subramanis
Staff
March 24, 2025

Technical Tip: Policy route behavior and directly connected interface limitation

Description

This article describes the configuration behavior when both the source and destination networks are directly connected and there is a requirement to influence traffic flow using a policy route.

Scope

FortiGate.

Solution

The source network 192.168.1.0/24 is directly connected to VLAN10.

The destination network 192.168.2.0/24 is directly connected to mgmt1.

By default, traffic between these networks follows the directly connected route.

However, there may be a requirement to route traffic from a specific source IP 192.168.1.10 (VLAN10) to a specific destination 192.168.2.30 (mgmt1) via port11 using a policy route:

Source:

config system interface
    edit "VLAN10"
        set vdom "root"
        set ip 192.168.1.0 255.255.255.0
        set allowaccess ping
        set device-identification enable
        set role lan
        set snmp-index 68
        set color 28
        set interface "fortilink"
        set vlanid 100
    next
end

C 192.168.1.0/24 is directly connected, VLAN10


Destination:

config system interface
    edit "mgmt1"
        set vdom "root"
        set management-ip 192.168.2.2 255.255.255.0
        set ip 192.168.2.1 255.255.255.0
        set allowaccess ping https ssh http fgfm
        set type physical
        set role lan
        set snmp-index 1
    next
end


A specific static route has been added to reach the destination via port11:

S 192.168.2.30/32 [10/0] via 192.168.2.254, port11, [1/0]

The policy route is configured as follows:

config router policy
    edit 1
        set input-device "VLAN10"
        set srcaddr "192.168.1.0/24"
        set dstaddr "192.168.2.0/24"
        set gateway 192.168.2.254
        set output-device "port11"
    next
end


The firewall policy allows the specific traffic from the source to the destination over port11:

config firewall policy
    edit 122
        set name "Test"
        set uuid 1d3615bc-d983-51ef-e1ad-9282698740da
        set srcintf "VLAN10"
        set dstintf "port11"
        set action accept
        set srcaddr "192.168.1.10/32"
        set dstaddr "192.168.2.30/32"
        set schedule "always"
        set service "ALL"
    next
end

The debug flow output for an ICMP echo request from 192.168.1.10 to 192.168.2.30 shows the packet being dropped:

2025-01-23 13:13:16 id=65308 trace_id=10 func=print_pkt_detail line=5857 msg="vd-root:0 received a packet(proto=1, 192.168.1.10:1->192.168.2.30:2048) tun_id=0.0.0.0 from VLAN10. type=8, code=0, id=1, seq=13."
2025-01-23 13:13:16 id=65308 trace_id=10 func=init_ip_session_common line=6043 msg="allocate a new session-0d065999, tun_id=0.0.0.0"
2025-01-23 13:13:16 id=65308 trace_id=10 func=__vf_ip_route_input_rcu line=2001 msg="find a route: flag=80000000 gw-0.0.0.0 via root"
2025-01-23 13:13:16 id=65308 trace_id=10 func=__iprope_tree_check line=524 msg="gnum-100004, use int hash, slot=22, len=9"
2025-01-23 13:13:16 id=65308 trace_id=10 func=fw_local_in_handler line=615 msg="iprope_in_check() check failed on policy 0, drop"


The directly connected route always takes precedence over a static route. As a result, the policy route will not be applied, and this configuration will not work as intended.
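As an added offline check (not part of the article and not a FortiOS feature), the Python below parses a `config router policy` snippet together with the `C` entries of a routing table dump and reports policy routes that the behaviour described above silences: a CIDR dstaddr inside a directly connected network whose output-device is not that network's interface. The sample inputs are constructed to mirror the article's CLI output, and dstaddr values that are named address objects are skipped because they cannot be resolved offline.

```python
import ipaddress
import re
# Constructed sample inputs modelled on the article's CLI output, not taken from a device.
ROUTE_TABLE = """\
C 192.168.1.0/24 is directly connected, VLAN10
C 192.168.2.0/24 is directly connected, mgmt1
S 192.168.2.30/32 [10/0] via 192.168.2.254, port11, [1/0]
"""
POLICY_ROUTES = """\
config router policy
    edit 1
        set input-device "VLAN10"
        set srcaddr "192.168.1.0/24"
        set dstaddr "192.168.2.0/24"
        set gateway 192.168.2.254
        set output-device "port11"
    next
end
"""

def connected_networks(route_table):
    """Map each directly connected network ('C' line) to its interface; other routes are ignored."""
    nets = {}
    for line in route_table.splitlines():
        m = re.match(r"^C\s+(\S+) is directly connected, (\S+)$", line.strip())
        if m:
            nets[ipaddress.ip_network(m.group(1), strict=False)] = m.group(2)
    return nets

def policy_routes(config):
    """Return one dict per 'edit N ... next' block, keyed by setting name (quotes stripped)."""
    routes = []
    for pid, body in re.findall(r"edit (\S+)(.*?)\n\s*next", config, re.S):
        settings = dict(re.findall(r'set (\S+) "?([^"\n]+?)"?\s*$', body, re.M))
        routes.append({"id": pid, **settings})
    return routes

def find_shadowed(config, route_table):
    """Policy routes whose CIDR dstaddr is inside a connected network but exits another interface."""
    findings, connected = [], connected_networks(route_table)
    for pr in policy_routes(config):
        try:
            dst = ipaddress.ip_network(pr.get("dstaddr", "0.0.0.0/0"), strict=False)
        except ValueError:
            continue  # dstaddr is a named address object; cannot be resolved offline
        for net, ifname in connected.items():
            if dst.overlaps(net) and pr.get("output-device") != ifname:
                findings.append((pr["id"], str(net), ifname, pr.get("output-device")))
    return findings
```

Run against the article's configuration, `find_shadowed(POLICY_ROUTES, ROUTE_TABLE)` reports policy route 1 because 192.168.2.0/24 is connected on mgmt1 while the route points at port11.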