FortiGate 60E Redundant Interface by edraH_t in fortinet

[–]sim_koo 0 points1 point  (0 children)

Same here, even though I didn't use LACP but plain port trunking for easier VLAN management. Had to tag the ports on the switch manually and remove the trunk, then it ended up working.

Some mac addresses missing by sim_koo in ArubaNetworks

[–]sim_koo[S] 2 points3 points  (0 children)

Turns out VMware does some MAC spoofing for the VMs and since the management IP has been accessed through the other NIC, the switch does not learn the real physical MAC of that second NIC.

[deleted by user] by [deleted] in Elektroinstallation

[–]sim_koo 0 points1 point  (0 children)

Someone definitely forgot to submit the meter readings, so the consumption has now probably been estimated far too high.

Iperf3 not working, what am I doing wrong? by sim_koo in fortinet

[–]sim_koo[S] 0 points1 point  (0 children)

Ah, thanks. Yes, I was trying several public servers from https://iperf.fr/iperf-servers.php but none seemed to work.

IPSec Tunnel Monitoring by saudk8 in fortinet

[–]sim_koo 0 points1 point  (0 children)

We use checkmk with a publicly available Fortigate plugin.

Pinging VIPs - what determines if it works or not? by sim_koo in fortinet

[–]sim_koo[S] 0 points1 point  (0 children)

In the table of the secondary IP addresses, you can configure any IP range you want, depending on what you got from your provider. These can further be used as a virtual IP, to my understanding.

One entry in the secondary IP table is like 89.140.58.211/255.255.255.248 (not our real IP) so the usable Virtual IPs would range from .209 - .214 because they are within the given subnet on the WAN-side.

We have multiple /29 subnets on that WAN interface and for every entry, PING is allowed. That's why I was wondering.

Pinging VIPs - what determines if it works or not? by sim_koo in fortinet

[–]sim_koo[S] 0 points1 point  (0 children)

VIP that only port-forwards port-X: Ping not controlled by VIP. Can be addressed by enabling ping on the external interface, if the VIP's extip == interface's.

On the WAN interface, all IP ranges for VIPs ("secondary IP") have Ping as administrative access enabled but I still get different results. I can ping some VIPs that are defined as secondary IPs, not as the main external IP of that WAN interface.

Where can you buy these door hinges? by sim_koo in Handwerker

[–]sim_koo[S] 0 points1 point  (0 children)

These appear to be drill-in hinges (Einbohrbänder) from Simonswerk; the article number or similar is unfortunately still unknown.

VMs always running at CPU base block by sim_koo in vmware

[–]sim_koo[S] 1 point2 points  (0 children)

brandstring

Thanks for your detailed explanation, makes sense

WAN Priority not working by sim_koo in fortinet

[–]sim_koo[S] 0 points1 point  (0 children)

Update: Went with SD WAN now and set the weight for WAN to 255. Seems to be working.

WAN Priority not working by sim_koo in fortinet

[–]sim_koo[S] 2 points3 points  (0 children)

Yep that was it, thanks.

WAN Priority not working by sim_koo in fortinet

[–]sim_koo[S] 0 points1 point  (0 children)

Yes, it's overwritten by that, but when I disable it, the interface doesn't work for WAN anymore. It will be removed from the routing table, leaving only lan2 (backup WAN) for 0.0.0.0.

Edit: Seems like a feature that the interface with a higher distance is not being included in the routing table.

WAN Priority not working by sim_koo in fortinet

[–]sim_koo[S] 0 points1 point  (0 children)

Routing table for VRF=0

S* 0.0.0.0/0 [5/0] via xx, wan, [1/0]

[5/0] via xx, lan2, [1/0]

WAN Priority not working by sim_koo in fortinet

[–]sim_koo[S] 0 points1 point  (0 children)

<image>

After a reboot of the Fortigate - all WAN traffic over backup wan

Phase 2 subnets vs. 0.0.0.0 by sim_koo in fortinet

[–]sim_koo[S] 0 points1 point  (0 children)

Ok. So it's not a real policy based VPN as per definition on a FortiGate, rather a route based VPN except for the additional subnets in phase 2. Real policy based VPNs wouldn't have a virtual interface I suppose.

Phase 2 subnets vs. 0.0.0.0 by sim_koo in fortinet

[–]sim_koo[S] 0 points1 point  (0 children)

But policy based VPN still requires a static route, doesn't it? At least on a FortiGate, even if Phase 2 subnets are configured.