Fortinet Fortigate 110C failover problem

nobitakun

Junior Member
Dec 19, 2012
Hello;

I've been working at a new company for two weeks and my boss told me that I need to be in charge of the networking part as well (the company is small). But the last technician didn't leave any network topology or any other network-related info.

I've been investigating and we have a redundant system with:

1 Fiber 100/30 MB for computers/internet
1 ADSL 20/2MB for computers/internet (backup)
1 Metrolan Fiber 5/5MB for VoIP telephony

We have a Fortinet Fortigate Firewall which has 2 WAN interfaces:

WAN1 - Receives Fiber
WAN2 - Receives ADSL
Port8 - Receives Metrolan Fiber

If I disconnect either WAN1 or WAN2 internet is still present, so it's working correctly.

The problem is about the VoIP connections. If I disconnect Port8 the phones stop working for calling outside the company. I don't know how to configure the firewall to give the phones the current working WAN interface as a backup to use in case Metrolan Fiber goes down. In a nutshell: if Metrolan Fiber goes down it should change to WAN1 or WAN2, depending on which one is in use at that moment.

I hope I made myself understood, because it is a configuration I have never had to use at work.

Thank you for your help!
 

Genx87

Lifer
Apr 8, 2002
I'm not familiar with Fortinet. But can you specify a failover for each interface?

Also, is it possible your VoIP provider is restricting traffic based on a circuit? Is there a router on premises for your VoIP system?

I am implementing a ShoreTel system right now. We have a 5 Mbps circuit that hooks into their managed router for VoIP traffic, with a backup interface that goes out over our backup data circuit if the voice circuit goes down. But ShoreTel has to program their router for this to work.
 

nobitakun

Junior Member
Dec 19, 2012
Yes, I specified the WAN1, WAN2 and Port8 interfaces in the section ECMP Load Balancing Method (Source IP Based). I created them one by one, with the ICMP request settings, the gateway IP, the intervals and the timeouts.

But the problem is that I don't understand why the traffic through Port8 is still working if either WAN1 or WAN2 is active. I mean, with a failover system you always have an active interface and the rest are kept for backup purposes, it does not matter how many you have, does it? So with my little knowledge I would find this ECMP configuration wrong, since it would not be using Port8 unless WAN1 and WAN2 are dead, which is not happening at all, since Port8 is indeed working somehow for the VoIP phones.

In static routes I have the 3 interfaces configured, each one pointing to its default gateway with IP/mask 0.0.0.0/0.0.0.0. Their priority is 0 for Fiber, 10 for ADSL and 20 for the VoIP line.
In policy routes I have like 20 policies (some of them are exactly the same, I don't know why).

I hope this extra info makes things somewhat clearer.

Thank you!
 

ylin0811

Member
Jun 1, 2015
That is achievable if the Fortinet has some sort of virtual router or virtual routing instance. A quick Google search reveals a mode called vdom, with which you can split your Fortinet into two virtual instances. Have you looked to see if that is the case?