Link to home
Start Free TrialLog in
Avatar of mspren

asked on

Dual ISP Foritgate 110c

Dear experts,

So here it is. I have a Fortigate 110c with two WAN interfaces. The Fortigate is currectly configured for one ISP. Now we want to connect a second ISP to this machine.

The connection from my ISP is a glasfiber connection. My Cisco router is connected to the glassfiber an from there a PPPoE connection has been setup. If i connect my laptop to the router and give i a static IP, i can browse the internet without any problems.

Now i connect the Cisco router to my Fortigate and i connected it to the WAN 2 interface. On this interface i created a new VLAN interface with VLAN ID 1, as was set on the Cisco router.

Now the problem is i cant ping new connection.

I hope anyone can help
Avatar of Jakob Digranes
Jakob Digranes
Flag of Norway image

Link to home
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of mspren


i created a default route to WAN 2 with priority 20 where the WAN 1 route has priority 10. But when i do this i get complaints from my users that they no longer can browse on the internet.

What most concerns me is that from the outside i can not ping the WAN 2 interface. I think this is where my problems start, but i am not sure.
Delete VLAN 1 interface on WAN 2 - VLAN1 is default - so if you set no VLAN this is what they'll use.

Where's the PPPoE set up? On the cisco?
What IPs do the Cisco and WAN 2 interface have? make sure you've activated PING on WAN2 interface.

You also need to confuigrue policies allowing internet traffic from Internal to WAN2 as well
Avatar of mspren


PPPoE is set up on my Cisco 891 router. Both the Cisco and WAN 2 on my Fortigate have no IP address. See my Cisco config in the attachment.

PING is enabled on WAN 2. See config of WAN 2 in the attachment.
can yoyu please add routes you've added to WAN2 interface?
YOu need some kind of gateway to be able to send traffic to the router
Avatar of mspren


I tried a static route and a policy route. See the attachments.
i guess you need to delete the policy route - that makes no sense the way it is

I'd do the following:

- Since the Cisco is plain passhtrough, you don't need to worry about that, sorry for not picking up on that earlier.
- Delete VLAN 1 and put the IP-address directly on WAN2
- Create a firewall policy allowing any any traffic from internal to WAN2
- create static route, WAN2 - priority 100

For diagnostic - try traceroute from either firewall or PC.
From firewall - start CLI session in dashboard
exec traceroute
Make sure that you are able to ping Router first from firewall (exe ping x.x.x.x) if this works then configure routing as mentioned above.

Also refer

Good Luck!
router is in bridge mode i think, from ciscos config file
Avatar of mspren


well i tried the above and from the cli i can ping to anywhere, but i cant ping to the WAN 2 interface.
traceroute then ?
Avatar of mspren


traceroute goes trough the old gateway
Look at routing monitor - is WAN2 interface listed there? can you post fortigate config ?
Avatar of mspren


what part do you wanna see?
and policies
Avatar of mspren


This is a config of my interfaces. routing and policies are being looked up
Avatar of mspren


i dont get the router an policies out of the config. for some reason it doesnt show in the cli. But i found somthing. i think the problem starts on the router. we can go from the the inside out but not from the outside in. so if i add this to the interfaces on my router is should be working in theory.

interface vlan 1
ip access-group 99 out

access-list 99 permit any
access-list 100 permit ip any any
OK ---
can you ping KPN gateway through WAN 2 now?
did you try to create static routing for the KPN gateway IP (or KPN DNS servers) via WAN2 and then do ping?
Avatar of mspren


Yes i can ping the KPN gateway from WAN 2. I also creates a static route with a priority of 100. The ping still works then.
okay --- so then you have access to internet via WAN 2
what firewall policy have you created for internal - WAN2?
Avatar of mspren


This worked great