supportombm
New Member
August 31, 2021
Question

Routing problem outside VPN

  • August 31, 2021
  • 1 reply
  • 3087 views

Hi Guys!

I have a FortiGate 60F with 6.2.7 and I have a routing problem.


Interface OFFICE 172.xxx.xxx.xxx (LAN1)

Interface MACHINE 10.xxx.xxx.xxx (LAN2)


MACHINE has a VPN for 142.xxx.xxx.xxx (this is one of our suppliers' LANs, but it is also a public IP LAN).


So I have a remote LAN which is needed on both interfaces, OFFICE and MACHINE.

The problem is, MACHINE can't navigate outside the VPN for security reasons.

OFFICE can't use and join the VPN.


I've set up static routes for both with different distances, but OFFICE always tries to go out on the VPN, which is denied, and I don't know how to let this interface (OFFICE) use WAN1 as the outgoing route for traffic to 142.xxx.xxx.xxx.

I even tried with policy routes, but with no success.

1 reply

Toshi_Esumi
SuperUser
August 31, 2021

Do you mean "OFFICE should use wan1 and go over the internet to get to 142.xxx.xxx.xxx/xx"? Then you have to use policy routes, at least for this destination. I think the default route is enough for the routing part to steer the traffic toward wan1 for the OFFICE source, while the 142/xx route exists toward the VPN for the MACHINE source.

supportombm
New Member
September 2, 2021

Sorry for the late reply, I've spent the past few days trying to figure this out.


Yes, I had to set up 2 static routes (same distance, different priority) so the route will show up in the routing table.

Then I set up a policy route (not one for each interface, just one for OFFICE) and browsing is fine now, waiting for the feedback.


But is it normal that a ping from the firewall console/SSH with ping-options source "OFFICE gateway" will always route inside the VPN?

That made me lose at least one hour lol, then I checked with a full tunnel SSL VPN.


Thank you anyway

Toshi_Esumi
SuperUser
September 2, 2021

Traffic initiated from the FGT itself wouldn't follow any policies, and I think policy routes/VIPs as well. It just follows the routing table and puts the source IP you specified on the packets.
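The two static routes plus the single policy route that supportombm ended up with, written out as an added example that is not part of the thread (FortiOS 6.2-style CLI, not config from either poster). Every address, interface name and the tunnel name below is a placeholder I chose: 172.16.10.0/24 stands in for the OFFICE subnet (172.xxx.xxx.xxx), 10.10.20.0/24 for MACHINE (10.xxx.xxx.xxx), 142.0.0.0/16 for the supplier prefix, "vpn-supplier" for the IPsec interface and 203.0.113.1 for the wan1 next hop.

```fortios
# Added example, not from the thread. All values are placeholders.
#   OFFICE   = lan1, 172.16.10.0/24   (placeholder for 172.xxx.xxx.xxx)
#   MACHINE  = lan2, 10.10.20.0/24    (placeholder for 10.xxx.xxx.xxx)
#   supplier = 142.0.0.0/16           (placeholder for 142.xxx.xxx.xxx/xx)
#   tunnel   = "vpn-supplier" (IPsec interface), wan1 gateway 203.0.113.1

# 1. Two static routes to the supplier prefix with the SAME distance and
#    DIFFERENT priority. Equal distance keeps both routes active in the
#    routing table; the lower priority value (the tunnel) is the one the
#    table prefers, so MACHINE and anything without a matching policy
#    route keeps going through the VPN, as the security requirement demands.
config router static
    edit 0
        set dst 142.0.0.0 255.255.0.0
        set device "vpn-supplier"
        set distance 10
        set priority 0
    next
    edit 0
        set dst 142.0.0.0 255.255.0.0
        set gateway 203.0.113.1
        set device "wan1"
        set distance 10
        set priority 5
    next
end

# 2. One policy route, only for OFFICE. Policy routes are evaluated before
#    the routing table for transit traffic, so OFFICE -> supplier is pushed
#    out wan1 while MACHINE still follows the table into the tunnel.
config router policy
    edit 1
        set input-device "lan1"
        set src "172.16.10.0/255.255.255.0"
        set dst "142.0.0.0/255.255.0.0"
        set gateway 203.0.113.1
        set output-device "wan1"
    next
end

# 3. Checks: both routes present, policy route installed, and packets
#    actually leaving on wan1.
# get router info routing-table all
# diagnose firewall proute list
# diagnose sniffer packet any 'host 142.0.0.1' 4
```

Two things to keep in mind when testing this. Firewall policies from lan1 to wan1 and from lan2 to vpn-supplier still have to allow the traffic; routing only picks the egress interface. And, as Toshi_Esumi says above, `execute ping` with `execute ping-options source <OFFICE address>` is traffic generated by the FortiGate itself, which ignores policy routes and follows the routing table, so that ping will always enter the tunnel regardless of the configuration; verify from a host on OFFICE (or watch the sniffer) instead.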