FortiGate Policy Routes (PBR) Lab
實驗目的: 希望維持 WAN1 為主路由 (Priority 10)、WAN2 為備路由 (Priority 20), 且 WAN2 上的 Virtual Server 仍然會通.
實驗架構簡圖
Test WAN2 DNAT
順便再測一下 WAN1 DNAT 是否可以併存...(設定步驟這裡就省略了)
實驗設定(略)
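# Interface addressing for the lab.
# port1 holds 192.168.1.0/24, the network that contains the VIP's mapped IP.
# port2 and port3 are the two uplinks referenced by the static routes below.
config system interface
edit "port1"
set vdom "root"
set ip 192.168.1.1 255.255.255.0
# NOTE(review): "http" enables cleartext administrative access on this
# interface. Fine for an isolated lab; outside a lab keep only https/ssh
# and limit administrator accounts with trusted hosts.
set allowaccess ping https ssh http fgfm
set type physical
set snmp-index 1
next
edit "port2"
set vdom "root"
set ip 110.100.100.1 255.255.255.224
# Only ping is answered on this uplink; no management protocols are exposed.
set allowaccess ping
set type physical
set snmp-index 2
next
edit "port3"
set vdom "root"
set ip 220.100.100.1 255.255.255.224
set allowaccess ping
set type physical
# NOTE(review): src-check disable turns off the reverse-path (anti-spoofing)
# check on this uplink. It is presumably needed because the default route via
# port3 has distance 20 and is therefore not the active route while the port2
# route is up, so packets arriving on port3 would otherwise fail the check.
# An alternative that keeps the check enabled is to give both default routes
# the same distance and mark the backup with a higher "priority" value, so
# both stay in the routing table -- verify on the FortiOS version in use.
set src-check disable
set snmp-index 3
next
# Close the interface section before the next top-level config block starts.
end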
# Inbound policy that admits traffic arriving on port3 toward the WEB-DNAT
# virtual IP and forwards it to port1.
config firewall policy
edit 1
set name "WEB-IN"
set uuid 872489d8-1ee5-51f1-91a3-9838e225d9f8
set srcintf "port3"
set dstintf "port1"
set action accept
# Any source address is accepted; the destination is limited to the VIP object.
set srcaddr "all"
set dstaddr "WEB-DNAT"
set schedule "always"
# NOTE(review): service ALL, combined with a VIP that has no port forwarding,
# makes every port of the mapped server reachable from port3. For a web
# server, narrow this to the services actually published (e.g. HTTP/HTTPS).
# No logtraffic or security-profile settings appear in this excerpt, so the
# defaults apply -- confirm that is what is wanted before reusing the policy.
set service "ALL"
next
end
# Virtual IP (DNAT): external address 220.100.100.20 on port3 is translated
# to the internal host 192.168.1.20.
config firewall vip
edit "WEB-DNAT"
set uuid 528b1c78-1ee5-51f1-b558-b153d89f1cf2
set extip 220.100.100.20
set mappedip "192.168.1.20"
# The VIP is bound to port3 only. No portforward/extport/mappedport is set,
# so the mapping is one-to-one for all ports; which ports are actually
# reachable is decided solely by the "service" field of the firewall policy.
set extintf "port3"
next
end
# Two default routes (no dst is set on either entry), one per uplink.
# NOTE(review): the lab goal is described in terms of priority 10/20, but this
# listing separates the routes by administrative distance. "distance" and
# "priority" are different settings in FortiOS; with unequal distances only
# the lower-distance route is active, which is why port3 needs both the policy
# route below and src-check disabled.
config router static
edit 1
# Primary: via port2, distance left at the FortiOS default.
set gateway 110.100.100.30
set device "port2"
next
edit 2
# Backup: via port3, explicitly given the higher distance 20.
set gateway 220.100.100.30
set distance 20
set device "port3"
next
end
# Policy route: traffic entering on port1 from the address object WEB-Server
# (its definition is not part of this excerpt) is sent to 220.100.100.30 out
# of port3 instead of following the active default route on port2.
config router policy
edit 1
set input-device "port1"
set srcaddr "WEB-Server"
# NOTE(review): dstaddr all matches every flow from that source, not only
# replies to sessions that came in through the VIP. Presumably server-initiated
# traffic will also leave via port3, and any destination on another internal
# network would be matched too -- confirm this is intended, or add a more
# specific rule ahead of this one for destinations that must stay local.
set dstaddr "all"
set gateway 220.100.100.30
set output-device "port3"
next
end