FortiWAN Tunnel Routing – Setting

Tunnel Group

Consider two symmetric FortiWAN sites with multiple WAN links on each side. A tunnel between the two units is the connection between one WAN link of the local unit and one WAN link of the remote unit. A tunnel group contains multiple tunnels, which may be any combination of WAN links between the two FortiWAN units. A tunnel group is the basic unit used for a Tunnel Routing transmission: packets of a session transferred via Tunnel Routing between the units are distributed (according to the balancing algorithm) over the tunnels defined in the tunnel group. A tunnel group is therefore logically one big tunnel into which multiple WAN links are integrated.

The figure below illustrates tunnels and tunnel groups. Tunnel Group 1 contains two tunnels: tunnel 1 is established between FWN-A’s WAN 1 and FWN-B’s WAN 1, and tunnel 2 between FWN-A’s WAN 2 and FWN-B’s WAN 2. A transmission via Tunnel Group 1 is distributed over tunnel 1 and tunnel 2.

Tunnel Group 2 also contains two tunnels: tunnel 3 is established between FWN-A’s WAN 3 and FWN-B’s WAN 4, and tunnel 4 between FWN-A’s WAN 4 and FWN-B’s WAN 3. A tunnel group containing only one tunnel, the degenerate case, is allowed.

A tunnel group is the basic unit employed for a Tunnel Routing transmission. Therefore the balancing algorithm, encryption, the opposite site, the tunnels in the group and even the quality of the WAN links are all necessary associations of a tunnel group. To set up a tunnel group, the following information is needed:

- Which opposite FortiWAN unit the tunnel group is established with: Remote Host ID
- Which tunnels are included in the tunnel group: Local IP and Remote IP for each tunnel
- How packets are distributed over the tunnels: Algorithm
- Whether the transmission is kept secret: Encryption

Note that every tunnel group must contain at least one tunnel configured with a static public IP address. FortiWAN supports up to 100 tunnel groups on the FWN-200B, 400 tunnel groups on the FWN-1000B and 1000 tunnel groups on the FWN-3000B. On all three models the default maximum total number of enabled GRE tunnels is 2500.

In this configuration table, tunnels are configured for a tunnel group with the IP addresses of the WAN links of the local and remote FortiWAN units, together with the algorithm used to route packets over the tunnels.

Add   Click the Add button to add a new Tunnel Group setting panel.

   Note that the default maximum number of tunnel groups allowed is:

   - 100 tunnel groups for FortiWAN 200B
   - 400 tunnel groups for FortiWAN 1000B
   - 1000 tunnel groups for FortiWAN 3000B
Group Name   Assign a group name to the tunnel group.
Remote Host ID   Enter the Host ID of the remote unit the tunnel group connects to.
Algorithm   - Round-Robin: Route the connections over the tunnels by weight. Note: specify the weight value of each tunnel under “Group Tunnels” when selecting “Round-Robin” (see Load Balancing Algorithms).
   - By Upstream Traffic: Route the connections to the tunnel with the lightest upstream traffic flow (see Load Balancing Algorithms).

Group Tunnels

Click the Add button on the Group Tunnels panel; a configuration block pops up for adding a GRE tunnel to the tunnel group. Move the cursor over an existing tunnel (it will be highlighted) and click it; the same configuration block pops up for editing it.

Enable   Check to enable this GRE tunnel, or uncheck to disable it.

Note that by default a tunnel group may have at most 16 GRE tunnels enabled. Across all configured tunnel groups, a maximum total of 2500 enabled GRE tunnels is allowed.


Local IP   Configure the local IP address for tunnels in the tunnel group. The local IP addresses here are the localhost IPs defined on the WAN links of the local FortiWAN. According to the WAN type defined on the WAN links, several types of Local IP are available as options.

Static-IP WAN link without NAT on local side: If the WAN link of the local FortiWAN you want to use for the tunnel is configured with a static public IP address and no NAT translation is applied to this address, select “IPv4 Address” and configure it with the static public IP address of the WAN link.

Static-IP WAN link with NAT on local side: If the WAN link of the local FortiWAN you want to use for the tunnel is configured with a static IP address and a NAT translation is applied to this address, select “(NAT) IP Address” and configure it with the static IP address of the WAN link.

Dynamic-IP WAN link without NAT on local side: If the WAN link of the local FortiWAN you want to use for the tunnel is configured with a dynamic IP address (WAN type Bridge Mode: PPPoE or DHCP) and no NAT translation is applied to the dynamic address, select “Dynamic WANx” for the configuration.

Dynamic-IP WAN link with NAT on local side: If the WAN link of the local FortiWAN you want to use for the tunnel is configured with a dynamic IP address (WAN type Bridge Mode: PPPoE or DHCP) and a NAT translation is applied to the dynamic address, select “(NAT) Dynamic WANx” for the configuration.

According to your WAN Settings, “Dynamic WAN x” and “(NAT) Dynamic WAN x” are listed in pairs in the drop-down menu, one pair for each dynamic WAN link (Bridge Mode: PPPoE and Bridge Mode: DHCP). To avoid a TR transmission failure, select the corresponding NAT type for deployments that involve NAT translation.

If the IP addresses the ISP provides are private IP addresses (whether static or dynamic), the ISP might perform NAT translation on them. Contact the ISP for further information.

For the options “Static-IP WAN link without NAT” and “Static-IP WAN link with NAT”, if the IP address of the WAN link is changed (from Network Setting) on the local FortiWAN unit, the setting here must be updated manually to match.

For a deployment of Tunnel Routing over IPSec, make sure the Local IP here equals the Local IP configured in the corresponding IPSec Phase 1 (see “IPSec – Define routing policies for an IPSec VPN”).


Remote IP   Configure the remote IP address for tunnels in the tunnel group. The remote IP addresses here are the localhost IPs defined on the WAN links of the remote FortiWAN. According to the WAN type defined on the WAN links, several types of Remote IP are available as options.

Static-IP WAN link without NAT on remote side: If the WAN link of the remote FortiWAN you want to use for the tunnel is configured with a static IP and no NAT translation is applied to the address, select “IPv4 Address” and configure it with the static IP address of the WAN link.

Dynamic-IP WAN link without NAT on remote side: If the WAN link of the remote FortiWAN you want to use for the tunnel is configured with a dynamic IP and no NAT translation is applied to the address, select “Dynamic IP” for the configuration.

WAN link with NAT on remote side: Whether the WAN link of the remote FortiWAN you want to use for the tunnel is configured with a static or a dynamic IP address, select “(NAT) Dynamic IP” for the configuration if a NAT translation is applied to the address.

To avoid a TR transmission failure, select the corresponding NAT type for deployments that involve NAT translation.

For the option “Static-IP WAN link without NAT”, if the IP address of the WAN link is changed (from Network Setting) on the remote FortiWAN unit, the setting here must be updated manually to match.

For a deployment of Tunnel Routing over IPSec, make sure the Remote IP here equals the Remote IP configured in the corresponding IPSec Phase 1 (see “IPSec – Define routing policies for an IPSec VPN”).

Weight   The weight/priority of the tunnel for the Round-Robin balancing algorithm. This field is displayed only if Round-Robin is selected for Algorithm.
Encrypt   Check to enable, or uncheck to disable, encryption of packets transferred via this tunnel. Remember to set the secret key for encryption. This is a simple encryption built into Tunnel Routing, which employs AES in ECB mode. If stronger, stricter security is required, run Tunnel Routing under the protection of IPSec transport mode (see “IPSec”).
DSCP   DSCP (Differentiated Services Code Point) provides a simple mechanism for quality of service (QoS) on IP networks. DSCP uses the differentiated services code in the IP header to indicate different traffic QoS classifications. If your ISP provides a DSCP service, contact them for the values. Specify the value for the tunnel in this field; leave it blank if you do not apply DSCP to the tunnel. Note that only tunnels established with static local and remote IP addresses support DSCP. This is primarily used for tunnels over MPLS networks.
Add (button)   Click to add the tunnel configuration to the Group Tunnels panel. After clicking, the tunnel is listed on the panel. Note that clicking the Apply button is still required to save the whole configuration to the system back-end for Tunnel Routing.
Save (button)   This button appears while you are editing an existing tunnel. Click to save the edits back to the Group Tunnels panel. Note that clicking the Apply button is still required to save the whole configuration to the system back-end for Tunnel Routing.
Cancel (button)   Click to close the configuration block.

As described previously, for the performance of bidirectional transmission, Tunnel Routing automatically pins any TCP control packet (a packet without data payload) to the first available tunnel listed on the Group Tunnels block in bottom-up order. Not only control packets but also data packets are assigned to this tunnel; therefore, the more bandwidth this tunnel has, the more smoothly the control packets are delivered. It is recommended to arrange the tunnels (using the Move Down and Move Up buttons) so that the higher a tunnel’s throughput, the lower its position on the list.
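To make the distribution behaviour concrete, here is an added Go model, not FortiWAN code, of a tunnel group that implements the two algorithms from the configuration table together with the control-packet pinning described above: a TCP packet with no payload goes to the first enabled tunnel counting from the bottom of the list, while other packets are spread by weighted Round-Robin or sent to the tunnel with the least upstream bytes so far. The Tunnel, TunnelGroup and Packet types, the per-packet byte accounting and the packet sizes in the usage are assumptions made for this example.

```go
package main

import "fmt"

// Tunnel is a constructed model of one row on the Group Tunnels panel.
type Tunnel struct {
	Name     string
	Enabled  bool
	Weight   int // used by Round-Robin only
	Upstream int // bytes sent so far, used by By Upstream Traffic only
}

type Algorithm int

const (
	RoundRobin Algorithm = iota
	ByUpstreamTraffic
)

// TunnelGroup keeps tunnels in panel order, top to bottom (index 0 is the
// top row), so the last element is the bottom of the list.
type TunnelGroup struct {
	Algorithm Algorithm
	Tunnels   []*Tunnel
	rrCursor  int // position in the weighted round-robin schedule
}

// Packet carries just the fields the routing decision needs.
type Packet struct {
	TCP        bool
	Len        int // total packet length in bytes
	PayloadLen int // 0 for a TCP control packet such as a bare ACK
}

// controlTunnel is the first enabled tunnel in bottom-up order: the tunnel
// the page says TCP control packets are pinned to.
func (g *TunnelGroup) controlTunnel() *Tunnel {
	for i := len(g.Tunnels) - 1; i >= 0; i-- {
		if g.Tunnels[i].Enabled {
			return g.Tunnels[i]
		}
	}
	return nil
}

// roundRobin walks a weighted schedule in which a tunnel of weight w is
// selected w times per cycle; disabled or zero-weight tunnels are skipped.
func (g *TunnelGroup) roundRobin() *Tunnel {
	var schedule []*Tunnel
	for _, t := range g.Tunnels {
		if !t.Enabled || t.Weight <= 0 {
			continue
		}
		for i := 0; i < t.Weight; i++ {
			schedule = append(schedule, t)
		}
	}
	if len(schedule) == 0 {
		return nil
	}
	t := schedule[g.rrCursor%len(schedule)]
	g.rrCursor++
	return t
}

// byUpstream picks the enabled tunnel with the lightest upstream traffic.
func (g *TunnelGroup) byUpstream() *Tunnel {
	var best *Tunnel
	for _, t := range g.Tunnels {
		if t.Enabled && (best == nil || t.Upstream < best.Upstream) {
			best = t
		}
	}
	return best
}

// Route assigns a packet to a tunnel and accounts its bytes as upstream
// traffic on that tunnel. It returns nil when no tunnel is enabled.
func (g *TunnelGroup) Route(p Packet) *Tunnel {
	var t *Tunnel
	switch {
	case p.TCP && p.PayloadLen == 0:
		t = g.controlTunnel()
	case g.Algorithm == RoundRobin:
		t = g.roundRobin()
	default:
		t = g.byUpstream()
	}
	if t != nil {
		t.Upstream += p.Len
	}
	return t
}

func main() {
	g := &TunnelGroup{Algorithm: RoundRobin, Tunnels: []*Tunnel{
		{Name: "tunnel 1", Enabled: true, Weight: 1},
		{Name: "tunnel 2", Enabled: true, Weight: 2},
		{Name: "tunnel 3", Enabled: true, Weight: 1}, // bottom row: give this one the most bandwidth
	}}
	for _, p := range []Packet{{TCP: true, Len: 1500, PayloadLen: 1460}, {TCP: true, Len: 40}, {TCP: false, Len: 500, PayloadLen: 472}} {
		fmt.Printf("%+v -> %s\n", p, g.Route(p).Name)
	}
}
```

The model makes the page's ordering advice visible: every bare ACK lands on the bottom-most enabled tunnel on top of its normal share of data packets, so that tunnel carries the most traffic and should be the one with the highest throughput.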

Note that one group tunnel configuration (the same Local IP and Remote IP) cannot be duplicated across multiple tunnel groups. A group tunnel configured with a static local IP address and a static remote IP address can be used in only one tunnel group between one pair of local host and remote host. A group tunnel configured with a static IP address and a dynamic WAN link can be duplicated in tunnel groups that are used with different remote hosts, but cannot be duplicated in tunnel groups used with the same remote host.

Besides the GRE tunnels, the configuration of a tunnel group includes an optional Default Rule setting. If your TR network deployment requires more than 100 TR routing rules, replacing the TR routing rules with TR default rules is suggested for better performance. Default Rule is introduced in How to set up routing rules for Tunnel Routing.

See also

Tunnel Routing

How the Tunnel Routing Works

How to set up routing rules for Tunnel Routing

Tunnel Routing – Benchmark Scenarios



This entry was posted in Administration Guides, FortiWAN.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
