Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
_Rob
New Contributor

Policy not directing web traffic to WAN2

There's a good chance that I'm going about this the wrong way, but it feels like I'm close to the solution.
I have a 60D running FortiOS 5.4. WAN1 is connected to my modem router and WAN2 is connected to a VPN router, which is connected to the Modem Router.
Both interfaces are configured identically other than the IP Address.
There are then two IPv4 policies:

  • Policy ID #1, Seq #2 is a catch-all for all internal traffic to go to WAN1.
  • Policy ID #9, Seq #1 has anything incoming from internal with the source of a named address go out on WAN2.

However, the named address is still going out on WAN1, although I can access the VPN router connected to WAN2. If I change Policy ID #9 to deny and WAN1 then internet access is denied to that box.

What have I missed?

    dmcquade
    New Contributor III

    Did you try creating a policy route for the named source? Here you can define the incoming interface, source, outgoing interface, destination and various protocol options. This should do the trick.
    HTH

    d

    _Rob
    New Contributor

    I've created a policy route with:

    Protocol: Any
    Incoming Interface: internal
    Source address/mask: 192.168.3.23/255.255.255.255
    Destination address/mask: 0.0.0.0/0.0.0.0
    Action: Forward Traffic
    Outgoing interface: Wan2
    Gateway address: 0.0.0.0

    Still going through WAN1 :\

    dmcquade
    New Contributor III

    Policy routes take precedence over static. You should have a static default route set and use a policy route where necessary. Looks like you are missing the gateway. Set this to the WAN2 interface next hop (ISP router address).
    HTH

    d

    ede_pfau

    As @dmcquade already posted, this is a routing issue.

    Routing comes first, and then policies further delimit the allowed traffic.

    A regular static route only looks at the destination address to decide which interface traffic is routed to. If you want to base the routing decision on different criteria, such as the source address, then you need to use a Policy Route.

    There are some differences between regular routes and PRs. PRs do not show up in the Routing monitor, and are not deleted if the target interface goes down. Apart from that, a PR is the perfect tool for your goal.


    Ede

    "Kernel panic: Aiee, killing interrupt handler!"
    _Rob
    New Contributor

    Thanks Ede.
    So the Fortigate evaluates routing before policies? Therefore are you saying I should remove my static routes and create two policy routes? One to direct traffic from the named address to WAN2, and a second with a lower priority for all traffic to go out on WAN1.
    I'd like the ability to add and remove devices from going out on WAN2. Is there a way with PR to assign a group, or will I need to move devices to a different subnet to achieve this?

    _Rob
    New Contributor

    Thanks for your help Ede and D - It's working now, but I'd like more dynamic control if possible.
    Things we learnt:

  • Static Routes are evaluated before Policy Routes
  • IPv4 policy is processed later

    So what I now have is:

  • Both interfaces to WAN1 and WAN2 set up identically
  • No static routes
  • Two policy routes. Seq 1 for the named IP address to WAN2. Seq 2 for source 0.0.0.0 to WAN1
  • IPv4 Policy set to allow all internal traffic to WAN1. I think this may be redundant but removing it seemed to stop all traffic getting out on WAN1.

    What I'd really like is to have a policy route where I can easily add or remove additional devices to the WAN2 group. IPv4 Policy looks the most likely candidate to allow me to do that unless I shuffle devices between subnets for the first policy route.
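An added example, not from the thread or from Fortinet, of how the final setup could be expressed in FortiOS CLI (5.x syntax), combining dmcquade's point about the missing gateway with the wish in the last post for a device set that is easy to change. The addresses 10.0.0.1 and 192.168.1.1 and all object names are assumed placeholders; the `srcaddr` option on policy routes is assumed to be available on this firmware.

```fortios
# Added example, not from the thread: FortiOS CLI for the layout Rob describes,
# with the WAN2 next hop dmcquade asked for and an address group so devices can
# be moved in or out of the WAN2 set without editing the route itself.
# Assumed values: 192.168.3.23 is from the thread; 10.0.0.1 (VPN router on
# wan2), 192.168.1.1 (modem router on wan1) and all object names are placeholders.
config firewall address
    edit "host-192-168-3-23"
        set subnet 192.168.3.23 255.255.255.255
    next
end
config firewall addrgrp
    edit "via-wan2"
        set member "host-192-168-3-23"   # add or remove members here
    next
end
# Default routes: wan1 preferred; the wan2 route carries a higher priority value
# (less preferred) but must exist, because a policy route is only honoured when
# the routing table already has a route to the destination via its output device.
config router static
    edit 1
        set device "wan1"
        set gateway 192.168.1.1
    next
    edit 2
        set device "wan2"
        set gateway 10.0.0.1
        set priority 10
    next
end
config router policy
    edit 1
        set input-device "internal"
        set srcaddr "via-wan2"       # group match; assumes srcaddr exists on your build
        set dst "0.0.0.0/0.0.0.0"
        set gateway 10.0.0.1         # the next hop that was 0.0.0.0 in the first attempt
        set output-device "wan2"
    next
end
# Check the result instead of guessing: the policy route should show a growing
# hit count once the host sends traffic, and the wan2 route must be in the table.
# diagnose firewall proute list
# get router info routing-table all
```

The IPv4 firewall policy from internal to wan2 (Policy ID #9 in the thread) still has to permit the group's traffic; its source field can reference the same `via-wan2` group, so membership is changed in one place.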

    emnoc
    Esteemed Contributor III

    Static Routes are evaluated before Policy Routes

    I believe that's wrong, PBR and most specific are always evaluated 1st.
    Ken
    PCNSE 

    NSE 

    StrongSwan  