Fortinet FG110C Multiple Default Gateways Issue

We've configured an FG110C in Interface Mode (not Switch Mode). We had to do this because we have 4 internet providers - one is a T1, 3 are DSL that we want to load balance with.

The T1 and the DSL's are used for completely different things. We use the T1 for inbound email/webmail and also for specific clients. The DSL's are used for generic web surfing.

Up until this point we have had to use 2 Juniper SSG5's to make this work.

The problem is that we have a flat network -  10.1.1.0/16 - and each of the SSG's had an internal IP of 10.1.1.1 and 10.1.1.2.  So, for the systems that needed to be on the T1 we set them with a GW address of 10.1.1.1 and the rest of the company their GW is 10.1.1.2.

When I try to mimic this config on the FG110C, I cannot assign two interfaces on the same subnet.  

So, I have 2 questions:

1) Is it possible using the CLI to do this using commands that can't be done from the web interface?

2) When I converted from Switch Mode to Interface Mode, it gave me 8 independent ports (plus the WAN1 & WAN2).  Is there a way to create two sets of interface ports, say Port1-4 and Port5-8?

Thanks!
netbonesAsked:
chakkoCommented:
Is that drawing a concept or actual working config?
You can't have the interfaces (2 of them) on the same network, unless there is some trick, but I don't know of any.

Page 94 states that the IPs on the interfaces have to be on different subnets

http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=Fortigate-AdminGuide-40-MR2pdf&sliceId=&docTypeID=DT_PRODUCTDOCUMENTATION_1_1&dialogID=26765763&stateId=0%200%2026763879


In my configs where I have 1 LAN network, I set all computers to have Gateway of 10.1.1.1
Then I do the routing inside of the Fortigate.  You could use multi-wan with Load balancing, but that will distribute traffic over both WAN links (WAN1 and WAN2); you can set up weights to distribute unevenly.

If you want to isolate WAN1 (the T1 line for example) for some computers and WAN2 (ADSL lines) for the others, then I would use the Policy Routes.  If you leave the default value for the protocols and other info, and just set the source and destination gateway, then it will route ALL traffic out to your desired gateway.  It will not differentiate the traffic if you leave the settings at the default; it will allow you to target Users (by their IP) to use a specific gateway.

I would try something like this.  I have not tried that, normally I leave the fortigates in Switch mode.

WAN1 -- T1 line
WAN2 -- ADSL-1 line
Port 1 -- ADSL-2 line   (different subnet)
Port 2 -- ADSL-3 line   (different subnet)

Then use a combination of the Static routes (with weights to load balance the ADSL lines; look at the ECMP section in the manual link above) and Policy routes to target computers to force them out the WAN1 gateway.

chakkoCommented:
To force some users out of a different ISP link I use the Policy Routes (Dynamic Routes) - the second tab on the Routes page.
You can set the Source IP (or range) of the LAN computers and route them out of a Specific gateway.
Leave the Protocol and other settings as default, set up the Source Range IPs and the gateway settings.  The order of the entries on that Policy Routes page makes a difference, so adjust the rule order if needed.

I don't think your Fortigate will be able to handle 4 WAN internet links; that model is too small.  You may be able to use a DMZ port though; I have not tried that, but it may work.

Something like this
WAN1 - T1  (make this your default static route)
WAN2 - ADSL  -  make a new subnet for the ADSL line or use the PPPoE setting so that it gets a public IP
DMZ - SSG5 with the other 2 ADSL connected to it - put this on another subnet

chakkoCommented:

Maybe this will help

Fortigate 10.1.1.1 LAN/Internal
WAN1 - T1 IP
WAN2 - PPPoE (public IP from ADSL)
DMZ - 10.2.1.1   SSG5 LAN interface 10.2.1.2   and then the 2 ADSL lines connected to the SSG5

To route out via DMZ in the Policy route, select the DMZ interface and Gateway IP 10.2.1.2

Make required Firewall Policy rules for outbound traffic.

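The two things chakko's comments turn on are that policy routes are matched top-down (first match wins, no match falls through to the static route) and that the entry order therefore matters. The following is an added illustration, not code from the thread or from Fortinet: a small Python model of that evaluation for the layout described above (T1 on wan1 as the default static route, the SSG5 on dmz at 10.2.1.2 carrying the remaining ADSL lines), with a check that flags entries shadowed by a broader entry above them. The public next-hop address and the host IPs are constructed placeholders, and the LAN is written as 10.1.0.0/16 because a strict network object requires host bits to be zero.

```python
import ipaddress
from typing import List, NamedTuple, Tuple

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address

class PolicyRoute(NamedTuple):
    src: Net        # source range the entry matches (protocol/dst left at defaults)
    out_if: str     # egress interface chosen for matching traffic
    gateway: Addr   # next hop on that interface

# Constructed to mirror the thread's layout: T1 on wan1 (default static route),
# SSG5 LAN side 10.2.1.2 on dmz with the other ADSL lines behind it.
# 203.0.113.1 is a placeholder from the documentation range, not a real ISP hop.
T1_NEXT_HOP = ("wan1", Addr("203.0.113.1"))
DSL_NEXT_HOP = ("dmz", Addr("10.2.1.2"))

def egress(routes: List[PolicyRoute], src: str,
           default: Tuple[str, Addr] = T1_NEXT_HOP) -> Tuple[str, Addr]:
    """First matching policy route wins; no match falls back to the static route."""
    ip = Addr(src)
    for r in routes:
        if ip in r.src:
            return (r.out_if, r.gateway)
    return default

def shadowed(routes: List[PolicyRoute]) -> List[int]:
    """Indexes of entries that can never match because an earlier entry already
    covers their whole source range; this is the misordering chakko warns about."""
    return [i for i, r in enumerate(routes)
            if any(r.src.subnet_of(e.src) for e in routes[:i])]

# Intended order: pin the mail/webmail hosts to the T1 first, then send the rest
# of the flat LAN to the DSL side via the SSG5 on dmz.
GOOD = [
    PolicyRoute(Net("10.1.1.10/32"), *T1_NEXT_HOP),
    PolicyRoute(Net("10.1.1.11/32"), *T1_NEXT_HOP),
    PolicyRoute(Net("10.1.0.0/16"), *DSL_NEXT_HOP),
]
# Same entries with the broad rule moved to the top: the T1 hosts are shadowed
# and quietly leave over the DSL side instead.
BAD = [GOOD[2], GOOD[0], GOOD[1]]

if __name__ == "__main__":
    for src in ("10.1.1.10", "10.1.1.99"):
        print(src, "good ->", egress(GOOD, src), "bad ->", egress(BAD, src))
    print("shadowed entries in BAD:", shadowed(BAD))
```

Running `shadowed()` over a proposed rule list before committing it is a cheap way to catch a pinned host that would silently lose its T1 path.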
netbonesAuthor Commented:
The problem is that we actually have 3 DSL lines that we are load balancing on, and that is used by the general web browsing group.  That means I have 3 separate ports going to 3 different ISP connections, and on top of that another separate T1 ISP.

Policy routing won't work because we are not differentiating traffic, we are specifically targeting certain users for the T1 for all their traffic.

I would think there would be a way for me to have two internal interfaces be on the same subnet, it simplifies how you deal with multiple default gateways.
fg80cconfig.jpg
netbonesAuthor Commented:
Sorry the graphic didn't upload correctly. From PORT1/10.1.1.2 it is going into the same switch as PORT2/10.1.1.1, for some reason the line doesn't show.
xananduCommented:
Get rid of the 2nd internal interface on the same subnet (unless you need the physical bandwidth) and put 2 IPs on the same interface.

config system interface
    edit port1
        set ip 10.1.1.1/16
        set secondary-IP enable
        config secondaryip
            edit 0   # edit 0 always creates a new entry in the table
                set ip 10.1.1.2/16
                set allowaccess https ssh ping
            next
        end
    next
end

This will set your port 1 interface to 10.1.1.1 and 10.1.1.2, with both IPs on a /16 network.

Because you are using a Fortigate 110C, you cannot trunk your lines. If you ABSOLUTELY NEED! 2 ports for the bandwidth (because they are both 10/100 ports) you can put them both on the same subnet, but be CAREFUL doing this: you are messing with your management interfaces, so if you bork it you need local access to the device to reset what is borked.

config system settings
    set allow-subnet-overlap enable   # lets two interfaces carry overlapping subnets
end

You can always merge 2 ports into a zone and use that zone in your firewall policies, but your ports have to be pretty much undefined and not referenced in anything (firewall policies, DHCP servers, interface) in order to add them to a zone. But once you do this, the zone is treated like an interface of its own.