Chapter 9 – SDWAN
9-1 SD-WAN
Learning Objectives
- Create a Demo of SDWAN
- Configure SDWAN features
Scenario: Software-defined wide-area network (SD-WAN) solutions transform an organization’s capabilities by leveraging the corporate wide-area network (WAN) as well as multi-cloud connectivity to deliver high-speed application performance at the WAN edge of branch sites. One of the chief benefits of SD-WAN is that it provides a dynamic path selection among connectivity options—MPLS, 4G/5G, or broadband—ensuring organizations can quickly and easily access business-critical cloud applications.[1] In this scenario, we are simulating SD-WAN by using OpenWrt and this allows you to play with the features of SD-WAN. Port 4 and Port 5 acts like your different connection and you can manage them through SD-WAN.
| Device | IP address |
| Webterm1 ( WRT Manager) | 192.168.1.2/24 |
| Webterm2 (Firewall Manager) | 192.168.20.2/24, GW: 192.168.20.1, DNS: 4.2.2.4 |
| FortiGate | Port 3: 192.168.20.1/24
Port 4: 10.200.2.1/24 Port 5: 10.200.3.1/24 |
| OpenWrt | Eth0: connected to WRT Manager
Eth1: connected to NAT Eth2: 10.200.2.254/24 Eth3: 10.200.3.254/24 |
| NAT |
Configure OpenWRT
To configure OpenWRT, you should connect through port eth0. By default, the IP address of eth0 is 192.168.1.1/24. So, you can set the WRTManager as 192.168.1.2/24 and connect to OpenWRT through the web browser. You can type in the browser: http://192.168.1.1, and click on “Login” without entering any password.
Then, go to network> interfaces > Add new interface …
And Enter the following information:
- Name of Interface: LAN2
- Cover the following interface: eth2
- Then, submit and add IPV4: 10.200.2.254 netmask: 255.255.255.0
- And finally, under Firewall Settings select firewall-zone as Lan
- Name of Interface: LAN3
- Cover the following interface: eth3
- Then, submit and add IPv4: 10.200.3.254 netmask: 255.255.255.0
- And finally, under Firewall Settings select firewall-zone as Lan
Your interfaces in OpenWrt should be like figure 9-9:
Firewall Configuration
1- Set the port3 as a management port and connect it to Firewall Manager(Webterm-2)
FGVM01TM19008000 # config system interface
FGVM01TM19008000 (interface) # edit port3
FGVM01TM19008000 (port3) # set ip 192.168.20.1/24
FGVM01TM19008000 (port3) # set allowaccess http https
FGVM01TM19008000 (port3) # end
2- Go to Firewall > Network > Interfaces> port4
-
- Set Name as WAN2 and IPV4 as 10.200.2.1/24
3- Go to Firewall > Network > Interfaces> port 5
-
- Set Name as WAN3 and IPV4 as 10.200.3.1/24
4- Go to Network > SD-WAN > Select Interface Port4
-
- Gateway: 10.200.2.254
5- Add SD-WAN > Select Interface Port5
-
- Gateway: 10.200.3.254
6- Create a static route as figure 9-15.
7- Create a firewall policy as following table:
| Name | SDWAN |
| Incoming Interface | LAN(PORT3) |
| Outgoing Interface | SD-WAN |
| Source | ALL |
| Destination | ALL |
| Schedule | Always |
| Service | ALL |
8- Go to Network > SD-WAN Rule, create a rule as follows:
-
-
- Name: MyRule
- Source Address: All
- Destination Address: All
- Protocol Number: Any
- Strategy: Best Quality
- Interface Preference: Port4, Port 5
-
9- Measured SLA
-
-
- Create a SLA
-
- Name: MySLA
- Protocol: Ping
- Server: 4.2.2.4
- Add Target and leave the default parameters
-
- Create a SLA
-
10- Go to Network > SD-WAN and verify your SD-WAN Usage.
11- Now, go to GN3 and disconnect port4. You should be able to reach the Internet from Firewall Manager.
12- Go to Network > SD-WAN and verify your SD-WAN Usage.
13- Open the browser in the Firewall Manager and type msn.com and then go to the Dashboard > FortiView Sessions. Verify your result.
14- Go to Log & Report> Event > SD-WAN Event. Verify your result.
