FortiGate 60 with two PPPoE connections

Posted on 2008-11-13
Medium Priority
Last Modified: 2013-12-14
I have a Fortigate 60 firewall.  Both WAN ports are connected to the same DSL modem via an ethernet switch.  Each WAN port is configured to use different PPPoE user/names and passwords and, when logged in, each WAN port is assigned a different static IP.  We use NAT/port forwarding to machines on our LAN.

What I would like to get set up is a system where all traffic on our network goes out through WAN1, except for traffic to/from one web server on our network, which I would like to go through WAN2.  I'm doing this because there is already a web server on our network accessible through WAN1 and I need the second to also be accessible from the web.

Everything works fine when WAN1 is PPPoE logged in, but as soon as WAN2 is PPPoE conencted, no traffic seems to flow in or out of our network via either WAN interface; everything is blocked.  If I disconnect WAN2, everything goes back to normal.

Can someone please let me know what I might be doing wrong here?
Question by:I_play_with_DNA
  • 2
  • 2

Expert Comment

ID: 22957798
There are few issues to be addressed:
1) Default Gateway - when connected by PPPOE FG dynamically installs route through the connected interface. So if, after being connected by 2 dialers
you will go to Router -> Monitor you'll see there 2 default routes to and this
blocks the traffic as FG doesnt know which one to use.
2) TO fix above you will need to chnage Distance  in NEtwork- Interface ->WAN2
Put distance of say 10. This will prevent anyone using WAN2 by default

3) To pass web traffic from server  through WAN2 only  implement Policy Routing. Go to Router-> Static->Policy  Route -> Create New , in the Parameters put the following:

Protocol   0
Incoming Interface :  <interface where the web server is>
Source address / mask: <IP of the web server in LAN>
Destination address / mask:
Destination Ports:  1   65535
Outgoing interface:   wan2
Gateway Address: < Best to put next hop for the WAN2 link if known,if not known >

4) To route all incoming web server traffic through WAN2, create Virtual IP
with IP of the PPPOE WAN2 and interface/IP of webserver in parameters. Also create rule
incoming from outside port 80 , destination Virtual IP just created

Author Comment

ID: 22958145

Thanks for the reply.  I will try this Friday evening, because I can't muck with the firewall during business hours.


Author Comment

ID: 22964289

Ok, I've tried out what you suggested.  Here are the results:

1 & 2)  I changed the distance on the WAN2 interface to 10 as you said.  Once I did this, it stopped the extra route from being entered in the routing table and solved my problem of traffic blockage when both WAN ports are connected.

3 & 4)  I implemented a Policy Route and Virtual IP/Firewall Policy as you suggested.  After I did this, I wanted to check to see if all traffic from the new web server was going out through WAN2, so I opened a web browser and went to www.whatismyip.com, but the site reported the IP of WAN1, not WAN2.  Am I wrong in thinking that if all traffic to/from the web server is going out through WAN2, that the web site should have reported the IP of WAN2?

I've included screen shots of the policy route and virtual IP/firewall policy below so you can see what I have configured.  Ideally what I would like to happen is this:

All traffic from web server that is destined for machines NOT on our LAN goes out through WAN2.  All incoming traffic destined for web server comes in through WAN2.  I don't want web server to be able to communicate through WAN1 at all, either inbound or outbound.  Internal IP of the web server is


Accepted Solution

yurisk earned 2000 total points
ID: 22966211
If it doesnt install default route through WAN2 at all after increasing the Distance,
then return the Distance parameter of the WAN2 to the default route so that both
default routes are installed again , check in ROuter->Monitor.
Then in Policy Route change subnet mask to that  of 32 bits:
I think that would be enough - if not, create another  Route Policy thta lists whole LAN
adn throws it to the WAN1 interface.

VIrtual IP is right, and the check you do - entering whatismyip is the one to prove that it is working.

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This solves the problem of diagnosing why an internet connection is no longer working. It also helps identify the likely cause of the lost connection if the procedure fails to re-establish your internet connection. It helps to pinpoint the likely co…
Cable Modem Provisioning from DPoE compliant server  This Article is to support CMTS administrators to provide an overview of DOCSIS compliance configuration file, and to provision a cable modem located at customer place from a Back office serve…
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…
Is your organization moving toward a cloud and mobile-first environment? In this transition, your IT department will encounter many challenges, such as navigating how to: Deploy new applications and services to a growing team Accommodate employee…
Suggested Courses

616 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question