Fortinet FG110C Multiple Default Gateways Issue

We've configured an FG110C in Interface Mode (not Switch Mode). We had to do this because we have 4 internet providers - one is a T1, 3 are DSL that we want to load balance with.

The T1 and the DSLs are used for completely different things. We use the T1 for inbound email/webmail and also for specific clients. The DSLs are used for generic web surfing.

Up until this point we have had to use 2 Juniper SSG5's to make this work.

The problem is that we have a flat network - 10.1.1.0/16 - and each of the SSGs had an internal IP of 10.1.1.1 and 10.1.1.2. So, for the systems that needed to be on the T1 we set them with a GW address of 10.1.1.1, and the rest of the company has a GW of 10.1.1.2.

When I try to mimic this config on the FG110C, I cannot assign two interfaces on the same subnet.

So, I have 2 questions:

1) Is it possible using the CLI to do this using commands that can't be done from the web interface?

2) When I converted from Switch Mode to Interface Mode, it gave me 8 independent ports (plus the WAN1 & WAN2).  Is there a way to create two sets of interface ports, say Port1-4 and Port5-8?

Thanks!
netbonesAsked:

chakkoCommented:
To force some users out of a different ISP link I use the Policy Routes (Dynamic Routes) - the second tab on the Routes page.
You can set the Source IP (or range) of the LAN computers and route them out of a Specific gateway.
Leave the Protocol and other settings as default, setup the Source Range IPs and the gateway settings.  The order of the entries on that Policy Routes page makes a difference, so adjust the rule order if needed.

I don't think your Fortigate will be able to handle 4 WAN internet links, that model is too small. You may be able to use a DMZ port though, I have not tried that but it may work.

Something like this
WAN1 - T1  (make this your default static route)
WAN2 - ADSL  -  make a new subnet for the ADSL line or use the PPPoE setting so that it gets a public IP
DMZ - SSG5 with the other 2 ADSL connected to it - put this on another subnet

chakkoCommented:

Maybe this will help

Fortigate 10.1.1.1 LAN/Internal
WAN1 - T1 IP
WAN2 - PPPoE (public IP from ADSL)
DMZ - 10.2.1.1   SSG5 LAN interface 10.2.1.2   and then the 2 ADSL lines connected to the SSG5

To route out via DMZ in the Policy route, select the DMZ interface and Gateway IP 10.2.1.2

Make required Firewall Policy rules for outbound traffic.

netbonesAuthor Commented:
The problem is that we actually have 3 DSL lines that we are load balancing on, and that is used by the general web browsing group. That means I have 3 separate ports going to 3 different ISP connections, and on top of that another separate T1 ISP.

Policy routing won't work because we are not differentiating traffic, we are specifically targeting certain users for the T1 for all their traffic.

I would think there would be a way for me to have two internal interfaces be on the same subnet, it simplifies how you deal with multiple default gateways.
[attached image: fg80cconfig.jpg]

netbonesAuthor Commented:
Sorry the graphic didn't upload correctly. From PORT1/10.1.1.2 it is going into the same switch as PORT2/10.1.1.1, for some reason the line doesn't show.
chakkoCommented:
Is that drawing a concept or actual working config?
You can't have the interfaces (2 of them) on the same network, unless there is some trick, but I don't know of any.

Page 94 states that the IPs on the interfaces have to be on different subnets

http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=Fortigate-AdminGuide-40-MR2pdf&sliceId=&docTypeID=DT_PRODUCTDOCUMENTATION_1_1&dialogID=26765763&stateId=0%200%2026763879


In my configs where I have 1 LAN network, I set all computers to have Gateway of 10.1.1.1
Then I do the routing inside of the Fortigate.  You could use multi-wan with Load balancing but that will distribute traffic over both WAN links (WAN1 and WAN2), you can setup weights to distribute unevenly.

If you want to isolate WAN1 (the T1 line for example) for some computers and WAN2 (ADSL lines) then I would use the Policy Routes. If you leave the default value for the protocols and other info, and just set the source and destination gateway, then it will route ALL traffic out to your desired gateway. It will not differentiate the traffic if you leave the settings at the default; it will allow you to target Users (by their IP) to use a specific gateway.

I would try something like this.  I have not tried that, normally I leave the fortigates in Switch mode.

WAN1 -- T1 line
WAN2 -- ADSL-1 line
Port 1 -- ADSL-2 line   (different subnet)
Port 2 -- ADSL-3 line   (different subnet)

then use a combination of the Static routes (with weights to load balance the ADSL lines, look at the ECMP section in the manual link above) and Policy routes to target computers to force them out the WAN1 gateway
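A worked version of the routing described above (weighted ECMP static routes for the three DSL lines, plus a policy route that forces the T1-only hosts out WAN1), written here as an added example and not chakko's or Fortinet's own configuration. The port-to-ISP mapping, the ISP gateway addresses (RFC 5737 documentation ranges) and the 10.1.5.0/24 block for the T1-only hosts are assumptions; the `weight` and `v4-ecmp-mode` keywords are FortiOS 5.x-and-later syntax and may differ on the 4.0 MR2 firmware referenced on this page.

```fortios
# Added example, not the poster's configuration. Assumed layout:
#   port1 = LAN 10.1.1.1/16, wan1 = T1, wan2/port3/port4 = ADSL-1/2/3,
#   each ADSL port on its own small subnet; T1-only hosts live in 10.1.5.0/24.

# 1) Three default routes at the same distance form one ECMP group for the
#    DSL lines. The T1 route sits at a worse distance, so it only becomes
#    active as a backup if every DSL route disappears.
config router static
    edit 1
        set device "wan2"
        set gateway 198.51.100.1
        set distance 10
        set weight 50            # ADSL-1 gets half of the balanced traffic
    next
    edit 2
        set device "port3"
        set gateway 192.0.2.1
        set distance 10
        set weight 25
    next
    edit 3
        set device "port4"
        set gateway 192.0.2.129
        set distance 10
        set weight 25
    next
    edit 4
        set device "wan1"
        set gateway 203.0.113.1
        set distance 20          # backup only, never balanced with the DSL lines
    next
end

# Make ECMP honour the per-route weights (FortiOS 5.x+ keyword; assumption here).
config system settings
    set v4-ecmp-mode weight-based
end

# 2) Policy routes are checked before the routing table. Protocol, ports and
#    destination are left at their defaults, so ALL traffic sourced from the
#    T1-only hosts leaves via wan1, matching the behaviour described above.
config router policy
    edit 1
        set input-device "port1"
        set src "10.1.5.0/255.255.255.0"
        set output-device "wan1"
        set gateway 203.0.113.1
    next
end
```

Firewall policies from port1 to each WAN-side interface are still required for any of this traffic to pass, as chakko notes above.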
xananduCommented:
get rid of the 2nd internal interface on the same subnet (unless you need the physical bandwidth)
put 2 IPs on the same interface.

config system interface
    edit port1
        set ip 10.1.1.1/16
        set secondary-IP enable
        config secondaryip
            # edit 0 always creates a new entry in the table
            edit 0
                set ip 10.1.1.2/16
                set allowaccess https ssh ping
            next
        end
    next
end

this will set your port 1 interface to 10.1.1.1 and 10.1.1.2 with both IPs being on a /16 network

because you are using a fortigate 110C, you cannot trunk your lines. If you ABSOLUTELY NEED! 2 ports for the bandwidth (because they are both 10/100 ports) you can put them both on the same subnet, but be CAREFUL doing this, you are messing with your management interfaces, so if you bork it you need local access to the device to reset what is borked.

config system settings
    set allow-subnet-overlap enable
end

you can always merge 2 ports into a zone, and use that zone in your firewall policies, but your ports have to be pretty much undefined and not referenced in anything (firewall policies, dhcp servers, interface) in order to add them to a zone. but once you do this, the zone is treated like an interface of its own.