tarapapa80
New Member
April 6, 2011
Question

Routing for Proxy and bypass proxy

  • April 6, 2011
  • 6 replies
  • 13370 views
Hi All, I have 4 interfaces as below:

Port 13 = WAN 1 x.x.x.x
Port 14 = WAN 2 x.x.x.x
Port 15 = WAN 3 x.x.x.x
Port 9 = Internal 192.168.1.1

I have 4 static routes as below:

destination 0.0.0.0/0 gateway x.x.x.x (WAN 1)
destination 0.0.0.0/0 gateway x.x.x.x (WAN 2)
destination 0.0.0.0/0 gateway x.x.x.x (WAN 3)
destination 192.168.1.0/24 gateway 192.168.1.2

192.168.1.2 is their proxy server. Computers that access the internet need to point their gateway to the proxy server to access the internet. This is working fine. The customer requests that certain PCs bypass the proxy server and point directly to the FortiGate. To bypass the proxy server, the computer needs to point its gateway to the firewall interface, which is 192.168.1.1. The computers that bypass the proxy have speed problems. How do I configure the routing for the computers that need to bypass the proxy?


    ede_pfau
    SuperUser
    April 6, 2011
    Hi, and welcome to the forums! Route no. 4 is unnecessary and probably interferes with your host. The proxy setup involves more than a route; you have to place policies as well to prevent everyone from using .1.1 as their gateway and bypassing the proxy. Just allow the proxy itself and an address group of 'privileged' PCs to go from internal to wan. This way all other hosts are blocked from internet access EXCEPT if they use the proxy.
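    As an added illustration, not code from this thread or from Fortinet's documentation, here is a FortiOS CLI policy set along the lines ede_pfau describes: only the proxy host and a 'Bypass' address group may go from internal to WAN, and every other internal host is denied and logged. Interface names (port9 internal, port13 as WAN 1), the proxy and PC addresses, policy IDs and the FortiOS 5.x-style `logtraffic` syntax are assumptions; with three WAN interfaces, the same accept/deny pair is repeated per WAN dstintf.

```fortios
# Added example, not from the original thread. Interface names, addresses
# and policy IDs are assumptions; adjust them to the real topology.
config firewall address
    edit "proxy-server"
        set subnet 192.168.1.1 255.255.255.255
    next
    edit "bypass-pc-01"
        set subnet 192.168.1.50 255.255.255.255
    next
end

config firewall addrgrp
    edit "Bypass"
        set member "proxy-server" "bypass-pc-01"
    next
end

config firewall policy
    # Only the proxy and the Bypass group reach the internet directly.
    edit 1
        set srcintf "port9"
        set dstintf "port13"
        set srcaddr "Bypass"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
    # Catch-all for every other internal host: blocked and logged, so a PC
    # that points its gateway at the FortiGate to skip the proxy shows up here.
    edit 2
        set srcintf "port9"
        set dstintf "port13"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

    Policy order matters: FortiOS evaluates policies top-down, so the accept for the Bypass group must sit above the deny-all, and the deny's log entries are where an unauthorised gateway change would first become visible.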
    tarapapa80
    New Member
    April 6, 2011
    Hi Ede, Thank you for your help. Actually I need route no. 4 because I have more than 1 internal subnet. Below is the full static route table. 192.168.1.1 and 199.168.10.1 are actually the proxies. The 192.168.1.0 subnet is the network that has a few PCs that need to bypass the proxy. The interfaces of the FW are 192.168.1.2 and 199.168.10.2. Thanks in advance, Fendi
    ede_pfau
    SuperUser
    April 6, 2011
    This is why there is a Routing Monitor tab - you have defined some routes, but from the table of definitions you cannot tell which routes take precedence. Please post the routes in effect, from the Monitor. Regarding route no. 4: what does it do? Hosts from that subnet will not use the route anyway. They determine by looking at their own IP address and netmask that 192.168.1.2 (or any other host on that subnet) is LOCAL, so they just ARP for the layer 2 MAC address and communicate directly with the target. Routing only takes place from a different subnet. You will see in the active routing table (monitor) that there is already a directly connected route to 192.168.1.0 which takes precedence anyway.
    tarapapa80
    New Member
    April 6, 2011
    I see, in that case can I just remove the static routes below from the static route table?

    destination        gateway        Device
    192.168.1.0/24     192.168.1.1    port 9
    199.168.10.0/24    199.168.10.1   port10

    Below is the routing monitor:
    ede_pfau
    SuperUser
    April 6, 2011
    Exactly. Both routes are redundant and can be deleted. What about the policies? Did you check them?
    tarapapa80
    New Member
    April 6, 2011
    Thanks Ede. I learned something really basic about routing today, which I just realized after doing this for 2 years...haha. Below is the policy. The concern is on the LAN > WAN policy.
    tarapapa80
    New Member
    April 6, 2011
    I just want to say thanks Ede because you really helped me when the support people cannot, or are very slow to, advise. I think we already found the root cause of why the affected PCs become very slow when bypassing the proxy, which is because I created a static route which is not needed. I understand fully now. Thank you very much :)
    ede_pfau
    SuperUser
    April 6, 2011
    Policies look OK this way. Assuming that policies #4 and #6 are only there for logging violation traffic, right? Otherwise superfluous. Back to your original question: do the hosts from the 'Bypass' group still have problems? Ping times, losses, traceroutes? It does look sound now.
    ede_pfau
    SuperUser
    April 6, 2011
    To assist, you could ping from the FGT CLI ("exec ping a.b.c.d"). It doesn't have all the options but it might give you a clue. If you see dropped packets when pinging from the FGT to a remote target then the WAN line has hiccups.
    tarapapa80
    New Member
    April 6, 2011
    Actually I already tried that and there was no timeout at all. So it's definitely the firewall that is causing the timeout, and I think it's because I wrongly created the additional static route.
    Felinxandy
    New Member
    July 19, 2024
    Your setup looks solid, especially if policies #4 and #6 are just for logging violations. If the 'Bypass' group is still having issues, checking ping times and traceroutes might help. For more advanced proxy solutions, you could look into websites like proxyrotator.com.