- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Fortigate 100D 2 WAN/Lan routing problem
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Fortigate 100D 2 WAN/Lan routing problem
I have a Fortigate 100D. There are 2 ISP connections 1 for each WAN port. My primary lan goes out on the WAN1 port, standard setup. Works fine. I tried to create a second network using the DMZ port to go out the WAN2 port on the second ISP. It is a completely isolated network, that will host my guest WIFI and my own connections for setting up and updating equipment so my downloads don't swamp our main line.
Lan 10.186.0.0/16 out on WAN1 4.4.4.2
Static Route out 0.0.0.0 on GW 4.4.4.1
DMZ 192,168.88.0/24 out on WAN2 5.5.5.2
Static Route out 0.0.0.0 on GW 5.5.5.1
The FW rules are in place, I can wire it up and turn on the route but it doesn't work. If I disable the route for WAN1 temporarily the DMZ out on WAN2 works but of course that breaks LAN to WAN1 out. Had no issues getting this to work on the Juniper FW we had before, but for the life of me I can't get this one going. I have seen several people on the boards asking about similar issues, nothing exactly like mine, but no answers that work.
7 REPLIES 7
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Two options:
1. create two vdoms and put wan1 and primary LAN into vdom1, and put wan2 and DMZ in vdom2. They can have individual default route since they're separate routers/FWs.
2. use policy routes (PBR) to specify the source interface to choose either wan1 or wan2. You still need to have two default routes to both wan1 and wan2. distance/priority wouldn't matter if no other traffic exist other than from primary LAN and from DMZ.
I prefer 1 because of simplicity and security to separate guest network from corp one (PCI-DSS audit proof), but I already know some disagree since there are multiple posts almost same as yours and I commented the same.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Got a reminder to never do this stuff during working hours. Thought creating the new second VDOM would not be an issue. Turns out it killed our ability to connect to sites with SSL. I had to delete it not long after I created it though I have no idea as to why it did this. Any thoughts?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Which wan interface and IP is the SSL VPN built on? Once you split it into two vdoms both at two different router/FW so if you get in one side via the vpn, you can get to the other side unless you set up a vdom link and routes over it.
This is not a minor change. Unless your 100% sure what would happen, don't make changes outside of a maintenance window.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not an SSL VPN in the picture, we were unable to visit SSL websites for some reason after creating the second VDOM. There were no ports or any set up of any kind in the second VDOM, the first default VDOM still seemed to be set up the same as before, but we were getting errors from the firewall when we tried to access an HTTPS:// website. I rushed to change it back and did not get a capture of the error unfortunately. I have not had time to experiment with it further.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Again, the second vdom you created is a completely new router/FW basically not sharing anything with the root (original/default vdom), like policies, address objects, routes, and so on. You have to duplicate whatever you created before if they need to be there as well and used with the traffic through it.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just use a policy route to direct traffic from the DMZ subnet to WAN2. That's what it's there for.
And, RTFM (F like in 'Fine') before doing anything else. A FGT is not a Juniper. I know Junipers can have an internal routing table and an external one. That's Juniper's speciality. A regular router only supports one default route.
IMHO a VDOM for this purpose is sheer overkill. You will be dancing between VDOMs all the time, looking where a resource is located. Of course, might be different for an old geek :)
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So the default route applies to the entire appliance. You will either have to attempt using some policy routes which I've found to only be semi-reliable or create a VDOM for your guest network. This creates a virtual "second" appliance that runs on the same hardware as the physical appliance. I've linked the Fortinet doc below because it does a much better job explaining than I can. Your current setup will become the "root" vdom and you can name the new vdom to whatever you like such as "guest" and manage them separately, including a separate default route. You will need to remove any references to your wan2 interface and then "move" it in the config to your new vdom if you take this route.
Hope that helps.
Not sure which codebranch you are on, but this link is the 5.4.4 version for VDOM. So far as I know not much has changed: https://docs.fortinet.com/d/fortigate-virtual-domains-5
Related Posts
- FortiOS 7.2.4 IPSec split-tunnel breaks local... 90 Views
- BGP modify the mask of a... 81 Views
- Fortigate 60d boot device failing 106 Views
- Forward traffic from Fortigate not showing... 107 Views
- FortiClient Azure SSO VPN issues 64 Views
Labels
-
FortiGate
6,461 -
FortiClient
1,290 -
5.2
801 -
5.4
639 -
FortiManager
562 -
6.0
416 -
FortiAnalyzer
411 -
5.6
362 -
FortiSwitch
331 -
FortiAP
327 -
FortiClient EMS
259 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
148 -
6.4
128 -
FortiNAC
103 -
FortiGuard
102 -
FortiGateCloud
86 -
FortiSIEM
85 -
FortiCloud Products
82 -
FortiToken
69 -
Customer Service
69 -
IPsec
68 -
4.0MR3
64 -
Wireless Controller
58 -
SSL-VPN
55 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
38 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
30 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
High Availability
21 -
FortiConverter
21 -
Firewall policy
20 -
VLAN
18 -
FortiPortal
17 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
FortiDDoS
13 -
Routing
12 -
FortiCASB
12 -
SAML
11 -
BGP
11 -
DNS
11 -
Interface
11 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
Logging
9 -
RADIUS
8 -
Traffic shaping
8 -
Virtual IP
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
NAT
7 -
FortiAuthenticator
7 -
Admin
7 -
FortiGate v4.0 MR3
7 -
4.0
7 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
SSID
5 -
Security profile
5 -
Traffic shaping policy
5 -
Authentication
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
Static route
5 -
FortiManager v4.0
5 -
FortiDirector
4 -
SSL SSH inspection
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
packet capture
3 -
FortiToken Cloud
3 -
Automation
3 -
Intrusion prevention
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
IPS signature
3 -
FortiDeceptor
2 -
FortiInsight
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
Web profile
2 -
FortiAP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
NAC policy
1 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
Application signature
1 -
Authentication rule and scheme
1 -
Multicast routing
1 -
Zone
1 -
FortiManager-VM
1 -
Fabric connector
1 -
Internet Service Database
1 -
Fortinet Engage Partner Program
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.