Dual ISP Fortigate 110c

Dear experts,

So here it is. I have a Fortigate 110c with two WAN interfaces. The Fortigate is currently configured for one ISP. Now we want to connect a second ISP to this machine.

The connection from my ISP is a glass fiber connection. My Cisco router is connected to the glass fiber, and from there a PPPoE connection has been set up. If I connect my laptop to the router and give it a static IP, I can browse the internet without any problems.

Now I connected the Cisco router to my Fortigate on the WAN 2 interface. On this interface I created a new VLAN interface with VLAN ID 1, as was set on the Cisco router.

Now the problem is I can't ping the new connection.



I hope anyone can help
mspren asked:
Jakob Digranes, Senior Consultant, commented:
How is routing set up on the Fortigate?
You most likely have a default route already going through WAN1 (0.0.0.0/0.0.0.0 -> WAN1's IP).
You need to add an additional route that sends traffic through WAN 2, but with a lower priority, so that it will use that one if WAN 1 doesn't respond.

Or you could create source-based routing, saying that traffic FROM one VLAN/interface/port will be sent to WAN2.
You can also direct some traffic to WAN2 if you want to, by creating a static route: 192.168.1.0/255.255.255.0 -> WAN2's IP.

It depends a bit on how you want to handle dual ISPs.
0
 
mspren (author) commented:
I created a default route to WAN 2 with priority 20, where the WAN 1 route has priority 10. But when I do this I get complaints from my users that they can no longer browse the internet.

What concerns me most is that from the outside I cannot ping the WAN 2 interface. I think this is where my problems start, but I am not sure.
0
 
Jakob Digranes, Senior Consultant, commented:
Delete the VLAN 1 interface on WAN 2. VLAN 1 is the default, so if you set no VLAN this is what they'll use.

Where is the PPPoE set up? On the Cisco?
What IPs do the Cisco and the WAN 2 interface have? Make sure you've activated PING on the WAN2 interface.

You also need to configure policies allowing internet traffic from Internal to WAN2 as well.
0
mspren (author) commented:
PPPoE is set up on my Cisco 891 router. Both the Cisco and WAN 2 on my Fortigate have no IP address. See my Cisco config in the attachment.

PING is enabled on WAN 2. See the config of WAN 2 in the attachment.
cfgrouter.txt
cfgfirewall.jpg
0
 
Jakob Digranes, Senior Consultant, commented:
Can you please add the routes you've added to the WAN2 interface?
You need some kind of gateway to be able to send traffic to the router.
0
 
mspren (author) commented:
I tried a static route and a policy route. See the attachments.
cfgroute.jpg
cfgpolicyroute.jpg
0
 
Jakob Digranes, Senior Consultant, commented:
I guess you need to delete the policy route. It makes no sense the way it is.

I'd do the following:

- Since the Cisco is plain passthrough, you don't need to worry about that; sorry for not picking up on that earlier.
- Delete VLAN 1 and put the IP address directly on WAN2.
- Create a firewall policy allowing any-any traffic from internal to WAN2.
- Create a static route, 0.0.0.0/0.0.0.0 via WAN2, priority 100.

For diagnostics, try traceroute from either the firewall or a PC.
From the firewall, start a CLI session in the dashboard and enter:
exec traceroute 8.8.8.8
0
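As an added illustration of the four steps above, here is what they look like in the FortiOS CLI. This is example configuration written for this page, not configuration posted in the thread; the interface names ("wan2", "internal", the VLAN sub-interface "wan2-vlan1"), the 203.0.113.0/30 addressing and the route/policy index numbers are assumptions. Two points worth knowing when you type this in: FortiOS keeps every static route with the lowest administrative distance in the routing table, and among those the route with the lower priority value wins, so priority 100 makes the WAN2 default route a backup to the existing WAN1 one rather than an equal-cost path. The any/any policy mirrors the advice above; in production, narrow the source addresses and services, and enable logging on the policy so that traffic taking the second ISP is visible.

```fortios
# Added example (not from the original thread). Assumed names/addresses:
#   wan2 = second WAN port, internal = LAN switch, 203.0.113.2/30 = our side,
#   203.0.113.1 = ISP/Cisco-side gateway, "wan2-vlan1" = the VLAN 1 sub-interface
#   created earlier, route/policy IDs 2 and 10 chosen to avoid existing entries.

# Step 1: remove the VLAN 1 sub-interface; untagged frames on wan2 are VLAN 1 anyway.
config system interface
    delete "wan2-vlan1"
end

# Step 2: put the address and gateway-side settings directly on wan2.
# allowaccess is limited to ping for the reachability test; do not expose
# http/https/ssh management on an Internet-facing port.
config system interface
    edit "wan2"
        set mode static
        set ip 203.0.113.2 255.255.255.252
        set allowaccess ping
    next
end

# Step 3: firewall policy from the LAN out through wan2 with source NAT.
# "all"/"ALL" reproduces the any-any advice above; tighten in production.
config firewall policy
    edit 10
        set name "LAN-to-WAN2"
        set srcintf "internal"
        set dstintf "wan2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
end

# Step 4: backup default route via wan2. Lower priority value = preferred,
# so with the WAN1 default route left at its default priority (0) this route
# is only used when the WAN1 route drops out of the table.
config router static
    edit 2
        set dst 0.0.0.0 0.0.0.0
        set gateway 203.0.113.1
        set device "wan2"
        set priority 100
    next
end

# If a policy route was created while troubleshooting, remove it (assumed ID 1).
config router policy
    delete 1
end

# Checks: both default routes should be listed, the gateway should answer,
# and a traceroute should show which ISP is actually carrying traffic.
get router info routing-table all
execute ping 203.0.113.1
execute traceroute 8.8.8.8
```

If the gateway does not answer `execute ping 203.0.113.1` but the Cisco is passing PPPoE through, the problem is between the two boxes (cabling, VLAN tagging, or the router not forwarding inbound) rather than in the Fortigate's routing, which is the same conclusion the thread reaches further down.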
 
myramu commented:
Make sure that you are able to ping the router first from the firewall (exe ping x.x.x.x); if this works, then configure routing as mentioned above.

Also refer http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=100137

Good Luck!
0
 
Jakob Digranes, Senior Consultant, commented:
The router is in bridge mode, I think, from the Cisco's config file.
0
 
mspren (author) commented:
Well, I tried the above, and from the CLI I can ping anywhere, but I can't ping the WAN 2 interface.
0
 
Jakob Digranes, Senior Consultant, commented:
Traceroute then?
0
 
mspren (author) commented:
Traceroute goes through the old gateway.
0
 
Jakob Digranes, Senior Consultant, commented:
Look at the routing monitor. Is the WAN2 interface listed there? Can you post the Fortigate config?
0
 
mspren (author) commented:
What part do you want to see?
0
 
Jakob Digranes, Senior Consultant, commented:
interfaces
routing
and policies
0
 
mspren (author) commented:
This is the config of my interfaces. Routing and policies are being looked up.
cfginterfaces.txt
0
 
mspren (author) commented:
I don't get the routes and policies out of the config; for some reason they don't show in the CLI. But I found something. I think the problem starts on the router. We can go from the inside out but not from the outside in. So if I add this to the interfaces on my router, it should be working in theory.

interface vlan 1
ip access-group 99 out

access-list 99 permit any
access-list 100 permit ip any any
0
 
Jakob Digranes, Senior Consultant, commented:
OK.
Can you ping the KPN gateway through WAN 2 now?
Did you try to create a static route for the KPN gateway IP (or the KPN DNS servers) via WAN2 and then ping?
0
 
mspren (author) commented:
Yes, I can ping the KPN gateway from WAN 2. I also created a static route with a priority of 100. The ping still works then.
0
 
Jakob Digranes, Senior Consultant, commented:
Okay, so then you have access to the internet via WAN 2.
What firewall policy have you created for internal -> WAN2?
0
 
mspren (author) commented:
This worked great
0
Question has a verified solution.