, as is, will let all your traffic use WAN2 if WAN1 is down.

 

You can create some problems with this if you  aren't careful and allow communications to come in through WAN1 that are responded to through WAN2.  Once you narrow down your scenario and what solution you would like to use you might want to post it here to see if anybody else can point out possible problems before you go live with it.

 

Besides the base documentation (http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-advanced-routing-54/Routing_Advanced_...) here are some other articles about this I found useful

(note that ECMP and other details have changed somewhat in 5.4):

http://kb.fortinet.com/kb/viewContent.do?externalId=FD32103

http://docs.fortinet.com/uploaded/files/1709/Multi-path_Routing_Basics.pdf

http://kb.fortinet.com/kb/documentLink.do?externalID=FD36462

http://kb.fortinet.com/kb/documentLink.do?popup=true&externalID=FD30907

http://kb.fortinet.com/kb/documentLink.do?externalID=FD31844

 

ThePro
New Contributor III

tanr wrote:

You can create some problems with this if you  aren't careful and allow communications to come in through WAN1 that are responded to through WAN2.  Once you narrow down your scenario and what solution you would like to use you might want to post it here to see if anybody else can point out possible problems before you go live with it.

Let me explain a bit more in case I wasn't clear.

 

WAN1 has a static/public IP - I have VPNs set up using this interface

WAN2 doesn't (DHCP)

 

Normally everything goes through WAN1. If WAN1 goes down, everything goes through WAN2.

 

What I want is to allow some specific devices on the network to ALWAYS use WAN2 (let's say everything goes through WAN1, but the device with the IP 10.0.0.150 will always go through WAN2). I read on a post from 2015 that it should be possible via a Policy Route ...

 

https wrote:

Create a policy based route by clicking on System > Router > Policy Route > Create New>   Source Interface - Internal; Source Address :Test PC IP Destination Address - ANY(0.0.0.0/0.0.0.0); Outgoing Interface: Wan2; Gateway: 0.0.0.0;

 

The problem is that in the part where it says Source Address: Test PC IP, if I type the IP of the device (10.0.0.50) I get this error: Invalid IP range. So it doesn't save the changes. If I type 10.0.0.150/255.255.255.0 it accepts the changes, but when I look at the routing table, instead of having 10.0.0.150/255.255.255.0 as the source address I get 10.0.0.0/255.255.255.0. So I assume that would mean the Policy Route will apply to the whole subnet instead of a specific device.

 

Any ideas?

tanr
Valued Contributor II

You can have a policy route work with a source address that is a single IP, you just need to specify the appropriate subnet.

 

For your case, just set src 10.0.0.150/255.255.255.255.

 

I just did a quick test of this to make sure, and confirmed that the policy route correctly routes only the single IP I specify out the different wan port, leaving all the rest of the IPs in my 255.255.255.0 subnet going out the default wan port.  I've got static IPs, but it should work the same.

ThePro
New Contributor III

tanr wrote:

You can have a policy route work with a source address that is a single IP, you just need to specify the appropriate subnet.

 

For your case, just set src 10.0.0.150/255.255.255.255.

 

I just did a quick test of this to make sure, and confirmed that the policy route correctly routes only the single IP I specify out the different wan port, leaving all the rest of the IPs in my 255.255.255.0 subnet going out the default wan port.  I've got static IPs, but it should work the same.

Besides the Policy Route did you have to do anything else?

 

I created the Policy Route, but I don't think it's working because some devices are going through WAN2 when I haven't specified it on the Policy Route.

 

Interfaces

Right now I have the WAN1 interface (static IP) with the default distance (I guess 10, because when it's static you can't see it) and the WAN2 interface (DHCP) with a distance of 20.

 

Static Routes

On the static routes I have 1 for WAN1 and 1 for WAN2 with the destination IP/Mask of 0.0.0.0/0.0.0.0 ... On this part should both interfaces have the same Distance and Priority?

tanr
Valued Contributor II

Are you running 5.4.x or something else?  This is a little different between versions.

 

I'm not sure what you mean by having a distance set on the actual interface.  Do you mean what you see in the routing table?  I'm assuming you are using static routing, not dynamic?

 

Regarding the static routes, you don't want them to both have the same distance and same priority or they will be considered ECMP (Equal Cost Multi Path) routes and the FortiGate will use both, balancing their use.  

 

What I believe you need for your default static routes is to specify the same distance for the default routes to WAN1 and WAN2, but different priorities, say priority 8 for WAN1 and priority 12 for WAN2. This will keep them both in the routing table, but always use the one with priority set to a lower value (which means higher priority).  

 

The route with lower priority (bigger value) will normally only be used if the interface for the higher priority route goes down. Determining when interfaces have gone down is a whole different discussion.

 

With your static routes set up this way (same distance but different priorities) you can then create a policy route which will force your specific source IPs to use the lower-priority route.  The policy routing happens before static routing.  Note that policy routes are examined sequentially, so if you have multiple ones, make sure your more specific ones are listed first.

 

It would be helpful if you ran the following CLI commands after setting up the static and policy routes as discussed to verify their output matches what you expect.  

 

    get router info routing-table all

 

    diag ip route list

 

    show router policy

 

You could post the output of those commands here but I'd recommend obfuscating the IPs before posting.

 

As an example, what I see with my own setup for the routing-table includes

 

S*      0.0.0.0/0 [10/0] via IP.11.IP.11, port1, [8/0]
                  [10/0] via IP.22.IP.22, port2, [12/0]

 

Showing that I have two default routes, both with distance of 10, but with port1 having a priority of 8 and port2 having a priority of 12, so normally port1 would be used.

 

My diag ip route list is kind of long, but in it you'll find:

 

tab=254 vf=0 scope=0 type=1 proto=11 prio=8 0.0.0.0/0.0.0.0/0->0.0.0.0/0 pref=0.0.0.0 gwy=IP.11.IP.11 dev=7(port1)
tab=254 vf=0 scope=0 type=1 proto=11 prio=12 0.0.0.0/0.0.0.0/0->0.0.0.0/0 pref=0.0.0.0 gwy=IP.22.IP.22 dev=8(port2)

 

My show router policy includes the rule that routes an interface and subnet to port2:

 

config router policy
    edit 1
        set input-device "intf-obfusc"
        set src "IP.LOCAL.IP/255.255.255.0"
        set output-device "port2"
    next
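The full CLI equivalent of the setup described in this thread, as an added example and not tanr's or Fortinet's own configuration: two default routes with the same distance and different priorities, a link monitor so the primary route is withdrawn when the ISP behind WAN1 fails (not only when the cable is pulled), and a policy route that forces a single host out WAN2 using a /32 mask with gateway 0.0.0.0. Interface names wan1/wan2/internal, the 10.0.0.0/24 LAN and host 10.0.0.150 from the thread, the WAN1 ISP gateway 203.0.113.1 and the monitor target 198.51.100.1 are assumed placeholders; the keywords are FortiOS 5.4 CLI syntax and the link-monitor options in particular vary between versions, so check your firmware's CLI reference.

```fortios
# Added example (assumed names and addresses, not from the original post).
# WAN1 has a static IP, so its default route is a normal static route.
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 203.0.113.1
        set device "wan1"
        set distance 10
        set priority 8
    next
end

# WAN2 gets its default route from DHCP, so distance and priority are set on
# the interface. Same distance keeps both routes in the table; the higher
# priority value makes wan2 the backup (lower value = preferred).
config system interface
    edit "wan2"
        set mode dhcp
        set distance 10
        set priority 12
    next
end

# Link monitor: ping a host beyond the WAN1 ISP router. When pings fail, the
# wan1 default route is withdrawn and everything falls back to wan2.
# (update-static-route is a 5.4 keyword; assumed placeholder target.)
config system link-monitor
    edit "wan1-mon"
        set srcintf "wan1"
        set server "198.51.100.1"
        set gateway-ip 203.0.113.1
        set protocol ping
        set interval 5
        set failtime 5
        set recoverytime 5
        set update-static-route enable
    next
end

# Policy route: only host 10.0.0.150 is sent out wan2. The /32 mask is what
# makes this a single host; 10.0.0.150/255.255.255.0 is normalised to
# 10.0.0.0/255.255.255.0 and matches the whole LAN. Gateway 0.0.0.0 means
# "use the routing-table entry for wan2", so the host still falls back to
# wan1 if the wan2 route disappears.
config router policy
    edit 1
        set input-device "internal"
        set src "10.0.0.150/255.255.255.255"
        set dst "0.0.0.0/0.0.0.0"
        set output-device "wan2"
        set gateway 0.0.0.0
    next
end
```

Two things to check after pasting this. First, a policy route only chooses the egress interface; a firewall policy from internal to wan2 (with NAT, since WAN2 is a DHCP address) must also exist or the host's traffic is dropped rather than routed. Second, do not put a host that accepts inbound connections or terminates a VPN on WAN1 into this policy route: its replies would leave via wan2, which is the asymmetric-return problem raised earlier in the thread. `get router info routing-table all`, `diag ip route list` and `show router policy` show whether the two default routes and the /32 policy route came out as intended.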
ThePro
New Contributor III

tanr wrote:

Are you running 5.4.x or something else?  This is a little different between versions.

 

5.2.4 (but I could update the firmware if it's better/easier to deal with this sort of scenario).

 

tanr wrote:

I'm not sure what you mean by having a distance set on the actual interface.  Do you mean what you see in the routing table?  I'm assuming you are using static routing, not dynamic?

 

Originally (before my last post) WAN1 had a static IP, but WAN2 had a dynamic IP. The ISP on WAN2 doesn't give static IPs and its modem/router can't be set to bridge mode. So yes, on WAN2 at that point I was able to set a distance on the interface. I changed it to Manual and set a DMZ from the modem/router to WAN2 on the Forti. Now it's working.

 

Thanks for all your feedback. It helped out a lot. I have worked with Forti a lot, but mostly with single WAN connections (or dual WAN, but only for redundancy) and doing a lot of VPNs. This is the first time I had to deal with this specific type of dual WAN setup. Thanks!

MikePruett
Valued Contributor

I would upgrade your firmware anyways. Some pretty significant security holes get resolved if I'm not mistaken between 5.2.4 and 5.2.10 (please please please follow the upgrade path appropriately)

Mike Pruett Fortinet GURU | Fortinet Training Videos