jfernandz
New Member
May 15, 2021
Question

When should I enable NAT for policies?

  • May 15, 2021
  • 2 replies
  • 19919 views

Hi everybody, I've got a FortiWiFi (which I think is pretty similar to a FortiGate but with a WiFi interface, correct me if I'm wrong) and it's in NAT mode, so I'm wondering if this has something to do with the fact that I have had to enable NAT for some policies to be able to reach equipment in one VLAN from another, different VLAN.

 

I mean, to clarify, here is a table with info about these VLANs:

 

+---------+-----------+---------------+---------------------------+------------------------+
| VLAN ID | interface | IP/Netmask    | DHCP Range                | Related address object |
+---------+-----------+---------------+---------------------------+------------------------+
| 10      | internal5 | 10.100.0.1/12 | 10.100.0.2-10.100.255.253 | 10.96.0.0/12           |
+---------+-----------+---------------+---------------------------+------------------------+
| 20      | internal1 | 172.20.1.1/24 | 172.20.1.2-172.20.1.254   | 172.20.1.0/24          |
+---------+-----------+---------------+---------------------------+------------------------+

 

So I've created a policy with the '172.20.1.0/24' address object as source and the '10.96.0.0/12' address object as destination, but apparently I have to enable NAT for that policy if I want to reach hosts in VLAN 10. Is this right? Why is this?

 

Thank you all, and excuse my ignorance with networking topics if so.

 

PS: Obviously the VLAN ID is just a way to tag every VLAN and it's more related to the switches in my network, but that's the setup I've got.


Toshi_Esumi
SuperUser
May 15, 2021

The term "NAT mode" is used in a context describing the system (or VDOM) operation that is capable of handling IPs (layer 3), as opposed to "Transparent mode", which doesn't have IPs in the user plane. For any internal IPs, like your VLAN-to-VLAN policies, generally you don't want to enable NAT (SNAT), which would hide the source IP and replace it with the outgoing interface IP.

jfernandz (Author)
New Member
May 15, 2021

So what could explain why I'm apparently not able to reach any host in VLAN 10 from VLAN 20 if NAT is not enabled?

   

SJFriedl
New Member
May 15, 2021

jfernandz wrote:

So what could explain why I'm apparently not able to reach any host in VLAN 10 from VLAN 20 if NAT is not enabled?

On VLAN20, are all the hosts using interface "internal1" using 172.20.1.1 as their default gateway?

 

If NAT is enabled in the policy, then the host on VLAN20 is responding to a host on the local subnet (172.20.1.1), and that doesn't care about the default gateway; but if NAT is off, then the hosts *do* need to reply via the gateway.
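As an added illustration of the mechanism described above (this is not code from the thread or from Fortinet), the Python model below routes one request and its reply through a firewall built from the two interfaces in the question's table. The host names, the client and server addresses (172.20.1.50 and 10.100.0.20) and the scenarios where the VLAN 10 host has no gateway or the wrong gateway are constructed assumptions. It shows why enabling NAT on the policy makes the traffic "work" when the responding host has no usable route back through the FortiGate, and also what the SuperUser reply warns about: with NAT on, the server only ever sees and logs the FortiGate's interface IP, never the real client.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Host:
    """An end host with one connected subnet and an optional default gateway."""
    name: str
    ip: str
    prefix: int
    gateway: Optional[str] = None
    seen_sources: list = field(default_factory=list)  # source IPs this host would log

    def network(self):
        return ipaddress.ip_network(f"{self.ip}/{self.prefix}", strict=False)

    def next_hop(self, dst):
        """Where the host hands a packet for dst: dst itself if on-link, else the gateway, else None."""
        if ipaddress.ip_address(dst) in self.network():
            return dst
        return self.gateway


@dataclass
class Firewall:
    """A FortiGate in NAT mode: every interface has an IP and therefore a connected route."""
    interfaces: dict  # name -> (ip, prefix)

    def owns(self, addr):
        return any(ip == addr for ip, _ in self.interfaces.values())

    def egress(self, dst):
        """Interface (name, ip) whose connected subnet contains dst, or None."""
        for name, (ip, prefix) in self.interfaces.items():
            if ipaddress.ip_address(dst) in ipaddress.ip_network(f"{ip}/{prefix}", strict=False):
                return name, ip
        return None


def session(client, server, fw, nat):
    """Run one request/reply through fw. Returns (ok, source_seen_by_server, note)."""
    # Request: the client must hand the packet to the FortiGate (its gateway).
    hop = client.next_hop(server.ip)
    if hop is None or not fw.owns(hop):
        return False, None, f"{client.name} cannot reach the FortiGate for {server.ip}"
    egress = fw.egress(server.ip)
    if egress is None:
        return False, None, f"FortiGate has no connected route to {server.ip}"
    _, egress_ip = egress
    # With NAT enabled on the policy the source is rewritten to the egress interface IP (SNAT).
    src_seen = egress_ip if nat else client.ip
    server.seen_sources.append(src_seen)
    # Reply: the server routes back to whatever source address it saw.
    hop = server.next_hop(src_seen)
    if hop is None:
        return False, src_seen, f"{server.name} has no route to {src_seen}; reply dropped"
    if not fw.owns(hop):
        return False, src_seen, f"{server.name} sent the reply to {hop}, which is not the FortiGate"
    return True, src_seen, "reply reached the FortiGate"


# Constructed to match the table in the question (assumed interface layout, not a real device).
FORTIGATE = Firewall({"internal1": ("172.20.1.1", 24), "internal5": ("10.100.0.1", 12)})


def scenario(server_gateway, nat):
    """A VLAN20 client (gateway set) talks to a VLAN10 server whose gateway is server_gateway."""
    client = Host("pc-vlan20", "172.20.1.50", 24, gateway="172.20.1.1")
    server = Host("srv-vlan10", "10.100.0.20", 12, gateway=server_gateway)
    return session(client, server, FORTIGATE, nat)


if __name__ == "__main__":
    for gw, nat in [(None, False), (None, True), ("10.100.0.1", False), ("10.100.0.254", False)]:
        ok, src, note = scenario(gw, nat)
        print(f"server gateway={gw!s:13} nat={nat!s:5} ok={ok!s:5} server sees source={src}  {note}")
```

The third scenario (server gateway pointing at the FortiGate, NAT off) is the one to aim for on an internal VLAN-to-VLAN policy: the traffic flows and the server logs the real client address, so host logs and FortiGate logs agree on who talked to whom. The second scenario works too, but only because the server is answering 10.100.0.1, and any audit trail on that server now shows the firewall instead of the client.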

Etctan
Visitor III
February 21, 2023

Currently I have the same issue. Is there any way to disable NAT without setting a gateway?