Cybersecurity Forum

AndrHann
New Contributor III

Policy route on same interface

Hi all. I need to route traffic for certain IP addresses to another router on the same subnet, which tunnels traffic off to an external provider. I can use a static route on the FortiGate and this works no problem. I can't, however, do this using a policy route, which is what I need to do (I have another VLAN that has a similar requirement and the same destination IP addresses).

Does anyone know if I can route traffic to the same network using a policy route or if there are limitations with policy routing that prevent this?

Cheers,
Andre
5 Replies
ShanWill
New Contributor III

It might be that the static route is taking priority over the policy route.
Static routes always win unless it's against a connected route.


AndrHann
New Contributor III

When the static route isn't there (it was only put in when the policy route didn't work) the default route is used. I deleted the static route and tested this with the Routing Monitor and it shows that the default route is the one it's using.
bartsikk

A policy route should be able to achieve this; it has priority over other routes.

What did you use as the other arguments, which source/destination, and did you configure the gateway IP?
AndrHann
New Contributor III

Hi Bart. I checked the routing monitor again and confirmed you are correct. If I enable the policy route, the routing monitor shows it as the chosen route. My ping tests fail when the policy route is enabled though. If I disable the policy route, the static routes kick in and it works.

Below is the config from the policy route that doesn't work and under that are the static routes that do work.

config router policy
  edit 1
    set input-device "Client VLAN"
    set srcaddr "VLAN Address"
    set dstaddr "Dest 1" "Dest 2" "Dest 3" "Dest 4"
    set gateway 10.82.82.99
    set output-device "Client VLAN"
    set status disable
  next
end

config router static
  edit 49
    set dst 111.111.111.111 255.255.255.255
    set gateway 10.62.62.99
    set device "Client VLAN"
  next
  edit 50
    set dst 222.222.0.0 255.255.0.0
    set gateway 10.62.62.99
    set device "Client VLAN"
  next
  edit 51
    set dst 333.333.333.0 255.255.254.0
    set gateway 10.62.62.99
    set device "Client VLAN"
  next
  edit 52
    set dst 444.444.0.0 255.255.0.0
    set gateway 10.62.62.99
    set device "Client VLAN"
  next
end
AndrHann
New Contributor III

OK so I've worked this out. I needed to have a VLAN to VLAN policy even though it's the same VLAN.

config firewall policy
  edit 141
    set name "Client VLAN to Client VLAN"
    set srcintf "Client VLAN"
    set dstintf "Client VLAN"
    set srcaddr "all"
    set dstaddr "all"
    set action accept
    set schedule "always"
    set service "ALL"
    set logtraffic all
  next
end
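The accepted answer comes down to one configuration invariant: a policy route whose input-device and output-device are the same interface only carries traffic if a firewall policy exists whose srcintf and dstintf are both that interface. The script below is an added example, not code from this thread or from Fortinet. It parses a flat FortiOS CLI export in the layout the posts use (config / edit / set / next / end), lists the enabled policy routes that hairpin back out their ingress interface, and reports whether an accept policy from that interface to itself exists. The sample config is constructed for the example: the interface name and the 10.62.62.99 gateway are taken from the thread, the address objects, destination ranges (TEST-NET) and firewall policy 10 are made up. It matches interface names exactly; zones and the "any" interface are not modelled.

```python
"""Audit a FortiOS CLI export for policy routes that send traffic back out the
ingress interface without a matching intra-interface firewall policy.

Added example (not code from the forum thread). Assumes a flat, single-level
FortiOS config (config / edit / set / next / end) and exact interface-name
matches; zones and the "any" interface are not handled.
"""
import shlex


def parse_fortios(text):
    """Parse flat FortiOS CLI text into {table: {edit_id: {key: [values]}}}."""
    tables, table, entry = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tok = shlex.split(line)          # handles quoted names like "Client VLAN"
        cmd = tok[0]
        if cmd == "config":
            table = " ".join(tok[1:])
            tables.setdefault(table, {})  # a table split over two blocks is merged
        elif cmd == "edit":
            entry = tables[table].setdefault(tok[1], {})
        elif cmd == "set":
            entry[tok[1]] = tok[2:]      # multi-value keys (dstaddr, dst) keep every token
        elif cmd == "next":
            entry = None
        elif cmd == "end":
            table = None
    return tables


def hairpin_policy_routes(cfg):
    """(seq, interface) for every enabled policy route with input == output device."""
    found = []
    for seq, route in cfg.get("router policy", {}).items():
        if route.get("status", ["enable"])[0] != "enable":
            continue                     # a disabled route never steers traffic
        outputs = route.get("output-device", [])
        for intf in route.get("input-device", []):
            if intf in outputs:
                found.append((seq, intf))
    return found


def covering_policy(cfg, intf):
    """ID of an accept firewall policy from intf to itself, or None (implicit deny)."""
    for pid, pol in cfg.get("firewall policy", {}).items():
        if pol.get("action", ["deny"])[0] != "accept":
            continue
        if intf in pol.get("srcintf", []) and intf in pol.get("dstintf", []):
            return pid
    return None


def audit(text):
    """One finding per hairpin policy route, with the policy that covers it (if any)."""
    cfg = parse_fortios(text)
    return [{"policy_route": seq, "interface": intf, "covered_by": covering_policy(cfg, intf)}
            for seq, intf in hairpin_policy_routes(cfg)]


# Constructed sample in the thread's layout. Only an inter-VLAN policy exists at first.
SAMPLE = """
config firewall address
  edit "VLAN Address"
    set subnet 10.62.62.0 255.255.255.0
  next
  edit "Dest 1"
    set subnet 198.51.100.0 255.255.255.0
  next
end
config router policy
  edit 1
    set input-device "Client VLAN"
    set srcaddr "VLAN Address"
    set dstaddr "Dest 1"
    set gateway 10.62.62.99
    set output-device "Client VLAN"
    set status enable
  next
end
config firewall policy
  edit 10
    set name "Client VLAN to WAN"
    set srcintf "Client VLAN"
    set dstintf "wan1"
    set srcaddr "all"
    set dstaddr "all"
    set action accept
    set schedule "always"
    set service "ALL"
  next
end
"""

# The fix from the accepted answer: an accept policy from the VLAN to itself.
FIX = """
config firewall policy
  edit 141
    set name "Client VLAN to Client VLAN"
    set srcintf "Client VLAN"
    set dstintf "Client VLAN"
    set srcaddr "all"
    set dstaddr "all"
    set action accept
    set schedule "always"
    set service "ALL"
    set logtraffic all
  next
end
"""

if __name__ == "__main__":
    for label, text in (("before fix", SAMPLE), ("after fix", SAMPLE + FIX)):
        print(label, audit(text))
```

Run against a full `show` export, a finding with `covered_by: None` is the symptom from this thread: the routing monitor picks the policy route, but the session is dropped by the implicit deny because no policy allows the interface-to-itself pair.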