Routing and Dual WAN

ITGuy87765
2019/11/06 19:17:16

Hi All,
I've recently hooked up a second internet connection with the intention of testing routing all our offsite backup traffic to it. I've gone round in circles for a couple of days and had some input from a local Fortigate Engineer but have yet to have success. The only way I've had any result is specifying an entire subnet, which isn't what I'm after.
 
This person seems to have had the exact same issue: https://forum.fortinet.com/tm.aspx?m=149904
 
I would like to specify 1 address from within a subnet and have specific traffic from that server routed through the second WAN connection. Surely there's a way?
 
Edit ** I should mention this is on a pair of 60E's in HA running v6.0.5 build0268 (GA) **
 
Thanks in advance
post edited by ITGuy87765 - 2019/11/07 12:48:23
#1


    Toshi Esumi
    Re: Routing and Dual WAN 2019/11/07 14:32:27
    I thought I replied to this post already but somehow it doesn't show up.
    The thread you're referring to was for FQDN destination over WAN LLB setup. WAN LLB is now SD-WAN. Are you trying to specify one FQDN destination to go through the added circuit? Then you just need to create an FQDN address object and use it in an SD-WAN rule to use only the circuit.
    #2
    ITGuy87765
    Re: Routing and Dual WAN 2019/11/07 14:48:37
    Hey, thanks for the reply.
     
    Yes, I'm trying to specify one FQDN destination to go through the new circuit. I think the thing I'm missing here is SD-WAN, I was hoping to avoid using it as I would have to redefine a portion of my couple hundred policies already in place. More work than I would like for a testing project. PBR routing looked like such a simple solution but I guess that is not the case.
    #3
    Toshi Esumi
    Re: Routing and Dual WAN 2019/11/07 15:09:32
    PBR is a static route with conditions. FQDN is not allowed (I guess it's because NOT static) in static routes.
    Although I haven't tried it myself, as long as you set the same default routes to both wan interfaces, then set the first policy for the FQDN dst to the second wan, and the second policy for "all" destinations to the original interface, I think it would work as you intend.
    Try it to see if it works. If not, you can always go to SD-WAN.
    #4
    ShawnZA
    Re: Routing and Dual WAN 2019/11/07 20:49:18
    Going SD-WAN would be the best option but that means re-configuring the WAN interfaces from scratch.
     
    You can use PBR, just use the IP instead of the FQDN. If it has multiple IP's for the FQDN just add them all as the destination.
     
    Remember, once you start using PBR you have to add routes for everything in there. Create a default policy route out on the bottom for all traffic to your preferred interface, and add policy routes above it for everything else you want to point out over the other interface.
    #5
    sw2090
    Re: Routing and Dual WAN 2019/11/08 02:34:11
    @ShawnZA: no you do not have to reconfigure your WAN interfaces when you switch to SD-WAN. You just need to add them to sdwan. This requires that you remove or change the referring internet policies before.
     
    To the original topic: I think you could also handle this with two default routes for the two wans and an explicit policy that allows traffic outgoing (egress) to that FQDN only via the second wan. This has to come before the other internet policies then to be able to match first.
    #6
    ShawnZA
    Re: Routing and Dual WAN 2019/11/08 04:07:42
    You can't just add configured interfaces to SD-WAN. So as I said, re-configure meaning remove all rules from the existing WAN interface. If the interface is specified in any policy, object etc all needs to be undone. So there are many config changes that need to happen if you want to move your current WAN interfaces to a SD-WAN scenario..... the only thing that you don't have to change is the IP address....
     
     
    #7
    sw2090
    Re: Routing and Dual WAN 2019/11/08 04:54:53
    Yeah, that's what I meant. That is, all references to the interface need to be changed or removed (except ipsec tunnels). You could enable sdwan and then change the policies that use the wan interfaces to sdwan and then move the wan into sdwan.
    Just your words ("reconfigure interface") were a bit misunderstandable to me.
    #8
    ITGuy87765
    Re: Routing and Dual WAN 2019/11/10 11:11:17
    I've just had a quick go at specifying the dest IP's but it hasn't worked but this may be due to one connection being via IP and the other PPPoE with a static gateway. Pretty sure I can see what I'm bumping up against now and it does look like it is achievable without SD-WAN. Will continue on and report back.
     
    "remove all rules from the existing WAN interface" Afterhours work I don't really need right now 
    #9
    ITGuy87765
    Re: Routing and Dual WAN 2019/11/10 16:12:10
    We managed to get this working. The route to the 2nd connection's gateway was missing from the route table, the Static Route needed to be set to "Dynamic Gateway". After that we have successfully applied a policy route using a source IP to destination FQDN. I will also test a source via FQDN and report back.
     
    Thanks for the help, kicked us in the right direction.
     
     
    #10
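
The fix reported in reply #10, combined with the IP-based policy route suggested in reply #5, sketched as a FortiOS CLI fragment. This is an added example, not configuration posted by anyone in the thread; the interface names (`wan1`, `wan2`, `internal`), the entry IDs, the distance and priority values and the documentation-range addresses are all placeholders.

```fortios
# Placeholders (not from the thread):
#   wan1          existing circuit, assumed to hold a default route at distance 10
#   wan2          new PPPoE circuit
#   internal      LAN interface the backup server sits behind
#   192.0.2.10    backup server (single host, /32)
#   198.51.100.20 offsite backup target (resolved IP of the FQDN)

# Default route on the second circuit. The gateway is taken from PPPoE rather
# than typed in, so the route is actually installed in the routing table.
# Same distance as the wan1 route keeps both routes active; the higher
# priority value leaves wan1 preferred for traffic no policy route matches.
config router static
    edit 2
        set dst 0.0.0.0 0.0.0.0
        set device "wan2"
        set dynamic-gateway enable
        set distance 10
        set priority 20
    next
end

# Policy route: only the backup server talking to the backup target leaves
# via wan2. Everything else falls through to the normal routing table.
config router policy
    edit 1
        set input-device "internal"
        set src "192.0.2.10/255.255.255.255"
        set dst "198.51.100.20/255.255.255.255"
        set output-device "wan2"
    next
end
```

`get router info routing-table all` should show a default route via `wan2` once the static route is in place, and `diagnose firewall proute list` lists the installed policy routes. A firewall policy from `internal` to `wan2` permitting the same source and destination is still needed for the traffic to pass.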