kvemi
New Member
July 12, 2022
Solved

Problem - Access from VLAN2 (WAN2) to VLAN1 (WAN1)

  • July 12, 2022
  • 2 replies
  • 3345 views

Hello,


On the FortiGate 80E (v7.x) we need to set up access from VLAN2 (WAN2 / ISP2) to VLAN1 (WAN1 / ISP1).


On the firewall we have two Internet connections (WAN1 and WAN2) and internal networks VLAN1 and VLAN2. Under VLAN1 is an internal HTTPS server (accessible from the Internet via DNAT), assigned to WAN1. Under VLAN2 is the guest network, assigned to WAN2 (another ISP). Now we need to access this HTTPS server from guest VLAN2/WAN2, but we are not able to do it. We've tried something within the firewall and address translation, but to no avail / I'm out of ideas.

[Attached image: kvemi_0-1657639415762.png]

Thanks for the help

Best answer by Toshi_Esumi

2 replies

Toshi_Esumi
SuperUser
July 12, 2022

You can set up policies to allow VLAN2->WAN1 (then VIP to VLAN1). So-called hairpin NAT/VIP, like in the KB below.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-Hairpin-NAT-VIP/ta-p/195448


Toshi

kvemi (Author)
New Member
July 14, 2022

Thank you for the answer.

I've seen this procedure before, but couldn't relate it to my configuration. I must be making a mistake somewhere.

I don't know how to access the instructions when I have two WAN ports (WAN1 and WAN2). I've tried both Example 1 and 2, but I must be missing something.

Toshi_Esumi
SuperUser
July 14, 2022

Since it's inside of one physical FGT, unless you split two wan interfaces to two VDOMs, wan1's interface IP is directly connected and reachable from VLAN2 as long as you have a policy VLAN2->wan1. Can you ping from a VLAN2 device to wan1 IP after placing a policy?

After that, you need to do a "flow debug" to see how the FGT is handling the traffic from VLAN2 to VLAN1 via VIP.

Toshi

Toshi_Esumi
SuperUser
July 15, 2022

So you seem to have a policy route: everything from VLAN2 goes toward wan2. That's why those accesses to vlan1 IP and wan1 IP are steered toward wan2.

In your case you need to add one or two more policy routes to override the existing policy route or exclude them, and place them above the existing one.

Toshi

kvemi (Author)
New Member
July 18, 2022

Thanks for the help and direction leading to a resolved issue.

I added the policy routes first and set "Stop Policy Routing". Now everything works as I need.

Thank you
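What the two pieces of this resolution look like in FortiOS CLI: the hairpin VIP plus firewall policy from Toshi's first reply, and the exclusion policy route with "Stop Policy Routing" placed above the catch-all route, which is what resolved it. This is an added example, not configuration from the thread or from Fortinet's KB; the interface names VLAN1/VLAN2/wan1/wan2, the VIP name, the wan2 gateway and all addresses (RFC 5737 / RFC 1918 ranges) are assumed, as is the shape of the existing catch-all policy route (edit 2), which the thread only describes.

```fortios
# Hairpin VIP: guest VLAN2 reaches the HTTPS server via its public address.
# extintf "any" so the DNAT mapping is applied to requests arriving on VLAN2,
# not only on wan1 (assumed names/addresses, not from the thread).
config firewall vip
    edit "HTTPS-Server-VIP"
        set extintf "any"
        set extip 203.0.113.10
        set mappedip "192.168.10.10"
        set portforward enable
        set extport 443
        set mappedport 443
    next
end
# Policy VLAN2 -> VLAN1 with the VIP as destination. NAT is enabled so the
# server replies to the FortiGate's VLAN1 address instead of directly to the
# guest client, which would otherwise break the session.
config firewall policy
    edit 10
        set name "Guest-to-HTTPS-hairpin"
        set srcintf "VLAN2"
        set dstintf "VLAN1"
        set srcaddr "all"
        set dstaddr "HTTPS-Server-VIP"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set nat enable
    next
end
# Policy routes are matched top-down. The exclusion (action deny = "Stop
# Policy Routing" in the GUI) for the server's internal and public addresses
# must sit ABOVE the catch-all that steers everything from VLAN2 out wan2;
# otherwise the hairpin traffic is still sent toward wan2.
config router policy
    edit 1
        set input-device "VLAN2"
        set src "192.168.20.0/255.255.255.0"
        set dst "192.168.10.0/255.255.255.0" "203.0.113.10/255.255.255.255"
        set action deny
    next
    edit 2
        set input-device "VLAN2"
        set src "192.168.20.0/255.255.255.0"
        set gateway 198.51.100.1
        set output-device "wan2"
    next
end
```

Verify with the flow debug Toshi mentions: a VLAN2 client's request to 203.0.113.10:443 should show the VIP DNAT to 192.168.10.10 and egress on VLAN1, not wan2.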

Toshi_Esumi
SuperUser
July 18, 2022

By the way, to set VLAN1 to use wan1 and VLAN2 to use wan2, you don't have to have a policy route. By having two default routes to both wan1 and wan2 you can use just firewall policies to dictate which wan interface to use for the internet. Policy routes create the need for another policy route like this, then another one when you need to change something, and again and again. I call it "policy route jail". If possible, it's better to avoid using them.

Toshi