Pierluigi
New Member
February 20, 2017
Question

Help about internal routing between 2 subnets configured on one interface.

  • February 20, 2017
  • 1 reply
  • 20583 views

Hello

I need help about internal routing between 2 subnets configured on one interface.


I have: 1 Fortigate 80C with Fortinet 5.0. Physical interfaces: WAN 1 and INTERNAL.

WAN 1 Interface : HDSL to Internet with a public IP : 81.174.28.217

On the internal interface I have an IP/Net Mask : 192.168.33.1/255.255.255.0 (subnet 1) 

and also a Secondary Address :  192.168.34.1/255.255.255.0 (subnet 2)

I would like to be able from one subnet to reach the second one.

At the moment, I can reach (as an administrator) all the IPs (on both subnets) because on my PC I’m using 2 IPs ( 192.168.33.222 and 192.168.34.222).

But now I need some PCs on the 192.168.33.xx network to be able to reach PCs on the 192.168.34.xx network without using double IPs on the PC itself.

At the moment my default route for the Internal Interface is network 0.0.0.0 (with gateway my Internet IP address 81.174.28.217). In fact I can browse the Internet from both internal networks.


I thought, well, I just need routing between subnet1 and subnet2... I searched, found info and...

I created 2 new firewall address objects: one for subnet 1 (129.168.33.1-to-255) and one for subnet 2 (129.168.34.1to255)

and 2 new policies between the 2 subnets (in both directions) without NAT, all as in the documents:

http://docs-legacy.fortinet.com/cb/html/index.html#page/FOS_Cookbook/Install_advanced/cb_install-route.html

but it doesn’t work.


I also tried to create a new Policy Route for all protocols with source subnet1, destination subnet 2 and gateway the internal interface 192.168.341. But it doesn't work.


What am I missing?

Any help will be appreciated :)

Pierluigi


    1 reply

    Jim_FH
    New Member
    February 20, 2017

    Are you able to create a new "vlan" interface for 192.168.34.1 that's a sub-interface for 192.168.33.1?  


    I've done that on a few Fortigates (although with 5.2.x code). You would then connect a dot1q trunk switchport to the physical interface that is configured to pass the two VLANs, and you should be able to route between both subnets.

    Pierluigi (Author)
    New Member
    February 20, 2017

    Hi Jim, first, thank you for your reply :)


    I could create a new "vlan" interface for 192.168.34.1 that's a sub-interface for 192.168.33.1.

    Then I need to do something on the switch (VLAN and routing). I have an HP V1810-48G.

    But, if possible, I prefer not to change the switch configuration.


    Is it possible, just with a Fortigate configuration, to "connect" the 2 subnets?


    Pierluigi

    jnliu_FTNT
    Staff
    February 20, 2017

    Hi Pierluigi,


    If you don't want to use a VLAN interface, which is also what I recommend, you need to do the following config:

    PC in subnet1, set gateway to 192.168.33.1

    PC in subnet2, set gateway to 192.168.34.1

    On FGT, you need to create 2 firewall policies,

    policy1:

    srcintf and dstintf are internal, srcaddr is subnet1 dstaddr subnet2

    policy2:

    srcintf and dstintf are internal, srcaddr is subnet2 dstaddr subnet1


    Regards,

    Jining
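The staff answer above, written out as a FortiOS CLI script. This is an added example and not configuration posted in the thread; the object names "subnet1"/"subnet2", the policy IDs 101/102 and the secondary-IP block (which only restates the addresses the question already describes) are assumptions.

```fortios
# Assumed starting point: the primary and secondary addresses from the question
# already exist on "internal"; shown here only so the script is self-contained.
config system interface
    edit "internal"
        set ip 192.168.33.1 255.255.255.0
        set secondary-IP enable
        config secondaryip
            edit 1
                set ip 192.168.34.1 255.255.255.0
            next
        end
    next
end

# Address objects covering each /24 (names are assumed, not from the thread).
config firewall address
    edit "subnet1"
        set subnet 192.168.33.0 255.255.255.0
    next
    edit "subnet2"
        set subnet 192.168.34.0 255.255.255.0
    next
end

# Both policies have "internal" as source AND destination interface, because
# the traffic enters and leaves the same physical port. No NAT is set, so the
# default (NAT disabled) applies and hosts see each other's real addresses.
config firewall policy
    edit 101
        set srcintf "internal"
        set dstintf "internal"
        set srcaddr "subnet1"
        set dstaddr "subnet2"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 102
        set srcintf "internal"
        set dstintf "internal"
        set srcaddr "subnet2"
        set dstaddr "subnet1"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

After applying it, a PC in subnet1 with its default gateway set to 192.168.33.1 reaches subnet2 via the FortiGate, and the hits on policies 101/102 in the traffic log confirm that the address objects match the intended 192.168.x.0 ranges.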