Force IP (Fortigate) to use specific wan (Mikrotik)

I have a network topology as follows:

I want Computer 01 to go out through ISP 02:

  • On the Fortigate: I set a policy to force the IP of Computer 01 (192.168.1.5/24) out through WAN 1 of the Fortigate (192.168.0.2/24). It’s OK.
  • But on the Mikrotik, I don’t know how to configure that IP to be forced out through ISP 02 ???
    Please help me. Thank you.

Hey

I hope you don’t perform NATting on the Fortigate?

If not, you can route-mark (table:chain → mangle:prerouting) all packets from “computer 01” IPs with the mark for WAN02.

Thanks for your reply.

If not, you can route-mark (table:chain → mangle:prerouting) all packets from “computer 01” IPs with the mark for WAN02.

Can you explain more? Thank you.

To do PCC you need to do mangling and assign route-marks to packets (belonging to some connection) so they are always sent over some particular route.
To force packets from an IP onto some route, you have to “hard-code” the routing-mark assignment to the one of WAN2.

In this case, something like:

# all packets from comp01 that are not for the internal network need to go over wan2
/ip firewall mangle add action=mark-routing chain=prerouting src-address=192.168.1.5 dst-address-type=!local new-routing-mark=<wan2 mark> ...

Note: the above rule needs to be executed before the usual PCC mangle logic
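A complete version of the setup just described, added here as an example (not taken from the thread or from MikroTik documentation). It assumes the thread's addressing (ether2 = WAN2 with upstream gateway 10.2.2.1, LAN bridge 192.168.0.0/24, Fortigate at 192.168.0.2) and that the Fortigate routes 192.168.1.0/24 toward the MikroTik without NAT; the list names and comments are my own.

```routeros
# Added example, not from the thread: a minimal RouterOS v6 policy-routing set that
# pins one host to WAN2. Assumed addressing: ether1 = WAN1 (gateway 10.1.1.1),
# ether2 = WAN2 (gateway 10.2.2.1), LAN bridge 192.168.0.0/24, the Fortigate at
# 192.168.0.2 routing (not NATting) 192.168.1.0/24, and Computer 01 = 192.168.1.5.

# 1. Return path: the MikroTik must know that 192.168.1.0/24 lives behind the
#    Fortigate, otherwise replies to Computer 01 have no route and are dropped.
/ip route
add dst-address=192.168.1.0/24 gateway=192.168.0.2 comment="LAN behind Fortigate"

# 2. Who to steer, and which destinations must never be steered (local/transit nets).
/ip firewall address-list
add list=goSpecialWAN address=192.168.1.5 comment="Computer 01"
add list=localNets address=192.168.0.0/24
add list=localNets address=192.168.1.0/24
add list=localNets address=10.1.1.0/30
add list=localNets address=10.2.2.0/30

# 3. Routing-mark assignment. passthrough=no stops later PCC mark-connection rules
#    from re-marking this traffic; the rule must sit ABOVE any PCC rules in
#    prerouting (check with: /ip firewall mangle print). Without the destination
#    exclusion, LAN-to-LAN traffic from this host would also go to the WAN2 gateway.
/ip firewall mangle
add chain=prerouting in-interface=bridge1-LAN src-address-list=goSpecialWAN \
    dst-address-list=!localNets action=mark-routing new-routing-mark=go_WAN2 \
    passthrough=no comment="Computer 01 -> WAN2"

# 4. The table the mark selects. check-gateway=ping makes the route inactive when
#    10.2.2.1 stops answering; in v6 a marked table with no active route falls back
#    to main, so the host then follows the default (WAN1) route instead of going dark.
/ip route
add dst-address=0.0.0.0/0 gateway=10.2.2.1 routing-mark=go_WAN2 check-gateway=ping \
    distance=1 comment="WAN2 for go_WAN2 marked traffic"

# 5. Source NAT on the WAN2 egress (same idea as a plain masquerade rule).
/ip firewall nat
add chain=srcnat out-interface=ether2 action=masquerade

# Verify: the packet/byte counters on the mangle rule must rise while Computer 01
# browses. If they stay at zero, the MikroTik is not seeing 192.168.1.5 as the
# source, which is exactly what happens when the Fortigate NATs the host to its
# own 192.168.0.2 address.
/ip firewall mangle print stats where comment="Computer 01 -> WAN2"
```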

It’s not working :frowning:

“/export hide-sensitive” would help

I work in MikroTik! I think he is using NAT on the Fortigate! Because he is on dual WAN (or SD-WAN)!

This is my config on Mikrotik

/interface bridge
add comment=LAN name=bridge1-LAN
/interface ethernet
set [ find default-name=ether1 ] comment=WAN1-7Mbps speed=100Mbps
set [ find default-name=ether2 ] comment=WAN2-3Mbps speed=100Mbps
set [ find default-name=ether3 ] comment=bridge1-LAN speed=100Mbps
set [ find default-name=ether4 ] comment=bridge1-LAN speed=100Mbps
/interface bridge port
add bridge=bridge1-LAN hw=no interface=ether3
add bridge=bridge1-LAN hw=no interface=ether4
/ip address
add address=10.1.1.2/30 interface=ether1 network=10.1.1.0
add address=10.2.2.2/30 interface=ether2 network=10.2.2.0
add address=192.168.0.1/24 interface=bridge1-LAN network=192.168.0.0
/ip firewall address-list
add address=192.168.1.5 list=goSpecialWAN
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=yes in-interface=ether1 new-connection-mark=mark01 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=yes in-interface=ether2 new-connection-mark=mark02 passthrough=yes
add action=mark-connection chain=input connection-mark=no-mark disabled=yes in-interface=ether1 new-connection-mark=mark01 passthrough=no
add action=mark-connection chain=input connection-mark=no-mark disabled=yes in-interface=ether2 new-connection-mark=mark02 passthrough=no
add action=mark-routing chain=output connection-mark=mark01 disabled=yes new-routing-mark=route01 out-interface=ether1 passthrough=no
add action=mark-routing chain=output connection-mark=mark02 disabled=yes new-routing-mark=route02 out-interface=ether2 passthrough=no
add action=accept chain=prerouting dst-address=192.168.0.0/24 in-interface=bridge1-LAN
add action=mark-routing chain=prerouting dst-address-type=!local in-interface=bridge1-LAN new-routing-mark=go_WAN2 passthrough=no src-address-list=goSpecialWAN
add action=accept chain=prerouting dst-address=10.1.1.0/30 in-interface=bridge1-LAN
add action=accept chain=prerouting dst-address=10.2.2.0/30 in-interface=bridge1-LAN
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=bridge1-LAN new-connection-mark=mark01 passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=bridge1-LAN new-connection-mark=mark02 passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:2/1
add action=mark-routing chain=prerouting connection-mark=mark01 in-interface=bridge1-LAN new-routing-mark=route01 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=mark02 in-interface=bridge1-LAN new-routing-mark=route02 passthrough=yes
add action=mark-routing chain=output connection-mark=mark01 new-routing-mark=route01 passthrough=yes
add action=mark-routing chain=output connection-mark=mark02 new-routing-mark=route02 passthrough=yes
add action=mark-routing chain=prerouting disabled=yes new-routing-mark=go_WAN1 passthrough=yes src-address-list=goWAN2
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ether1 new-connection-mark=mark01 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ether2 new-connection-mark=mark02 passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=ether2
/ip route
add check-gateway=ping distance=5 gateway=10.1.1.1 routing-mark=route01
add check-gateway=ping distance=5 gateway=10.2.2.1 routing-mark=route02
add distance=1 gateway=10.1.1.1 routing-mark=go_WAN2
add distance=1 gateway=10.2.2.2 routing-mark=go_WAN1
add check-gateway=ping distance=5 gateway=10.1.1.1
add check-gateway=ping distance=10 gateway=10.2.2.1

Under “/ip route” I don’t see any entries for “192.168.1.0/24”, which would corroborate the fact that it’s not a routed network, and most likely NATted.

Can you disable natting for that link in fortigate?

Hi everyone
I have the same problem, could you find any solution?
My network schematic is the same as yours; the only difference is, I don’t use PCC for load balancing.
My Mikrotik routerboard is 1100AHX2 and the Fortigate is 201E in NAT/Router mode.
Do you have any solution for my problem?