New Member

Question

Issues routing to Vlan interface.

Forum|Forum|8 years ago
January 30, 2018
2 replies
13588 views

Hi All

I have the following vlan interface set up under my Lan interface.

KDVLAN

10.0.10.2/24

I have a non-routable vlan set up on the core switch:

10.0.10.1/24

I am able to ping a host on the default vlan from a test machine in the KDVLAN.

ping 10.0.1.30 from 10.0.10.10 succeeds

But I am unable to ping the test machine from the host.

I need communication to work both ways:

ping 10.0.10.10 from 10.0.1.30 fails

I have policies set up both ways:

Allow source/dest from KDVLAN to LAN and from LAN to KDVLAN

However when pinging from the host (10.0.1.30) to test machine (10.0.10.10), traffic seems to hit the internet policy:

Lan to SD-WAN

As far as I understand I do not require a route as the route is Directly connected through the vlan interface.

I don't have any conflicting static or policy routes besides my default route.

I have a SD-WAN rule that allows the server range (10.0.1.0/24) to any destination through Wan1.

Both the test pc and the host uses the firewall as the default gateway.

PC uses the vlan interface ip as the DG (10.0.10.2)

Host uses the Lan interface ip as DG (10.0.1.15)

Any advice?

Thanks

FortiKoala

Staff

This article explains how to trouble shoot traffic flowing through the FGT http://kb.fortinet.com/kb/documentLink.do?externalID=FD30038

ede_pfau

SuperUser

As it seems the FGT does not have a route back to the switch for 10.0.10.0/24. Consequently, the FGT forwards traffic to this 'unknown' address via the default route, into the WAN.

Alpha7

New Member

check the routing monitor for 10.0.10.0/24 network, if correct entry exist, check the route cache

#diag ip rtcache list

if there is any wrong route, clear it

check the session table, if there is any existing session

#diag sys session list | grep 10.0.10.10

rwpatterson

New Member

Ballzack wrote:
As far as I understand I do not require a route as the route is Directly connected through the vlan interface.
I don't have any conflicting static or policy routes besides my default route.
I have a SD-WAN rule that allows the server range (10.0.1.0/24) to any destination through Wan1.

This is not entirely true. Yes the route is directly connected, but the distance has to be adjusted to one lower than the default gateway. The DG is the path of last resort, so anything you need to not go there has to be tried first. If you let the Fortigate choose, it may pick either one as it is doing now.

dwear

New Member

I just ran into this same issue. I have a VLAN interface on my FG, 192.168.2.0. I have an SDWAN interface for my Internet interface. Traffic from VLAN 1 to VLAN 2 would for some reason hit my internet policy. If I do a route lookup, the routing table will match the connected VLAN 2 route. But if I do a policy lookup, I hit the LAN to SDWAN policy.

The workaround that I figure out was to create a Policy Based Route that matched the connected route to that sub interface. That seems to have fixed the issue and it matches the appropriate policy now.

I'm going to open up a ticket. Doesn't make sense that a PBR would work, but static and connected routes dont.

BallzackAuthor

New Member

Yes I also resolved my issue with a BPR. This shouldn't be a requirement as I have no conflicting static routes. Please let me know the outcome of your ticket.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded