I_play_with_DNA
asked on
FortiGate 60 with two PPPoE connections
I have a Fortigate 60 firewall. Both WAN ports are connected to the same DSL modem via an ethernet switch. Each WAN port is configured to use different PPPoE user/names and passwords and, when logged in, each WAN port is assigned a different static IP. We use NAT/port forwarding to machines on our LAN.
What I would like to get set up is a system where all traffic on our network goes out through WAN1, except for traffic to/from one web server on our network, which I would like to go through WAN2. I'm doing this because there is already a web server on our network accessible through WAN1 and I need the second to also be accessible from the web.
Everything works fine when WAN1 is PPPoE logged in, but as soon as WAN2 is PPPoE conencted, no traffic seems to flow in or out of our network via either WAN interface; everything is blocked. If I disconnect WAN2, everything goes back to normal.
Can someone please let me know what I might be doing wrong here?
What I would like to get set up is a system where all traffic on our network goes out through WAN1, except for traffic to/from one web server on our network, which I would like to go through WAN2. I'm doing this because there is already a web server on our network accessible through WAN1 and I need the second to also be accessible from the web.
Everything works fine when WAN1 is PPPoE logged in, but as soon as WAN2 is PPPoE conencted, no traffic seems to flow in or out of our network via either WAN interface; everything is blocked. If I disconnect WAN2, everything goes back to normal.
Can someone please let me know what I might be doing wrong here?
ASKER
@yurisk
Thanks for the reply. I will try this Friday evening, because I can't muck with the firewall during business hours.
Thanks for the reply. I will try this Friday evening, because I can't muck with the firewall during business hours.
ASKER
@yurisk
Ok, I've tried out what you suggested. Here are the results:
1 & 2) I changed the distance on the WAN2 interface to 10 as you said. Once I did this, it stopped the extra route from being entered in the routing table and solved my problem of traffic blockage when both WAN ports are connected.
3 & 4) I implemented a Policy Route and Virtual IP/Firewall Policy as you suggested. After I did this, I wanted to check to see if all traffic from the new web server was going out through WAN2, so I opened a web browser and went to www.whatismyip.com, but the site reported the IP of WAN1, not WAN2. Am I wrong in thinking that if all traffic to/from the web server is going out through WAN2, that the web site should have reported the IP of WAN2?
I've included screen shots of the policy route and virtual IP/firewall policy below so you can see what I have configured. Ideally what I would like to happen is this:
All traffic from web server that is destined for machines NOT on our LAN goes out through WAN2. All incoming traffic destined for web server comes in through WAN2. I don't want web server to be able to communicate through WAN1 at all, either inbound or outbound. Internal IP of the web server is 192.168.1.16
policy-route.jpg
virtual-IP.jpg
Firewall-policy.jpg
Ok, I've tried out what you suggested. Here are the results:
1 & 2) I changed the distance on the WAN2 interface to 10 as you said. Once I did this, it stopped the extra route from being entered in the routing table and solved my problem of traffic blockage when both WAN ports are connected.
3 & 4) I implemented a Policy Route and Virtual IP/Firewall Policy as you suggested. After I did this, I wanted to check to see if all traffic from the new web server was going out through WAN2, so I opened a web browser and went to www.whatismyip.com, but the site reported the IP of WAN1, not WAN2. Am I wrong in thinking that if all traffic to/from the web server is going out through WAN2, that the web site should have reported the IP of WAN2?
I've included screen shots of the policy route and virtual IP/firewall policy below so you can see what I have configured. Ideally what I would like to happen is this:
All traffic from web server that is destined for machines NOT on our LAN goes out through WAN2. All incoming traffic destined for web server comes in through WAN2. I don't want web server to be able to communicate through WAN1 at all, either inbound or outbound. Internal IP of the web server is 192.168.1.16
policy-route.jpg
virtual-IP.jpg
Firewall-policy.jpg
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
1) Default Gateway - when connected by PPPOE FG dynamically installs route
0.0.0.0 through the connected interface. So if, after being connected by 2 dialers
you will go to Router -> Monitor you'll see there 2 default routes to 0.0.0.0 and this
blocks the traffic as FG doesnt know which one to use.
2) TO fix above you will need to chnage Distance in NEtwork- Interface ->WAN2
Put distance of say 10. This will prevent anyone using WAN2 by default
3) To pass web traffic from server through WAN2 only implement Policy Routing. Go to Router-> Static->Policy Route -> Create New , in the Parameters put the following:
Protocol 0
Incoming Interface : <interface where the web server is>
Source address / mask: <IP of the web server in LAN>
Destination address / mask: 0.0.0.0/0.0.0.0
Destination Ports: 1 65535
Outgoing interface: wan2
Gateway Address: < Best to put next hop for the WAN2 link if known,if not known 0.0.0.0 >
4) To route all incoming web server traffic through WAN2, create Virtual IP
with IP of the PPPOE WAN2 and interface/IP of webserver in parameters. Also create rule
incoming from outside port 80 , destination Virtual IP just created