Fortigate FG60D two WAN routing issue

Author
DanieZ
New Member
  • Total Posts : 11
  • Scores: 0
  • Reward points: 0
  • Joined: 2018/09/03 01:10:39
  • Status: offline
2018/09/03 01:31:00 (permalink)
0

Fortigate FG60D two WAN routing issue

Good day.
 
I need help configuring my FortiGate with 2 WAN ports.
One network, through port WAN1, has the office internet and a mail server with VIPs.
The second network, through port WAN2, has the Wi-Fi guest network.
The problem is that from WAN2 it is impossible to get to the WAN1 mail server OWA page.
The WANs are taken from one internet provider with different IPs and have different distances; internet for WAN2 is set up through a routing policy.
 
Can anyone help?
#1


    Abed ALR
    Bronze Member
    Re: Fortigate FG60D two WAN routing issue 2018/09/03 05:40:43 (permalink)
    0
    Let me see if I understood your question:
    You're saying that guest users are not able to surf to the OWA page?
    The OWA page is behind the WAN1 interface with a VIP configured.
    Guest users are surfing the internet through WAN2.
     
    Correct me if I understood your question incorrectly!
     
    - Why should the guest user go outside to the internet and then get back to your FGT device and search for the VIP to the OWA page?
     
    You can just create a DNS database with a static resolve to the internal IP and assign the DNS database to the WAN2 interface:
     
    For example:
     
    FW (dns-server) # show
    config system dns-server
        edit "WAN2"
        next
    end

    FW # config system dns-database
    FW (dns-database) # show
    config system dns-database
        edit "OWA"
            set domain "yourdomain.com"
            set authoritative disable
            config dns-entry
                edit 1
                    set hostname "owa"
                    set ip 172.16.1.12
                next
            end
        next
    end
    #2
    DanieZ
    New Member
    Re: Fortigate FG60D two WAN routing issue 2018/09/03 07:16:47 (permalink)
    0
    Thanks for the answer.
    Yes, in general, you understood correctly.

    The reason users from the guest network need access: many users use corporate mail on smartphones, and at the moment it does not work on the guest Wi-Fi.

    To clarify, at the moment there is no access to the Fortinet portal, Exchange OWA, Exchange and Exchange ActiveSync from WAN2 to WAN1.
    LAN 1 192.168.0.1 goes outside via WAN1 1.1.1.1
    LAN 2 192.168.5.1 goes outside via WAN2 1.1.5.1
    post edited by DanieZ - 2018/09/03 07:38:21
    #3
    Ashu
    Gold Member
    Re: Fortigate FG60D two WAN routing issue 2018/09/03 10:12:23 (permalink)
    0
    Hi,
     
    You need a U-turn policy from guest to LAN with destination mail VIP. This will work.
     
    Regds,
     
    Ashik
    #4
    DanieZ
    New Member
    Re: Fortigate FG60D two WAN routing issue 2018/09/04 00:10:31 (permalink)
    0
    ashik wrote (#4):
    You need a U-turn policy from guest to LAN with destination mail VIP. This will work.

    Hi, thanks for the answer.
    Can you explain more or write an example?
    I tried to set up access by a route policy from the guest LAN to WAN1, and access by an IPv4 policy from the guest LAN to the office LAN, without results.
    #5
    Ashu
    Gold Member
    Re: Fortigate FG60D two WAN routing issue 2018/09/04 06:40:57 (permalink)
    0
    Hi
     
    Suppose you have e.g. OWA-VIP like 85.245.45.45 -> 192.168.10.1
     
    Create a policy, guest to LAN, and in the destination field select OWA-VIP.
     
    No NAT enabled. This will work.
     
    Regds,
     
    Ashik
     
     
    #6
    DanieZ
    New Member
    Re: Fortigate FG60D two WAN routing issue 2018/09/04 08:07:10 (permalink)
    0
    Hi
     
    There is a problem: OWA-VIP is attached to WAN1, and in the destination option you suggest it is impossible to specify the VIP.
    #7
    Ashu
    Gold Member
    Re: Fortigate FG60D two WAN routing issue 2018/09/04 09:27:53 (permalink)
    0
    Hi,
     
    The VIP should not be attached to any interface, so you can reconfigure the VIP to create the U-turn rule.
     
    Regds,
     
    Ashik
    #8
    DanieZ
    New Member
    Re: Fortigate FG60D two WAN routing issue 2018/09/12 07:18:08 (permalink)
    0
    Hi
    For now, no result.
    I created a rule from the guest LAN interface to the office LAN interface, source all and destination OWA-VIP.
    I still can't connect to OWA from the guest network.
    #9
    Ashu
    Gold Member
    Re: Fortigate FG60D two WAN routing issue 2018/09/12 12:35:25 (permalink)
    0
    Hi,
     
    I have a similar design. Let me explain with an example:
     
    (LAN) interface Port1: 172.16.1.1/24
    (Guest_Network_Subnet) interface Port2: 10.10.10.1/24
    WAN1: 100.100.100.1/24
    OWA server IP: 172.16.1.10/24, GW: 172.16.1.1
    OWA-VIP: external IP 100.100.100.10 -- internal 172.16.1.10 (OWA server real IP)
     
    Now the policies:
     
    Create a destination NAT policy for OWA from the internet:
    Incoming interface: WAN1
    Source subnet: All
    Destination interface: Port1 (LAN)
    Destination subnet: OWA-VIP
    Set service: All
    Set action: Allow
    NAT: Disabled
     
     
    Create a policy for guests to access OWA from the guest network:
    Incoming interface: Port2
    Source subnet: Guest-Network_Subnet
    Destination interface: Port1 (LAN)
    Destination subnet: OWA-VIP
    Set service: All
    Set action: Allow
    NAT: Disabled
     
    Hope this is clear. You just need a U-turn policy from the guest network.
     
    Regds
     
    Ashik
     
    #11
    DanieZ
    New Member
    Re: Fortigate FG60D two WAN routing issue 2018/09/13 01:31:17 (permalink)
    0
    ashik wrote (post #11, quoted above)

    Hi
    I have a difference from your configuration: the guest LAN uses the physical WAN2 with another subnet.
    According to your example, it is something like the following:
     
    (LAN) interface Port1: 172.16.1.1/24
    (Guest_Lan) interface Port2: 10.10.10.1/24
    WAN1: 100.100.100.1/29
    WAN2: 100.200.200.1/29
    OWA server IP: 172.16.1.10/24, GW: 172.16.1.1
    OWA-VIP: external IP 100.100.100.10 -- internal 172.16.1.10 (OWA server real IP)
     
    Static routes:
    WAN1: 100.100.100.1/29, distance 10
    WAN2: 100.200.200.1/29, distance 20
    Routing policy:
    (guest LAN) routed from Port2 10.10.10.1/24 to WAN2 100.200.200.1/29
     
    IPv4 policy:
     
    Create a destination NAT policy for OWA from the internet:
    Incoming interface: WAN1
    Source subnet: All
    Destination interface: Port1 (LAN)
    Destination subnet: OWA-VIP
    Set service: All
    Set action: Allow
    NAT: Disabled
     
    The solution that was proposed really worked with only WAN1 for both subnets, but in my configuration I need something else.
    #12
    Ashu
    Gold Member
    Re: Fortigate FG60D two WAN routing issue 2018/09/13 02:14:52 (permalink)
    0
    Hi,
     
    You don't have to worry about WAN2, because traffic is routed internally between the guest and LAN networks. Yes, maybe you have a policy route 0.0.0.0/0 from the guest network to reach WAN2; this may affect your traffic reaching the LAN.
     
    Just create another policy route on top of the 0.0.0.0/0 one, to the LAN or server network, and select the stop policy route option.
    Finally, you need the below policy only:
     
    Create a policy for guests to access OWA from the guest network:
    Incoming interface: Port2
    Source subnet: Guest-Network_Subnet
    Destination interface: Port1 (LAN)
    Destination subnet: OWA-VIP
    Set service: All
    Set action: Allow
    NAT: Disabled
     
    Hope you understood the configuration.
     
    Regds,
     
    Ashik
    #13
    Fullmoon
    Platinum Member
    Re: Fortigate FG60D two WAN routing issue 2018/09/13 03:51:51 (permalink)
    0
    DanieZ wrote (post #12, quoting Ashik's post #11, both above)

    We often call this hairpinning. Kindly try this approach.
    Static routes:
    WAN1: 100.100.100.1/29, distance 10
    WAN2: 100.200.200.1/29, distance 10
     
    Policy route (often called PBR)
    Policy 1
    input-device: "port2"
    src: "10.10.1.0/255.255.255.0"
    dst: "100.100.100.10/255.255.255.255" "172.16.1.10/255.255.255.255"
    action: deny
    status: enable
     
    Policy 2
    input-device: "port2"
    src: "10.10.1.0/255.255.255.0"
    action: permit
    protocol: 0
    gateway: 0.0.0.0
    output-device: WAN2
     
    DNAT rule
    Incoming interface: WAN1
    Source subnet: All
    Destination interface: Port1 (LAN)
    Destination subnet: OWA-VIP
    Set service: All
    Set action: Allow
    NAT: Disabled
     
    post edited by Fullmoon - 2018/09/13 03:56:02

    Fortigate Newbie
    #14
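As an added example (not configuration from the thread or from any poster), the working design in FortiOS CLI: the more specific policy route with Stop Policy Routing placed above the guest 0.0.0.0/0 route, as Ashik describes in #13, matching the office LAN and the VIP's public IP as in Fullmoon's #14, followed by the port2 -> port1 U-turn policy that uses the VIP. Addresses are the thread's constructed ones; the object names, the ISP next hop on wan2 (100.200.200.2) and the HTTPS-only service are assumptions.

```fortios
# Added example; addresses from the thread, names and the wan2 next hop assumed.
config firewall vip
    edit "OWA-VIP"
        set extip 100.100.100.10
        # "any" rather than wan1: a VIP bound to wan1 cannot match port2 -> port1 traffic
        set extintf "any"
        set mappedip "172.16.1.10"
    next
end
config firewall address
    edit "Guest_Lan"
        set subnet 10.10.10.0 255.255.255.0
    next
end
config router policy
    # Route 1 is evaluated first: guest traffic for the office LAN or for the
    # VIP's public IP falls back to the routing table ("Stop Policy Routing",
    # which the CLI spells "set action deny") instead of being pushed out wan2.
    edit 1
        set input-device "port2"
        set src "10.10.10.0/255.255.255.0"
        set dst "172.16.1.0/255.255.255.0" "100.100.100.10/255.255.255.255"
        set action deny
    next
    # Route 2: everything else from the guest LAN leaves via wan2.
    edit 2
        set input-device "port2"
        set src "10.10.10.0/255.255.255.0"
        set dst "0.0.0.0/0.0.0.0"
        set gateway 100.200.200.2
        set output-device "wan2"
    next
end
config firewall policy
    # The U-turn policy. DNAT 100.100.100.10 -> 172.16.1.10 happens here, with no
    # source NAT, so the mail server logs the real guest client address.
    edit 0
        set name "Guest-to-OWA"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "Guest_Lan"
        set dstaddr "OWA-VIP"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set nat disable
        set logtraffic all
    next
end
```

Check the order with `diagnose firewall proute list`: the deny entry must be listed before the catch-all, otherwise guest traffic for the VIP is still sent out wan2 and never reaches the U-turn policy.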
    DanieZ
    New Member
    Re: Fortigate FG60D two WAN routing issue 2018/09/13 05:29:35 (permalink)
    0
    ashik wrote (post #13, quoted above)

    Bingo!!!!
    Ashik - thanks for the help! Everything works.
     
    The main problem was in understanding that traffic in my case would go locally.
    #15