sgClarence
New Member
August 24, 2022
Question

Forward traffic from LAN port to WAN

  • August 24, 2022
  • 2 replies
  • 6517 views

Port 1: gw.xx.xx.81/29 (WAN)

Port 2: lan.xx.xx.99/24 (DHCP)

Policy IPv4: Port 2 to Port 1 (all to all, NAT enabled)

 

I've tested at Port 1 that internet is accessible using static IP.

When connected to Port 2 with a LAN IP via DHCP, internet is inaccessible.

What should I create to instruct Port 1 to allow internet access from Port 2, i.e. Port 1 is like a gateway to Port 2? Just upstream traffic is fine. Thanks.

2 replies

kcheng
Staff & Editor
August 24, 2022

Hi @sgClarence 

 

You may want to check the flow of the traffic to see what's happening. Try getting the following output while having a test client to test the traffic:

diag deb flow filter saddr <src_IP>
diag deb flow filter daddr 8.8.8.8
diag deb flow filter proto 1
diag deb flow sh function-name en
diag deb flow sh iprope en
diag deb flow trace start 20
diag deb en

 

Once the above has been entered on the CLI/Putty, navigate to your test client and ping 8.8.8.8. We can then examine why the traffic is not reaching the Internet.

 

sgClarence
New Member
August 24, 2022

Hi Kayzie,

 

We've modified the ports and run the flow debug.

Port 5: isp.xx.169.229

Port 6: wan.xx.38.81

port 7: lan.168.8.99

Static Routes: 0.0.0.0/0 -> isp.xx.169.229 (port 5)

Policy IPv4: Port5->Port6 (downstream), Port6->Port5(upstream) and port7->port6(lan to internet via port 5 as gateway using public IP of port 5, NAT enabled)

 

The results:

id=20085 trace_id=1 func=print_pkt_detail line=4489 msg="vd-root received a packet(proto=1, 192.168.8.100:1->8.8.8.8:8) from port7. code=8, type=0, id=1, seq=21."
id=20085 trace_id=1 func=init_ip_session_common line=4645 msg="allocate a new session-0000c5d2"
id=20085 trace_id=1 func=iprope_dnat_check line=4633 msg="in-[port7], out-[]"
id=20085 trace_id=1 func=iprope_dnat_check line=4646 msg="result: skb_flags-00800000, vid-0, ret-no-match, act-accept, flag-00000000"
id=20085 trace_id=1 func=vf_ip4_route_input line=1597 msg="find a route: flags=00000000 gw-isp.xx.169.229 via port5"
id=20085 trace_id=1 func=iprope_fwd_check line=630 msg="in-[port7], out-[port5], skb_flags-00800000, vid-0"
id=20085 trace_id=1 func=__iprope_tree_check line=543 msg="gnum-100004, use addr/intf hash, len=2"
id=20085 trace_id=1 func=__iprope_check_one_policy line=1833 msg="checked gnum-100004 policy-2, ret-no-match, act-accept"
id=20085 trace_id=1 func=__iprope_check_one_policy line=1833 msg="checked gnum-100004 policy-0, ret-matched, act-accept"
id=20085 trace_id=1 func=__iprope_check_one_policy line=2014 msg="policy-0 is matched, act-drop"
id=20085 trace_id=1 func=iprope_fwd_auth_check line=682 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-drop, idx-0"
id=20085 trace_id=1 func=fw_forward_handler line=567 msg="Denied by forward policy check (policy 0)"

 

So, as expected, the default static route is used.

I wonder what policy/rule to create to make wan.xx.38.81 at Port 5 act as our default internet gateway for LAN users?

kcheng
Staff & Editor
August 24, 2022

Hi @sgClarence 

 

From the debug flow, the traffic is not being SNATed. But it does find that port5 is the outgoing interface. Can you post your firewall policy configuration for port7 -> port5 with the following command:

config firewall policy
edit <policy id>
sh fu
end
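To read a trace like the one posted above systematically, here is an added Python example (not from this thread or from Fortinet) that pulls out the packet, the ingress/egress interfaces, the policies checked and the final verdict, and flags a "policy 0" match as the implicit deny that needs a port7 -> port5 policy with NAT. The sample input is a subset of the trace lines from the post; the "Allowed by Policy-N: SNAT" line shape used for accepted flows is an assumption about FortiOS output, not something shown on this page.

```python
import re

# Constructed sample: the relevant lines of the flow trace posted above, reused here as test input.
SAMPLE_TRACE = """\
id=20085 trace_id=1 func=print_pkt_detail line=4489 msg="vd-root received a packet(proto=1, 192.168.8.100:1->8.8.8.8:8) from port7. code=8, type=0, id=1, seq=21."
id=20085 trace_id=1 func=iprope_fwd_check line=630 msg="in-[port7], out-[port5], skb_flags-00800000, vid-0"
id=20085 trace_id=1 func=__iprope_check_one_policy line=1833 msg="checked gnum-100004 policy-2, ret-no-match, act-accept"
id=20085 trace_id=1 func=__iprope_check_one_policy line=1833 msg="checked gnum-100004 policy-0, ret-matched, act-accept"
id=20085 trace_id=1 func=__iprope_check_one_policy line=2014 msg="policy-0 is matched, act-drop"
id=20085 trace_id=1 func=fw_forward_handler line=567 msg="Denied by forward policy check (policy 0)"
"""

MSG_RE = re.compile(r'func=(?P<func>\S+) line=\d+ msg="(?P<msg>.*)"\s*$')
PKT_RE = re.compile(r'proto=(?P<proto>\d+), (?P<src>[\d.]+):\d+->(?P<dst>[\d.]+):\d+\) from (?P<inif>\w+)')
FWD_RE = re.compile(r'in-\[(?P<inif>\w*)\], out-\[(?P<outif>\w*)\]')
CHECKED_RE = re.compile(r'checked gnum-\d+ policy-(?P<pid>\d+), ret-(?P<ret>[\w-]+)')
DENY_RE = re.compile(r'Denied by forward policy check \(policy (?P<pid>\d+)\)')
ALLOW_RE = re.compile(r'Allowed by Policy-(?P<pid>\d+)(?P<snat>: SNAT)?')  # assumed accept format

def triage_flow(trace: str) -> dict:
    """Summarise one 'diag deb flow' trace: packet, interfaces, policies checked, verdict."""
    r = {"src": None, "dst": None, "proto": None, "in_if": None, "out_if": None,
         "checked": [], "matched": None, "verdict": "unknown", "snat": False, "hint": ""}
    for raw in trace.splitlines():
        m = MSG_RE.search(raw)
        if not m:
            continue
        func, msg = m["func"], m["msg"]
        if func == "print_pkt_detail" and (p := PKT_RE.search(msg)):
            r.update(src=p["src"], dst=p["dst"], proto=int(p["proto"]), in_if=p["inif"])
        elif func == "iprope_fwd_check" and (f := FWD_RE.search(msg)):
            r["out_if"] = f["outif"]          # routing already chose the egress interface
        elif func == "__iprope_check_one_policy" and (c := CHECKED_RE.search(msg)):
            r["checked"].append((int(c["pid"]), c["ret"]))
            if c["ret"] == "matched":
                r["matched"] = int(c["pid"])  # policy 0 is the implicit deny
        elif func == "fw_forward_handler":
            if d := DENY_RE.search(msg):
                r["verdict"], r["matched"] = "drop", int(d["pid"])
            elif a := ALLOW_RE.search(msg):
                r["verdict"], r["matched"], r["snat"] = "accept", int(a["pid"]), bool(a["snat"])
    if r["verdict"] == "drop" and r["matched"] == 0:
        r["hint"] = (f"implicit deny: no policy allows {r['in_if']} -> {r['out_if']}; "
                     f"add one with srcintf {r['in_if']}, dstintf {r['out_if']} and NAT enabled")
    elif r["verdict"] == "drop":
        r["hint"] = f"explicit deny by policy {r['matched']}"
    elif r["verdict"] == "accept" and not r["snat"]:
        r["hint"] = f"accepted by policy {r['matched']} without SNAT: check NAT on that policy"
    return r
```

Running it on SAMPLE_TRACE reports in-[port7] out-[port5], policies 2 (no match) and 0 (matched, drop), and the implicit-deny hint; a real trace can be pasted in place of the sample.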

Contributor
August 24, 2022

Hi @sgClarence ,

This is my understanding:

Port 5: isp.xx.169.229

Port 6: wan.xx.38.81

port 7: lan.168.8.99

Static Routes: 0.0.0.0/0 -> isp.xx.169.229 (port 5)

Based on this information, all your traffic will go to port5 to go out to the internet.

So, here is the policy:

Source interface: Port7

Destination interface: Port5

Nat : Enabled

If you need to use port6 and port7 as your internet, consider using SD-WAN features.

sgClarence
New Member
August 24, 2022

Thanks Haiqal, I wanted a simple setup, SD-WAN looks like an overkill.