Dual internet connections

Dual internet connections, also referred to as dual WAN or redundant internet connections, means using two FortiGate interfaces to connect to the Internet. This is generally accomplished with SD-WAN, but the legacy approach described here configures dual WAN without SD-WAN, using only a link health monitor, static routes, policy routes and security policies. You can use dual internet connections in several ways:

  • Link redundancy: if one interface goes down, the second interface automatically becomes the main connection.
  • Load sharing: traffic is distributed across both links for better throughput.
  • A combination of link redundancy and load sharing.

This section describes three dual internet connection scenarios: link redundancy without load sharing, load sharing without link redundancy, and link redundancy combined with load sharing.

Scenario 1: Link redundancy and no load-sharing

Link redundancy ensures that if your Internet access is no longer available through a certain port, the FortiGate uses an alternate port to connect to the Internet.

In this scenario, two interfaces, WAN1 and WAN2, are connected to the Internet using two different ISPs. WAN1 is the primary connection. In the event of a failure of WAN1, WAN2 automatically becomes the connection to the Internet. For this configuration to function correctly, you must configure the following settings:

  • Link health monitor: to detect when the primary interface (WAN1) has lost connectivity and when it returns, and to remove its routes while it is down.
  • Routing: a default route for each interface, with the primary route preferred.
  • Security policies: policies that allow traffic from the internal network out through each WAN interface, so that the same traffic is permitted after failover.

Link health monitor

A link health monitor is required for routing failover. It probes a gateway or server through the monitored interface at regular intervals; when the probes stop getting responses, the interface is marked as down and, with update-static-route enabled, its static routes are removed from the routing table so that the backup route takes over. Probe a target beyond the ISP's first hop (for example, a public DNS server) rather than only the directly attached gateway: the gateway can keep answering while the ISP's upstream connectivity is down.

Set the interval (how often to send a probe), failtime (how many consecutive lost probes mark the link as down) and recoverytime (how many consecutive successful probes mark it as up again). A smaller interval and a smaller failtime give faster detection, but generate more probe traffic and make the monitor more sensitive to transient packet loss; a recoverytime greater than one prevents the route from flapping back as soon as a single probe succeeds.

The link health monitor supports both IPv4 and IPv6, and the probe protocols ping, tcp-echo, udp-echo, http and twamp.

To add a link health monitor (IPv4) using the CLI:

config system link-monitor
    edit <link-monitor-name>
        set addr-mode ipv4
        set srcintf <interface-name>
        set server <server-IP-address>
        set protocol {ping tcp-echo udp-echo http twamp}
        set gateway-ip <gateway-IP-address>
        set interval <seconds>
        set failtime <retry-attempts>
        set recoverytime <number-of-successful-responses>
        set status enable
    next
end

Option: set update-cascade-interface {enable | disable}
Description: Used together with the fail-detect and fail-alert options in the interface settings to cascade the link failure down to another interface. See the Bring other interfaces down when link monitor fails KB article for details.

Option: set update-static-route {enable | disable}
Description: When the link fails, all static routes associated with the interface are removed from the routing table; when the link recovers, they are reinstated. Failover in this scenario depends on this behaviour, so it must be enabled on the monitor for WAN1.

Routing

You must configure a default route for each interface and indicate your preferred route in one of two ways:

  • Specify different distances for the two routes. Only the route with the lower distance is declared active and placed in the routing table; the other becomes active only when the first is removed.
  • Specify the same distance for the two routes, but give the route you prefer a higher priority by assigning it a lower priority value. Both routes are placed in the routing table, but the route with the higher priority is chosen as the best route.

The following example uses the first method and configures different distances for the two routes. Be aware of a side effect: while WAN1 is up, the wan2 default route is not in the routing table, so you might not be able to reach the FortiGate through the backup WAN interface (for example, for administrative access or a VPN terminating on the wan2 address). The FortiGate performs a reverse path look-up on incoming traffic to block spoofed packets: if the routing table has no entry that would send the return traffic out through the interface the packet arrived on, the packet is dropped. The second method (equal distance, different priority, used in Scenario 3) keeps both routes in the routing table and avoids this.

To configure the routing of the two interfaces using the GUI:
  1. Go to Network > Static Routes, and click Create New.
  2. Enter the following information:
     Destination: for an IPv4 route, enter a subnet of 0.0.0.0/0.0.0.0; for an IPv6 route, enter ::/0.
     Interface: select the primary connection, for example wan1.
     Gateway Address: enter the gateway address of the ISP on that interface.
     Administrative Distance: leave as the default of 10.
  3. Click OK.
  4. Repeat the above steps for the backup connection, setting Interface to wan2 and Administrative Distance to 20.

To configure the routing of the two interfaces using the CLI:

config router {static | static6}
    edit 0
        set dst 0.0.0.0 0.0.0.0
        set device wan1
        set gateway <gateway_address>
        set distance 10
    next
    edit 0
        set dst 0.0.0.0 0.0.0.0
        set device wan2
        set gateway <gateway_address>
        set distance 20
    next
end

Security policies

When you create security policies, create duplicate policies (same source, destination, service and security profiles) with wan2 as the destination interface, so that after traffic fails over from WAN1 the same traffic is allowed through WAN2 as it was through WAN1. This ensures that failover occurs with minimal effect on users.
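The three pieces above combined into one working Scenario 1 configuration, as an added example that is not part of the original cookbook page. The interface names wan1, wan2 and internal, the monitor name wan1-monitor, the ISP gateway addresses 203.0.113.1 and 198.51.100.1 and the probe target 192.0.2.53 are assumptions; substitute your own values. The interval is given in the unit the page uses (seconds); check `set interval ?` on your firmware, since the unit and accepted range depend on the FortiOS version.

```fortios
# Added example, not from the original page. Names and addresses are assumptions.
# Monitor WAN1 by probing a host beyond the ISP gateway, so an upstream ISP
# failure is detected even while the directly attached gateway still answers.
config system link-monitor
    edit "wan1-monitor"
        set addr-mode ipv4
        set srcintf "wan1"
        set server "192.0.2.53"
        set protocol ping
        set gateway-ip 203.0.113.1
        set interval 5
        set failtime 5
        set recoverytime 5
        set update-static-route enable
        set status enable
    next
end
# Two default routes; only the lower-distance wan1 route is in the routing
# table until the link monitor removes it.
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set device "wan1"
        set gateway 203.0.113.1
        set distance 10
    next
    edit 2
        set dst 0.0.0.0 0.0.0.0
        set device "wan2"
        set gateway 198.51.100.1
        set distance 20
    next
end
# Identical outbound policies for both WAN interfaces, so the same traffic is
# allowed after failover. Apply the same security profiles to both.
config firewall policy
    edit 1
        set name "internal-to-wan1"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 2
        set name "internal-to-wan2"
        set srcintf "internal"
        set dstintf "wan2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

After applying it, `diagnose sys link-monitor status` shows the state of wan1-monitor, `get router info routing-table all` shows which default route is currently in use, and `get router info routing-table database` also lists the inactive wan2 route. To test failover, block the probe target upstream of the FortiGate rather than unplugging wan1: a pulled cable only exercises the physical-link path, not the monitor.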

Scenario 2: Load-sharing and no link redundancy

Load sharing can be accomplished in several ways, including:

  • Defining a preferred route with a lower distance, and using policy routes to send certain traffic to the secondary interface.
  • Defining routes with the same distance but different priorities, and using policy routes to send certain traffic to the secondary interface.
  • Defining routes with the same distance and priority, and using equal-cost multi-path (ECMP) routing to distribute traffic between the WAN interfaces.

This example uses the first option. Because link redundancy is not required in this scenario, you do not have to configure a link monitor.

Note

Traffic behaviour without a link monitor is as follows:

  • If the remote gateway is down but the primary WAN interface of the FortiGate is still up, the FortiGate continues to route traffic to the primary WAN, and that traffic is lost until the gateway recovers.
  • If the primary WAN interface is down because of a physical link failure, the FortiGate removes the routes through it and the secondary WAN routes become active, so traffic fails over to the secondary WAN.

Routing

Configure routing as you did in Scenario 1: Link redundancy and no load-sharing above.

Policy routes

By configuring policy routes, you can redirect specific traffic to the secondary WAN interface. This works because policy routes are evaluated before the routing table is consulted: even though the static route for the secondary WAN is not in the routing table, a policy route with an explicit gateway can still send traffic out through it.

In this example, we will create a policy route to route traffic from one address group to the secondary WAN interface.

To configure a policy route from the GUI:
  1. Go to Network > Policy Routes, and click Create New.
  2. Enter the following information:
     Incoming interface: the interface the traffic arrives on, for example internal.
     Source Address: to route only traffic from a group of hosts, define an address or address group (for example, Laptops) and add it here.
     Destination Address: leave empty, because all traffic from the address group is to be routed this way.
     Protocol: any.
     Action: Forward traffic.
     Outgoing interface: the secondary WAN, for example wan2.
     Gateway address: the gateway address of your secondary WAN. Because the wan2 default route has a higher distance value and is not in the routing table, the gateway must be specified here.
  3. Click OK.
To configure a policy route from the CLI:

config router policy
    edit 1
        set input-device "internal"
        set srcaddr "Laptops"
        set gateway <gateway_address>
        set output-device "wan2"
    next
end

Security policies

Your security policies should allow traffic from internal to wan1 as usual. Because link redundancy is not needed, you do not need to duplicate every wan1 policy for wan2; you only need a policy from internal to wan2 that covers the sources and services matched by the policy route. Without it, the policy-routed traffic is dropped.

Scenario 3: Link redundancy and load-sharing

In this scenario, both links carry Internet traffic, with the primary WAN preferred. Should one interface fail, the FortiGate continues to send traffic over the other active interface. The configuration combines the link redundancy and load-sharing scenarios. The main difference is that the two default routes have equal distance values, with the preferred route given a lower priority value (that is, a higher priority). Both routes are therefore active in the routing table, and the route with the higher priority is chosen as the best route for traffic that matches no policy route.

Link health monitor

A link monitor must be configured for both the primary and the secondary WAN interfaces. This ensures that if either WAN fails, its route is removed from the routing table and traffic is re-routed to the other WAN interface.

For configuration details, see sample configurations in Scenario 1: Link redundancy and no load-sharing.

Routing

Both WAN interfaces must have default routes with the same distance. Preference is given to the primary WAN by assigning its route a lower priority value, which in FortiOS means a higher priority.

To configure the routing of the two interfaces using the CLI:

config router {static | static6}
    edit 0
        set dst 0.0.0.0 0.0.0.0
        set device wan1
        set gateway <gateway_address>
        set distance 10
        set priority 0
    next
    edit 0
        set dst 0.0.0.0 0.0.0.0
        set device wan2
        set gateway <gateway_address>
        set distance 10
        set priority 10
    next
end

Policy routes

The policy route configuration is very similar to that in Scenario 2: Load-sharing and no link redundancy, except that the gateway address must not be specified. When a policy route matches and no gateway is specified, the FortiGate takes the next hop from the routing table. If the secondary WAN fails, traffic from the address group still matches the policy route, but because the link monitor has removed the wan2 route from the routing table and the policy route has no gateway of its own, the policy route is bypassed and the traffic continues through the primary WAN. This ensures that the policy route is effectively inactive while the secondary link is down. A policy route with an explicit gateway, as in Scenario 2, would keep forwarding into the failed link.

Security policies

When you create security policies, create duplicate policies (same source, destination, service and security profiles) with wan2 as the destination interface, so that after traffic fails over from WAN1 the same traffic is allowed through WAN2 as it was through WAN1. This ensures that failover occurs with minimal effect on users.
