Segregate 2 WAN ports on Dual Port Router

  1. #1
    Registered User
    Join Date
    Apr 2001
    Location
    Medicine Hat Alberta
    Posts
    144

    Question Segregate 2 WAN ports on Dual Port Router

    Hi there,

    I require some assistance on setting up a Dual Port Freeguard 100 from Freedom 9. I've been in contact with Freedom9 and they are unable to provide any support for what I am trying to do. I have 2 Internet Service Providers connected to the same Freeguard 100 Router. Prior to this I was using WAN2 as a fail-over in case WAN1 went down. Now I've set the distance on both WAN interfaces to be the same.

    ISP A on WAN1
    ISP B on WAN2.
    Internal LAN IP of router: 192.168.50.1 Subnet Mask: 255.255.255.0
    I created a Virtual LAN Interface on the Router of: 192.168.52.1 Subnet Mask 255.255.255.0

    What I am trying to achieve is to have traffic from subnet 192.168.50.0 go through WAN1, which by the way it is currently doing, and then have traffic from the virtual LAN subnet 192.168.52.0 go through WAN2. When I create the Virtual Interface on the router, do I need to set up a manual routing table? Or will it do this automatically? Because computers behind the 192.168.52.0 network are unable to ping 192.168.52.1, yet I am able to ping 192.168.52.1 from the CLI on the router. Both networks need to be separate and basically need to be able to go through the WAN port which their subnet is configured for.

    Example: 192.168.50.100 goes through ISPA
    192.168.52.100 goes through ISPB


    Thanks in advance,
    Paul

  2. #2
    Driver Terrier NooNoo's Avatar
    Join Date
    Dec 2000
    Location
    UK
    Posts
    31,824
    I have deleted your duplicate thread...

    Yes, you could set up a routing table so that IPs go to a particular gateway. But splitting your network like this removes the redundancy that you had before. If ISPb is connected to WAN2 and ISPb goes down, you would have to reconfigure all the IPs in the routing table to route to Wan1/ISPa to get them back online. The manual for your router

    What business problem are you trying to solve?
    Never, ever approach a computer saying or even thinking "I will just do this quickly."

  3. #3
    Registered User
    Join Date
    Apr 2001
    Location
    Medicine Hat Alberta
    Posts
    144

    I certainly can't be the only one trying to use this configuration

    What was recommended by Freedom 9 was to perform the following steps:

    1- Create the VLAN in the "Internal" interface. Go to "System->Network" and click on "Create New".
    Name: Network_52
    Interface: Internal
    VLAN ID: 52 // Or any other VLAN ID
    Addressing Mode: Manual
    IP/Netmask: 192.168.52.1/255.255.255.0 // Or any other IP in that subnet
    Enable PING in Administrative access

    2- Create the Firewall policy between the newly created interface and the WAN2. Go to Firewall->Policy and click on "Create New"
    Source interface: Network_52
    Destination interface: WAN2
    Source address: 192.168.52.0/255.255.255.0
    Destination address: 0.0.0.0
    Schedule: always
    Service: any
    Action: Accept
    NAT: Enabled

    3- Create the policy route to force all the traffic from 192.168.52.0 to WAN2. Go to Router->Static->Policy route and click on "Create new":
    Protocol: 0
    Incoming Interface: Network_52
    Source Address: 192.168.52.0/255.255.255.0
    Destination Address: 0.0.0.0/0.0.0.0
    Destination ports: from 0 to 65535
    Outgoing Interface: WAN2
    Gateway Address: The IP address of the default gateway of the provider in the WAN2 interface

    These steps do not work because the routing policy and firewall policy do not bind to the internal virtual LAN adapter created under System>Network. I am not sure why. Any other suggestions?
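
Added example, not part of the original post and not Freedom9 or Fortinet code: a generic first-match policy-routing model using the thread's subnets and interface names, for checking which WAN port a given source leaves by and what happens when the policy route does not match the VLAN interface or its pinned link is down. The gateway addresses, the route distances (10 and 20, as in the earlier fail-over arrangement) and the no-fallback behaviour for a dead policy link are assumptions.

```python
import ipaddress
from typing import NamedTuple

class PolicyRoute(NamedTuple):
    in_iface: str
    src: str        # source network, CIDR
    dst: str        # destination network, CIDR
    out_iface: str
    gateway: str

class StaticRoute(NamedTuple):
    dst: str
    out_iface: str
    gateway: str
    distance: int

# Subnets and interface names come from the thread. Gateways are constructed
# placeholders from the RFC 5737 documentation ranges; distances are assumed.
POLICY_ROUTES = [
    PolicyRoute("Network_52", "192.168.52.0/24", "0.0.0.0/0", "WAN2", "198.51.100.1"),
]
STATIC_ROUTES = [
    StaticRoute("0.0.0.0/0", "WAN1", "203.0.113.1", 10),
    StaticRoute("0.0.0.0/0", "WAN2", "198.51.100.1", 20),
]

def select_egress(in_iface, src_ip, dst_ip, links_up):
    """Return (out_iface, gateway, reason) for one packet, or None if unroutable."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    # 1. Policy routes: first match wins and is checked before the routing table.
    for pr in POLICY_ROUTES:
        if (pr.in_iface == in_iface
                and src in ipaddress.ip_network(pr.src)
                and dst in ipaddress.ip_network(pr.dst)):
            if pr.out_iface in links_up:
                return pr.out_iface, pr.gateway, "policy"
            return None  # assumed: traffic pinned to a dead link is not re-routed
    # 2. Routing table: longest prefix, then lowest distance, among live links.
    candidates = [r for r in STATIC_ROUTES
                  if dst in ipaddress.ip_network(r.dst) and r.out_iface in links_up]
    if not candidates:
        return None
    best = min(candidates,
               key=lambda r: (-ipaddress.ip_network(r.dst).prefixlen, r.distance))
    return best.out_iface, best.gateway, "table"
```

Calling `select_egress("internal", "192.168.52.100", ...)` shows the segregation failure to look for: if 192.168.52.0 traffic is not seen as arriving on `Network_52`, the policy route never matches and the traffic leaves by WAN1.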

  4. #4
    Registered User
    Join Date
    Apr 2001
    Location
    Medicine Hat Alberta
    Posts
    144
    I hate leaving things unresolved, and just last weekend I found myself in this same situation. I spent 2 long, hard days trying to figure out how to make 2 segregated WAN ports function on a FreeGuard 100, which was sold by Freedom9, who are no longer in business. Essentially, a Freeguard 100 is a copy of the Fortigate 60B (FORTINET SOHO Business class router) and yes, their firmware works on these devices too. However, I am not using Fortigate firmware because their firmware comes at a price. $$$$

    Anyway, in order to achieve STATIC IP segregation between the dual WAN ports using this router, it REQUIRES each WAN port to belong to a different Virtual Domain within the router. The problem with this is that it will separate your internal LAN clients from each other, not allowing a local firewall policy to be configured between your Virtual Domains. Aside from this shortfall, you can still make use of segregated static WAN ports, as well as having multiple VLANs on each Virtual Domain. The local VLANs within the same Virtual Domain can be controlled via firewall policies to allow specific inter-operable services between the networks. Very handy for separating LAN traffic and private networks from certain services.

    ***NOTE*** If your WAN port IPs aren't set statically and remain dynamic, such as when ISPs use DHCP MAC Registration for STATIC IP assignment, only then will WAN segregation work, as the automatic default gateway from each dynamic WAN port will get properly assigned the static route necessary to make WAN segregation work correctly.

    Unfortunately, these routes we aren't able to create manually using the web interface or CLI due to a limitation of the firmware. When these routers detect a hard-coded static IP on one of the WAN interfaces, it will effectively disable the other WAN port from working as a secondary gateway, as it was intended to be used as a WAN fail-over or load balancing between two dynamic ISPs.

    I hope this helps clear up any confusion for anyone else who might find themselves in a similar situation with a Freedom9 Freeguard 100 SOHO Router.

    A second limitation to these routers is that they fail to support port range forwarding from external internet clients to internal network clients. Each port has to be added manually and separately which can be a tedious process when you have a block of ports that need to be open for a particular service.


    Regards,
    Paul
    Last edited by pbolduc; February 12th, 2014 at 11:00 AM.
