
Force IP (Fortigate) to use specific wan (Mikrotik)

Posted: Fri Jul 19, 2019 10:53 am
by dhvu1990
I have a network topology as follows:
[image: network topology diagram]
I want Computer 01 to go outside through ISP 02:
- On the Fortigate: I set a policy to force the IP of Computer 01 (192.168.1.5/24) to go outside through WAN 1 of the Fortigate (192.168.0.2/24). It's OK.
- But on the Mikrotik, I don't know how to configure forcing that IP outside through ISP 02???
Please help me. Thank you.

Re: Force IP (Fortigate) to use specific wan (Mikrotik)

Posted: Fri Jul 19, 2019 12:49 pm
by sebastia
Hey

I hope you don't perform NATting on the Fortigate?

If not, you can route-mark (table:chain -> mangle:prerouting) all packets from "computer 01" IPs with the mark for WAN02.

Re: Force IP (Fortigate) to use specific wan (Mikrotik)

Posted: Fri Jul 19, 2019 1:04 pm
by dhvu1990
Thanks for your reply.
If not you can route-mark (table:chain -> mangle:prerouting) all packets from "computer 01" ip's with mark for WAN02.
Can you explain more? Thank you.

Re: Force IP (Fortigate) to use specific wan (Mikrotik)

Posted: Fri Jul 19, 2019 2:09 pm
by sebastia
To do PCC you need to do mangling, and assign route-marks to packets (part of some connection) to always send them down some particular route.
To force packets from an IP down some route, you have to "hard-code" the routing-mark assignment to the one of WAN2.

In this case, something like:
# all packets from comp01, not for internal network, need to go over wan2
/ip firewall mangle add action=mark-routing chain=prerouting src-address=192.168.1.5 dst-address-type=!local new-routing-mark=<wan2 mark> ...

Note: the above rule needs to be executed before the usual PCC mangle logic.

Re: Force IP (Fortigate) to use specific wan (Mikrotik)

Posted: Sat Jul 20, 2019 6:30 am
by dhvu1990
It's not working :(

Re: Force IP (Fortigate) to use specific wan (Mikrotik)

Posted: Sat Jul 20, 2019 11:57 am
by sebastia
"/export hide-sensitive" would help

Re: Force IP (Fortigate) to use specific wan (Mikrotik)

Posted: Sat Jul 20, 2019 10:24 pm
by ingdaka
I work in Mikrotik! I think he is using NAT on the Fortigate! Because he is on dual WAN (or SD-WAN)!

Re: Force IP (Fortigate) to use specific wan (Mikrotik)

Posted: Sun Jul 21, 2019 4:06 am
by dhvu1990
This is my config on Mikrotik:
/interface bridge
add comment=LAN name=bridge1-LAN
/interface ethernet
set [ find default-name=ether1 ] comment=WAN1-7Mbps speed=100Mbps
set [ find default-name=ether2 ] comment=WAN2-3Mbps speed=100Mbps
set [ find default-name=ether3 ] comment=bridge1-LAN speed=100Mbps
set [ find default-name=ether4 ] comment=bridge1-LAN speed=100Mbps
/interface bridge port
add bridge=bridge1-LAN hw=no interface=ether3
add bridge=bridge1-LAN hw=no interface=ether4
/ip address
add address=10.1.1.2/30 interface=ether1 network=10.1.1.0
add address=10.2.2.2/30 interface=ether2 network=10.2.2.0
add address=192.168.0.1/24 interface=bridge1-LAN network=192.168.0.0
/ip firewall address-list
add address=192.168.1.5 list=goSpecialWAN
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=yes in-interface=ether1 new-connection-mark=mark01 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=yes in-interface=ether2 new-connection-mark=mark02 passthrough=yes
add action=mark-connection chain=input connection-mark=no-mark disabled=yes in-interface=ether1 new-connection-mark=mark01 passthrough=no
add action=mark-connection chain=input connection-mark=no-mark disabled=yes in-interface=ether2 new-connection-mark=mark02 passthrough=no
add action=mark-routing chain=output connection-mark=mark01 disabled=yes new-routing-mark=route01 out-interface=ether1 passthrough=no
add action=mark-routing chain=output connection-mark=mark02 disabled=yes new-routing-mark=route02 out-interface=ether2 passthrough=no
add action=accept chain=prerouting dst-address=192.168.0.0/24 in-interface=bridge1-LAN
add action=mark-routing chain=prerouting dst-address-type=!local in-interface=bridge1-LAN new-routing-mark=go_WAN2 passthrough=no src-address-list=goSpecialWAN
add action=accept chain=prerouting dst-address=10.1.1.0/30 in-interface=bridge1-LAN
add action=accept chain=prerouting dst-address=10.2.2.0/30 in-interface=bridge1-LAN
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=bridge1-LAN new-connection-mark=mark01 passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=bridge1-LAN new-connection-mark=mark02 passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:2/1
add action=mark-routing chain=prerouting connection-mark=mark01 in-interface=bridge1-LAN new-routing-mark=route01 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=mark02 in-interface=bridge1-LAN new-routing-mark=route02 passthrough=yes
add action=mark-routing chain=output connection-mark=mark01 new-routing-mark=route01 passthrough=yes
add action=mark-routing chain=output connection-mark=mark02 new-routing-mark=route02 passthrough=yes
add action=mark-routing chain=prerouting disabled=yes new-routing-mark=go_WAN1 passthrough=yes src-address-list=goWAN2
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ether1 new-connection-mark=mark01 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ether2 new-connection-mark=mark02 passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=ether2
/ip route
add check-gateway=ping distance=5 gateway=10.1.1.1 routing-mark=route01
add check-gateway=ping distance=5 gateway=10.2.2.1 routing-mark=route02
add distance=1 gateway=10.1.1.1 routing-mark=go_WAN2
add distance=1 gateway=10.2.2.2 routing-mark=go_WAN1
add check-gateway=ping distance=5 gateway=10.1.1.1
add check-gateway=ping distance=10 gateway=10.2.2.1

Re: Force IP (Fortigate) to use specific wan (Mikrotik)  [SOLVED]

Posted: Sun Jul 21, 2019 3:16 pm
by sebastia
Under "/ip route" I don't see any entries for "192.168.1.0/24", which would corroborate the fact that it's not a routed network, and most likely NATted.

Can you disable NATting for that link on the Fortigate?
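Putting the thread together: sebastia's hard-coded routing-mark rule, the export dhvu1990 posted, and the final NAT diagnosis. The following is an added example, not configuration from any participant. It reuses the interface names, transfer networks, gateways and the goSpecialWAN list from the posted export; the comments, the return route for the Fortigate LAN, and the ordering are assumptions written as RouterOS v6 syntax.

```routeros
# Added example (not the thread's own configuration): policy-route one LAN host out
# WAN2 ahead of the PCC load balancing. Interface names, gateways and the address-list
# name come from the export posted above; everything else is assumed.
# RouterOS v6 syntax. On v7 create the table first: /routing table add name=go_WAN2 fib

# 1. The Fortigate LAN must be routed, not NATed, for a source match to work at all.
#    Without this return route the Mikrotik only ever sees the Fortigate WAN1 address.
/ip route
add dst-address=192.168.1.0/24 gateway=192.168.0.2 comment="Fortigate LAN (routed, no NAT)"

/ip firewall address-list
add address=192.168.1.5 list=goSpecialWAN comment="Computer 01 behind the Fortigate"

# 2. Mangle rules, in this order. The forced routing-mark is assigned BEFORE the PCC
#    mark-connection rules, so the PCC classifier never sees this host's traffic.
/ip firewall mangle
# traffic that stays local is never marked
add chain=prerouting in-interface=bridge1-LAN dst-address=192.168.0.0/24 action=accept
add chain=prerouting in-interface=bridge1-LAN dst-address=192.168.1.0/24 action=accept
add chain=prerouting in-interface=bridge1-LAN dst-address=10.1.1.0/30 action=accept
add chain=prerouting in-interface=bridge1-LAN dst-address=10.2.2.0/30 action=accept
# hard-coded mark for the special host; passthrough=no stops further mangle processing
add chain=prerouting in-interface=bridge1-LAN src-address-list=goSpecialWAN \
    dst-address-type=!local action=mark-routing new-routing-mark=go_WAN2 passthrough=no \
    comment="force Computer 01 via WAN2"
# usual PCC logic for everyone else (as in the export)
add chain=prerouting in-interface=bridge1-LAN connection-mark=no-mark dst-address-type=!local \
    per-connection-classifier=both-addresses-and-ports:2/0 action=mark-connection \
    new-connection-mark=mark01 passthrough=yes
add chain=prerouting in-interface=bridge1-LAN connection-mark=no-mark dst-address-type=!local \
    per-connection-classifier=both-addresses-and-ports:2/1 action=mark-connection \
    new-connection-mark=mark02 passthrough=yes
add chain=prerouting in-interface=bridge1-LAN connection-mark=mark01 action=mark-routing \
    new-routing-mark=route01 passthrough=yes
add chain=prerouting in-interface=bridge1-LAN connection-mark=mark02 action=mark-routing \
    new-routing-mark=route02 passthrough=yes

# 3. Route for the forced mark. The gateway is the WAN2 next hop 10.2.2.1. The export
#    points go_WAN2 at 10.1.1.1 (the WAN1 gateway) and go_WAN1 at 10.2.2.2, which is the
#    router's own ether2 address, so neither mark could leave through the intended ISP.
/ip route
add routing-mark=go_WAN2 gateway=10.2.2.1 check-gateway=ping distance=1 \
    comment="forced host -> ISP 02"

# 4. Source NAT on the chosen uplink (already present in the export).
/ip firewall nat
add chain=srcnat out-interface=ether2 action=masquerade

# 5. Checks: the rule counter should rise while Computer 01 browses, and its connections
#    should list 192.168.1.5 as source. If the source shows as 192.168.0.2 instead, the
#    Fortigate is still NATing and the address-list match can never fire.
/ip firewall mangle print stats where comment="force Computer 01 via WAN2"
/ip firewall connection print where src-address~"^192.168.1.5"
/ip route print where routing-mark=go_WAN2
```

On a router that already carries the PCC rules, the forcing rule can be inserted at the top with `place-before=0` (or moved with `/ip firewall mangle move`) rather than re-entering the whole list; what matters is that it sits above the first PCC mark-connection rule. With `check-gateway=ping`, a dead WAN2 makes the go_WAN2 route inactive and, in RouterOS v6, the lookup falls through to the main table, so the forced host fails over to WAN1 instead of being blackholed.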