wraithhunter
New Member
January 20, 2022
Question

Inter subnet communication


I have 2 subnets I am trying to have communication between. I have set up firewall policies and policy routes to allow communication. I am seeing the communication being denied by the local-in policy, not sure why. Here is some log information below. Any idea why this communication is not working? Destination interface should be wifi on interface 2 and source is internal on interface 1. One other note: I also have a Palo Alto behind the FortiGate.

srcip=192.168.1.199 srcname="CC-101" srcport=1546 srcintf="internal" srcintfrole="lan"
dstip=10.1.2.239 dstport=81 dstintf="root" dstintfrole="undefined"

proto=6 action="deny" policyid=0 policytype="local-in-policy" service="tcp/81"


FortiGate 60F version 7.0.2

2 replies

akristof
Staff
January 21, 2022

Hi,


Usually, if this log appears, it means that FortiGate is trying to "deliver packet to itself".

So verify whether IP address 10.1.2.239 belongs to some interface of the FortiGate. If yes, and if it is not a duplicate IP address, you will need to enable admin access (ping, HTTP, etc.).

Or it can be explicitly denied by a local-in-policy:

show full firewall local-in-policy


I recommend checking from debug flow what the FortiGate is doing with the packet; it can give you more information:

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-First-steps-to-troubleshoot-connectivity/ta-p/192560

ede_pfau
SuperUser
January 21, 2022

The log says that traffic is denied by the implicit Deny policy (id=0). That is, there is no explicit policy allowing this connection from "internal" to "root".

Please show us the policy/policies you created.

And delete the policy route(s) - you don't need policy routes as there is a regular route already. Each interface definition automatically triggers the creation and installation of a route to that network. In the Routing Monitor, you see these as type "Connected".
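The diagnosis both replies give (policyid=0 with policytype="local-in-policy" and dstintf="root" means the packet was addressed to the FortiGate itself and hit the implicit local-in deny) can be automated over traffic logs. The following parser is an added example, not code from the thread or from Fortinet: it splits FortiGate key=value log lines, classifies denies, and lists the checks the replies recommend. The sample lines are constructed; the first copies the fields quoted by the original poster, the second is an invented forward-policy deny for contrast.

```python
import re
from typing import Dict, List

# Constructed sample log lines (not real captures). The first mirrors the
# fields quoted in the question; the second is invented to show a normal
# forward-policy implicit deny for comparison.
SAMPLE_LOGS = [
    'srcip=192.168.1.199 srcname="CC-101" srcport=1546 srcintf="internal" srcintfrole="lan" '
    'dstip=10.1.2.239 dstport=81 dstintf="root" dstintfrole="undefined" '
    'proto=6 action="deny" policyid=0 policytype="local-in-policy" service="tcp/81"',
    'srcip=192.168.1.50 srcport=40000 srcintf="internal" srcintfrole="lan" '
    'dstip=10.1.2.10 dstport=443 dstintf="wifi" dstintfrole="lan" '
    'proto=6 action="deny" policyid=0 policytype="policy" service="HTTPS"',
]

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Parse one FortiGate key=value log line into a dict, stripping quotes."""
    fields: Dict[str, str] = {}
    for key, raw in KV_RE.findall(line):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1]
        fields[key] = raw
    return fields


def classify_deny(fields: Dict[str, str]) -> str:
    """Name the kind of deny, following the reasoning given in the replies."""
    if fields.get("action") != "deny":
        return "not a deny"
    if fields.get("policytype") == "local-in-policy" and fields.get("policyid") == "0":
        # dstintf "root" plus a local-in deny: the packet was addressed to the
        # FortiGate itself, not forwarded between the two subnets.
        return "local-in implicit deny"
    if fields.get("policyid") == "0":
        # policyid 0 without local-in policytype: the ordinary implicit deny,
        # i.e. no forward policy matched the flow.
        return "forward implicit deny"
    return "explicit deny"


def recommended_checks(fields: Dict[str, str]) -> List[str]:
    """Checks to perform for a denied flow, as suggested in the thread."""
    kind = classify_deny(fields)
    dst = fields.get("dstip", "?")
    svc = fields.get("service", "?")
    if kind == "local-in implicit deny":
        return [
            f"Verify whether {dst} is assigned to a FortiGate interface and is not a duplicate IP",
            f"If it is, enable the needed admin access on that interface for {svc}",
            "Run 'show full firewall local-in-policy' to look for an explicit deny",
            "Use debug flow to see what the FortiGate does with the packet",
        ]
    if kind == "forward implicit deny":
        return [
            f"Create a firewall policy from {fields.get('srcintf', '?')} to "
            f"{fields.get('dstintf', '?')} allowing {svc}",
            "Remove policy routes; the connected route already covers the subnet",
        ]
    return []


def summarize(lines: List[str]) -> List[Dict[str, str]]:
    """Parse and classify each line, returning a compact summary per flow."""
    out = []
    for line in lines:
        f = parse_fortigate_log(line)
        out.append({
            "src": f.get("srcip", "?"),
            "dst": f.get("dstip", "?"),
            "dstintf": f.get("dstintf", "?"),
            "kind": classify_deny(f),
        })
    return out


if __name__ == "__main__":
    for entry, line in zip(summarize(SAMPLE_LOGS), SAMPLE_LOGS):
        print(entry)
        for check in recommended_checks(parse_fortigate_log(line)):
            print("  -", check)
```

The key observation encoded in classify_deny is that policyid=0 alone is ambiguous; only the combination with policytype="local-in-policy" (and a dstintf of "root") tells you the destination is the firewall itself rather than a host on the other subnet.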