Recently one of our customers configured a FG60D with two ADSL WAN links (both on the same provider, going to the same default gateway). They wanted all internet traffic to go out through WAN1 and all RDP and VPN traffic to go out through WAN2.
The problem was when they created the policy based route (PBR) for all outbound internet via WAN1, it also sent the traffic destined for the VPN through the same interface and thus failed.
Firstly, a quick network diagram below. WAN1 is configured as internal3 on the FortiGate and WAN2 is internal6. The local subnet (192.168.1.0) needs to reach the remote subnet (192.168.2.0) through the VPN going out of WAN2. They also need all their RDP traffic to go out of this link. For the rest of the network traffic they want it out of WAN1.
Without any PBR the VPN works fine. All users on the 192.168.1.x network can ping 192.168.2.x and vice versa.
They then add the RDP PBR to route all TCP 3389 traffic out of WAN2. Again this works fine (id #1 below).
As soon as they create their catch all for internal traffic to the internet (id #2 below) then the VPN fails as it sends all traffic destined for the remote site (192.168.2.0) out through WAN1.
The way I got around this was to create a PBR for traffic destined to the remote site, and have the outgoing interface reference the VPN interface (with no gateway configured). This was in addition to the static route configured for the VPN.
Finally you need to move this new PBR (#3) to be above the catch all PBR (#2).
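The three policy routes described above, written out as an added example in FortiOS CLI form (this is my reconstruction, not configuration taken from the customer's FortiGate). Interface names internal3 and internal6 come from the post; the LAN port name "internal1", the phase1 tunnel name "REMOTE-SITE-VPN" and the provider gateway 203.0.113.1 are assumptions and placeholders. The `set src`/`set dst` subnet syntax is the older FortiOS 5.x form the FG60D used; newer releases also accept address objects via `set srcaddr`/`set dstaddr`.

```fortios
# Static route for the tunnel stays in place (PBR #3 is in addition to it).
config router static
    edit 10
        set dst 192.168.2.0 255.255.255.0
        set device "REMOTE-SITE-VPN"      # assumed phase1 interface name
    next
end

config router policy
    # id 1: RDP (TCP 3389) from the LAN goes out WAN2 (internal6)
    edit 1
        set input-device "internal1"      # assumed LAN port
        set src "192.168.1.0/255.255.255.0"
        set protocol 6
        set start-port 3389
        set end-port 3389
        set gateway 203.0.113.1           # placeholder provider gateway
        set output-device "internal6"
    next
    # id 2: catch-all, everything else from the LAN goes out WAN1 (internal3)
    edit 2
        set input-device "internal1"
        set src "192.168.1.0/255.255.255.0"
        set gateway 203.0.113.1
        set output-device "internal3"
    next
    # id 3: traffic for the remote site is pinned to the tunnel interface,
    # with NO gateway, so it is not pushed out the physical WAN link
    edit 3
        set input-device "internal1"
        set src "192.168.1.0/255.255.255.0"
        set dst "192.168.2.0/255.255.255.0"
        set output-device "REMOTE-SITE-VPN"
    next
    # Policy routes are evaluated top-down, first match wins, so id 3 must sit
    # above the catch-all or the catch-all will claim the VPN traffic first.
    move 3 before 2
end
```

The security-relevant point is the ordering: a catch-all PBR with a gateway on the physical WAN interface overrides the static route to the tunnel, so traffic meant for the encrypted link is sent to the provider in the clear (and fails, because the remote subnet is private and unreachable there). After applying, `get router info routing-table all` shows the tunnel route, and `diagnose vpn tunnel list` should show the phase2 selectors passing traffic once a host on 192.168.1.0 pings 192.168.2.0.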
Now all RDP and VPN traffic is properly routed out of WAN2 (internal6), and the rest of the user internet traffic is getting routed out of WAN1 (internal3).
3 comments:
Really nice article! You just gained yourself another subscriber to your rss feed! :)
I needed the same. I want to use WAN1 for internet and WAN2 for VPN only. If you could give some more detail, please.
I am planning a site-to-site VPN on a FortiGate 100D, and I have static IPs, so I want to keep internet and VPN traffic separate. Please suggest a solution and topology guide.