toku
New Member
February 2, 2023
Solved

Routing issue on Fortigate setup.

  • February 2, 2023
  • 3 replies
  • 7955 views

Hello!

I'm new to FortiGate and experienced a roadblock during my setup.

I was trying to reach the VM from the public IP (my PC), but there was no response from the VM. Attached are the diagram and packet capture results from FortiGate.

diagram.JPG

Note:

  1. The default route is going to an ASR router, but I want all incoming and outgoing traffic to go via the same specific interface on the firewall. (highlighted orange)

  2. Static route cannot be used because the source IP can be anything.

  3. Tried the policy route, but it didn't work :(


Kindly advise what could be the root cause.
If you need additional information, feel free to let me know!
Appreciate the comments!

3 replies

srajeswaran
Staff
February 2, 2023

Can you enable Source NAT on the policy towards VM and test?

toku (Author)
New Member
February 7, 2023
While I was doing a trace, I found the following error:
id=20085 trace_id=19 func=ip_route_input_slow line=2264 msg="reverse path check fail, drop
Any idea what this means?
Thanks!
gfleming
Staff
February 7, 2023

This means the FortiGate is dropping the packet because the Source IP for the packet is not in a subnet that it has a route to on the interface it is coming in on.


In other words, if the packet has a source IP of 10.0.0.1 and it's coming in on the interface 'lan', the FortiGate will not forward it if it does not have a route to 10.0.0.0/24 via the 'lan' interface. This is reverse path forwarding and is a method of preventing IP spoofing.


Since you only pasted a snippet of the trace, we do not know the whole story, so it's hard to say. But chances are you have no route pointing to Provider A for your PC's public IP address.
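As an added illustration of the reverse-path check gfleming describes (example code written for this thread, not Fortinet's or the poster's): a small model of loose and strict reverse-path checking over a constructed routing table. Interface names, prefixes and the sample source addresses are assumptions; loose mode accepts a source if any covering route leaves via the ingress interface, strict mode only if the best (longest-prefix) route does.

```python
import ipaddress
from typing import List, Tuple

Route = Tuple[str, str]  # (destination prefix, egress interface)

# Constructed routing table modelled on the thread's topology; the
# interface names are assumptions, not the poster's configuration.
ROUTES: List[Route] = [
    ("0.0.0.0/0", "wan_default"),   # default route toward the ASR / default ISP
    ("10.0.0.0/24", "lan"),         # the /24 used in gfleming's explanation
    ("192.0.2.0/24", "wan_provA"),  # a prefix the firewall knows via Provider A
]


def matching_routes(src_ip: str, routes: List[Route]):
    """Routes whose prefix covers src_ip, best (longest prefix) first."""
    ip = ipaddress.ip_address(src_ip)
    hits = [(ipaddress.ip_network(p), iface) for p, iface in routes
            if ip in ipaddress.ip_network(p)]
    return sorted(hits, key=lambda r: r[0].prefixlen, reverse=True)


def rpf_check(src_ip: str, ingress: str, routes: List[Route],
              strict: bool = False) -> bool:
    """True if a packet from src_ip arriving on `ingress` passes the
    reverse-path check; False means it would be dropped."""
    hits = matching_routes(src_ip, routes)
    if not hits:
        return False                      # no route back to the source at all
    if strict:
        return hits[0][1] == ingress      # best route must use the ingress port
    return any(iface == ingress for _, iface in hits)


def verdict(src_ip: str, ingress: str, routes: List[Route],
            strict: bool = False) -> str:
    """Human-readable result in the spirit of the diagnose trace output."""
    if rpf_check(src_ip, ingress, routes, strict):
        return f"{src_ip} via {ingress}: forward"
    return f"{src_ip} via {ingress}: reverse path check fail, drop"


if __name__ == "__main__":
    # The thread's situation: PC's public IP arrives on Provider A's port,
    # but the only covering route is the default via the other provider.
    print(verdict("203.0.113.5", "wan_provA", ROUTES))
    # Adding a route for that source via Provider A makes the check pass.
    print(verdict("203.0.113.5", "wan_provA",
                  ROUTES + [("203.0.113.0/24", "wan_provA")]))
```

Note that adding the Provider A route makes the same source fail strict mode when it arrives on the default provider's port, which is the asymmetric-path problem Toshi describes.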

Toshi_Esumi
SuperUser
February 2, 2023

If you're coming from the internet, unless you advertise the public subnet where the VM sits only through the Provider A side toward the internet, instead of advertising via the default internet provider, your access to the VM's public IP always comes from the default internet provider (right side in your diagram). It never comes via Provider A, unlike your inbound orange arrow.


The returning direction will follow the reverse direction of the inbound/original direction based on the session. You won't be able to change that.


Toshi

toku (Author)
New Member
February 7, 2023

I guess you're talking about this?

While I was doing a trace, I found the following error:
id=20085 trace_id=19 func=ip_route_input_slow line=2264 msg="reverse path check fail, drop
No alternative solution?
Toshi_Esumi
SuperUser
February 7, 2023

Which provider, the default internet provider or Provider A, provides the public IP the VM has? Or do you own the public subnet the VM is in?

If it's from the default internet provider, you have no control over the incoming path; it always comes through that provider.

You can see it when you traceroute from outside to the VM's public IP.


Only if you own the subnet the VM is in can you advertise the subnet with BGP through either or both of the default internet provider and Provider A to control the inbound path.


Toshi

toku (Author, accepted answer)
New Member
February 14, 2023