Skip to main content
pszewczyk
pszewczyk
New Member
January 31, 2017
Solved

Fortigate 90D routing problem

  • January 31, 2017
  • 2 replies
  • 8921 views

Hi Guys,

 

I'm facing a problem replacing my old Cisco 1921 to Fortigate 90D.

 

I have a public IP range from ISP, i.e.: 76.252.105.128/26. I divided this range to multiple subnets. Between Fortigate and ISP router there is 76.252.105.128/28 subnet (ISP router 76.252.105.129 and fortigate WAN: 76.252.105.130). The rest of public IPs were divided into small 4 IP subnets and assigned to LAN interfaces, i.e. LAN_1 76.252.105.176/30. The problem is that I cannot access internet servers from LAN_1 and opposite way - I cannot access internet server in LAN_1 (76.252.105.178) from the internet. I have 2 IPv4 policies ISP -> LAN_1 (without NAT) and LAN_1 -> ISP (Without NAT) allowing all traffic.

 

I also have a private LAN_2 (192.168.1.0) which is overloaded to 76.252.105.130 and it works great!

 

I don't have ideas why public IP routing doesn't want to work. On old Cisco everything works great. Do you have any ideas? 

    Best answer by Jzhang_FTNT

    >>>The problem is that I cannot access internet servers from LAN_1 and opposite way - I cannot access internet server in LAN_1 (76.252.105.178) from the internet. I have 2 IPv4 policies ISP -> LAN_1 (without NAT) and LAN_1 -> ISP (Without NAT) allowing all traffic.

     

    Since the IP of internet servers is a public one, ISP should always has route back,  so firewall policy is good, no nat no VIP required. please check the routing-table on FGT by 'get router info routing-table all'

    2 replies

    moby
    moby
    New Member
    January 31, 2017

    Hi  - you should do some basic testing  - -run a constant ping between two IP addresses and then run a sniffer trace from the Fortigate CLI on the interfaces such as:

     

    diag sniffer packet Lan_1 'host x.x.x.x and host x.x.x.x'

     

    Does the packet arrive at the LAN_1 interface?

     

    Then:

     

    diag sniffer packet wan1 'host x.x.x.x and host x.x.x.x'

     

    Does the packet leave the wan1 interface and do you get a response back from the upstream router?

     

    That would be a good starting point  - -if that does not help then do a debug flow such as:

     

    diag debug enable

    diag debug flow filter saddr x.x.x.x

    diag debug flow filter daddr x.x.x.x

    diag debug flow show console enable

    diag debug flow trace start 50

     

    See if that gives you some clues.

     

    Moby.

     

     

     

     

     

    rwpatterson
    rwpatterson
    New Member
    January 31, 2017

    Two issues here.

    1) All outbound policies need to have NAT enabled for traffic to pass to the Internet.

     

    2) Inbound traffic: I'm not too familiar with how the Cisco works, but I do know that your ISP has to pass the traffic for the inbound servers to one firewall or another. This has to managed manually (unless you are using a routing protocol). You need to see from the outside where the traffic is being pushed to. If it is the Fortigate, then you have to make sure your Virtual IP (VIP) mappings are set up correctly and that the policies are in place to allow that traffic.

    Jzhang_FTNT
    Staff
    Jzhang_FTNTAnswer
    Staff
    February 1, 2017

    >>>The problem is that I cannot access internet servers from LAN_1 and opposite way - I cannot access internet server in LAN_1 (76.252.105.178) from the internet. I have 2 IPv4 policies ISP -> LAN_1 (without NAT) and LAN_1 -> ISP (Without NAT) allowing all traffic.

     

    Since the IP of internet servers is a public one, ISP should always has route back,  so firewall policy is good, no nat no VIP required. please check the routing-table on FGT by 'get router info routing-table all'

    pszewczyk
    pszewczykAuthor
    New Member
    February 2, 2017

    Hello Guys,

     

    Thanks for your advices!

     

    @moby, I did a testing and it helped me to figure out what's the problem. 

     

    @Jzhang_FTNT you were right. The problem is located in route table in ISP router. 

     

    To be more specific:

     

    The ISP router interface should be configured with IP: 76.252.105.129/28. To the rest of public IPs (76.252.105.144-76.252.105.191) there should be IP route via our router interface (76.252.105.130).

     

    However I discovered that when I'm trying to ping.one of my public IPs 76.252.105.178 ISP router sends ARP broadcast requesting mac of 76.252.105.178 instead of sending packet via our router interface. I've asked ISP to check this router configuration and they confirmed that router interface has IP 76.252.105.129/26 instead of 76.252.105.129/28. That's the error! Old Cisco took care of it somehow and Fortinet can't do it.

     

    ISP will reconfigure their router and it will solve problem.

     

    Thanks again!

     

       
    MikePruett
    MikePruett
    New Member
    February 16, 2017

    I prefer, in situations like this, to get a /30 for the WAN interface of the Gate. That can be the external address and they can then route the /26 or /28 or whatever pool of addresses to the WAN interface of the Gate. From there you have clean control via VIPs etc.

    Terms & ConditionsAccessibility statement