Dual internet connections
Dual internet connections, also referred to as dual WAN or redundant internet connections, refers to using two FortiGate interfaces to connect to the Internet. This is generally accomplished with SD-WAN, but this legacy solution provides the means to configure dual WAN without using SD-WAN. You can use dual internet connections in several ways:
- Link redundancy: If one interface goes down, the second interface automatically becomes the main connection.
- Load sharing: This ensures better throughput.
- Use a combination of link redundancy and load sharing.
This section describes the following dual internet connection scenarios:
- Scenario 1: Link redundancy and no load-sharing
- Scenario 2: Load-sharing and no link redundancy
- Scenario 3: Link redundancy and load-sharing
Scenario 1: Link redundancy and no load-sharing
Link redundancy ensures that if your Internet access is no longer available through a certain port, the FortiGate uses an alternate port to connect to the Internet.
In this scenario, two interfaces, WAN1 and WAN2, are connected to the Internet using two different ISPs. WAN1 is the primary connection. In the event of a failure of WAN1, WAN2 automatically becomes the connection to the Internet. For this configuration to function correctly, you must configure the following settings:
- Link health monitor: To determine when the primary interface (WAN1) is down and when the connection returns.
- Routing: Configure a default route for each interface.
- Security policies: Configure security policies to allow traffic through each interface to the internal network.
Link health monitor
Adding a link health monitor is required for routing failover traffic. A link health monitor confirms the device interface connectivity by probing a gateway or server at regular intervals to ensure it is online and working. When the server is not accessible, that interface is marked as down.
Set the interval
(how often to send a ping) and failtime
(how many lost pings are considered a failure). A smaller interval value and smaller number of lost pings results in faster detection, but creates more traffic on your network.
The link health monitor supports both IPv4 and IPv6, and various other protocols including ping, tcp-echo, udp-echo, http, and twamp.
To add a link health monitor (IPv4) using the CLI:
config system link-monitor edit <link-monitor-name> set addr-mode ipv4 set srcintf <interface-name> set server <server-IP-address> set protocol {ping tcp-echo udp-echo http twamp} set gateway-ip <gateway-IP-address> set interval <seconds> set failtime <retry-attempts> set recoverytime <number-of-successful-responses> set status enable next end
Option |
Description |
---|---|
set update-cascade-interface {enable | disable} |
This option is used in conjunction with fail-detect and fail-alert options in interface settings to cascade the link failure down to another interface. See the Bring other interfaces down when link monitor fails KB article for details. |
set update-static-route {enable | disable} |
When the link fails, all static routes associated with the interface will be removed. |
Routing
You must configure a default route for each interface and indicate your preferred route as follows:
-
Specify different distances for the two routes. The lower of the two distance values is declared active and placed in the routing table.
-
Specify the same distance for the two routes, but give a higher priority to the route you prefer by defining a lower value. Both routes will be added to the routing table, but the route with a higher priority will be chosen as the best route
Or
In the following example, we will use the first method to configure different distances for the two routes. You might not be able to connect to the backup WAN interface because the FortiGate does not route traffic out of the backup interface. The FortiGate performs a reverse path look-up to prevent spoofed traffic. If an entry cannot be found in the routing table that sends the return traffic out through the same interface, the incoming traffic is dropped.
To configure the routing of the two interfaces using the GUI:
-
Go to Network > Static Routes, and click Create New.
-
Enter the following information:
Destination
For an IPv4 route, enter a subnet of
0.0.0.0/0.0.0.0
.For an IPv6 route, enter a subnet of
::/0
.Interface
Select the primary connection. For example,
wan1
.Gateway Address
Enter the gateway address.
Administrative Distance
Leave as the default of
10
. -
Click OK.
-
Repeat the above steps to set Interface to
wan2
and Administrative Distance to20
.
To configure the routing of the two interfaces using the CLI:
config router {static | static6} edit 1 set dst 0.0.0.0 0.0.0.0 set device wan1 set gateway <gateway_address> set distance 10 next edit 2 set dst 0.0.0.0 0.0.0.0 set device wan2 set gateway <gateway_address> set distance 20 next end
Security policies
When you create security policies, you need to configure duplicate policies to ensure that after traffic fails over WAN1, regular traffic is allowed to pass through WAN2, as it did with WAN1. This ensures that failover occurs with minimal effect to users.
