netbones

asked:
Fortinet FG110C Multiple Default Gateways Issue

We've configured an FG110C in Interface Mode (not Switch Mode). We had to do this because we have 4 internet providers - one is a T1, 3 are DSL lines that we want to load balance with.

The T1 and the DSLs are used for completely different things. We use the T1 for inbound email/webmail and also for specific clients. The DSLs are used for generic web surfing.

Up until this point we have had to use 2 Juniper SSG5's to make this work.

The problem is that we have a flat network - 10.1.1.0/16 - and each of the SSGs had an internal IP of 10.1.1.1 and 10.1.1.2. So, for the systems that needed to be on the T1 we set them with a GW address of 10.1.1.1, and for the rest of the company their GW is 10.1.1.2.

When I try to mimic this config on the FG110C, I cannot assign two interfaces on the same subnet.  

So, I have 2 questions:

1) Is it possible using the CLI to do this using commands that can't be done from the web interface?

2) When I converted from Switch Mode to Interface Mode, it gave me 8 independent ports (plus the WAN1 & WAN2).  Is there a way to create two sets of interface ports, say Port1-4 and Port5-8?

Thanks!
chakko

To force some users out of a different ISP link I use the Policy Routes (Dynamic Routes) - the second tab on the Routes page.
You can set the Source IP (or range) of the LAN computers and route them out of a Specific gateway.
Leave the Protocol and other settings as default, setup the Source Range IPs and the gateway settings.  The order of the entries on that Policy Routes page makes a difference, so adjust the rule order if needed.

I don't think your Fortigate will be able to handle 4 WAN internet links; that model is too small. You may be able to use the DMZ port though. I have not tried that, but it may work.

Something like this
WAN1 - T1  (make this your default static route)
WAN2 - ADSL  -  make a new subnet for the ADSL line or use the PPPoE setting so that it gets a public IP
DMZ - SSG5 with the other 2 ADSL connected to it - put this on another subnet
Maybe this will help

Fortigate 10.1.1.1 LAN/Internal
WAN1 - T1 IP
WAN2 - PPPoE (public IP from ADSL)
DMZ - 10.2.1.1   SSG5 LAN interface 10.2.1.2   and then the 2 ADSL lines connected to the SSG5

To route out via DMZ in the Policy route, select the DMZ interface and Gateway IP 10.2.1.2

Make required Firewall Policy rules for outbound traffic.
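The policy-route approach described above, written out as FortiOS CLI. This is an added example, not chakko's or Fortinet's own configuration; the interface names, the 10.1.1.0/24 source range and the 203.0.113.1 / 198.51.100.1 gateway addresses are placeholders, and exact keyword syntax varies slightly between FortiOS versions.

```fortios
# Added example (placeholders throughout): T1 on wan1 is the default route,
# one group of LAN hosts is forced out the DSL gateway on wan2 by policy route.
config router static
    edit 1
        set device "wan1"
        set gateway 203.0.113.1          # placeholder T1 next hop (default route)
    next
end

# Policy routes are checked top-down before the static table; the first match
# wins, so order the entries from most specific to least specific.
config router policy
    edit 1
        set input-device "internal"
        set src 10.1.1.0 255.255.255.0   # placeholder: the general web-surfing hosts
        set output-device "wan2"
        set gateway 198.51.100.1         # placeholder DSL next hop
    next
end

# A policy route only selects the egress; traffic is still dropped unless a
# firewall policy from internal to that WAN interface permits it (with NAT).
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
    next
end
```

Verify the match with the routing table and policy-route listing in the CLI or GUI before cutting users over, since a mis-ordered policy route silently sends the wrong hosts out the wrong ISP.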

netbones (asker)

The problem is that we actually have 3 DSL lines that we are load balancing on, and those are used by the general web browsing group. That means I have 3 separate ports going to 3 different ISP connections, and on top of that another separate T1 ISP.

Policy routing won't work because we are not differentiating traffic, we are specifically targeting certain users for the T1 for all their traffic.

I would think there would be a way for me to have two internal interfaces be on the same subnet; it simplifies how you deal with multiple default gateways.
(attached image: fg80cconfig.jpg)
Sorry the graphic didn't upload correctly. From PORT1/10.1.1.2 it is going into the same switch as PORT2/10.1.1.1, for some reason the line doesn't show.
ASKER CERTIFIED SOLUTION
chakko

xanandu

Get rid of the 2nd internal interface on the same subnet (unless you need the physical bandwidth) and put 2 IPs on the same interface.

config system interface
    edit port1
        set ip 10.1.1.1/16
        set secondary-IP enable
        config secondaryip
            edit 0    # edit 0 always creates a new entry in the table
                set ip 10.1.1.2/16
                set allowaccess https ssh ping
            next
        end
    next
end

This will set your port1 interface to 10.1.1.1 and 10.1.1.2, with both IPs being on a /16 network.

Because you are using a Fortigate 110C, you cannot trunk your lines. If you ABSOLUTELY NEED! 2 ports for the bandwidth (because they are both 10/100 ports), you can put them both on the same subnet, but be CAREFUL doing this: you are messing with your management interfaces, so if you bork it you need local access to the device to reset what is borked.

>config system settings
>set allow-subnet-overlap enable

You can always merge 2 ports into a zone and use that zone in your firewall policies, but your ports have to be pretty much undefined and not referenced in anything (firewall policies, DHCP servers, interfaces) in order to add them to a zone. Once you do this, the zone is treated like an interface of its own.