KPS
New Member
March 14, 2017
Question

Virtual Wire with NAT-Mode - How to access management port from both "sides" of the VWire


Hi!


I am trying to setup a VWire-firewall behind the perimeter routers.

Everything is working fine, except every connection that:

- traverses the VWire

- AND terminates at the firewall


In the attached picture:

--> PC 2+3 can access FG-Management-Port

--> PC 1 CANNOT access FG-Management-Port

--> PC 1 can access PC 2+3


Do you have any idea how to avoid problems with packets that pass the VWire and terminate at the FG-Management-Interface?


Thank you

Regards

KPS


    MikePruett
    New Member
    March 14, 2017

    What does the policy look like for that v-wire?

    KPS (Author)
    New Member
    March 14, 2017

    Hi!


    The VWire-Policy does allow everything in both directions.

    If I move the VWire to another VDOM, the system is working, but that is a problem for the rest of my config.


    There seems to be an issue if the packet is traversing the VWire on the way to the Layer 3 interface on the same VDOM.


    Regards,

    KPS

    dennisv
    New Member
    March 16, 2017

    Hi,

    This is a known issue, as designed.

    The reason is the shared routing table within the VWP. You want to access a subnet that is known in the routing table but is not allowed by means of the VWP (else the VWP would kinda break, as you escape from the VWP).

    VWP works fine for traffic between the protected subnets.

    Solution: don't use a VWP if traffic needs to route to the FortiGate itself (within a single VDOM).

    A second VDOM separates the routing table and does not have this issue.


    Regards
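
As an added example (not from this thread or from Fortinet documentation), here is the FortiOS CLI layout that dennisv's answer implies: the virtual wire pair gets its own VDOM, while the management interface stays in the root VDOM, so the VWP no longer shares a routing table with the Layer 3 interface that PC 1 needs to reach. The interface names (port1 management, port3/port4 VWP members), the VDOM name, the VDOM-enabling command (its syntax differs between FortiOS releases) and the exact VWP policy syntax are assumptions.

```fortios
# Added example with assumed names: port1 = management in root,
# port3/port4 = VWP members moved into their own VDOM.

# 1. Enable multi-VDOM mode (assumed syntax; FortiOS 5.x used
#    'set vdom-admin enable' under 'config system global' instead)
config system global
    set vdom-mode multi-vdom
end

# 2. Create a dedicated VDOM for the virtual wire pair
config vdom
    edit "vwp-vdom"
    next
end

# 3. Move the VWP member ports into that VDOM; port1 stays in root,
#    so management traffic never has to cross the VWP's routing table
config global
    config system interface
        edit "port3"
            set vdom "vwp-vdom"
        next
        edit "port4"
            set vdom "vwp-vdom"
        next
    end
end

# 4. Build the VWP and its allow-all, both-direction policy inside
#    the new VDOM (policy syntax assumed; verify on your release)
config vdom
    edit "vwp-vdom"
        config system virtual-wire-pair
            edit "vwp1"
                set member "port3" "port4"
            next
        end
        config firewall policy
            edit 1
                set name "vwp-allow-all"
                set srcintf "port3" "port4"
                set dstintf "port3" "port4"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
            next
        end
    next
end
```

After this, traffic from PC 1 still transits the VWP in vwp-vdom, but its destination (the management interface) is reached through root's separate routing table, which is the separation dennisv describes.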