Policy route on same interface
Hi all. I need to route traffic for certain IP addresses to another router on the same subnet, which tunnels the traffic off to an external provider. I can use a static route on the FortiGate and this works with no problem. I can't, however, do this using a policy route, which is what I need to do (I have another VLAN that has a similar requirement and the same destination IP addresses).
Does anyone know if I can route traffic to the same network using a policy route or if there are limitations with policy routing that prevent this?
Cheers,
Andre
Labels: General
1 Solution
OK, so I've worked this out. I needed to have a VLAN to VLAN policy even though it's the same VLAN.
config firewall policy
edit 141
set name "Client VLAN to Client VLAN"
set srcintf "Client VLAN"
set dstintf "Client VLAN"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
next
end
5 REPLIES
It might be that the static route is taking priority over the policy route.
Static routes always win unless it's against a connected route.
When the static route isn't there (it was only put in when the policy route didn't work) the default route is used. I deleted the static route and tested this with the Routing Monitor and it shows that the default route is the one it's using.
A policy route should be able to achieve this; it has priority over other routes.
What did you use as the other arguments, which source/destination, and did you configure the gateway IP?
Hi Bart. I checked the routing monitor again and confirmed you are correct. If I enable the policy route, the routing monitor shows it as the chosen route. My ping tests fail when the policy route is enabled, though. If I disable the policy route, the static routes kick in and it works.
Below is the config from the policy route that doesn't work and under that are the static routes that do work.
config router policy
edit 1
set input-device "Client VLAN"
set srcaddr "VLAN Address"
set dstaddr "Dest 1" "Dest 2" "Dest 3" "Dest 4"
set gateway 10.82.82.99
set output-device "Client VLAN"
set status disable
next
end
config router static
edit 49
set dst 111.111.111.111 255.255.255.255
set gateway 10.62.62.99
set device "Client VLAN"
next
edit 50
set dst 222.222.0.0 255.255.0.0
set gateway 10.62.62.99
set device "Client VLAN"
next
edit 51
set dst 333.333.333.0 255.255.254.0
set gateway 10.62.62.99
set device "Client VLAN"
next
edit 52
set dst 444.444.0.0 255.255.0.0
set gateway 10.62.62.99
set device "Client VLAN"
next
end
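The decision path this thread is circling, as an added example that is not part of any post and not FortiOS code: a small Python model in which an enabled policy route is consulted before the routing table and fixes the egress interface, and the firewall policy lookup then has to match that (srcintf, dstintf) pair or the packet hits the implicit deny. It covers both the policy-route configuration just above and the same-interface firewall policy from the accepted solution. The thread's "Client VLAN", "VLAN Address" and "Dest 1" to "Dest 4" objects are replaced by constructed values (10.62.62.0/24, a next hop of 10.62.62.99, 198.51.100.0/24 and 203.0.113.10/32, a "WAN" default route); these are assumptions, as is the scoped any-to-any alternative at the end, which is the editor's suggestion rather than anything posted.

```python
"""Model of the FortiGate forwarding decision discussed in this thread (added
example, not FortiOS code).  An enabled policy route matching input device,
source and destination fixes the output device and gateway; otherwise the
routing table decides by longest prefix; the packet must then match a firewall
policy on the resulting (srcintf, dstintf) pair or it hits the implicit deny."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

@dataclass
class PolicyRoute:
    input_device: str
    srcaddr: list
    dstaddr: list
    gateway: str
    output_device: str
    status: str = "enable"

@dataclass
class StaticRoute:
    dst: str
    gateway: str
    device: str

@dataclass
class FirewallPolicy:
    name: str
    srcintf: str
    dstintf: str
    srcaddr: list
    dstaddr: list
    action: str = "accept"

def matches(addr, objects):
    """True if addr is in any listed prefix; the "all" object matches everything."""
    return "all" in objects or any(ip_address(addr) in ip_network(o) for o in objects)

def route_lookup(src, dst, in_intf, policy_routes, static_routes):
    """Return (output_device, gateway, how): policy route first, then longest prefix."""
    for pr in policy_routes:
        if (pr.status == "enable" and pr.input_device == in_intf
                and matches(src, pr.srcaddr) and matches(dst, pr.dstaddr)):
            return pr.output_device, pr.gateway, "policy-route"
    candidates = [sr for sr in static_routes if ip_address(dst) in ip_network(sr.dst)]
    if not candidates:
        return None, None, "no-route"
    best = max(candidates, key=lambda sr: ip_network(sr.dst).prefixlen)
    return best.device, best.gateway, "static-route"

def forward(src, dst, in_intf, policy_routes, static_routes, fw_policies):
    """Route the packet, then apply the first firewall policy on (srcintf, dstintf)."""
    out_intf, gw, how = route_lookup(src, dst, in_intf, policy_routes, static_routes)
    result = {"route": how, "out": out_intf, "gateway": gw}
    if out_intf is None:
        return {**result, "verdict": "deny", "reason": "no route"}
    for pol in fw_policies:
        if (pol.srcintf == in_intf and pol.dstintf == out_intf
                and matches(src, pol.srcaddr) and matches(dst, pol.dstaddr)):
            return {**result, "verdict": pol.action, "policy": pol.name}
    return {**result, "verdict": "deny",
            "reason": f"implicit deny: no policy {in_intf} -> {out_intf}"}

# Constructed lab values (assumptions, not from the thread): client VLAN
# 10.62.62.0/24, tunnelling router at 10.62.62.99, provider destinations
# 198.51.100.0/24 and 203.0.113.10/32, and a default route out "WAN".
VLAN_ADDRESS = ["10.62.62.0/24"]
DESTS = ["198.51.100.0/24", "203.0.113.10/32"]
STATIC = [StaticRoute("0.0.0.0/0", "192.0.2.1", "WAN")]
POLICY_ROUTE = PolicyRoute("Client VLAN", VLAN_ADDRESS, DESTS, "10.62.62.99", "Client VLAN")
VLAN_TO_WAN = FirewallPolicy("Client VLAN to WAN", "Client VLAN", "WAN", ["all"], ["all"])
# The fix as posted in the accepted solution: any-to-any back into the same VLAN.
VLAN_TO_VLAN_ANY = FirewallPolicy("Client VLAN to Client VLAN",
                                  "Client VLAN", "Client VLAN", ["all"], ["all"])
# Tighter alternative (the editor's, not from the thread): only the policy-routed
# flows may hairpin back into the VLAN towards the tunnelling router.
VLAN_TO_VLAN_SCOPED = FirewallPolicy("Client VLAN to tunnel router",
                                     "Client VLAN", "Client VLAN", VLAN_ADDRESS, DESTS)

def policy_route_disabled():
    """Policy route off: the default route sends the flow out WAN, where a policy exists."""
    off = replace(POLICY_ROUTE, status="disable")
    return forward("10.62.62.10", "198.51.100.7", "Client VLAN", [off], STATIC, [VLAN_TO_WAN])

def policy_route_without_hairpin_policy():
    """Policy route on, no Client VLAN -> Client VLAN policy: implicit deny."""
    return forward("10.62.62.10", "198.51.100.7", "Client VLAN",
                   [POLICY_ROUTE], STATIC, [VLAN_TO_WAN])

def policy_route_with_policy(hairpin_policy):
    """Policy route on plus a same-interface policy: the flow is accepted."""
    return forward("10.62.62.10", "198.51.100.7", "Client VLAN",
                   [POLICY_ROUTE], STATIC, [VLAN_TO_WAN, hairpin_policy])

def unrelated_hairpin(hairpin_policy):
    """A later route that also hairpins 203.0.113.0/24 into the VLAN: the any/any
    policy lets it through, the scoped one still denies it."""
    extra = StaticRoute("203.0.113.0/24", "10.62.62.99", "Client VLAN")
    return forward("10.62.62.10", "203.0.113.50", "Client VLAN",
                   [POLICY_ROUTE], STATIC + [extra], [VLAN_TO_WAN, hairpin_policy])
```

The functions return dicts rather than printing, so the outcome of each scenario can be inspected in a REPL or asserted in a test. The point of `unrelated_hairpin` is the least-privilege side of the fix: an any/any same-interface policy permits every flow that any present or future route sends back out that interface, while a policy scoped to the VLAN source and the provider destinations permits only the flows the policy route was written for. On a real unit, a `diagnose debug flow` trace of the failing ping is where the chosen route and the matched (or missing) policy show up.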