Scenario 2: Load-sharing and no link redundancy
Load sharing may be accomplished in a few of the following ways of the many possible ways:
- By defining a preferred route with a lower distance, and specifying policy routes to route certain traffic to the secondary interface.
- By defining routes with same distance values but different priorities, and specifying policy routes to route certain traffic to the secondary interface.
- By defining routes with same distance values and priorities, and use equal-cost multi-path (ECMP) routing to equally distribute traffic between the WAN interfaces.
In our example, we will use the first option for our configuration. In this scenario, because link redundancy is not required, you do not have to configure a link monitor.
Traffic behaviour without a link monitor is as follows:
|
Routing
Configure routing as you did in Scenario 1: Link redundancy and no load-sharing above.
Policy routes
By configuring policy routes, you can redirect specific traffic to the secondary WAN interface. This works in this case because policy routes are checked before static routes. Therefore, even though the static route for the secondary WAN is not in the routing table, traffic can still be routed using the policy route.
In this example, we will create a policy route to route traffic from one address group to the secondary WAN interface.
To configure a policy route from the GUI:
-
Go to Network > Policy Routes, and click Create New.
-
Enter the following information:
Incoming interface
Define the source of the traffic. For example,
internal
.Source Address
If we prefer to route traffic only from a group of addresses, define an address or address group, and add here.
Destination Address
Because we want to route all traffic from the address group here, we do not specify a destination address.
Protocol
Specify any protocol.
Action
Forward traffic.
Outgoing interface
Select the secondary WAN as the outbound interface. For example,
wan2
.Gateway address
Input the gateway address for your secondary WAN.
Because its default route has a higher distance value and is not added to the routing table, the gateway address must be added here.
-
Click OK.
To configure a policy route from the CLI:
config router policy edit 1 set input-device "internal" set srcaddr "Laptops" set gateway <gateway_address> set output-device "wan2" next end
Security policies
Your security policies should allow all traffic from internal
to WAN1. Because link redundancy is not needed, you do not need to duplicate all WAN1 policies to WAN2. You will only need to define policies used in your policy route.
Scenario 3: Link redundancy and load-sharing
In this scenario, both the links are available to distribute Internet traffic with the primary WAN being preferred more. Should one of the interfaces fail, the FortiGate will continue to send traffic over the other active interface. The configuration is a combination of both the link redundancy and the load-sharing scenarios. The main difference is that the configured routes have equal distance values, with the route with a higher priority being preferred more. This ensures both routes are active in the routing table, but the route with a higher priority will be the best route.
Link health monitor
Link monitor must be configured for both the primary and the secondary WAN interfaces. This ensures that if the primary or the secondary WAN fails, the corresponding route is removed from the routing table and traffic re-routed to the other WAN interface.
For configuration details, see sample configurations in Scenario 1: Link redundancy and no load-sharing.
Routing
Both WAN interfaces must have default routes with the same distance. However, preference is given to the primary WAN by giving it a higher priority.
To configure the routing of the two interfaces using the CLI:
config router {static | static6} edit 1 set dst 0.0.0.0 0.0.0.0 set device wan1 set gateway <gateway_address> set distance 10 set priority 0 next edit 2 set dst 0.0.0.0 0.0.0.0 set device wan2 set gateway <gateway_address> set distance 10 set priority 10 next end
Policy routes
The policy routes configuration is very similar to that of the policy routes in Scenario 2: Load-sharing and no link redundancy, except that the gateway address should not be specified. When a policy route is matched and the gateway address is not specified, the FortiGate looks at the routing table to obtain the gateway. In case the secondary WAN fails, traffic may hit the policy route. Because there is no gateway specified and the route to the secondary WAN is removed by the link monitor, the policy route will by bypassed and traffic will continue through the primary WAN. This ensures that the policy route is not active when the link is down.
Security policies
When you create security policies, you need to configure duplicate policies to ensure that after traffic fails over WAN1, regular traffic is allowed to pass through WAN2, as it was with WAN1. This ensures that failover occurs with minimal effect to users.