Skip to main content
Yngve0
Yngve0
New Member
October 8, 2018
Question

Policybased routing not working as expected

  • October 8, 2018
  • 1 reply
  • 4251 views

I have some issues with a Fortigate 60C Build0762. 

I am not able to make PolicyBasedRouting to work as I expected.

I have the following VLAN/Subnet:

[ul]
  • internal5 (Untagged): Tech/SMZ-subnet. Restricted internet access routed through local access
  • 201 Router: Uplink to router. Frontend router is supplied by my ISP and I cant control it.=> DHCP & NAT
  • 202 Directly: Should have internet locally
  • 203 ViaVPN: Internet-trafic should be routed through HQ.[/ul]

     

    There is a switch in front so all Vlan is tagged on internal5.

     

     

    Is seems like randomly however outbound trafic  is routed over local gateway or via VPN. 2 devices connected to technical net (10.201.1.x) is routed differently.

     

    I know that the NAT/DHCP on linknet could give some issues, but since the VPN is connected and stable (also after reboot) I presume this is not a problem.

     

    Could anyone tell me what I am doing wrong?

     

    config system interface
        edit "internal5"
            set vdom "vdom_THIS"
            set ip 10.201.1.1 255.255.255.0
            set allowaccess ping
            set type physical
            set listen-forticlient-connection enable
            set snmp-index 20
        next
        edit "201 Router"
            set vdom "vdom_THIS"
            set mode dhcp
            set distance 25
            set allowaccess ping
            set snmp-index 31
            set interface "internal5"
            set vlanid 201
        next
        edit "202 Directly"
            set vdom "vdom_THIS"
            set ip 10.201.202.1 255.255.255.0
            set allowaccess ping
            set device-identification enable
            set snmp-index 32
            set interface "internal5"
            set vlanid 202
        next
        edit "203 ViaVPN"
            set vdom "vdom_THIS"
            set ip 10.201.203.1 255.255.255.0
            set allowaccess ping
            set snmp-index 33
            set interface "internal5"
            set vlanid 203
        next
        edit "GW_HQ"
            set vdom "vdom_THIS"
            set ip 10.0.0.2 255.255.255.255
            set type tunnel
            set remote-ip 10.0.0.1
            set snmp-index 34
            set interface "201 Router"
        next
    end
    config router static
        edit 1
            set dst 10.203.107.0 255.255.255.0
            set distance 3
            set device "GW_HQ"
        next
        edit 4
            set distance 25
            set device "GW_HQ"
        next
    end
    config router policy
        edit 1
            set input-device "203 ViaVPN"
            set src "0.0.0.0/0.0.0.0"
            set dst "192.168.11.0/255.255.255.0"
            set output-device "201 Router"
        next
        edit 3
            set input-device "203 ViaVPN"
            set src "10.201.203.0/255.255.255.0"
            set dst "10.201.202.0/255.255.255.0"
            set output-device "202 Directly"
        next
        edit 4
            set input-device "203 ViaVPN"
            set src "10.201.203.0/255.255.255.0"
            set dst "10.201.1.0/255.255.255.0"
            set output-device "internal5"
        next
        edit 2
            set input-device "203 ViaVPN"
            set src "10.201.203.0/255.255.255.0"
            set dst "0.0.0.0/0.0.0.0"
            set output-device "GW_HQ"
        next
        edit 5
            set input-device "202 Directly"
            set src "10.201.202.0/255.255.255.0"
            set dst "0.0.0.0/0.0.0.0"
            set output-device "internal5"
        next
    end

     

     

     

      • 1 reply

      tanr
      tanr
      New Member
      October 9, 2018

      How are your link-monitor objects set up?  Maybe they're marking an interface as down when it is not?

      Yngve0
      Yngve0Author
      New Member
      October 10, 2018

      Thanks Tanr;

       

      I have now link-monitor configured. I also see that there are outbound trafic on both gateway on the same time.

       

      Branch01-FGT60C (vdom_THIS) # get router info routing-table al
      Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
             O - OSPF, IA - OSPF inter area
             N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
             E1 - OSPF external type 1, E2 - OSPF external type 2
             i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
             * - candidate default
       
      S* 0.0.0.0/0 [25/0] via 192.168.11.1, 201 Router (***DHCP recieved gateway***)
                        [25/0] via 10.0.0.1, GW_HQ
      C 10.0.0.1/32 is directly connected, GW_HQ
      C 10.0.0.2/32 is directly connected, GW_HQ
      C 10.201.202.0/24 is directly connected, 202 Directly
      C 10.201.203.0/24 is directly connected, 203 ViaVPN
      C 192.168.11.0/24 is directly connected, 201 Router
      C 10.201.1.0/24 is directly connected, internal5
      S 10.203.107.0/24 [3/0] via 10.0.0.1, GW_HQ
       
       
      Branch01-FGT60C (vdom_THIS) #

       

       

      Yngve0
      Yngve0Author
      New Member
      October 25, 2018

      Solved.

      I had to re-enter the policys in correct order and add gateway / ip to the GW-interface.

       

      Y

      Terms & ConditionsAccessibility statement