Skip to main content
wallib
wallib
New Member
November 16, 2018
Solved

LAN-to-LAN 2 sites

  • November 16, 2018
  • 2 replies
  • 10098 views

Hello

 

 

I have 2 sites what need to be connected together temporarily until their re-structuring is finished. We are slowly fusioning both sites together but it's a bit on standby. 

 

LAN1 (site1) - 192.168.100.2/255.255.252.0 (connected directly to fortigate 60c internal1)

LAN2 (site2)- 192.168.200.254/255.255.0.0 (connected via antenna directly to 60c internal2)

 

These are overlapping subnets, however with set allow-subnet-overlap enable I am able to have lan1/lan2 on the same subnet.

 

I only really need 2-3 machines from site1 to talk to site2 and visa versa, but I'm a bit confused on LAN-to-LAN policies when both sites have their own internet connec./firewall/dhcp etc etc. However we have no IP conflicts between the both sites.

 

How should I attack this? I was even thinking of maybe using WAN1 for site2 and keeping site1 on LAN1 and configure it like a 'firewall' but I'm not sure this is a good idea.

    Best answer by Toshi_Esumi

    You need to run "flow debug". It would show you the reason if the FGT is dropping packets. By the way your internal3 subnet mask is not matching your original post.

    2 replies

    Toshi_Esumi
    SuperUser
    Toshi_Esumi
    SuperUser
    November 16, 2018

    I haven't used "allow-subnet-overlap" so I don't know how it would behave if a host in the smaller subnet resides on the other side. But LAN-to-LAN policies wouldn't have much difference from LAN-to-WAN other than GUI appearance. They're just separate interfaces so just internal1/2-to-internal2/1 policies.

    wallib
    wallibAuthor
    New Member
    November 19, 2018

    This is what I thought as well, I'm running a 80E as my actual firewall and I've had no problems replacing all the policies etc from my old 60C. 

     

        edit "internal1"
            set vdom "root"
            set ip 192.168.100.238 255.255.252.0
            set allowaccess ping https ssh http telnet capwap
            set vlanforward enable
            set type physical
            set alias "domaine_"
            set snmp-index 6

        edit "internal3"
            set vdom "root"
            set ip 192.168.200.238 255.255.252.0
            set allowaccess ping https http capwap
            set vlanforward enable
            set type physical
            set alias "domaine_2"
            set snmp-index 8
            set dns-server-override disable

     

    These are the 2 interfaces, from the cli in the firewall i can ping anything on both sites which is great, however impossible to get my machine ping a mobatime server on the other site2, I thought accepting all would help me debug, but nothing goes through. - 

            set srcintf "any"
            set dstintf "any"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set nat disable

     

    nat enable or nat disable has not helped me either. my 60C is my old firewall which was replaced by a 80E which means it has no more license/contract. Could this be causing problems? 

    Thanks alot

    Toshi_Esumi
    SuperUser
    Toshi_EsumiAnswer
    SuperUser
    November 19, 2018

    You need to run "flow debug". It would show you the reason if the FGT is dropping packets. By the way your internal3 subnet mask is not matching your original post.

    wallib
    wallibAuthor
    New Member
    November 19, 2018

    Yes I realize now I mis-noted from my first post. I was copy/pasting from a file and I'd made a mistake. Right now my fortigate is connected via DHCP to site2 until I figure this out. I am no professional network manager that's for sure but I never realized I would have troubles letting traffic through 2 different ports!

     

    I've left a machine pinging my fortigate from site2 and using debug flow I get this, 192.168.160.62 is the machine on site2 and 192.168.160.19 is my fortigate on site1.

     

    2018-11-19 14:05:18 id=20085 trace_id=333 func=print_pkt_detail line=4471 msg="vd-root received a packet(proto=1, 192.168.160.62:1->192.168.160.19:8) from internal3. code=8, type=0, id=1, seq=2594."
    2018-11-19 14:05:18 id=20085 trace_id=333 func=init_ip_session_common line=4624 msg="allocate a new session-0030357e"
    2018-11-19 14:05:18 id=20085 trace_id=333 func=fw_local_in_handler line=394 msg="iprope_in_check() check failed on policy 0, drop"

     

    What can I be missing? A route?

     

    get router info routing-table connected 
    C 192.168.0.0/16 is directly connected, internal3
    C 192.168.100.0/22 is directly connected, internal1

    get router info routing-table static
    S* 0.0.0.0/0 [5/0] via 192.168.200.254, internal3

     

     

     

    Terms & ConditionsAccessibility statement