Skip to main content
bebab
bebab
New Member
February 25, 2024
Question

Policy based routing questions

  • February 25, 2024
  • 4 replies
  • 2596 views

First off network architecture explanation.

Two sites exist one in a colo in atlanta with a public range, And my house where a fortigate 60F exists on the latest firmware.

An ipsec tunnel exists between the two sites and routes are exchanged via OSPF.

Colo site has given me a /29 of public ip addresses and are routing them over the ipsec tunnel to me.

However I have a default route out my own wan and the return traffic coming to these public IPs must go back out the ipsec tunnel.

I have assigned this public range to a vlan interface so it can go down into my lan for servers.

I want all traffic sourced from this vlan interface to go out the ipsec tunnel interface.

However since this is a session based firewall I suspect I am in a split horizon routing scenario at present and the policy route I put in place was getting hit but when running a diagnostic it shows pings being dropped due to no return route being found.

Quite confused and could use some help thanks in advance!

4 replies

sahmed_FTNT
Staff & Editor
sahmed_FTNT
Staff & Editor
February 25, 2024

Hello, you can see below kb for policy base routing configuration:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-the-firewall-Policy-Routes/ta-p/189996

Further is you are seeing no return route which simply means traffic is not returning back from expected interface. Most probably it will be a routing issue.

    syao
    Staff & Editor
    syao
    Staff & Editor
    February 26, 2024

    I suggest running a debug flow and a packet sniffer to verify if the traffic is hitting your PBR rule, also make sure to turn off the offloading at the policy level to see them when you're debugging:

    https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-First-steps-to-troubleshoot-connectivity/ta-p/192560

    https://docs.fortinet.com/document/fortigate/7.4.3/hardware-acceleration/392369/disabling-np-offloading-for-firewall-policies


      Toshi_Esumi
      SuperUser
      Toshi_Esumi
      SuperUser
      February 26, 2024

      Why do you need a policy route? Your DC have a /29 public subnet that you need to route over the IPSec tunnel from your FGT while your general internet goes out through wan1 interface, right? Then you just need to set a static route for the /29 toward the tunnel interface with a static route. If it's OSFP, it should have been automatically taken care of.

       

      Of course you have to adjust phase2 selector to allow the /29 destined traffic to the other side of the tunnel if the current selector is not 0/0<->0/0, But I assume you've already know that very well while you're handling other IPSecs.

      I think you're overthinking.

      Toshi

        hbac
        Staff
        hbac
        Staff
        February 26, 2024

        Hi @bebab,

         

        I don't quite understand your network architecture. Why are you assigning public range to your VLAN interface? Can you provide a network diagram? 

         

        Regards, 

        Terms & ConditionsAccessibility statement