mustafa_chittalwala
New Contributor

Fortigate 300D - 2 WAN link to setup for 2 different networks

Experts,

 

I am new to Fortinet World. So I need your HELP.

 

We have 2 WAN connections, 1 for staff and 1 for students. I want both connections going through the firewall (not load balancing). The student network, which is on Vlan1, should go out to the Internet through WAN1, and likewise the staff network should access the Internet on WAN2.

 

Is it possible to achieve the above scenario with a Fortigate 300D? If yes, can someone help me in detail or guide me in the right direction via video or reading material?

 

Thanks in advance. 

 

Regards

Mustafa

 

4 REPLIES
sw2090
Honored Contributor

Well, traffic from a net can only go where your policy allows it to go ;)

So just on the FGT create an internet policy with NAT for the staff vlan/network via WAN1 and one for the student vlan/network via WAN2 :)

And of course you need to have default routes for both WANs, but if they do PPPoE without a static setup you don't need to care about this. It's set automatically when your WANs come up in this case.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

Paul_S

Setting up the interfaces and policy should be fairly straightforward. I think routing will be your biggest challenge. I would use a policy route to resolve that.

 

*Create two new interfaces on your LAN: System > Interfaces*

LAN

--> VLAN1 [students]

--> VLAN2 [staff]

 

*Policy > IPv4*

[Students] --> [WAN1]: Allow, with desired UTM features. NAT: yes

[Staff] --> [WAN2]: Allow, with desired UTM features. NAT: yes

 

*Routing > Policy Routes*

Src Int [Students] to 0.0.0.0/0 > Use WAN1, with GW x.x.x.x

Src Int [Staff] to 0.0.0.0/0 > Use WAN2, with GW x.x.x.x

 

You may need to use some policy routes in addition to those two if you have some non-internet policies for other network destinations. The action would be "stop policy routing".

FG200D 5.6.5 (HA) - primary | FWF50B's 4.3.x, FG60D's 5.2.x, FG60E's 5.4.x | FAZ-VM 5.6.5 | Fortimail 5.3.11 | Network+, Security+
ede_pfau
Esteemed Contributor III

As there can only be ONE default route per system / per FGT / per VDOM, and you need 2 of these for 2 WANs, the only way to do this is to apply a Policy route for one of them.

 

For the students, set up a default route pointing to WAN1. Done.

 

For the staff, create a policy route pointing to WAN2. A PR allows you to decide which way to go not only by the destination address like an ordinary route, but by matching source address, source port and other fields. In your case, the PR would match the staff's subnet and redirect traffic away from the default route, out to WAN2.

 

Of course, you will need policies to finally allow the traffic. Both internet facing policies need to have NAT enabled.

 


Ede

"Kernel panic: Aiee, killing interrupt handler!"
mustafa_chittalwala

Paul,

 

In addition to this, I want to set up VLANs.

 

Vlan 100 - Staff - 192.168.3.x 255.255.255.0

Vlan 200 - Student - 192.168.4.x 255.255.254.0

Vlan 300 - Wifi-Access point 192.168.10.x 255.255.255.0

 

All my APs should get a Vlan300 IP which can communicate with the other 2 VLANs. My APs will publish 2 SSIDs. If I connect to the Staff SSID then I get a Vlan100 IP and do the routing as below, and the same for Student.

 

Note: I don't want any talking between staff and student Vlan.

 

*Policy > IPv4*

[Students] --> [WAN1]: Allow, with desired UTM features. NAT: yes

[Staff] --> [WAN2]: Allow, with desired UTM features. NAT: yes

*Routing > Policy Routes*

Src Int [Students] to 0.0.0.0/0 > Use WAN1, with GW x.x.x.x

Src Int [Staff] to 0.0.0.0/0 > Use WAN2, with GW x.x.x.x

 

Can you please help me achieve the above?

 

Thanks in Advance.

 

Mustafa
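
The "stop policy routing" remark in Paul_S's reply matters for the VLAN layout in the last post, because a policy route to 0.0.0.0/0 also matches traffic bound for the AP VLAN. The following is an added example, not code from any poster or from Fortinet: a simplified Python model of "policy routes first, top-down, then the routing table". Interface names, the firewall policy set and the sample addresses are assumptions.

```python
# Simplified model of route selection: policy routes are checked top-down
# before the routing table; "stop" falls through to the routing table.
# Interface names and sample addresses are assumptions for illustration.
from ipaddress import ip_address, ip_network

STAFF = ip_network("192.168.3.0/24")      # Vlan 100
STUDENT = ip_network("192.168.4.0/23")    # Vlan 200 (mask 255.255.254.0)
AP = ip_network("192.168.10.0/24")        # Vlan 300
ANY = ip_network("0.0.0.0/0")

# Routing table: connected VLAN subnets plus one default route via WAN1.
ROUTING_TABLE = [(STAFF, "vlan100"), (STUDENT, "vlan200"),
                 (AP, "vlan300"), (ANY, "wan1")]

# Policy routes as posted: (source, destination, action, outgoing interface).
NAIVE = [(STUDENT, ANY, "forward", "wan1"), (STAFF, ANY, "forward", "wan2")]
# Same rules with "stop policy routing" entries for the AP VLAN placed first.
WITH_STOP = [(STUDENT, AP, "stop", None), (STAFF, AP, "stop", None)] + NAIVE

# Firewall policies (ingress, egress); any other pair hits the implicit deny.
# There is deliberately no vlan100 <-> vlan200 policy (staff/student isolation).
POLICIES = {("vlan200", "wan1"), ("vlan100", "wan2"),
            ("vlan100", "vlan300"), ("vlan200", "vlan300")}
SRC_IF = [(STAFF, "vlan100"), (STUDENT, "vlan200"), (AP, "vlan300")]

def egress(policy_routes, src, dst):
    """Return the outgoing interface chosen for a packet src -> dst."""
    s, d = ip_address(src), ip_address(dst)
    for src_net, dst_net, action, out_if in policy_routes:
        if s in src_net and d in dst_net:
            if action == "forward":
                return out_if
            break  # "stop policy routing": use the routing table instead
    # Longest-prefix match in the routing table (default route always matches).
    return max((net.prefixlen, intf) for net, intf in ROUTING_TABLE if d in net)[1]

def allowed(policy_routes, src, dst):
    """True if a firewall policy exists for the ingress/egress interface pair."""
    s = ip_address(src)
    in_if = next(intf for net, intf in SRC_IF if s in net)
    return (in_if, egress(policy_routes, src, dst)) in POLICIES

if __name__ == "__main__":
    for name, rules in (("as posted", NAIVE), ("with stop rules", WITH_STOP)):
        # Staff client talking to an access point on Vlan 300.
        print(name, "->", egress(rules, "192.168.3.20", "192.168.10.5"))
```

With the routes as posted, staff traffic to an access point is sent out WAN2; with the stop rules first it follows the connected route to Vlan 300.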

 
