Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
npereira
New Contributor

Question on default route

Hi all,

I have a firewall that has internet on port1 and is also used for VPN user dialup on that same port. All works fine.

I have installed a new router on port 10.

So now I want the users inside the firewall to get their internet from port 10 instead of port 1, so I changed the default 0.0.0.0/0 static route to point to port 10 with the IP of the attached router. Now the users are getting their internet from port 10, so all is good? Not really...

Now all the user VPN dialups are failing. They are not connecting when dialing up to port 1 even though the internet is still attached.

What I am thinking, and correct me if I'm wrong, is that the user dialup is calling into port 1, but since the user is dialing up from an unknown subnet, the firewall uses the default route to respond back to the user, hence it is sending the return traffic via the other router (now the new default route), and since that router has no clue about this transaction, the packets are dropped on the router and the client fails to connect.

Is my statement above correct? If not, please correct me.

If it is correct, then how can I fix this without having to move the public IP used for dialup VPN to the other router and doing a 1-to-1 NAT via the router? Can I not have the best of both worlds? Internet from port 10 and user dialup on the public IP of port 1?

Thanks for the help.

Regards, NSE4
Toshi_Esumi
Esteemed Contributor III

If you ran "flow debug", you would see errors and dropped packets due to "asymmetric route". The dialup VPN traffic comes in at port1 and tries going out through port10 based on your 0/0 route, which is not allowed by default.

Instead, what you can do is set two default routes with different "priority" numbers. When you created the default route toward port 10, you didn't specify a priority, so it got '0'. You can configure another default route with a higher priority number, like '10'. The higher the number is, the lower the priority is.

Then when internal users/devices generate traffic (sessions) toward the internet, it follows the priority 0 default route. But return packets for the dialup VPN would go back to where the session was initiated from, which is port1, as long as the low priority (10) default route exists. The routing table would look like below. This is from one of our 1500D's VDOMs, which is doing exactly what you want to do.

 

xxx-fg1 (vdom-name1) # get router info routing-t all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      0.0.0.0/0 [10/0] via 69.170.170.146, vlanxxxx-to-MPLS, [0/50]            <- priority 0, another FW is in this direction
                  [10/0] via 69.170.165.98, vlan-on-vdomlink-to-INET, [10/50]     <- priority 10, VPNs come from this interface
<snip>

emnoc
Esteemed Contributor III

I highly doubt that would work. Your understanding of priority is not correct. Your low-priority 10 route will never be present in the active RIB and would only be activated if the 1st default is marked down, or the interface goes down, etc.

OP, can you use the virtual-wan setup and just have two WANs in a "virtual-wan"? Here your setup will work and, with the added benefit, you have 2 active uplinks.

 

Ken Felix

PCNSE NSE StrongSwan
Ashik_Sheik

Same distance and same priority: better to use load balancing methods like SD-WAN for forwarding WAN traffic.

Same distance and different priority: the routing information will be in the RIB, but traffic will try to route through the low priority interface.

You need to configure a policy-based route to push the traffic through the higher priority.

Different distance and same priority: only the low-distance route will be in the routing table, and the higher route will be inactive.

For redundancy purposes:

Check the active routing table:

#get router info routing-table all

To check the inactive routes:

#get router info routing-table database

 

Regds,

Ashik

Ashu
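A small Python model of the route-selection behaviour this thread argues about (added here; it is not FortiOS code and not from any poster). It follows what Toshi_Esumi's routing table shows and what Ashik_Sheik summarises: same distance keeps both default routes in the RIB and the lowest priority number wins for new sessions, while different distances leave only one route active. It also assumes the default loose reverse-path check and that reply traffic leaves via the session's ingress interface, which goes beyond the thread's text; interface names and addresses are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Route:
    """One static route as the thread describes it (constructed model)."""
    dst: str          # prefix, e.g. "0.0.0.0/0"
    device: str       # egress interface
    distance: int = 10
    priority: int = 0

def active_rib(routes):
    """Per prefix, only the lowest-distance routes are installed; all of those stay."""
    by_dst = {}
    for r in routes:
        by_dst.setdefault(r.dst, []).append(r)
    rib = []
    for same in by_dst.values():
        low = min(r.distance for r in same)
        rib += [r for r in same if r.distance == low]
    return rib

def egress_for(routes, dst_ip):
    """Egress for a NEW session: longest prefix, then lowest priority number."""
    cands = [r for r in active_rib(routes) if ip_address(dst_ip) in ip_network(r.dst)]
    if not cands:
        return None
    return max(cands, key=lambda r: (ip_network(r.dst).prefixlen, -r.priority)).device

def rpf_ok(routes, src_ip, ingress):
    """Loose reverse-path check (assumed): some installed route to src exits via ingress."""
    return any(ip_address(src_ip) in ip_network(r.dst) and r.device == ingress
               for r in active_rib(routes))

def vpn_reply_path(routes, client_ip, ingress="port1"):
    """Dialup packet from client_ip on `ingress`: RPF drop, or reply via the session's ingress."""
    if not rpf_ok(routes, client_ip, ingress):
        return "dropped: reverse path check fail"
    return f"reply via {ingress}"

# The OP's two states, with constructed addresses.
ONLY_PORT10 = [Route("0.0.0.0/0", "port10")]                  # after the OP's change
TWO_DEFAULTS = [Route("0.0.0.0/0", "port10", priority=0),     # Toshi_Esumi's two-route fix
                Route("0.0.0.0/0", "port1", priority=10)]

if __name__ == "__main__":
    print(egress_for(TWO_DEFAULTS, "198.51.100.10"))   # port10 for LAN users
    print(vpn_reply_path(ONLY_PORT10, "203.0.113.7"))  # dropped
    print(vpn_reply_path(TWO_DEFAULTS, "203.0.113.7")) # reply via port1
```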
Toshi_Esumi
Esteemed Contributor III

As I showed in the routing table, both default routes are in the routing table and have been working as intended for at least the last 8 years. It was originally suggested by TAC and we've been using it since then.

emnoc
Esteemed Contributor III

Well, maybe you're right, but I trust FortiOS, and priority low always equals best route; maybe in your case, when traffic hits the interface with the higher priority, it returns the traffic via the same interface.

 

http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-advanced-routing-54/Routing_Advanced_...

 

 

Ken

PCNSE NSE StrongSwan