Can not ping between local VLAN after setup Policy Route

longtran_cntt · ‎11-19-2020

Hi all,

I have 3 WANs, 2 local network VLANs (LAN-Office, LAN-Server (server1, server2)).

I've already configured like below:

[ul]

WAN1, WAN2, and WAN3 are connecting to the internet successfully.

WAN1 is for VLAN-Office. WAN2 is for server1. WAN3 is for server2.

Policy Routes:[ul]

The office is going out to the internet through the interface WAN1.

The server1 is going out to the internet through the interface WAN2.

The server2 is going out to the internet through the interface WAN3.

Firewall Policy (IPv4 Policy) to allow the LAN-Office to access the LAN-SERVER) [/ul][/ul]

The issue is:

[ul]

Scenario 1: If I put all the LANs into 1 interface only (for example WAN1), and disable 2 other WANS interfaces => the LAN-Office and LAN-Factory can ping the LAN-Server (server1 & server2).

Scenario 2: If I separated the LAN-Office into WAN1, server1 into WAN2, server2 into WAN3 and apply the Policy Route => the LAN-Office can not ping the LAN-Server (server1 & server2).[/ul]

Please note that in both scenarios, I always keep enabling the Firewall Policy (IPv4 Policy) that allow LAN-Office to access LAN-Server (server1 & server2).

How can I fix the issue of pinging between LAN-Office and LAN-Server in the scenario2?

Thank you.

If I disable those port of WAN2 and WAN3 (red box), only enable WAN1 (green box) And also disable the Policy Route here (red box)

And keep the Firewall Policy as the image, the LAN-Office can ping the LAN-Server (server1 & server2).

If I re-enable the policy that disabled in the images above, then the LAN-Office can not ping the LAN-Server (server1 & server2)

My target is: LAN-Office is on WAN1, LAN-Server (server1 is on WAN2, server2 is on WAN3), and the LAN-Office can ping the LAN-Server (server1 and server2).

Toshi_Esumi · ‎11-20-2020

I can't tell for sure since I almost never use policy routes, other than SD-WAN. But the first policy route LAN-Office -> WAN1 for all (0/0) must be taking away traffce to server interfaces. To test it, just disable only that policy route to see if you can ping the server.

Then if that's the case set the priority number on the default route toward WAN2 and WAN3 lower so that WAN1 has the lowest number (default=0) so that LAN-Office traffic takes that default route and remove the first policy route.

Policy routes are sticky. Regardless the interface is up or down, they're always evaluated before looking up the routing table. Then if the destination is "all" 0/0, it would take all traffic away. I think SD-WAN's rules (=policy routes) works a little differently thus always works better for most situations.

SmokeyMountian_Tech · ‎11-20-2020

Do you have Static routes set with the same Distance for each WAN connection?

Make sure your primary WAN connection has the lowest priority EG, 0 and then your other wan connections are 1 or higher.

You'll then want to enable advanced routing under the Settings / Features.

Then program Policy routes to specify server1 as the source and forward traffic to proper WAN port. Make sure you use the gateway IP for the WAN connection that your using.

https://kb.fortinet.com/kb/documentLink.do?externalID=FD46603

If you need to set up any incoming traffic you can setup VIP's (Virtual IP's)