Friday, March 13, 2026

FortiGate SD-WAN Lab



Lab objective: a configuration that keeps WAN1 as the primary route and WAN2 as the backup route, while the Virtual Server on WAN2 remains reachable.

And to add new uses of the newly added WAN2 without affecting any existing service or rule on WAN1.

For background, read the FortiGate Policy Routes (PBR) Lab first:

 https://xrcd2.blogspot.com/2026/03/fortigate-policy-routes-pbr-lab.html


(1) Floating static route mode / active-backup mode

 (abbreviated configuration)

config router static
    edit 1
        set gateway 110.100.100.30
        set priority 1
        set device "port2"
    next
    edit 2
        set gateway 220.100.100.30
        set priority 2
        set device "port3"
    next
end



This is the simplest approach and needs no Policy Routes (PBR) configuration at all.



(2) Software-Defined WAN (SD-WAN) mode.


This requires a major rework, but day-to-day operation is much easier afterwards.


The SD-WAN migration and cut-over test is shown below....

---> Rule migration: GG (fails); it is usable only after substantial manual rework.


(abbreviated configuration)

config system sdwan
    set status enable
    config zone
        edit "virtual-wan-link"
        next
    end
    config members
        edit 1
            set interface "port3"
            set gateway 220.100.100.30
        next
        edit 2
            set interface "port2"
            set gateway 110.100.100.30
        next
    end
    config health-check
        edit "WAN.1.GW"
            set server "110.100.100.30"
            set members 2
        next
        edit "WAN.2.GW"
            set server "220.100.100.30"
            set members 1
        next
    end
    config service
        edit 1
            set name "Prefer_WAN1"
            set mode priority
            set dst "all"
            set src "all"
            set health-check "WAN.1.GW"
            set priority-members 2 1
        next
    end
end


config router static
    edit 1
        set distance 1
        set sdwan-zone "virtual-wan-link"
    next
end
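The SD-WAN rule above refers to members by number, and in this lab member 1 is port3 (WAN2) while member 2 is port2 (WAN1), which is easy to misread during a migration. The following parser is an added example (not code from the post or from Fortinet): it reads a constructed sample of the post's member, health-check and rule tables, resolves each rule's priority-members to interface names, and checks that the rule's health check probes the gateway of a member it actually monitors. It understands only the config/edit/set/next/end subset of the FortiOS CLI, which is enough for these tables.

```python
import shlex

# Constructed sample of the post's SD-WAN tables; member 1 = port3 (WAN2), member 2 = port2 (WAN1).
SDWAN_CFG = """\
config members
    edit 1
        set interface "port3"
        set gateway 220.100.100.30
    next
    edit 2
        set interface "port2"
        set gateway 110.100.100.30
    next
end
config health-check
    edit "WAN.1.GW"
        set server "110.100.100.30"
        set members 2
    next
end
config service
    edit 1
        set name "Prefer_WAN1"
        set health-check "WAN.1.GW"
        set priority-members 2 1
    next
end
"""

def parse_fortios(text):
    """'config X' / 'edit Y' open a nested table; 'set K V...' stores a value list."""
    stack = [{}]
    for tok in filter(None, (shlex.split(line) for line in text.splitlines())):
        if tok[0] in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(tok[1:]), {}))
        elif tok[0] == "set":
            stack[-1][tok[1]] = tok[2:]
        elif tok[0] in ("next", "end"):
            stack.pop()
    return stack[0]

def resolve_rules(sd):
    """Rule name -> (priority-members as interface names, health check probes a monitored member's gateway)."""
    members, out = sd["members"], {}
    for rule in sd["service"].values():
        order = [members[m]["interface"][0] for m in rule["priority-members"]]
        hc = sd["health-check"][rule["health-check"][0]]
        probed_gws = {members[m]["gateway"][0] for m in hc["members"]}
        out[rule["name"][0]] = (order, hc["server"][0] in probed_gws)
    return out
```

For the lab tables, `resolve_rules(parse_fortios(SDWAN_CFG))` reports that "Prefer_WAN1" orders port2 before port3 and that WAN.1.GW probes the gateway of the member it monitors.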

DNAT




Side-by-side configuration comparison: rule

(1) 2 WAN


(2) SD-WAN



Side-by-side configuration comparison: Static Routes

(1) 2 WAN



(2) SD-WAN



Routing Table


(1) 2 WAN



(2) SD-WAN



SD-WAN Rule





FortiGate Policy Routes (PBR) Lab


Lab objective: keep WAN1 as the primary route (Priority 10) and WAN2 as the backup route (Priority 20), with the Virtual Server on WAN2 remaining reachable.

Lab topology diagram


Port3 Setting


show routing table



Test WAN2 DNAT




While at it, also test whether a WAN1 DNAT can coexist with it... (the configuration steps are omitted here)




Lab configuration (abbreviated)


config system interface
    edit "port1"
        set vdom "root"
        set ip 192.168.1.1 255.255.255.0
        set allowaccess ping https ssh http fgfm
        set type physical
        set snmp-index 1
    next
    edit "port2"
        set vdom "root"
        set ip 110.100.100.1 255.255.255.224
        set allowaccess ping
        set type physical
        set snmp-index 2
    next
    edit "port3"
        set vdom "root"
        set ip 220.100.100.1 255.255.255.224
        set allowaccess ping
        set type physical
        set src-check disable
        set snmp-index 3
    next
end



config firewall policy
    edit 1
        set name "WEB-IN"
        set uuid 872489d8-1ee5-51f1-91a3-9838e225d9f8
        set srcintf "port3"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "WEB-DNAT"
        set schedule "always"
        set service "ALL"
    next
end





config firewall vip
    edit "WEB-DNAT"
        set uuid 528b1c78-1ee5-51f1-b558-b153d89f1cf2
        set extip 220.100.100.20
        set mappedip "192.168.1.20"
        set extintf "port3"
    next
end




config router static
    edit 1
        set gateway 110.100.100.30
        set device "port2"
    next
    edit 2
        set gateway 220.100.100.30
        set distance 20
        set device "port3"
    next
end



config router policy
    edit 1
        set input-device "port1"
        set srcaddr "WEB-Server"
        set dstaddr "all"
        set gateway 220.100.100.30
        set output-device "port3"
    next
end