
Dual WAN on a Fortigate 60

Greg_Stewart asked:
I have an older Fortigate 60 running 3.0 firmware. I would like to configure it to route all end user internet traffic (web surfing, videos, etc.) through WAN2...leaving WAN 1 to handle the traffic of our servers, IPSEC tunnels, etc. Currently all external traffic goes through WAN1.

I connected WAN2 to a cable modem (after verifying it was working). I then created IP Ranges for the different computer classes in our office (Servers and Workstations). I then changed my original policy on Internal -> WAN1 to only include the Servers IP Range and created a new Internal -> WAN2 policy that allows all traffic from the Workstations IP Range to ALL. I then added a Static Route (10) for the WAN2 default gateway. After making these changes only the Servers could reach the internet. The workstations couldn't.

Any ideas what is wrong? Am I going about this the wrong way?

Commented:
U will need to do HIDE NAT for the workstation IP ranges. NAT the Workstation IP range to the WAN2 public IP.

I couldn't really figure out how to do that (HIDE NAT)...but I did finally get it to work. I think the problem was that when I was making changes that I *thought* would work...I had to restart the Fortigate or bring the WAN 2 interface down and back up for the Fortigate to actually take the change. In short...here is how I accomplished the goal of directing end user web traffic through WAN2 while using WAN1 for everything else:

1) Enabled WAN2 with appropriate settings.
2) Added static route to WAN2 default gateway...setting priority higher number (thus lower priority) than WAN1 default gateway.
3) Added firewall policy to allow traffic from internal interface to WAN2 interface...with NAT.
4) Added the following Policy Route: Protocol:6 / Incoming Interface: Internal / Source: 0.0.0.0/0.0.0.0 / Destination: 0.0.0.0/0.0.0.0 / Ports: 80 to 80 / Type of Service 00 and 00 / Outgoing Int: wan2 / Gateway Address: the actual DG of WAN2. Note that the help that I was seeing from Fortigate on this topic seemed pretty inaccurate. For example it said all zeros as the source or destination disabled the feature.
5) Repeated for port 443.
6) Brought WAN2 down, then back up (this seemed to be key...but I may be wrong!).

To test I tried a tracert...and that went through WAN1 (I guess b/c not to port 80 or 443). I then went to www.speedtest.net since that shows my from-IP address (I guess many sites do), and it reflected that I was coming from my WAN2 ISP. I'm sure there are more elegant ways to test...but it is way too technical for me!
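The tracert and speedtest results above follow from the lookup order the post's steps 2, 4 and 5 set up: policy routes are checked before the routing table, so only TCP 80/443 is steered to wan2 while everything else falls back to the default route with the better (lower) priority value. The model below is an added example, not code from the post or from Fortinet; the route entries, the internal/workstation address and the gateway addresses are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class StaticRoute:
    dst: str            # destination prefix, e.g. "0.0.0.0/0"
    device: str
    gateway: str
    distance: int = 10
    priority: int = 0   # among equal-distance routes, lower number wins


@dataclass
class PolicyRoute:
    input_device: str
    protocol: int       # 6 = TCP, 17 = UDP, 1 = ICMP, 0 = any
    start_port: int
    end_port: int
    output_device: str
    gateway: str
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"


# Constructed configuration mirroring the post: two default routes where the
# wan2 route carries the higher (worse) priority number, plus policy routes
# for TCP 80 and 443 from the internal interface out wan2.
STATIC_ROUTES = [
    StaticRoute("0.0.0.0/0", "wan1", "198.51.100.1", distance=10, priority=0),
    StaticRoute("0.0.0.0/0", "wan2", "203.0.113.1", distance=10, priority=10),
]
POLICY_ROUTES = [
    PolicyRoute("internal", 6, 80, 80, "wan2", "203.0.113.1"),
    PolicyRoute("internal", 6, 443, 443, "wan2", "203.0.113.1"),
]


def _in(net: str, ip: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)


def egress(in_dev: str, proto: int, src: str, dst: str, dport: int) -> str:
    """Return the outgoing interface for a flow: first matching policy route
    wins; otherwise longest prefix, then lowest distance, then lowest priority."""
    for pr in POLICY_ROUTES:
        if (pr.input_device == in_dev and pr.protocol in (0, proto)
                and pr.start_port <= dport <= pr.end_port
                and _in(pr.src, src) and _in(pr.dst, dst)):
            return pr.output_device
    candidates = [r for r in STATIC_ROUTES if _in(r.dst, dst)]
    best = min(candidates, key=lambda r: (
        -ipaddress.ip_network(r.dst).prefixlen, r.distance, r.priority))
    return best.device
```

Run it with a workstation web request (TCP 80 or 443) and it reports wan2; an ICMP traceroute or a TCP flow to any other port falls back to wan1, which is exactly what the tests in the post showed.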