ragno
New Member
August 14, 2017
Solved

Policy route to wan2 blocking connections to wan1 (FGT60D)

  • August 14, 2017
  • 2 replies
  • 9292 views

Hi, 


I have two WAN interfaces, 1 and 2. Wan 1 is set for vlan 10 and Wan 2 for vlan 60.

To allow computers on vlan 60 to use the wan 2 internet, I created the Policy Route below:


The problem:


There is an HTTP server in vlan 10 that hosts a website, and it is listening on the wan 1 IP (already set in the Fortigate and on the HTTP server).


Computers on vlan 10 can open the website using the wan "1" IP, but computers on vlan 60 can't reach the website. But vlan 60 can ping the wan "1" IP.


When I disable the policy route created before, vlan 60 can open the website normally.


What is the problem? 


Thank you.

    oheigl
    New Member
    August 16, 2017

    Is the virtual IP for the HTTP server configured with interface any? Can you try to add another policy before this one, with the destination of the HTTP server and the wan1 interface?

    ragno (Author)
    New Member
    August 16, 2017

    oheigl wrote:

    Is the virtual IP for the HTTP server configured with interface any? Can you try to add another policy before this one, with the destination of the HTTP server and the wan1 interface?

    Currently the virtual IP is set this way, isn't that right?


    Antonio_Milanese
    New Member
    August 16, 2017

    hi Ragno,


    ragno wrote:

    Computers on vlan 10 can open the website using the wan "1" IP, but computers on vlan 60 can't reach the website. But vlan 60 can ping the wan "1" IP.

    When I disable the policy route created before, vlan 60 can open the website normally.

    What is the problem? 


    If you think about the PBR goal, this is the expected behavior, since the policy route was defined with destination 0.0.0.0/0 (any) and any protocol... PBR replaces/overrides the normal route lookup, so traffic is forced to be forwarded to the specified gateway (if up / present in the FIB)...

    Just add a PBR entry before it (evaluation is top-down, first match) with source vlan60_subnet, destination wan1_subnet and action "stop policy routing".


    Regards,


    Antonio

    ragno (Author)
    New Member
    August 16, 2017

    Antonio Milanese wrote:

    Just add a PBR entry before it (evaluation is top-down, first match) with source vlan60_subnet, destination wan1_subnet and action "stop policy routing".

    Antonio,


    Should I do this setting via the command line?

    I can't find the suggested option to stop the policy routing in the menu, under "Router > Static > Policy Routes".

    Antonio_Milanese
    New Member
    August 17, 2017

    Hi Ragno,


    Sorry, I should have noted from the screenshot that the FOS version is 5.x / 5.2.x, so PBR does not support the allow or deny (stop PBR) action as in the 5.4 or 5.6 versions... A workaround is to add (before your wan2 PBR) an entry with source vlan60_subnet, destination vip_mapped_IP and destination interface the "internal" interface of vip_mapped_IP (optionally protocol TCP port 8080, depending on the webserver app/content behavior)... The rationale is to PBR the traffic destined to VIP_mapped_ip so that it is forced to the LAN, as in the normal flow without PBR and post-VIP translation.


    Regards,


    Antonio
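The following is an added illustration, not code from the thread or from Fortinet: it models the top-down, first-match policy-route evaluation Antonio describes, on the packet as it looks after the VIP (DNAT) translation, and shows why the catch-all 0.0.0.0/0 entry sends the web request out wan2 and why the workaround entry only helps when it sits before that entry. The subnet, VIP-mapped address and interface names are constructed placeholders.

```python
import ipaddress

# Constructed placeholder addresses (the thread gives no real ones).
VLAN60_SUBNET = "192.168.60.0/24"
VIP_MAPPED_IP = "10.10.10.80"   # internal address the wan1 VIP maps to

def route_lookup(policy_routes, pkt):
    """Top-down, first-match policy-route evaluation as described in the thread.
    pkt is the packet *after* VIP (DNAT) translation, which is why the 5.2
    workaround matches on the mapped IP rather than on the public wan1 IP."""
    src = ipaddress.ip_address(pkt["src"])
    dst = ipaddress.ip_address(pkt["dst"])
    for r in policy_routes:
        if r["input_device"] != pkt["in_dev"]:
            continue
        if src not in ipaddress.ip_network(r["src"]):
            continue
        if dst not in ipaddress.ip_network(r["dst"]):
            continue
        if r.get("protocol") not in (None, pkt["proto"]):
            continue
        return r["output_device"], r["name"]
    # No PBR match: the normal routing table (FIB) decides, which reaches the LAN.
    return "routing-table", "no PBR match"

# The poster's single rule: everything from vlan60 goes out wan2.
WAN2_PBR = {"name": "vlan60-to-wan2", "input_device": "vlan60",
            "src": VLAN60_SUBNET, "dst": "0.0.0.0/0", "output_device": "wan2"}

# Accepted workaround for FortiOS 5.2 (no "stop policy routing" action):
# a more specific entry that pins VIP-bound traffic to the internal interface.
VIP_EXCEPTION = {"name": "vlan60-to-vip", "input_device": "vlan60",
                 "src": VLAN60_SUBNET, "dst": VIP_MAPPED_IP + "/32",
                 "protocol": "tcp", "output_device": "internal"}

# Constructed sample: a vlan60 host opening the website, seen post-DNAT.
WEB_REQUEST = {"in_dev": "vlan60", "src": "192.168.60.25",
               "dst": VIP_MAPPED_IP, "proto": "tcp", "dport": 80}

def egress_for(policy_routes, pkt=WEB_REQUEST):
    """Interface the request leaves on under the given policy-route order."""
    return route_lookup(policy_routes, pkt)[0]

if __name__ == "__main__":
    print("wan2 PBR only            ->", egress_for([WAN2_PBR]))
    print("exception after wan2 PBR ->", egress_for([WAN2_PBR, VIP_EXCEPTION]))
    print("exception before wan2 PBR->", egress_for([VIP_EXCEPTION, WAN2_PBR]))
```

Only the third ordering sends the request to the internal interface; with the catch-all first, the more specific exception is never consulted.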