Segregate 2 WAN ports on Dual Port Router

[NooNoo]

I have deleted your duplicate thread...

Yes you could set up a routing table so that ips go to a particular gateway. But splitting your network like this removes the redundancy that you had before. If ISPb is connected to WAN2 and ISPb goes down, you would have to reconfigure all the ips in the routing table to route to Wan1/ISPa to get them back online. The manual for your router

What business problem are you trying to solve?

[pbolduc]

What was recommended by Freedom 9 was to perform the following steps:

1- Create the VLAN in the "Internal" interface. Go to "System->Network" and click on "Create New".
Name: Network_52
Interface: Internal
VLAN ID: 52 // Or any other VLAN ID
Addressing Mode: Manual
IP/Netmask: 192.168.52.1/255.255.255.0 // Or any other IP in that subnet
Enable PING in Administrative access

2- Create the Firewall policy between the new created interface and the WAN2. Go to Firewall->Policy and click in "Create New"
Source interface: Network_52
Destination interface: WAN2
Source address: 192.168.52.0/255.255.255.0
Destination address: 0.0.0.0
Schedule: always
Service: any
Action: Accept
NAT: Enabled

3- Create the policy route to force all the traffic from 192.168.52.0 to WAN2. Go to Router->Static->Policy route and click in "Create new":
Protocol: 0
Incoming Interface: Network_52
Source Address: 192.168.52.0/255.255.255.0
Destination Address: 0.0.0.0/0.0.0.0
Destination ports: from 0 to 65535
Outgoing Interface: WAN2
Gateway Address: The IP address of the default gateway of the provider in the WAN2 interface

These steps do not work because the routing policy and firewall policy do not to bind to the internal virtual LAN adapter created under System>Network. I am not sure why. Any other suggestions?

[pbolduc]

I hate leaving things unresolved and just last weekend I found myself in this same situation. I spent 2 long hard days trying to figure out how to make 2 segregate WAN ports function on a FreeGuard 100 which was sold by Freedom9 who are no longer in business. Essentially, a Freeguard 100 is a copy of the Fortigate 60B (FORTINET SOHO Business class router) and yes their Firmware works on these devices too. However, I am not using Fortigate firmware because their firmware comes at a price. $$$$

Anyway, in order to achieve STATIC IP segregation between the dual WAN Ports using this router it REQUIRES each WAN port to belong to a different Virtual Domain within the router. The problem with this is that it will separate your internal LAN clients from each other, not allowing a local firewall policy to be configured between your Virtual Domains. Aside from this shortfall, you can still make use of segregated static WAN ports, as well as, having multiple VLANS on each Virtual Domain. The local VLAN's within the same virtual domain can be controlled via firewall policies to allow specific inter-operable services between the networks. Very handy for separating LAN traffic and private networks from certain services.

***NOTE*** If your WAN Port IP's aren't set statically and remain dynamic such as when ISP's use DHCP MAC Registration for STATIC IP assignment, only then will WAN segregation work, as the automatic default gateway from each dynamic WAN port will get properly assigned the static route necessary to make WAN segregation work correctly.

Unfortunately, these routes we aren't able to create manually using the web interface or CLI due to a limitation of the firmware. When these routers detect a hard coded static IP on one of the WAN interfaces it will effectively disable the other WAN port from working as a secondary gateway as it was intended to be used as a WAN fail-over or load balancing between two dynamic ISP's.

I hope this helps clears up any confusion for anyone else who might find themselves in a similar situation with a Freedom9 Freeguard 100 SOHO Router.

A second limitation to these routers is that they fail to support port range forwarding from external internet clients to internal network clients. Each port has to be added manually and separately which can be a tedious process when you have a block of ports that need to be open for a particular service.


Regards,
Paul