FortiGate 60 with two PPPoE connections

I have a Fortigate 60 firewall.  Both WAN ports are connected to the same DSL modem via an ethernet switch.  Each WAN port is configured to use different PPPoE user/names and passwords and, when logged in, each WAN port is assigned a different static IP.  We use NAT/port forwarding to machines on our LAN.

What I would like to get set up is a system where all traffic on our network goes out through WAN1, except for traffic to/from one web server on our network, which I would like to go through WAN2.  I'm doing this because there is already a web server on our network accessible through WAN1 and I need the second to also be accessible from the web.

Everything works fine when WAN1 is PPPoE logged in, but as soon as WAN2 is PPPoE conencted, no traffic seems to flow in or out of our network via either WAN interface; everything is blocked.  If I disconnect WAN2, everything goes back to normal.

Can someone please let me know what I might be doing wrong here?
I_play_with_DNAAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

yuriskCommented:
There are few issues to be addressed:
1) Default Gateway - when connected by PPPOE FG dynamically installs route
0.0.0.0 through the connected interface. So if, after being connected by 2 dialers
you will go to Router -> Monitor you'll see there 2 default routes to 0.0.0.0 and this
blocks the traffic as FG doesnt know which one to use.
2) TO fix above you will need to chnage Distance  in NEtwork- Interface ->WAN2
Put distance of say 10. This will prevent anyone using WAN2 by default

3) To pass web traffic from server  through WAN2 only  implement Policy Routing. Go to Router-> Static->Policy  Route -> Create New , in the Parameters put the following:

Protocol   0
Incoming Interface :  <interface where the web server is>
Source address / mask: <IP of the web server in LAN>
Destination address / mask: 0.0.0.0/0.0.0.0
Destination Ports:  1   65535
Outgoing interface:   wan2
Gateway Address: < Best to put next hop for the WAN2 link if known,if not known 0.0.0.0 >

4) To route all incoming web server traffic through WAN2, create Virtual IP
with IP of the PPPOE WAN2 and interface/IP of webserver in parameters. Also create rule
incoming from outside port 80 , destination Virtual IP just created
0
I_play_with_DNAAuthor Commented:
@yurisk

Thanks for the reply.  I will try this Friday evening, because I can't muck with the firewall during business hours.

0
I_play_with_DNAAuthor Commented:
@yurisk

Ok, I've tried out what you suggested.  Here are the results:

1 & 2)  I changed the distance on the WAN2 interface to 10 as you said.  Once I did this, it stopped the extra route from being entered in the routing table and solved my problem of traffic blockage when both WAN ports are connected.

3 & 4)  I implemented a Policy Route and Virtual IP/Firewall Policy as you suggested.  After I did this, I wanted to check to see if all traffic from the new web server was going out through WAN2, so I opened a web browser and went to www.whatismyip.com, but the site reported the IP of WAN1, not WAN2.  Am I wrong in thinking that if all traffic to/from the web server is going out through WAN2, that the web site should have reported the IP of WAN2?

I've included screen shots of the policy route and virtual IP/firewall policy below so you can see what I have configured.  Ideally what I would like to happen is this:

All traffic from web server that is destined for machines NOT on our LAN goes out through WAN2.  All incoming traffic destined for web server comes in through WAN2.  I don't want web server to be able to communicate through WAN1 at all, either inbound or outbound.  Internal IP of the web server is 192.168.1.16


policy-route.jpg
virtual-IP.jpg
Firewall-policy.jpg
0
yuriskCommented:
If it doesnt install default route through WAN2 at all after increasing the Distance,
then return the Distance parameter of the WAN2 to the default route so that both
default routes are installed again , check in ROuter->Monitor.
Then in Policy Route change subnet mask to that  of 32 bits: 192.168.1.16/255.255.255.255.
I think that would be enough - if not, create another  Route Policy thta lists whole LAN
adn throws it to the WAN1 interface.

VIrtual IP is right, and the check you do - entering whatismyip is the one to prove that it is working.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Broadband

From novice to tech pro — start learning today.