FortiGate 60 with two PPPoE connections

Posted on 2008-11-13
Last Modified: 2013-12-14
I have a Fortigate 60 firewall.  Both WAN ports are connected to the same DSL modem via an ethernet switch.  Each WAN port is configured to use different PPPoE user/names and passwords and, when logged in, each WAN port is assigned a different static IP.  We use NAT/port forwarding to machines on our LAN.

What I would like to get set up is a system where all traffic on our network goes out through WAN1, except for traffic to/from one web server on our network, which I would like to go through WAN2.  I'm doing this because there is already a web server on our network accessible through WAN1 and I need the second to also be accessible from the web.

Everything works fine when WAN1 is PPPoE logged in, but as soon as WAN2 is PPPoE connected, no traffic seems to flow in or out of our network via either WAN interface; everything is blocked.  If I disconnect WAN2, everything goes back to normal.

Can someone please let me know what I might be doing wrong here?
Question by: I_play_with_DNA

    Expert Comment

    There are a few issues to be addressed:

    1) Default Gateway - when connected by PPPoE, the FG dynamically installs a route through the connected interface. So if, after being connected by 2 dialers, you go to Router -> Monitor, you'll see there 2 default routes to and this blocks the traffic, as the FG doesn't know which one to use.

    2) To fix the above you will need to change Distance in Network -> Interface -> WAN2. Put a distance of, say, 10. This will prevent anyone using WAN2 by default.

    3) To pass web traffic from the server through WAN2 only, implement Policy Routing. Go to Router -> Static -> Policy Route -> Create New, and in the Parameters put the following:

    Protocol: 0
    Incoming Interface: <interface where the web server is>
    Source address / mask: <IP of the web server in LAN>
    Destination address / mask:
    Destination Ports: 1 65535
    Outgoing interface: wan2
    Gateway Address: <best to put the next hop for the WAN2 link if known, if not known >

    4) To route all incoming web server traffic through WAN2, create a Virtual IP with the IP of the PPPoE WAN2 and the interface/IP of the web server in the parameters. Also create a rule: incoming from outside, port 80, destination the Virtual IP just created.

    Author Comment

    Thanks for the reply.  I will try this Friday evening, because I can't muck with the firewall during business hours.

    Author Comment

    Ok, I've tried out what you suggested.  Here are the results:

    1 & 2)  I changed the distance on the WAN2 interface to 10 as you said.  Once I did this, it stopped the extra route from being entered in the routing table and solved my problem of traffic blockage when both WAN ports are connected.

    3 & 4)  I implemented a Policy Route and Virtual IP/Firewall Policy as you suggested.  After I did this, I wanted to check to see if all traffic from the new web server was going out through WAN2, so I opened a web browser and went to, but the site reported the IP of WAN1, not WAN2.  Am I wrong in thinking that if all traffic to/from the web server is going out through WAN2, that the web site should have reported the IP of WAN2?

    I've included screen shots of the policy route and virtual IP/firewall policy below so you can see what I have configured.  Ideally what I would like to happen is this:

    All traffic from web server that is destined for machines NOT on our LAN goes out through WAN2.  All incoming traffic destined for web server comes in through WAN2.  I don't want web server to be able to communicate through WAN1 at all, either inbound or outbound.  Internal IP of the web server is


    Accepted Solution

    If it doesn't install a default route through WAN2 at all after increasing the Distance, then return the Distance parameter of WAN2 to the default so that both default routes are installed again; check in Router -> Monitor.
    Then in the Policy Route change the subnet mask to that of 32 bits:
    I think that would be enough - if not, create another Policy Route that lists the whole LAN and throws it to the WAN1 interface.

    The Virtual IP is right, and the check you do - entering whatismyip - is the one to prove that it is working.
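    Added example, not from this thread: the same steps (WAN2 distance, the /32 policy route from the accepted solution, the Virtual IP and its inbound rule) written as FortiOS CLI, assuming FortiOS 5.x/6.x syntax and constructed placeholder names and addresses (interface "internal", server 10.0.0.10, wan2 session IP 203.0.113.20).

```fortios
# Added example, not from the thread: FortiOS CLI form of steps 2 to 4 plus the
# /32 mask from the accepted solution. Syntax is FortiOS 5.x/6.x; FortiOS 3.x
# on a FortiGate 60 writes "set src <ip> <mask>" with a space instead of "/".
# All names and addresses are constructed placeholders:
#   internal      LAN interface behind which the second web server sits
#   10.0.0.10     LAN IP of the second web server
#   203.0.113.20  static IP the ISP assigns to the wan2 PPPoE session

# Step 2: give wan2's learned default route a worse distance than wan1's,
# so only one default route is active and general traffic leaves via wan1.
config system interface
    edit "wan2"
        set distance 10
    next
end

# Step 3 with the /32 host mask: only the second web server is policy-routed
# out of wan2. PPPoE is point-to-point, so no gateway is set here; add
# "set gateway <next hop>" if the ISP next hop is known.
config router policy
    edit 1
        set input-device "internal"
        set src "10.0.0.10/255.255.255.255"
        set dst "0.0.0.0/0.0.0.0"
        set protocol 0
        set start-port 1
        set end-port 65535
        set output-device "wan2"
    next
end

# Step 4: publish the server on the wan2 address, then allow only HTTP
# from the Internet side of wan2 to that VIP (no "all" service, no wan1 rule).
config firewall vip
    edit "web2-vip"
        set extintf "wan2"
        set extip 203.0.113.20
        set mappedip "10.0.0.10"
    next
end
config firewall policy
    edit 20
        set srcintf "wan2"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "web2-vip"
        set action accept
        set schedule "always"
        set service "HTTP"
    next
end
```

    A policy route only chooses the exit interface; the server's own outbound traffic still has to match an internal-to-wan2 firewall policy with NAT enabled, which the thread does not mention. If the /32 rule alone does not keep the rest of the LAN on wan1, add the LAN-wide policy route to wan1 that the accepted solution suggests.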
