2 WAN interfaces, both active for different protocols and no load balancing

Page: 12 > Showing page 1 of 2
Author
Raudi
Bronze Member
2018/04/01 14:39:33


Hello,
 
I want to replace a LANCOM 1781EF+ with a FG100D and now have a routing problem: I can't find out how to configure the FG so that I have the same features.
 
I have 2 business cable WAN lines, on which I get a fixed public IPv4 address via DHCP.
 
I want to use WAN2 outgoing only for VPN connections and VoIP traffic. WAN1 should be used for normal internet access. Both public IP addresses are used for publishing internal services.
 
How can i configure 2 WAN interfaces and split the traffic?
 
Outgoing:
Internet access including client IPsec VPNs -> WAN1
IPsec VPNs and VoIP -> WAN2
 
Published services - incoming:
TCP 80,443 -> WAN1
TCP 21,25,53,443 -> WAN2
 
Is this possible?
 
I already tried policy routes, but every time I try a new configuration, something else stops working.
 
At the moment everything is working, but outgoing client internet access uses both WAN interfaces.
 
Regards
Stefan
 
#1

21 Replies

    Sudarsan Babu
    Bronze Member
    2018/04/01 21:17:25
    Dear Stefan,
     
    can you share the results of the commands below?
     
    get router info routing-table all
     &
    get router info routing-table static
     
    #2
    Toshi Esumi
    Expert Member
    2018/04/01 22:58:39
    I assume you have two parallel default routes going toward both the WAN1 GW and the WAN2 GW, set by DHCP. For outgoing, you just need to set the internet policy pointing to WAN1 only (LAN -> WAN1); then no outgoing internet should go toward WAN2. If it goes to WAN2, you must have a policy allowing it.
    Those VPNs should have the interface specified in the config, either WAN1 or WAN2, for outgoing. For incoming, you don't have much control, but both have different IPs and the other ends should have the proper peer IP configured, so I wouldn't worry. You wouldn't need any policy routes.
    #3
    Toshi Esumi
    Expert Member
    2018/04/01 23:00:02
    Of course those VPNs need policies too.
    #4
    Raudi
    Bronze Member
    2018/04/02 00:59:24
    Hi,
     
    here is the output of both commands:
     
    FG-HOME # get router info routing-table all
     
    Routing table for VRF=0
    Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
    O - OSPF, IA - OSPF inter area
    N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
    E1 - OSPF external type 1, E2 - OSPF external type 2
    i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
    * - candidate default
     
    S* 0.0.0.0/0 [5/0] via 90.xxx.4.170, wan2
                       [5/0] via 90.xxx.6.130, wan1, [5/0]
    S 10.1.1.0/24 [10/0] is directly connected, VPN-WORK
    C 90.xxx.4.168/30 is directly connected, wan2
    C 90.xxx.6.128/30 is directly connected, wan1
    S 192.168.4.0/23 [10/0] is directly connected, VPN-WORK
    S 192.168.24.0/24 [10/0] is directly connected, VPN-SITE2
    S 192.168.88.0/24 [10/0] via 192.168.99.1, lan
    S 192.168.96.0/24 [10/0] is directly connected, VPN-SITE1
    S 192.168.97.0/24 [10/0] via 192.168.99.1, lan
    C 192.168.99.0/24 is directly connected, lan
    S 192.168.168.0/24 [10/0] via 192.168.99.1, lan
     
    FG-HOME # get router info routing-table static
     
    Routing table for VRF=0
    S* 0.0.0.0/0 [5/0] via 90.xxx.4.170, wan2
                       [5/0] via 90.xxx.6.130, wan1, [5/0]
    S 10.1.1.0/24 [10/0] is directly connected, VPN-WORK
    S 192.168.4.0/23 [10/0] is directly connected, VPN-WORK
    S 192.168.24.0/24 [10/0] is directly connected, VPN-SITE2
    S 192.168.88.0/24 [10/0] via 192.168.99.1, lan
    S 192.168.96.0/24 [10/0] is directly connected, VPN-SITE1
    S 192.168.97.0/24 [10/0] via 192.168.99.1, lan
    S 192.168.168.0/24 [10/0] via 192.168.99.1, lan
     
    There is one default route entry with 2 interfaces, so the traffic is distributed across both interfaces: one client uses wan1 and another client uses wan2.
     
    When I set policy routes for internet to wan1 I get many problems. I must set policy routes for all data that goes through a VPN. I must create a policy route so that the VPN tunnel uses wan2. I must build a very complex set of policy routes. That can't be the only solution...
     
    I created a policy route from lan1 to wan1 for destination port 443. After that, client outgoing internet uses wan1, but I can't reach port 443 destinations behind a VPN, and the published 443 service isn't accessible from internal. From external I haven't tested.
     
    I also already created static routes to wan1 and wan2; in the advanced options I set different values for priority, but this has no effect. When I modify the distance, only one is working...
     
    Thanks for helping.
     
    Regards
    Stefan
    #6
    Raudi
    Bronze Member
    2018/04/02 01:11:04
    OK, I think I'm a step further.
     
    I get the same IP from my provider every time via DHCP, so the route is set automatically; even when I create a manual default route, the settings inside that manual route have no effect.
     
    So I switched from DHCP to manual with the IP info from DHCP; then the manual route works and it seems that the priority value has an effect...
     
     
    #7
    Raudi
    Bronze Member
    2018/04/02 01:52:40
    And to route VoIP to WAN2 I made policy routes for 5060 UDP and TCP to WAN2, and an additional one with the destination of the remote network through a VPN, so I can also use a VPN for VoIP.
     
     
    #8
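    What post #8 describes, written out as FortiOS CLI policy routes. This is an added example, not configuration posted in the thread. The LAN subnet (192.168.99.0/24), the remote site subnet (192.168.96.0/24) and the tunnel name VPN-SITE1 are taken from the routing table in post #6; the wan2 gateway is a placeholder because the thread masks it; the port-range keywords are the FortiOS 5.x form and should be checked against the release running on the FG100D.

```fortios
# Policy routes are evaluated top-down, first match wins, before the
# routing table is consulted. The tunnel exception therefore has to sit
# above the generic "SIP -> wan2" rules, otherwise SIP to the remote site
# would be pushed out wan2 in the clear instead of into the tunnel.
config router policy
    # 1: anything from the LAN to the remote site's subnet stays in the tunnel
    edit 1
        set input-device "lan"
        set src "192.168.99.0 255.255.255.0"
        set dst "192.168.96.0 255.255.255.0"
        set output-device "VPN-SITE1"
    next
    # 2: SIP signalling over UDP 5060 from the LAN leaves via wan2
    edit 2
        set input-device "lan"
        set src "192.168.99.0 255.255.255.0"
        set protocol 17
        set start-port 5060
        set end-port 5060
        set gateway <wan2 gateway IP>     # placeholder, masked in the thread
        set output-device "wan2"
    next
    # 3: same for SIP over TCP 5060
    edit 3
        set input-device "lan"
        set src "192.168.99.0 255.255.255.0"
        set protocol 6
        set start-port 5060
        set end-port 5060
        set gateway <wan2 gateway IP>     # placeholder, masked in the thread
        set output-device "wan2"
    next
end
```

    A policy route only steers the packets it matches; a firewall policy lan -> wan2 that permits SIP is still required, and anything not matched falls back to the routing table. Two things worth checking after applying this: `diagnose firewall proute list` shows the rules in evaluation order, and the RTP media streams, which are negotiated on other UDP ports, are not matched by a 5060-only rule, so if the media must also leave via wan2 the rule needs to cover the PBX's RTP port range or be keyed on the PBX's source address instead of the port.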
    ede_pfau
    Expert Member
    Location: Heidelberg, Germany
    2018/04/02 05:18:07
    If you set the distance for the DHCP-inserted route higher than that of your intended default route, the latter will have precedence. For PPPoE and DHCP (which both - can - insert an ISP-provided default route) these settings are available in the CLI only.

    Ede

    " Kernel panic: Aiee, killing interrupt handler!"
    #9
    Raudi
    Bronze Member
    2018/04/02 06:01:26
    Yes, I can't work with the distance: when I set the distance for WAN2 higher, even the VPNs will not connect through WAN2...
     
    Which values must I modify via CLI when I have 2 DHCP WAN interfaces and want to give one of them a higher priority?
     
    I got the same result here, but I switched to manual and created manual default routes with different priorities and the same distance.
    #10
    Toshi Esumi
    Expert Member
    2018/04/02 08:49:55
    What do you mean by "higher priority"? Do you want to use WAN2 for internet as long as it's UP and not use WAN1? Or load-balance based on usage? But you said "no load balancing" in the subject.
    For VPN, the other sides have to connect to either the WAN1 IP or the WAN2 IP specifically. You can't switch it on this FG side.
    #11
    Raudi
    Bronze Member
    2018/04/02 10:24:14
    For a route I can set 2 different values:
     
    Distance
    Priority
     
    In an interface I have only the distance.
     
    When the route was created automatically via DHCP, the settings of a manual route have no effect.
    When I modify the distance in the interface, the interface with the higher value doesn't work.
     
    When I change the interface from DHCP to manual and enter the same IP addresses I got via DHCP before, I can use the priority value in the manual route.
     
    When I use this priority value, all traffic is routed to the interface with the lower value, but VPN on the interface with the higher value is still working.
     
    So my question is:
     
    Is there a way to configure that priority when the interface is still on DHCP?
    #12
    Toshi Esumi
    Expert Member
    2018/04/02 10:53:11
    DHCP injects only a default route (default GW). Nothing else. Only the interface distance influences the DHCP-injected default route. My question from the beginning is why you want to set higher precedence on one default route over another while you just want to split the purposes statically.
    #13
    Raudi
    Bronze Member
    2018/04/02 11:00:17
    Because I must redirect the outgoing traffic to a specific interface without disabling the other interface for VPN or getting problems with the traffic through the VPN tunnel.
     
    Or how should I configure it so that all clients use WAN1 and VPN tunnels use WAN2? And traffic should also be routed through the VPN tunnel...
     
    (Sorry, in English it is perhaps not easy to explain.)
     
     
    #14
    Toshi Esumi
    Expert Member
    2018/04/02 11:08:23
    To redirect/manipulate any VPN toward a specific outgoing port, you need to have a specific route (/32) for the peers to the specific port, WAN1 or WAN2. Then when you change the outgoing route, you need to change the peer IP on the remote side if it's a static site-to-site VPN. The default route's precedence wouldn't help anything for that purpose.
    #15
    Raudi
    Bronze Member
    2018/04/02 11:48:14
    But it is working:
     
    S* 0.0.0.0/0 [5/0] via 90.xxx.6.130, wan1, [5/0]
                       [5/0] via 90.xxx.4.170, wan2, [10/0]
     
    All traffic from clients is going through WAN1, and WAN2 is only used for VPN and for VoIP, which I redirected via a policy route.
     
    The only thing I'm thinking about is: what happens when I don't get the IP via DHCP? What will my provider do when he doesn't get DHCP requests?
     
    I have 3 VPNs: one has a fixed IP, the other 2 are dynamic.
    #16
    Toshi Esumi
    Expert Member
    2018/04/02 12:26:44
    You didn't mention those were dialup VPNs. Yes, if that's the case, as long as you use the FG's "priority" on the static default routes, internally initiated internet traffic goes through the higher "priority" interface, in your example wan2, while all dialup VPN accesses are returned through the interface the request came in on, just like when you didn't set any priority. However, in the VPN configuration (if IPsec) you need to specify the interface in the phase1-interface config. So when you want to move VPNs around between wan1 and wan2 you need to change that config (the phase1-interfaces need to be separated enough to manipulate, otherwise all go in one direction). I think it requires all related sessions to be cleared at that time. In other words, it's almost unmanageable.
    If it's SSL VPN, you can set interface "any" in the VPN settings so that you don't have to change the interface config. Only the client side needs to change the server IP to connect to.
     
    In any case, whether I assumed correctly above or something different, you need to provide more specific information about your VPNs to let anybody help you.
    #17
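    The configuration that produces the routing table shown in post #16, together with the interface binding from post #17 and the /32 peer route from post #15, as an added example that is not configuration from the thread. Gateway addresses, the peer address, proposals and the pre-shared key are placeholders in angle brackets (the thread masks them); the interface and tunnel names and the remote subnet are the ones in the OP's routing table; the predefined "SIP" service is assumed to exist on the FG100D's FortiOS release, as it does on 5.x and 6.x.

```fortios
# Two default routes with equal distance: both stay active (the OP's "both
# WAN interfaces in one default route entry"). Without priority the
# FortiGate ECMP-balances between them, which is what post #6 observed.
# With different priority values both remain in the table, but only the
# lower value is used for traffic that matches no more specific route.
config router static
    edit 1
        set device "wan1"
        set gateway <wan1 gateway IP>
        set distance 5
        set priority 0        # preferred: normal internet access
    next
    edit 2
        set device "wan2"
        set gateway <wan2 gateway IP>
        set distance 5
        set priority 10       # kept active, used only where pinned
    next
    # Host route for the static site-to-site peer: IKE/ESP towards it
    # always leaves via wan2, independent of default-route priority.
    edit 3
        set dst <SITE1 peer public IP> 255.255.255.255
        set device "wan2"
        set gateway <wan2 gateway IP>
    next
    # Remote subnet reachable through the tunnel interface (post #6 table)
    edit 4
        set dst 192.168.96.0 255.255.255.0
        set device "VPN-SITE1"
    next
end

# Local IKE endpoint bound to wan2; the peer must be configured with the
# wan2 public IP. Moving the tunnel to wan1 means changing both sides.
config vpn ipsec phase1-interface
    edit "VPN-SITE1"
        set interface "wan2"
        set remote-gw <SITE1 peer public IP>
        set proposal <phase1 proposals>
        set psksecret <pre-shared key>
    next
    # One of the two dynamic peers from post #16: no remote-gw, the peer
    # dials in to the wan2 address and replies return via wan2 as well.
    edit "VPN-SITE2"
        set type dynamic
        set interface "wan2"
        set proposal <phase1 proposals>
        set psksecret <pre-shared key>
    next
end

# Firewall policies decide which egress interface a session may use at
# all: internet only through wan1, only SIP towards wan2 (a policy route
# steers it there), and the tunnel traffic through the tunnel interface.
config firewall policy
    edit 1
        set name "LAN-internet-wan1"
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 2
        set name "LAN-voip-wan2"
        set srcintf "lan"
        set dstintf "wan2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "SIP"
        set nat enable
    next
    edit 3
        set name "LAN-to-SITE1"
        set srcintf "lan"
        set dstintf "VPN-SITE1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

    After applying this, `get router info routing-table all` should list the default route as in post #16, wan1 with [5/0] and wan2 with [10/0], and `get router info routing-table details <some internet IP>` should resolve to wan1 while the peer's /32 resolves to wan2. Note that the firewall policy is the actual control: the OP's earlier symptom of clients leaving via wan2 is only possible if a lan -> wan2 policy permits general traffic, so keeping policy 2 restricted to SIP is what enforces "no internet via wan2" even if the routes are changed later.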
    Raudi
    Bronze Member
    2018/04/02 12:40:39
    A higher value is a higher cost, so the traffic goes through WAN1 with the lower value.
     
    So all is fine. I thought it was clear that these are site-to-site VPNs, because they are listed in the routing table above.
     
    So there is no way to get the same result (which I have now with the manual IP configuration) when I have DHCP enabled?
     
    #18
    Toshi Esumi
    Expert Member
    2018/04/02 13:02:42
    Sorry, the higher the number, the lower the priority. So wan1.
    http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-advanced-routing-54/Routing_Advanced_Static/Routing_Concepts.htm#Adding
     
    You can set priority only on static routes.
     
    #19
    Raudi
    Bronze Member
    2018/04/02 13:08:49
    OK, last question: can I disable the creation of routes when I get the IP via DHCP? So that I use DHCP and have an active static route?
     
    OK, it doesn't really make sense, because normally DHCP means that I get different IPs, so I want to use a route with the current IP I got.
     
    But in this case I get the same IP every time... So perhaps...
    #20
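    The interface-level route settings for a DHCP WAN port that post #9 says are CLI-only, as an added example and not configuration from the thread. `distance`, `priority` and `defaultgw` under `config system interface` are CLI keywords on FortiOS 5.x and 6.x as far as I know, but treat them as an assumption to confirm on the FG100D's firmware, since the GUI the OP describes exposes only the distance for a DHCP interface.

```fortios
# Distance and priority applied to the default route the DHCP client
# injects. Both interfaces keep the same distance so both routes stay
# active; the priority value breaks the tie without disabling wan2.
config system interface
    edit "wan1"
        set mode dhcp
        set defaultgw enable      # accept the ISP-provided default gateway
        set distance 5
        set priority 0            # preferred for normal internet access
    next
    edit "wan2"
        set mode dhcp
        set defaultgw enable
        set distance 5
        set priority 10           # active, but only used where pinned
    next
end
```

    This keeps the address on DHCP, so the routing table in post #16 is reproduced without hard-coding the lease. The alternative the OP asks about in post #20 is `set defaultgw disable` on the interface, which keeps the DHCP-assigned address but suppresses the injected default route so that a manual static route can be used instead; the cost is exactly the risk the OP names, namely that a static gateway silently breaks if the provider ever hands out a different lease. Check the result with `get router info routing-table all`, which should show both default routes with distance 5 and the wan2 entry with the higher priority value.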