aagrafi
Contributor II

Two default routes and SD-WAN

Hello,

 

I have two WAN interfaces in SD-WAN and a third WAN interface alone. I want to have two default routes, one over SD-WAN with distance 20 and one over the third interface with distance 10. The FortiGate does not allow me to do so, with a message: "You cannot have duplicated routes on SD-WAN and non SD-WAN interfaces."

 

Now, I remember that in the past, on the same FG but on a different FortiOS version, I could do that. Now my FG is running 6.0.8. Has something changed? Besides, I don't understand why FortiOS shouldn't allow me the option to have two default routes with different distances, no matter whether I use SD-WAN or not.

 

Thanks

Jamie
New Contributor

Hi,

 

The reason is that the system handles policy routes as taking precedence over the static routes. In this case, policy routes means SD-WAN rules. What Fortinet wants us to do is have one default route to the SD-WAN zone and then use the rules to route the traffic. For better or worse.

 

Your answer is somewhere in here...

https://docs.fortinet.com/document/fortigate/6.2.3/technical-tip-multiple-default-routes-where-sdwan...

 

I've been in a couple of situations like yours, and what I do is add the 3rd WAN interface into the SD-WAN zone.

boneyard
Valued Contributor

Fortinet also allows you to add default routes to the different interfaces that are part of SD-WAN (and then no default route to the SD-WAN interface itself).

Jirka1

Yes, I had to set this on our devices on the advice of the TAC: if the DR is set to SD-WAN, self-originated traffic (DNS, FortiGuard etc.) does not work. Although everywhere in the KB it is stated that the DR should be set to SD-WAN only. It's a mess :\

boneyard
Valued Contributor

I had the opposite reaction from support: when I shared my setup, they told me to configure the default route to the SD-WAN interface. I got quite annoyed about that.

 

There are two ways, and that should be clearly documented and supported.

 

As for the self-originated traffic issues, I feel your pain: regular customer calls about FortiGuard traffic failing, causing a manual config change until the regular interface is fine again.

 

6.4 is solving the only-one-SD-WAN-interface issue; I hope the self-originated traffic is soon to follow, and then finally SD-WAN is very usable.
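The two routing designs the replies describe, written out as an added FortiOS CLI example; this is not configuration posted by anyone in this thread. The interface names wan1/wan2/wan3, the gateway addresses (RFC 5737 documentation ranges) and the distances are constructed to match the original question, and "virtual-wan-link" is the name of the SD-WAN interface in FortiOS 6.0/6.2. Apply only one of the two "config router static" blocks.

```text
# Added example, not from any poster in this thread. wan1/wan2/wan3 and
# the gateway addresses are constructed. FortiOS 6.0/6.2 CLI syntax; the
# SD-WAN interface is called "virtual-wan-link" in those releases.

# SD-WAN members: wan1 and wan2 (wan3 stays outside SD-WAN, as in the question)
config system virtual-wan-link
    set status enable
    config members
        edit 1
            set interface "wan1"
            set gateway 203.0.113.1
        next
        edit 2
            set interface "wan2"
            set gateway 198.51.100.1
        next
    end
end

# Design A (what Jamie says Fortinet wants): a single default route to the
# SD-WAN interface, with member selection done by SD-WAN rules.
# "dst" is omitted because it defaults to 0.0.0.0/0, and no gateway is set
# because the member gateways above are used.
# This is the route the original poster could not combine with a second
# default route on the non-SD-WAN interface wan3.
config router static
    edit 1
        set device "virtual-wan-link"
        set distance 20
    next
end

# Design B (boneyard's alternative): one default route per member interface
# and none to virtual-wan-link. Equal distance keeps both member routes
# active; the third WAN gets its own default route with a lower distance
# so it is preferred while it is up.
config router static
    edit 1
        set gateway 203.0.113.1
        set device "wan1"
        set distance 20
    next
    edit 2
        set gateway 198.51.100.1
        set device "wan2"
        set distance 20
    next
    edit 3
        set gateway 192.0.2.1
        set device "wan3"
        set distance 10
    next
end

# Checks: which default routes are actually installed, and the state of
# the SD-WAN members
get router info routing-table all
diagnose sys virtual-wan-link member
```

Whether a given FortiOS build accepts design B together with the wan3 route, and how the self-originated traffic behaves under design A, is exactly what the thread disputes, so run the two check commands on your own build after applying either block rather than assuming the result.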

 

 
