Community discussions

 
dhvu1990
just joined
Topic Author
Posts: 7
Joined: Fri Jan 04, 2019 6:03 am

Force IP (Fortigate) to use specific wan (Mikrotik)

Fri Jul 19, 2019 10:53 am

I have a network topo as follows:
[Image: network topology]
I want Computer 01 to go outside through ISP 02:
- On Fortigate: I set a policy to force IP Computer 01 (192.168.1.5/24) to go outside through Wan 1 Fortigate (192.168.0.2/24). It's OK.
- But on Mikrotik, I don't know how to config that IP to force it outside through ISP 02?
Please help me. Thank you.
 
sebastia
Forum Guru
Posts: 1790
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: Force IP (Fortigate) to use specific wan (Mikrotik)

Fri Jul 19, 2019 12:49 pm

Hey

I hope you don't perform natting on fortigate?

If not you can route-mark (table:chain -> mangle:prerouting) all packets from "computer 01" ip's with mark for WAN02.
 
dhvu1990
just joined
Topic Author
Posts: 7
Joined: Fri Jan 04, 2019 6:03 am

Re: Force IP (Fortigate) to use specific wan (Mikrotik)

Fri Jul 19, 2019 1:04 pm

Thanks for your reply.
"If not you can route-mark (table:chain -> mangle:prerouting) all packets from "computer 01" ip's with mark for WAN02."
Can you explain more? Thank you.
 
sebastia
Forum Guru
Posts: 1790
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: Force IP (Fortigate) to use specific wan (Mikrotik)

Fri Jul 19, 2019 2:09 pm

To do PCC you need to do mangling, and assign route-marks to packets (part of some connection) to always send them via some particular route.
To force packets from an IP down some route, you have to "hard-code" the routing-mark assignment to the one of wan2.

In this case, something like:
# all packets from comp01, not for internal network need to go over wan2
/ip firewall mangle add action=mark-routing chain=prerouting src-address=192.168.1.5 dst-address-type=!local new-routing-mark=<wan2 mark> ...

Note: the above rule needs to be executed before the usual PCC mangle logic
 
dhvu1990
just joined
Topic Author
Posts: 7
Joined: Fri Jan 04, 2019 6:03 am

Re: Force IP (Fortigate) to use specific wan (Mikrotik)

Sat Jul 20, 2019 6:30 am

It's not working :(
 
sebastia
Forum Guru
Posts: 1790
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: Force IP (Fortigate) to use specific wan (Mikrotik)

Sat Jul 20, 2019 11:57 am

"/export hide-sensitive" would help
 
ingdaka
Member Candidate
Posts: 183
Joined: Thu Aug 30, 2012 3:06 pm
Location: Albania

Re: Force IP (Fortigate) to use specific wan (Mikrotik)

Sat Jul 20, 2019 10:24 pm

I work in mikrotik! I think he is using nat on fortigate! Because he is on dual wan (or sd-wan)!
Ilir Daka
Electronic & Network Engineer
E-mail: ilirdaka@live.com
Mob: +355692982151
WhatsApp: +355692982151
Mikrotik Official Consultant
CCNA | Fortinet NSE3 | MTCRE | MTCSE
 
dhvu1990
just joined
Topic Author
Posts: 7
Joined: Fri Jan 04, 2019 6:03 am

Re: Force IP (Fortigate) to use specific wan (Mikrotik)

Sun Jul 21, 2019 4:06 am

This is my config on Mikrotik:
/interface bridge
add comment=LAN name=bridge1-LAN
/interface ethernet
set [ find default-name=ether1 ] comment=WAN1-7Mbps speed=100Mbps
set [ find default-name=ether2 ] comment=WAN2-3Mbps speed=100Mbps
set [ find default-name=ether3 ] comment=bridge1-LAN speed=100Mbps
set [ find default-name=ether4 ] comment=bridge1-LAN speed=100Mbps
/interface bridge port
add bridge=bridge1-LAN hw=no interface=ether3
add bridge=bridge1-LAN hw=no interface=ether4
/ip address
add address=10.1.1.2/30 interface=ether1 network=10.1.1.0
add address=10.2.2.2/30 interface=ether2 network=10.2.2.0
add address=192.168.0.1/24 interface=bridge1-LAN network=192.168.0.0
/ip firewall address-list
add address=192.168.1.5 list=goSpecialWAN
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=yes in-interface=ether1 new-connection-mark=mark01 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=yes in-interface=ether2 new-connection-mark=mark02 passthrough=yes
add action=mark-connection chain=input connection-mark=no-mark disabled=yes in-interface=ether1 new-connection-mark=mark01 passthrough=no
add action=mark-connection chain=input connection-mark=no-mark disabled=yes in-interface=ether2 new-connection-mark=mark02 passthrough=no
add action=mark-routing chain=output connection-mark=mark01 disabled=yes new-routing-mark=route01 out-interface=ether1 passthrough=no
add action=mark-routing chain=output connection-mark=mark02 disabled=yes new-routing-mark=route02 out-interface=ether2 passthrough=no
add action=accept chain=prerouting dst-address=192.168.0.0/24 in-interface=bridge1-LAN
add action=mark-routing chain=prerouting dst-address-type=!local in-interface=bridge1-LAN new-routing-mark=go_WAN2 passthrough=no src-address-list=goSpecialWAN
add action=accept chain=prerouting dst-address=10.1.1.0/30 in-interface=bridge1-LAN
add action=accept chain=prerouting dst-address=10.2.2.0/30 in-interface=bridge1-LAN
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=bridge1-LAN new-connection-mark=mark01 passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=bridge1-LAN new-connection-mark=mark02 passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:2/1
add action=mark-routing chain=prerouting connection-mark=mark01 in-interface=bridge1-LAN new-routing-mark=route01 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=mark02 in-interface=bridge1-LAN new-routing-mark=route02 passthrough=yes
add action=mark-routing chain=output connection-mark=mark01 new-routing-mark=route01 passthrough=yes
add action=mark-routing chain=output connection-mark=mark02 new-routing-mark=route02 passthrough=yes
add action=mark-routing chain=prerouting disabled=yes new-routing-mark=go_WAN1 passthrough=yes src-address-list=goWAN2
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ether1 new-connection-mark=mark01 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ether2 new-connection-mark=mark02 passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=ether2
/ip route
add check-gateway=ping distance=5 gateway=10.1.1.1 routing-mark=route01
add check-gateway=ping distance=5 gateway=10.2.2.1 routing-mark=route02
add distance=1 gateway=10.1.1.1 routing-mark=go_WAN2
add distance=1 gateway=10.2.2.2 routing-mark=go_WAN1
add check-gateway=ping distance=5 gateway=10.1.1.1
add check-gateway=ping distance=10 gateway=10.2.2.1
 
sebastia
Forum Guru
Posts: 1790
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: Force IP (Fortigate) to use specific wan (Mikrotik)  [SOLVED]

Sun Jul 21, 2019 3:16 pm

Under "/ip route" I don't see any entries for "192.168.1.0/24", which would corroborate the fact that it's not a routed network, and most likely natted.

Can you disable natting for that link in fortigate?
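As an added example (not code from the thread or from MikroTik), a small Python model that walks the posted prerouting mangle rules and routing-mark routes for one LAN packet, showing two things visible in the posted config: if the Fortigate NATs, the MikroTik sees source 192.168.0.2 and the goSpecialWAN list never matches, and even without NAT the go_WAN2 route as posted points at the WAN1 gateway 10.1.1.1. It assumes a constructed destination 203.0.113.10 and approximates the PCC classifier with an address-sum parity (RouterOS hashes addresses and ports, so real bucket choice differs).

```python
import ipaddress
from typing import Optional

# Posted "/ip route" entries as routing-mark -> gateway (None = main table).
# Posted addresses: ether1 10.1.1.2/30 is WAN1 (gateway 10.1.1.1),
# ether2 10.2.2.2/30 is WAN2 (gateway 10.2.2.1).
POSTED_ROUTES = {
    "go_WAN2": "10.1.1.1",  # as posted: this is the WAN1 gateway, not WAN2's
    "go_WAN1": "10.2.2.2",  # as posted: the router's own ether2 address
    "route01": "10.1.1.1",
    "route02": "10.2.2.1",
    None: "10.1.1.1",       # main table: distance 5 via WAN1 beats distance 10 via WAN2
}
# Corrected marks for comparison (editor's suggestion, not from the thread).
FIXED_ROUTES = {**POSTED_ROUTES, "go_WAN2": "10.2.2.1", "go_WAN1": "10.1.1.1"}
GATEWAY_TO_WAN = {"10.1.1.1": "WAN1", "10.2.2.1": "WAN2"}
ADDRESS_LISTS = {"goSpecialWAN": {"192.168.1.5"}}
LOCAL_ADDRS = {"10.1.1.2", "10.2.2.2", "192.168.0.1"}  # dst-address-type=local
TRANSIT_NETS = [ipaddress.ip_network(n) for n in ("10.1.1.0/30", "10.2.2.0/30")]


def prerouting_mark(src: str, dst: str) -> Optional[str]:
    """Apply the enabled prerouting rules from the posted config, in order, to a LAN packet."""
    if ipaddress.ip_address(dst) in ipaddress.ip_network("192.168.0.0/24"):
        return None                       # accept: LAN-to-LAN stays in the main table
    if src in ADDRESS_LISTS["goSpecialWAN"] and dst not in LOCAL_ADDRS:
        return "go_WAN2"                  # passthrough=no: mangle stops here
    if any(ipaddress.ip_address(dst) in n for n in TRANSIT_NETS):
        return None                       # accept rules for the two WAN /30s
    # PCC both-addresses-and-ports:2/x; the parity of the address sum stands in
    # for RouterOS's hash here (approximation).
    bucket = (int(ipaddress.ip_address(src)) + int(ipaddress.ip_address(dst))) % 2
    return "route01" if bucket == 0 else "route02"


def select_wan(src: str, dst: str, routes=POSTED_ROUTES) -> tuple:
    """Return (routing-mark, WAN actually used) for a packet entering from the LAN bridge."""
    mark = prerouting_mark(src, dst)
    return mark, GATEWAY_TO_WAN.get(routes[mark], "no usable gateway")


if __name__ == "__main__":
    # Fortigate routing (no NAT): MikroTik sees Computer 01's real address.
    print(select_wan("192.168.1.5", "203.0.113.10"))                # ('go_WAN2', 'WAN1')
    print(select_wan("192.168.1.5", "203.0.113.10", FIXED_ROUTES))  # ('go_WAN2', 'WAN2')
    # Fortigate NATting: MikroTik sees its WAN1 address, so the list never matches.
    print(select_wan("192.168.0.2", "203.0.113.10", FIXED_ROUTES))  # ('route01', 'WAN1')
```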
