
FortiGate SD-WAN Configuration Guide using IPoE Interface

This guide details the configuration of FortiGate for SD-WAN utilizing IPoE (IP over Ethernet) services provided by Japan Network Enabler (JPNE) Co., Ltd. and NTT Communications Corporation. It covers two primary methods: Internet Breakout and Hybrid WAN.

Chapter 1: Introduction

This configuration guide introduces two basic methods for achieving SD-WAN using FortiGate with the "IPoE-based Fixed IP Internet Connection Service" offered by Japan Network Enabler (JPNE) Co., Ltd. and NTT Communications Corporation.

  1. Internet Breakout (Chapter 2): Sends specific high-volume traffic, such as Office 365, directly out over the IPoE (IPv4-over-IPv6) line while everything else goes through the central site.
  2. Hybrid WAN (Chapter 3): Uses both the PPPoE and IPoE lines, steering traffic between them by application.

Applying these configurations according to customer requirements enables flexible network operations.

For information on each company's IPoE services, please refer to their official information:

For FortiGate IPoE configuration, please refer to the following links:

1.1. Equipment and OS Version

  • Equipment: FortiGate-60F
  • Version: FortiOS 6.4.4

Adjust interface names and other device-dependent settings according to your FortiGate. Some GUI displays may be split for clarity.

1.2. Reference Materials

The configurations in this guide are based on official Fortinet deployment guides. For more detailed information, please refer to:

Chapter 2: Internet Breakout

2.1. Assumed Topology

The diagram illustrates a remote FortiGate-60F connected via an IPoE line to the internet. Office 365 traffic is routed directly to the internet via the VNE (IPoE) network, while other communications are routed through the central site via an IPsec VPN tunnel.

2.2. Prerequisites

  • The remote site uses one IPoE line for internet connectivity.
  • The remote site and central site are connected via IPsec VPN (refer to APPENDIX #1 for remote site IPsec configuration examples).
  • Basic FortiGate configuration, IPoE connection setup, and proper cabling are completed.
  • Default routes are configured on both the IPoE and IPsec interfaces, with a higher Priority value (i.e. less preferred) on the IPoE interface's default route so that the IPsec interface is used by default (see 2.5).

2.3. Creating Breakout Policy

Navigate to Policy & Object > Firewall Policy and click + Create New.

Policy Configuration:

  • Name: breakout (or a suitable name)
  • Incoming Interface: internal
  • Outgoing Interface: vne.root (IPoE)
  • Destination: Click +, select Internet Services from the right pane, and choose the applications to break out (e.g., Microsoft-Microsoft.Update, Microsoft-Office365, Microsoft-Office365-Published.Allow, Microsoft-Office365-Published.Optimize; use the entry names exactly as they appear in the Internet Service list of your FortiOS version, as they can differ between ISDB releases).
  • Logging Options: Enable logging and select All Sessions.

Click OK to create the policy.

To prioritize the 'breakout' policy, drag and drop it to the top of the policy list, above the general internal-to-ipsec policy.

Firewall policies are evaluated top-down and the first match wins, so this ordering is what makes Office 365 and Microsoft Update traffic hit 'breakout' instead of the catch-all policy into the tunnel.

2.4. Configuring Breakout Routing

Navigate to Network > Static Routes and create one static route per Internet Service to be broken out. These routes steer the matched destinations out of vne.root and, being consulted before the regular routing table, override the default route for those destinations only.

  • Internet Service: Microsoft-Microsoft.Update
  • Interface: vne.root

Repeat this process for Microsoft-Office365, Microsoft-Office365-Published.Allow, and Microsoft-Office365-Published.Optimize (use the same entry names as in the breakout policy).

Note: This guide sets default routes for vne.root and the IPsec interface. Adjust according to your actual environment.

2.5. Changing Static Route Priority

To ensure the IPsec interface is preferred, raise the Priority value of the IPoE interface's default route.

Navigate to Network > Static Routes. Select the default route for the vne.root interface (0.0.0.0/0 vne.root) and click Edit.

Click Advanced Settings and change the Priority value to 1 (the lower the value, the more preferred the route; the default is 0). Leave the Administrative Distance equal on both default routes: distance decides which routes are installed in the routing table at all, and priority only breaks the tie between installed routes with the same distance, so a different distance would remove the vne.root route instead of merely deprioritizing it.

Click OK to save the changes.

2.6. Verification Method

Verify the breakout by navigating to Log & Report > Forward Traffic. Office 365 and Microsoft Update sessions should show 'breakout' in the Policy column and vne.root as the destination interface, while other sessions show the IPsec interface.
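For readers who configure from the CLI, the Chapter 2 steps look like this. This is an added example, not part of the original guide: interface names follow the guide (internal, vne.root, ipsec); the policy IDs 1 and 5 used in the `move` command and the ISDB ID placeholder in route 3 are assumptions, to be read from `show firewall policy` and from `set internet-service ?` on the real unit. NAT is enabled on the breakout policy because the broken-out sessions leave directly through vne.root.

```fortios
# Default routes: same distance (10) so both stay in the routing table;
# the higher priority value (1) on vne.root makes the ipsec route win.
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set device "ipsec"
    next
    edit 2
        set dst 0.0.0.0 0.0.0.0
        set device "vne.root"
        set priority 1
    next
    # One ISDB route per broken-out service; repeat for the other three entries.
    # The CLI takes the numeric ISDB ID (placeholder below; list with "set internet-service ?").
    edit 3
        set internet-service <ISDB ID of Microsoft-Office365>
        set device "vne.root"
    next
end

# Breakout policy: LAN -> IPoE, destination given by ISDB entries.
config firewall policy
    edit 0
        set name "breakout"
        set srcintf "internal"
        set dstintf "vne.root"
        set srcaddr "all"
        set internet-service enable
        set internet-service-name "Microsoft-Microsoft.Update" "Microsoft-Office365" "Microsoft-Office365-Published.Allow" "Microsoft-Office365-Published.Optimize"
        set action accept
        set schedule "always"
        set nat enable
        set logtraffic all
    next
    # Policies match top-down: put breakout (assumed ID 5) above
    # internal-to-ipsec (assumed ID 1).
    move 5 before 1
end

# Checks: the two default routes with their priorities, and the ISDB
# routes, which are implemented as policy routes and therefore do not
# appear in the routing table.
get router info routing-table all
diagnose firewall proute list
```

If `get router info routing-table all` shows only one default route, the two routes have different distances; fix the distance rather than the priority.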

Chapter 3: SD-WAN Hybrid WAN

3.1. Assumed Topology

The diagram shows a FortiGate-60F configured with both IPoE and PPPoE lines for load balancing and differentiated traffic routing.

3.2. Prerequisites

  • The configuration uses a FortiGate-60F connected to the internet via both IPoE and PPPoE lines.
  • Basic FortiGate configuration, IPoE, and PPPoE connection setup, and proper cabling are completed.
  • Microsoft Update and Office 365 traffic primarily use the IPoE line, while other traffic utilizes both IPoE and PPPoE lines through load balancing.
  • The PPPoE interface is named 'pppoe'.

3.3. Reference Materials

3.4. Creating SD-WAN Interface

Navigate to Network > SD-WAN Zone and click on virtual-wan-link.

Click + Create New to add SD-WAN members.

Edit the SD-WAN member, select vne.root for the interface, and click OK. An interface can only become an SD-WAN member while no firewall policy or static route references it directly, so remove or re-point any such references first.

Similarly, create a new member and add the PPPoE interface (pppoe). The virtual-wan-link (SD-WAN) interface will then display vne.root and pppoe as its members.

3.5. Creating Priority Interface for Specific Applications

Create an SD-WAN rule that steers application traffic identified by the ISDB to a preferred member. In this guide, the vne.root interface is used for Office 365 and Microsoft Update traffic.

Navigate to Network > SD-WAN Rules and click + Create New.

SD-WAN Rule Configuration:

  • Name: o365 (or any desired name)
  • Source Address: all (applies to all users in this guide)
  • Internet Services: Microsoft-Microsoft.Update, Microsoft-Office365, Microsoft-Office365-Published.Allow, Microsoft-Office365-Published.Optimize (names as listed in the Internet Service list of your FortiOS version)
  • Outgoing Interface: Manual
  • Preferred Interface: vne.root

Click OK to create the SD-WAN rule.

Traffic not matching the created rule falls through to the implicit rule, which distributes sessions across both members according to the SD-WAN load-balancing mode (source IP based by default); this is the behaviour assumed in 3.2 for all other traffic.

3.6. Creating Default Route

Create a static route that sets the SD-WAN interface as the default route (Destination 0.0.0.0/0.0.0.0).

Navigate to Network > Static Routes and click + Create New.

Select SD-WAN for the Interface and click OK.

3.7. Creating Policy

Navigate to Policy & Object > Firewall Policy and click + Create New.

New Policy Configuration:

  • Name: Internal to sd-wan (or any desired name)
  • Incoming Interface: internal
  • Outgoing Interface: virtual-wan-link
  • Source: all
  • Destination: all
  • Service: ALL
  • Logging Options: Enable logging and select All Sessions.

Click OK to complete the policy creation.

Note: This guide configures all traffic to use the SD-WAN interface. Adjust source, destination, and security profiles as needed.

The created policy will appear in the firewall policy list.

3.8. Changing MSS Value

The IPoE fixed-IP service carries IPv4 inside IPv6, so every packet on vne.root gains a 40-byte IPv6 header. With a 1500-byte physical MTU the usable MTU on vne.root is 1460, and the TCP MSS for sessions passing through it must be clamped to 1420 (1460 minus 20 bytes IPv4 and 20 bytes TCP) to avoid fragmentation or black-holed large segments.

TCP MSS values are configured on the firewall policy. Open the CLI console by clicking the >_ icon in the upper right of the GUI.

Execute the following commands in the CLI console, where 1 is the ID of the 'Internal to sd-wan' policy created in 3.7 (check it with show firewall policy and substitute if different):

config firewall policy
    edit 1
        set tcp-mss-sender 1420
        set tcp-mss-receiver 1420
    next
end

The clamp applies to every session matching the policy, including those load-balanced onto pppoe; 1420 is below the 1452 that a PPPoE link (MTU 1492) would allow, so it is safe for both members.

3.9. Verification Method

Generate traffic (e.g., Office 365 or other traffic) from a terminal device. Navigate to Network > SD-WAN Zone and confirm that traffic volumes are being counted for each SD-WAN member interface (download and upload).

Navigate to Log & Report > Forward Traffic and verify the following:

  • Office 365 traffic is primarily sent via vne.root.
  • Other traffic is sent via both vne.root and pppoe interfaces.

Appendix #1: IPsec VPN Configuration for Remote/Central Sites

This appendix explains the IPsec VPN configuration for remote and central sites when performing the "Internet Breakout" setup described in Chapter 2.

1. Assumed Topology

The diagram illustrates the IPsec VPN configuration between a remote FortiGate-60F and a central FortiGate.

2. Reference Materials

3. Prerequisites

  • No network addresses are configured for the IPsec tunnel.
  • Key exchange is configured in Aggressive mode.
  • Authentication method is set to Pre-shared Key.
  • Configuration uses the VPN wizard's Custom option.
  • Default settings are applied for unspecified configurations.

4. IPsec VPN Configuration

Navigate to VPN > IPsec Wizard and run the VPN creation wizard.

  • Name: ipsec (or any desired name)
  • Template Type: Custom. Click Next. Selecting Custom exits the wizard and transitions to the detailed configuration screen. Configuration is required for both the central and remote sides.

Network Settings:

  • Remote Gateway IP Address: on the remote site, the WAN IP address of the central site (e.g., 10.130.186.56); on the central site, the vne.root address of the remote site.
  • Local Gateway IP Address: on the remote site, the IP address of the vne.root interface.
  • Interface:
    • Remote Site: Select vne.root.
    • Central Site: Select WAN1.

Authentication:

  • Method: Pre-shared Key
  • Pre-shared Key: Enter any desired string.

IKE:

  • Mode: Aggressive
  • Accept Type: Any Peer ID

Note that in IKEv1 aggressive mode the PSK-derived authentication hash is exchanged before the negotiation is encrypted, so anyone who captures the exchange can run an offline dictionary attack on the pre-shared key. Use a long random key, and since both gateways in this topology have fixed addresses, Main mode (or IKEv2) works just as well here and avoids that exposure.

Phase 2 Selector:

  • Local Address: Enter 192.168.1.0/255.255.255.0 (the remote LAN). The Remote Address stays at its default of 0.0.0.0/0 because the remote site sends all non-breakout traffic through the tunnel; the central site's selector is the mirror image (Remote Address 192.168.1.0/255.255.255.0).

4.3. IPsec Routing Configuration

Navigate to Network > Static Routes on the remote site. Configure the IPsec tunnel as the default route (Destination 0.0.0.0/0.0.0.0) and click OK.

Also add a host route on the remote site for the central FortiGate's WAN address (Destination 10.130.186.56/255.255.255.255, Interface vne.root), so that the IKE and ESP packets to the peer itself are not sent into the very tunnel they carry. On the central FortiGate, configure the mirror-image route: Destination = the remote site's vne.root address with mask 255.255.255.255, Interface = WAN1.

After configuration, the routing settings will appear as shown.

5. IPsec Policy Configuration

Create IPsec Policy: Navigate to Policy & Object > Firewall Policy and click + Create New.

IPsec Policy Editing:

  • Name: internal-to-ipsec (or any desired name)
  • Incoming Interface: internal
  • Outgoing Interface: ipsec
  • NAT: Disable

Click OK to complete the policy creation. The central FortiGate needs the corresponding policies for traffic arriving on its ipsec interface (to its LAN, and to WAN1 with NAT enabled if the remote site's non-breakout internet traffic is to exit at the central site, as the topology in 2.1 assumes); without them the tunnel comes up but traffic from the remote LAN is dropped.

6. Verification Method

After completing the settings on both the remote and central sides, generate traffic from a device within the remote LAN to the central site. Verify that the IPsec status becomes active.

You can check the IPsec status on the FortiGate dashboard. Navigate to Dashboard > +. In the Add Widget screen, click IPsec and then Add Widget.

Clicking the newly added IPsec Monitor on the dashboard allows you to view the status of IPsec interfaces.
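The remote-site side of this appendix as entered from the CLI, followed by the hardened phase 1 variant suggested in section 4, as an added example that is not part of the original guide. Names follow the appendix (ipsec, vne.root, internal, 192.168.1.0/24, central WAN 10.130.186.56); the remote site's own vne.root address (203.0.113.10) and the route and policy IDs are assumptions. The central site is the mirror image: interface WAN1, remote gateway = the remote's vne.root address, phase 2 selector reversed, host route to the remote via WAN1, plus the ipsec-to-LAN and ipsec-to-WAN1 (NAT) policies mentioned in section 5.

```fortios
# Phase 1 as the appendix configures it: IKEv1 aggressive mode, PSK, any peer ID.
config vpn ipsec phase1-interface
    edit "ipsec"
        set interface "vne.root"
        set ike-version 1
        set mode aggressive
        set peertype any
        set remote-gw 10.130.186.56
        set local-gw 203.0.113.10
        set psksecret <long-random-secret>
    next
end

# Phase 2: remote LAN to anything, since all non-breakout traffic uses the tunnel.
config vpn ipsec phase2-interface
    edit "ipsec"
        set phase1name "ipsec"
        set src-subnet 192.168.1.0 255.255.255.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end

# Default route into the tunnel, plus a host route so the IKE/ESP packets
# to the central peer leave via vne.root rather than the tunnel itself.
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set device "ipsec"
    next
    edit 2
        set dst 10.130.186.56 255.255.255.255
        set device "vne.root"
    next
end

# LAN -> tunnel policy, no NAT so the central site sees 192.168.1.0/24 sources.
config firewall policy
    edit 0
        set name "internal-to-ipsec"
        set srcintf "internal"
        set dstintf "ipsec"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end

# Hardened phase 1: both gateways have fixed addresses, so Main mode is
# possible and the PSK hash is no longer sent in the clear. The peer is
# already pinned by its fixed remote-gw address. Apply the same change on
# the central side; the two modes do not interoperate.
config vpn ipsec phase1-interface
    edit "ipsec"
        set mode main
    next
end

# Verification: phase 1 state, then the phase 2 SAs and their selectors.
diagnose vpn ike gateway list
diagnose vpn tunnel list
```

`diagnose vpn tunnel list` is the CLI counterpart of the IPsec Monitor widget: a tunnel with an established phase 1 but no SA entries usually means the phase 2 selectors on the two sides do not mirror each other.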

Revision History

Version | Release Date | Revision History
1.00 | 2021.2 | Initial Release
