Question: Routing

sims
Explorer II
August 7, 2015
8 replies, 11160 views

Hi all,

I have a small problem related to routing. I am using a FortiGate 1000C as a firewall.

For internet traffic, users should go through the firewall inside interface (10.1.1.10); to access internal 192.168.x.x the firewall has to give it to 10.1.1.10, which is the router IP address.

I created a static route, but it did not work.

Please help.


ede_pfau
SuperUser
August 8, 2015

Hi, please supply ALL the information to put us in the picture. So, you set up a route? On which device? What does it look like? What about the routes on the leftmost router?

In order to access the internet, both devices have to "know" how to route back to the source host. So you need a route on the first and the second (FGT) router.

vjoshi_FTNT
Staff
August 9, 2015

Hi there,

When you say 'users', which interface are they connected to? Internet or another network on the FortiGate?

- In this case, you need a route on the FortiGate with destination 192.168.x.x and gateway 10.1.1.1.

- Make sure there is also a firewall policy allowing the users to get to 192.168.x.x.

- If it still has issues, enable NAT on the firewall policy.

Debug flow output can be helpful here.

sims (Author)
Explorer II
August 12, 2015

Here is the route from the FortiGate:

Destination                      Gateway      Interface
0.0.0.0 0.0.0.0                  Public ip    wan1
10.1.1.0 255.255.255.0           10.1.1.1     port1
10.0.11.0 255.255.255.0          10.0.11.1    mgmt2
10.0.7.0 255.255.255.0           10.0.11.1    mgmt2
10.0.150.0 255.255.254.0         10.0.150.1   port3
192.168.7.10 255.255.255.255     10.1.1.1     port1

Any IP in 10.1.1.0/24 that wants to access the internet uses the FortiGate as its gateway (10.1.1.5); for access to 192.168.7.10 I have created a static route. The first router has a static route to the 192.168.7.0 network.

SW#sh ip route 192.168.7.10
Routing entry for 192.168.7.0/24
  Known via "static", distance 20, metric 0
  Routing Descriptor Blocks:
    172.15.2.19
      Route metric is 0, traffic share count is 1
  * 172.15.2.11
      Route metric is 0, traffic share count is 1

But it is still not working.

Thanks

vjoshi_FTNT
Staff
August 12, 2015

Hello,

Please get the output of:

# get router info routing-table details

Also:

diag debug reset
diag debug disable
diag debug enable
diag debug flow filter daddr 192.168.7.x     --->> whichever IP you are initiating the traffic to
diag debug flow show console enable
diag debug flow trace start 30

Once the above commands are executed on the FGT CLI, try to initiate the traffic to 192.168.7.x.
- Run 'diag debug disable' to stop the debug.
- Paste the output here.

sims (Author)
Explorer II
August 23, 2015

Hi,

This command does not seem to work:

get router info routing-table details

command parse error before 'router' Command fail. Return code -61

Thanks

vjoshi_FTNT
Staff
August 24, 2015

Hello,

Do you have VDOM enabled?

Get the output of the command 'get sys status' for my reference.

If VDOM is enabled, then you will have to run the command 'get router info routing-table details' and also the other debug flow commands given to you earlier inside the VDOM, with the below command syntax:

config vdom
edit <vdom_name>
get router info routing-table details

sims wrote:

Hi,

This command does not seem to work:

get router info routing-table details

command parse error before 'router' Command fail. Return code -61

Thanks

sims (Author)
Explorer II
September 5, 2015

Hi, please find the output below.

(root) # get router info routing-table details
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*   0.0.0.0/0 [10/0] via public ip, wan1
S    10.0.3.0/24 [10/0] via 10.0.5.1, mgmt2
C    10.0.5.0/24 is directly connected, mgmt2
C    10.1.1.0/20 is directly connected, port1
C    10.0.250.0/23 is directly connected, port3
C    public ip/28 is directly connected, wan1
S    192.168.7.10/32 [10/0] via 10.1.1.1, port1
                     [10/0] via 10.0.250.1, port3

Debug output:

(root) #
id=13 trace_id=61 msg="vd-root received a packet(proto=17, 10.0.250.56:62905->192.168.7.10:53) from port3."
id=13 trace_id=61 msg="allocate a new session-02db1135"
id=13 trace_id=61 msg="find a route: gw-10.1.1.1 via port1"
id=13 trace_id=61 msg="use addr/intf hash, len=1"
id=13 trace_id=61 msg="Denied by forward policy check"
id=13 trace_id=62 msg="vd-root received a packet(proto=17, 10.0.250.38:4097->192.168.7.10:53) from port3."
id=13 trace_id=62 msg="allocate a new session-02db1136"
id=13 trace_id=62 msg="find a route: gw-10.1.1.1 via port1"
id=13 trace_id=62 msg="use addr/intf hash, len=1"
id=13 trace_id=62 msg="Denied by forward policy check"
id=13 trace_id=63 msg="vd-root received a packet(proto=17, 10.1.1.81:58892->192.168.7.10:53) from port1."
id=13 trace_id=63 msg="allocate a new session-02db1137"
id=13 trace_id=63 msg="find a route: gw-10.0.250.1 via port3"
id=13 trace_id=63 msg="use addr/intf hash, len=1"
id=13 trace_id=63 msg="Denied by forward policy check"
id=13 trace_id=64 msg="vd-root received a packet(proto=17, 10.0.250.46:40300->192.168.7.10:53) from port3."
id=13 trace_id=64 msg="allocate a new session-02db1138"
id=13 trace_id=64 msg="find a route: gw-10.1.1.1 via port1"
id=13 trace_id=64 msg="use addr/intf hash, len=1"
id=13 trace_id=64 msg="Denied by forward policy check"
id=13 trace_id=65 msg="vd-root received a packet(proto=17, 10.1.1.81:58892->192.168.7.10:53) from port1."
id=13 trace_id=65 msg="allocate a new session-02db1139"
id=13 trace_id=65 msg="find a route: gw-10.0.250.1 via port3"
id=13 trace_id=65 msg="use addr/intf hash, len=1"
id=13 trace_id=65 msg="Denied by forward policy check"
id=13 trace_id=66 msg="vd-root received a packet(proto=17, 10.0.250.84:7516->192.168.7.10:53) from port3."
id=13 trace_id=66 msg="allocate a new session-02db113a"
id=13 trace_id=66 msg="find a route: gw-10.1.1.1 via port1"
id=13 trace_id=66 msg="use addr/intf hash, len=1"
id=13 trace_id=66 msg="Denied by forward policy check"
id=13 trace_id=67 msg="vd-root received a packet(proto=17, 10.0.250.40:36574->192.168.7.10:53) from port3."
id=13 trace_id=67 msg="allocate a new session-02db113c"
id=13 trace_id=67 msg="find a route: gw-10.1.1.1 via port1"
id=13 trace_id=67 msg="use addr/intf hash, len=1"
id=13 trace_id=67 msg="Denied by forward policy check"
id=13 trace_id=68 msg="vd-root received a packet(proto=17, 10.0.250.40:33892->192.168.7.10:53) from port3."
id=13 trace_id=68 msg="allocate a new session-02db113d"
id=13 trace_id=68 msg="find a route: gw-10.1.1.1 via port1"
id=13 trace_id=68 msg="use addr/intf hash, len=1"
id=13 trace_id=68 msg="Denied by forward policy check"
id=13 trace_id=69 msg="vd-root received a packet(proto=17, 10.0.250.36:53987->192.168.7.10:53) from port3."
id=13 trace_id=69 msg="allocate a new session-02db113e"
id=13 trace_id=69 msg="find a route: gw-10.1.1.1 via port1"
id=13 trace_id=69 msg="use addr/intf hash, len=1"
id=13 trace_id=69 msg="Denied by forward policy check"
id=13 trace_id=70 msg="vd-root received a packet(proto=1, 10.1.1.81:1->192.168.7.10:8) from port1."
id=13 trace_id=70 msg="allocate a new session-02db1140"
id=13 trace_id=70 msg="find a route: gw-10.0.250.1 via port3"
id=13 trace_id=70 msg="use addr/intf hash, len=1"
id=13 trace_id=70 msg="Denied by forward policy check"
id=13 trace_id=71 msg="vd-root received a packet(proto=17, 10.0.250.36:45108->192.168.7.10:53) from port3."
id=13 trace_id=71 msg="allocate a new session-02db1141"
id=13 trace_id=71 msg="find a route: gw-10.1.1.1 via port1"
id=13 trace_id=71 msg="use addr/intf hash, len=1"
id=13 trace_id=71 msg="Denied by forward policy check"
id=13 trace_id=72 msg="vd-root received a packet(proto=17, 10.0.250.40:10706->192.168.7.10:53) from port3."
id=13 trace_id=72 msg="allocate a new session-02db1144"
id=13 trace_id=72 msg="find a route: gw-10.1.1.1 via port1"
id=13 trace_id=72 msg="use addr/intf hash, len=1"
id=13 trace_id=72 msg="Denied by forward policy check"
id=13 trace_id=73 msg="vd-root received a packet(proto=17, 10.0.250.38:56704->192.168.7.10:53) from port3."
id=13 trace_id=73 msg="allocate a new session-02db1145"
id=13 trace_id=73 msg="find a route: gw-10.1.1.1 via port1"
id=13 trace_id=73 msg="use addr/intf hash, len=1"
id=13 trace_id=73 msg="Denied by forward policy check"
id=13 trace_id=74 msg="vd-root received a packet(proto=17, 10.0.250.38:26683->192.168.7.10:53) from port3."
id=13 trace_id=74 msg="allocate a new session-02db1146"
id=13 trace_id=74 msg="find a route: gw-10.1.1.1 via port1"
id=13 trace_id=74 msg="use addr/intf hash, len=1"
id=13 trace_id=74 msg="Denied by forward policy check"
id=13 trace_id=75 msg="vd-root received a packet(proto=17, 10.0.250.38:16751->192.168.7.10:53) from port3."
id=13 trace_id=75 msg="allocate a new session-02db1147"
id=13 trace_id=75 msg="find a route: gw-10.1.1.1 via port1"
id=13 trace_id=75 msg="use addr/intf hash, len=1"
id=13 trace_id=75 msg="Denied by forward policy check"
id=13 trace_id=76 msg="vd-root received a packet(proto=17, 10.0.250.56:60118->192.168.7.10:53) from port3."
id=13 trace_id=76 msg="allocate a new session-02db1148"
id=13 trace_id=76 msg="find a route: gw-10.1.1.1 via port1"
id=13 trace_id=76 msg="use addr/intf hash, len=1"
id=13 trace_id=76 msg="Denied by forward policy check"
id=13 trace_id=77 msg="vd-root received a packet(proto=17, 10.0.250.38:41906->192.168.7.10:53) from port3."
id=13 trace_id=77 msg="allocate a new session-02db1149"
id=13 trace_id=77 msg="find a route: gw-10.1.1.1 via port1"
id=13 trace_id=77 msg="use addr/intf hash, len=1"
id=13 trace_id=77 msg="Denied by forward policy check"
id=13 trace_id=78 msg="vd-root received a packet(proto=17, 10.0.250.56:65383->192.168.7.10:53) from port3."
id=13 trace_id=78 msg="allocate a new session-02db114a"
id=13 trace_id=78 msg="find a route: gw-10.1.1.1 via port1"
id=13 trace_id=78 msg="use addr/intf hash, len=1"
id=13 trace_id=78 msg="Denied by forward policy check"
id=13 trace_id=79 msg="vd-root received a packet(proto=17, 10.1.1.81:58892->192.168.7.10:53) from port1."
id=13 trace_id=79 msg="allocate a new session-02db114b"
id=13 trace_id=79 msg="find a route: gw-10.0.250.1 via port3"
id=13 trace_id=79 msg="use addr/intf hash, len=1"
id=13 trace_id=79 msg="Denied by forward policy check"
id=13 trace_id=80 msg="vd-root received a packet(proto=17, 10.0.250.38:49128->192.168.7.10:53) from port3."
id=13 trace_id=80 msg="allocate a new session-02db114c"
id=13 trace_id=80 msg="find a route: gw-10.1.1.1 via port1"
id=13 trace_id=80 msg="use addr/intf hash, len=1"
id=13 trace_id=80 msg="Denied by forward policy check"
id=13 trace_id=81 msg="vd-root received a packet(proto=17, 10.0.250.38:14627->192.168.7.10:53) from port3."
id=13 trace_id=81 msg="allocate a new session-02db114d"
id=13 trace_id=81 msg="find a route: gw-10.1.1.1 via port1"
id=13 trace_id=81 msg="use addr/intf hash, len=1"
id=13 trace_id=81 msg="Denied by forward policy check"
id=13 trace_id=82 msg="vd-root received a packet(proto=17, 10.0.250.56:62905->192.168.7.10:53) from port3."
id=13 trace_id=82 msg="allocate a new session-02db114f"
id=13 trace_id=82 msg="find a route: gw-10.1.1.1 via port1"
id=13 trace_id=82 msg="use addr/intf hash, len=1"
id=13 trace_id=82 msg="Denied by forward policy check"
id=13 trace_id=83 msg="vd-root received a packet(proto=17, 10.0.250.40:36290->192.168.7.10:53) from port3."
id=13 trace_id=83 msg="allocate a new session-02db1150"
id=13 trace_id=83 msg="find a route: gw-10.1.1.1 via port1"
id=13 trace_id=83 msg="use addr/intf hash, len=1"
id=13 trace_id=83 msg="Denied by forward policy check"
id=13 trace_id=84 msg="vd-root received a packet(proto=17, 10.0.250.84:52695->192.168.7.10:53) from port3."
id=13 trace_id=84 msg="allocate a new session-02db1151"
id=13 trace_id=84 msg="find a route: gw-10.1.1.1 via port1"
id=13 trace_id=84 msg="use addr/intf hash, len=1"
id=13 trace_id=84 msg="Denied by forward policy check"
id=13 trace_id=85 msg="vd-root received a packet(proto=17, 10.0.250.27:20233->192.168.7.10:53) from port3."
id=13 trace_id=85 msg="allocate a new session-02db1152"
id=13 trace_id=85 msg="find a route: gw-10.0.250.1 via port3"
id=13 trace_id=86 msg="vd-root received a packet(proto=17, 10.0.250.38:32045->192.168.7.10:53) from port3."
id=13 trace_id=86 msg="allocate a new session-02db1155"
id=13 trace_id=86 msg="find a route: gw-10.1.1.1 via port1"
id=13 trace_id=86 msg="use addr/intf hash, len=1"
id=13 trace_id=86 msg="Denied by forward policy check"
id=13 trace_id=87 msg="vd-root received a packet(proto=6, 10.1.1.5:23739->192.168.7.10:8000) from local."
id=13 trace_id=87 msg="Find an existing session, id-02db1118, original direction"
id=13 trace_id=88 msg="vd-root received a packet(proto=1, 10.1.1.81:1->192.168.7.10:8) from port1."
id=13 trace_id=88 msg="allocate a new session-02db1158"
id=13 trace_id=88 msg="find a route: gw-10.0.250.1 via port3"
id=13 trace_id=88 msg="use addr/intf hash, len=1"
id=13 trace_id=88 msg="Denied by forward policy check"
id=13 trace_id=89 msg="vd-root received a packet(proto=6, 10.1.1.5:23740->192.168.7.10:8000) from local."
id=13 trace_id=89 msg="allocate a new session-02db1159"
id=13 trace_id=90 msg="vd-root received a packet(proto=17, 10.0.250.56:65383->192.168.7.10:53) from port3."
id=13 trace_id=90 msg="allocate a new session-02db115a"
id=13 trace_id=90 msg="find a route: gw-10.1.1.1 via port1"
id=13 trace_id=90 msg="use addr/intf hash, len=1"
id=13 trace_id=90 msg="Denied by forward policy check"

emnoc
New Member
September 5, 2015

Sim

First, the picture and debug are good.

Now, the forward check normally means uRPF failures:

"Denied by forward policy check"

Are we 100% sure that traffic is coming via port#3?

Could you do a big favor and source the ping from the FortiGate via the IPv4 address of port3?

e.g. (ping-options)

execute ping-options source <port3 ipv4 address here>
execute ping-options repeat-count 5
execute ping 192.168.7.10

Repeat the above but from port#1 also. Does either of these work? (Keep in mind the far end might have filters not allowing these two source addresses.)

You can also run a diag debug while attempting the two actions above and see what happens, if anything.
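
As an added example (not from the thread, not Fortinet code), a small Python parser that folds the debug flow paste above into one record per trace_id and lists the denied flows with the interface the packet arrived on next to the interface the route lookup chose; that pairing is the first thing to compare when the verdict is "Denied by forward policy check". The sample is three traces copied from the paste; the record field names are this example's own.

```python
import re
from collections import OrderedDict

# Constructed sample in 'diag debug flow' format: three traces copied from the paste above.
SAMPLE = '''
id=13 trace_id=61 msg="vd-root received a packet(proto=17, 10.0.250.56:62905->192.168.7.10:53) from port3."
id=13 trace_id=61 msg="allocate a new session-02db1135"
id=13 trace_id=61 msg="find a route: gw-10.1.1.1 via port1"
id=13 trace_id=61 msg="use addr/intf hash, len=1"
id=13 trace_id=61 msg="Denied by forward policy check"
id=13 trace_id=63 msg="vd-root received a packet(proto=17, 10.1.1.81:58892->192.168.7.10:53) from port1."
id=13 trace_id=63 msg="allocate a new session-02db1137"
id=13 trace_id=63 msg="find a route: gw-10.0.250.1 via port3"
id=13 trace_id=63 msg="use addr/intf hash, len=1"
id=13 trace_id=63 msg="Denied by forward policy check"
id=13 trace_id=87 msg="vd-root received a packet(proto=6, 10.1.1.5:23739->192.168.7.10:8000) from local."
id=13 trace_id=87 msg="Find an existing session, id-02db1118, original direction"
'''

MSG_RE = re.compile(r'trace_id=(\d+) msg="([^"]*)"')
PKT_RE = re.compile(r'received a packet\(proto=(\d+), ([\d.]+):\d+->([\d.]+):\d+\) from (\S+)\.')
ROUTE_RE = re.compile(r'find a route: gw-([\d.]+) via (\S+)')

def parse_debug_flow(text):
    """Fold the one-message-per-line output into one record per trace_id."""
    traces = OrderedDict()
    for tid, msg in MSG_RE.findall(text):
        rec = traces.setdefault(tid, {"proto": None, "src": None, "dst": None, "in_intf": None,
                                      "gw": None, "out_intf": None, "verdict": "none logged"})
        pkt, route = PKT_RE.search(msg), ROUTE_RE.search(msg)
        if pkt:                      # first line of a trace: addresses and ingress interface
            rec["proto"], rec["src"], rec["dst"], rec["in_intf"] = pkt.groups()
        elif route:                  # route lookup result: next hop and egress interface
            rec["gw"], rec["out_intf"] = route.groups()
        elif msg.startswith("Denied"):
            rec["verdict"] = msg
        elif msg.startswith("Find an existing session"):
            rec["verdict"] = "existing session"
    return traces

def denied_flows(traces):
    """(trace_id, src, dst, ingress intf, route intf) for every denied trace."""
    return [(tid, r["src"], r["dst"], r["in_intf"], r["out_intf"])
            for tid, r in traces.items() if r["verdict"].startswith("Denied")]

if __name__ == "__main__":
    for row in denied_flows(parse_debug_flow(SAMPLE)):
        print("trace %s: %s -> %s arrived on %s, route lookup chose %s" % row)
```

Feed it the full paste instead of SAMPLE to see that every denied trace has a route interface different from its ingress interface, while trace 85 (route via port3, same as ingress) logged no denial.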
sims (Author)
Explorer II
September 5, 2015

Hi,

Sorry, I missed one thing in the routing table:

S    192.168.7.10/32 [10/0] via 10.1.1.1, port1
                     [10/0] via 10.0.250.1, port3

From 10.0.250.0 I can reach 192.168.7.10, but 10.1.1.0 cannot reach it.

rwpatterson
New Member
September 9, 2015

What policies do you have in place?