pietro_coletta
New Member
June 18, 2020
Question

Internal routing problem

  • June 18, 2020
  • 2 replies
  • 19855 views

Hello to everyone,

I'm managing a Fortigate 500E (firmware v5.4.8, build4108 (GA)).

Port7 has been connected to a switch and "multiplied" using VLANs.

The subinterface "Telecontrollo" is connected to a subnet where only one PC is present, reachable via RDP and HTTP.

I created, without any trouble, all the rules necessary for the PC to be reachable from the internet via public IP and VPN.

The strangest thing is that policy #135, the simplest of them all, which should permit the traffic from the LAN to the Telecontrollo subnet, doesn't work. I debugged the packets' path on the firewall and they are sent to the WAN interface (port2) instead of port7, even though the routing is properly set.

Any ideas will be appreciated :D

Bye.

Pietro

    2 replies

    ede_pfau
    SuperUser
    June 18, 2020

    You don't need either of the two constructs, static route and policy routing.

    1- If you define a subnet on an interface, the FGT automatically creates a route for it, with distance 0 and status "connected". This is so that it overrides any other manually configured route.

    2- You only need policy routing if the path cannot be determined by the destination address. PR allows path selection by source address, source port or destination port. In your case, simply using the (auto-) route will do.

    And why forwarding to the WAN port? See "gateway=0.0.0.0"? That network is not local.

    pietro_coletta
    New Member
    June 18, 2020

    Thank you both for answering.

    To tell the whole truth, at first I hadn't created the static routes and policy routes; I added them later when things weren't working.

    I deleted them now but things are still not working.

    I did this test to give you some details in the troubleshooting:

    From a PC on the LAN (10.0.0.96) I'm pinging the computer 172.16.15.10, while I'm sniffing the packets on the Fortigate.

    This is what I get:

    id=20085 trace_id=1124 func=print_pkt_detail line=4930 msg="vd-root received a packet(proto=1, 10.0.0.96:1->172.16.15.10:2048) from port3. type=8, code=0, id=1, seq=2604."
    id=20085 trace_id=1124 func=resolve_ip_tuple_fast line=4994 msg="Find an existing session, id-23272381, original direction"
    id=20085 trace_id=1124 func=npu_handle_session44 line=1048 msg="Trying to offloading session from port3 to port2, skb.npu_flag=00000400 ses.state=00012204 ses.npu_state=0x00001008"
    id=20085 trace_id=1124 func=ids_receive line=252 msg="send to ips"
    id=20085 trace_id=1124 func=__ip_session_run_tuple line=2905 msg="SNAT 10.0.0.96->PublicIP_WAN:62464"

    Thanks.

    Pietro

    ede_pfau
    SuperUser
    June 18, 2020

    Nice that you can record debug flow. Now, the interesting part is missing: how the route is found.

    First, check via Policy Lookup which policy will allow this connection.

    Then, edit the policy in CLI and add the line "set auto-asic dis". This prevents the FGT from offloading to the NP.

    Offloaded traffic cannot be seen in the sniffer or debug flow.

    Then kill all sessions (or just wait for 3 minutes without any traffic), and ping once again, with trace on.
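What the posted trace does and does not show, as an added example (my own code, written for this thread; it is not from the post or from Fortinet). It parses the five entries Pietro pasted, notes that the packet hit an existing session (so no route lookup is in the trace), that the session was handed to the NP towards port2, and that it was SNATed to the WAN address, then contrasts it with a constructed trace of a fresh session that is routed via port7. The "good" trace and the message formats it uses ("find a route: ... via portX", "Allowed by Policy-N:") are assumptions from my own memory of FortiOS debug flow output, not something the thread shows; port7 as the expected egress is taken from Pietro's description.

```python
"""
Pull the routing-relevant fields out of a FortiOS 'diagnose debug flow' trace
and explain why the packet left on the wrong port.  Added example for this
thread, not code from the post or from Fortinet.  The only real data is the
trace Pietro posted; GOOD_TRACE is constructed, and its message formats are
an assumption from memory of FortiOS output.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# One trace entry: id=... trace_id=... func=... line=... msg="..."
ENTRY_RE = re.compile(
    r'id=(?P<id>\d+) trace_id=(?P<trace>\d+) func=(?P<func>\S+) '
    r'line=(?P<line>\d+) msg="(?P<msg>[^"]*)"'
)

# The trace exactly as posted (the debug output arrived on one line).
POSTED_TRACE = (
    'id=20085 trace_id=1124 func=print_pkt_detail line=4930 msg="vd-root received '
    'a packet(proto=1, 10.0.0.96:1->172.16.15.10:2048) from port3. type=8, code=0, '
    'id=1, seq=2604." '
    'id=20085 trace_id=1124 func=resolve_ip_tuple_fast line=4994 msg="Find an '
    'existing session, id-23272381, original direction" '
    'id=20085 trace_id=1124 func=npu_handle_session44 line=1048 msg="Trying to '
    'offloading session from port3 to port2, skb.npu_flag=00000400 '
    'ses.state=00012204 ses.npu_state=0x00001008" '
    'id=20085 trace_id=1124 func=ids_receive line=252 msg="send to ips" '
    'id=20085 trace_id=1124 func=__ip_session_run_tuple line=2905 '
    'msg="SNAT 10.0.0.96->PublicIP_WAN:62464"'
)

# Constructed (not captured) trace of a fresh session that is routed correctly;
# func names and line numbers are placeholders.
GOOD_TRACE = (
    'id=20085 trace_id=1130 func=print_pkt_detail line=4930 msg="vd-root received '
    'a packet(proto=1, 10.0.0.96:1->172.16.15.10:2048) from port3. type=8, code=0, '
    'id=1, seq=1." '
    'id=20085 trace_id=1130 func=init_ip_session_common line=5100 msg="allocate a '
    'new session-00a1b2c3" '
    'id=20085 trace_id=1130 func=vf_ip4_route_input line=1600 msg="find a route: '
    'flag=04000000 gw-172.16.15.10 via port7" '
    'id=20085 trace_id=1130 func=fw_forward_handler line=700 msg="Allowed by '
    'Policy-135:"'
)


@dataclass
class Flow:
    src: Optional[str] = None
    dst: Optional[str] = None
    ingress: Optional[str] = None
    egress: Optional[str] = None
    existing_session: Optional[str] = None  # "id-NNN" when an old session was hit
    route_via: Optional[str] = None         # interface from a "find a route" entry
    policy: Optional[str] = None
    offloaded: bool = False
    snat: Optional[str] = None


def parse_trace(text: str) -> Flow:
    """Walk the entries in order and record the fields that matter for routing."""
    flow = Flow()
    for entry in ENTRY_RE.finditer(text):
        msg = entry.group("msg")
        if m := re.search(r"received a packet\(proto=\d+, ([\d.]+):\d+->([\d.]+):\d+\) from (\w+)\.", msg):
            flow.src, flow.dst, flow.ingress = m.groups()
        elif m := re.search(r"Find an existing session, (id-\d+)", msg):
            flow.existing_session = m.group(1)
        elif m := re.search(r"find a route: .*via (\w+)", msg):
            flow.route_via = m.group(1)
            flow.egress = flow.egress or m.group(1)
        elif m := re.search(r"offloading session from (\w+) to (\w+)", msg):
            flow.offloaded = True
            flow.egress = m.group(2)  # the NP is told the egress port of the session
        elif m := re.search(r"Allowed by Policy-(\d+)", msg):
            flow.policy = m.group(1)
        elif m := re.search(r"SNAT (\S+->\S+)", msg):
            flow.snat = m.group(1)
    return flow


def explain(flow: Flow, expected_egress: str) -> List[str]:
    """Turn the parsed fields into the checks ede_pfau asks for."""
    notes = []
    if flow.existing_session and flow.route_via is None:
        notes.append(f"matched old session {flow.existing_session}: no route lookup was done "
                     "for this packet, so the trace cannot show the route; clear sessions and retrace")
    if flow.offloaded:
        notes.append("session handed to the NP: later packets will not appear in sniffer or "
                     "debug flow; set auto-asic-offload disable on the policy while testing")
    if flow.egress and flow.egress != expected_egress:
        notes.append(f"egress is {flow.egress}, expected {expected_egress}")
    if flow.snat:
        notes.append(f"SNAT {flow.snat}: the session is NATted to the WAN address, "
                     "which a LAN-to-Telecontrollo policy would not do")
    if flow.route_via == expected_egress and not notes:
        notes.append(f"routed via {flow.route_via} by policy {flow.policy}: routing is fine")
    return notes


if __name__ == "__main__":
    for name, trace in (("posted", POSTED_TRACE), ("constructed good", GOOD_TRACE)):
        flow = parse_trace(trace)
        print(f"[{name}] {flow.src}->{flow.dst} in {flow.ingress} out {flow.egress}")
        for note in explain(flow, expected_egress="port7"):
            print("  -", note)
```

The point the parser makes explicit is that "Find an existing session" means the route decision was taken when the session was first created (while the static or policy route was still there), so the trace has nothing to say about the current routing table until the session is gone. The CLI spellings, as I know them from FortiOS (not quoted from the thread): `config firewall policy`, `edit 135`, `set auto-asic-offload disable`, `end` to stop offloading on that policy, `diagnose sys session clear` to flush sessions, and `diagnose debug flow filter addr 172.16.15.10`, `diagnose debug flow trace start 10`, `diagnose debug enable` to record the next trace.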

    GusTech
    New Member
    June 18, 2020

    You already have a route to 172.16.15; why do you need a policy route in addition?

    What is the config of your VIPs?

    lobstercreed
    New Member
    June 18, 2020

    I agree with Ede; it is possible that your static route is actually the source of your problems, since your gateway is 0.0.0.0.

    In any case, you should remove all static and policy routes related to the Telecontrollo interface and let the connected route do its thing. You'll see the route under Monitor -> Routing Monitor.