New Member

Question

What is missing - Routing, NAT or Policy

Forum|Forum|3 years ago
August 9, 2022
4 replies
5104 views

Hello, I am beginner in Fortigate and I would like to know what should I do to get this working. I have port 1 configured as a management port. Its a DHCP and address is 192.168.76.130. Client is configured as DHCP client and his address is in that network 192.168.76.0/24 (before .129 now actually .135). On a Fortigate I have configured dhcp server on port 8. Current IP address is 192.168.21.1/24. And DHCP Client has 192.168.21.100/24. Please check pictures. What should I configure if I want to ping from one site to the other end? From 192.168.76.135 to 192.168.21.100. I dont know whether I have to set default route, or NAT that or configure some kind of policy. Can you help? Take management port as a internet and DHCP client as a private network. I hope its clear. Thank You

Ping from DHCP Client.jpg Ports Configuration.jpg

FortiGate v5.4

zhiqiang

New Member

Can you share policy for Fortigate

MatieAuthor

New Member

Hi, I didnt create policy. I have tried to create that, but it didn't work, therefore I deleted that and now is there only implicit deny. I am waiting for someone suggest how the policy should look. Everything is blank. There is no route, no NAT and no Policy. How should I configure policy? Thanks

Zhuo

Explorer

Hi Matie.
please check firewall policy

The problem should be in fortigate's ipv4 policy.

best regards。

MatieAuthor

New Member

Hi, I didnt create policy. I have tried to create that, but it didn't work, therefore I deleted that and now is there only implicit deny. I am waiting for someone suggest how the policy should look. Everything is blank. There is no route, no NAT and no Policy. How should I configure policy? Thanks

Zhuo

Explorer

Hi Matie.
fortigate ipv4 policy rules are 2

Article 1: port8 to port1
Article 2: port1 to port8

This allows for interoperability

Zhuo

Explorer

Good Matie.
Notice,
is to open two ipv4 policy
Article 1: port8 to port1
Article 2: port1 to port8

MatieAuthor

New Member

Hi Zhuo. I have set the policies as you told me. However I cannot ping from Net to Private. Please check pictures. Notice that address range has changed because of DHCP on Net site. I can ping from private that means from 192.168.21.100 to Net 192.168.76.129 but I cannot ping vice versa although Policies are in place. It looks like all traffic is denied by implicit deny. I dont know why. NAT is enabled, but that is not a problem. I have tried also without NAT.
Firewall Policies.jpg Permit all from Net.jpg Permit all from Private.jpg Ping from Net.jpg Ping from private.jpg

sw2090

SuperUser

You don't need NAT here since your FortiGate is the Gateway on both "endpoints" and the FGT does have an interface in both subnets. NAT might even be contra-productive here.

Try to disable it. The rest of you policies looks good so far.

Basically all you need is a policy to allow traffic from port1 to port8. Then you can ping from port1 subnet to port8 subnet.

If you want to ping from port 8 subnet to port1 subvnet you need the reverse policy to the above one too.

Only if on the endpoints the FortiGate is NOT your default gateway you would need a static route to the "opposite" subnet on each endpoint that has the FGT as gateway.

MatieAuthor

New Member

Thank You. But I am worried that I dont know how to do that. What do you mean by reverse policy? I have policies 1 to 8 and 8 to 1 so 1 to 8 is reverse to 8 to 1 and vice versa. Am I wrong?

I have tried to do static route but it doesn't work, because I dont know what should be a def gateway in this direction. I have one static route but it is created automatically. I didn't create that. I don't know how it came with that default gateway. Maybe it is caused by DHCP. If I have to create static route, what will be the default gateway from 1 to 8?

Static route.png

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded