VIPs with multiple WANs or external IPs

Author: Cruz2019 (New Member)
2020/12/17 08:51:37


Hello all the community,
I hope you can help me or guide me in what I intend to do, or tell me whether it is possible with my Fortigate 300E or whether I need additional software or hardware. My situation is the following:
Create a VIP to publish a web server
name: "MY WEB SERVER"
WAN interface 1
Type Static NAT
External IP address / range 187.210.xx.xxx
Mapped IP address / range 172.16.xx.xx
That way it works perfectly: all external requests come in through WAN 1. The problem I have very frequently is that it goes down constantly. I already have another ISP, "WAN 2". What I intend is to add my WAN 2 to this same web server, so that when my WAN 1 fails, "MY WEB SERVER" stays online via WAN 2 until WAN 1 is re-established.
 
And if this is not possible with my Fortigate, what options do I have to achieve more availability for external connections to my web server?
Thank you
#1

3 Replies

    lobstercreed (Platinum Member, Sedalia, MO)
    Re: VIPs with multiple WANs or external IPs 2020/12/19 04:40:07
    You haven't told us whether you own your own IP address space. Assuming you don't, that's going to be the main challenge you have to figure out. You can set up another VIP for WAN 2 just fine and point it to the same internal IP, but if you have a web server at web.xyz.com and it resolves (DNS) to 187.210.xx.xxx for an internet user, how are they going to suddenly go to the IP address of your secondary WAN?
     
    You could try round-robin DNS or some other more robust ways to do that (not something I have experience with, but I know it can be done with the right DNS infrastructure).  There's still no way it will be seamless for a given user who was connected via WAN 1 when it went down unless you own your own address space and can advertise via BGP.
    #2
    Cruz2019 (New Member)
    Re: VIPs with multiple WANs or external IPs 2021/02/26 12:54:43
    I have a group of public addresses that my ISP gives me, both on WAN 1 and WAN 2.
    The main objective is to have something similar to SD-WAN, but for incoming connections to my web server.
    It had occurred to me to create 2 VIPs with the same internal IP address, only changing the external IP address to that of my second ISP,
    but I don't know if the failover really works and whether my web server would always be available unless both of my ISPs fail.
    #3
    emnoc (Expert Member, Austin TX area)
    Re: VIPs with multiple WANs or external IPs 2021/02/26 13:16:49
    RR DNS and/or F5-GTM or similar is what you want if you need a transparent failover. You could build some auto-event script that could disable the VIP and remove the DNS FQDN, but that has nothing to do with FortiOS per se.
     
    If you do a script, you could push out changes to the DNS db.zone file and even remove the VIP from a vipgrp if you so desire.
     
    e.g.
     
    config firewall vipgrp
        edit "web-server_groupo128"
            set uuid f27ca5f6-7875-51eb-74a4-63cc50cf6169
            set comments "web-ops IT core"
            set member VIP1290 VIP1892
        next
    end
     
    Our DNS server has an RR-DNS FQDN pointing to the VIP1290 and VIP1892 external IPs. So if our monitor finds problems with ISP2, we send a call to our DNS server API and delete that IP address from the A record. We have various triggers, like high latency and packet loss, that we use to determine whether DNS updates are sent to delete an A record entry.
     
    Example with low TTLs of 15 secs:
     
    www.example.com.    15    IN    A    192.0.2.1     ; isp1 wan1 VIP1290 public-address
    www.example.com.    15    IN    A    192.0.2.22    ; isp2 wan2 VIP1892 public-address
     
    So if pings to ISP2 are bad, we delete that entry from our db.zone file.
     
    We haven't gotten around to removing a VIP from a vipgrp via the FortiOS API, but that could also be done as an option, if you want to do maintenance for example.
     
    I believe other DNS suppliers like GoDaddy also have the means to do the same thing by sending DNS updates via an API call. We went the above route since the price of an F5-GTM was a little outside of the budget. BTW, an F5-GTM does all of the same internally from application health checks.
     
    Just my 2 cents opinion.
     
    Now that I think about it, if you're hosting the zone on the Fortigate you might be able to do the same thing and remove/add the A record via API calls... I might look into that if I get bored.
     
    Ken Felix
     

    PCNSE 
    NSE 
    StrongSwan  
    #4
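The monitor-driven RR-DNS withdrawal described in the post above, as an added example that is not part of the thread and not emnoc's script: per-ISP probe results feed a latency/loss check, a WAN is withdrawn only after several consecutive bad rounds (so a 15 s TTL does not turn into DNS flapping), the FQDN is never left with zero addresses, and the surviving WANs are rendered as the zone lines and the matching vipgrp CLI. The thresholds, streak length and probe values are constructed assumptions; pushing the result to a DNS API or the FortiOS API is left to the operator.

```python
from dataclasses import dataclass, field

@dataclass
class WanProbe:
    isp: str
    vip_name: str    # FortiOS VIP object name
    vip_addr: str    # public address that the VIP answers on
    rtt_ms: float    # measured round-trip time to the ISP
    loss_pct: float  # measured packet loss

# Constructed thresholds; tune to the real links.
MAX_RTT_MS = 150.0
MAX_LOSS_PCT = 20.0
FAIL_STREAK = 3      # consecutive bad probes before a WAN is withdrawn (dampens flapping)

def healthy(p: WanProbe) -> bool:
    return p.loss_pct <= MAX_LOSS_PCT and p.rtt_ms <= MAX_RTT_MS

@dataclass
class FailoverState:
    bad_streak: dict = field(default_factory=dict)

    def update(self, probes):
        """Return the WANs that should stay published after this probe round.
        Never returns an empty list: if every WAN looks bad, keep them all rather
        than blackholing the FQDN."""
        for p in probes:
            self.bad_streak[p.isp] = 0 if healthy(p) else self.bad_streak.get(p.isp, 0) + 1
        good = [p for p in probes if self.bad_streak[p.isp] < FAIL_STREAK]
        return good if good else list(probes)

def render_a_records(fqdn, active, ttl=15):
    """Zone-file lines for the surviving WANs, with the short TTL from the post."""
    return [f"{fqdn}.\t{ttl}\tIN\tA\t{p.vip_addr}" for p in active]

def render_vipgrp(group, active):
    """Matching FortiOS CLI to trim the vipgrp to the surviving VIPs (optional step)."""
    members = " ".join(p.vip_name for p in active)
    return ["config firewall vipgrp", f'    edit "{group}"',
            f"        set member {members}", "    next", "end"]

# Constructed probe results: ISP1 fine, ISP2 lossy and slow.
SAMPLE = [WanProbe("isp1", "VIP1290", "192.0.2.1", 24.0, 0.0),
          WanProbe("isp2", "VIP1892", "192.0.2.22", 310.0, 35.0)]

if __name__ == "__main__":
    state = FailoverState()
    for _ in range(FAIL_STREAK):          # three bad rounds in a row
        active = state.update(SAMPLE)
    print("\n".join(render_a_records("www.example.com", active)))
    print("\n".join(render_vipgrp("web-server_groupo128", active)))
```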