rmetzger
Staff
Article Id 196746

Description


This article describes how to configure a FortiGate to route/allow traffic between 2 (or more) subnets attached to the same interface of a FortiGate.


Scope


All FortiGates or VDOMs running in NAT/Route Mode.

Solution

 
This diagram illustrates a simple example:
  • subnet 10.1.1.0/24   ===== [ port1 FortiGate ]
  • subnet 172.16.1.0/24 ===== [ port1           ]


Expectations, Requirements:

Assume that subnet 10.1.1.0/24 is configured on port1, and 172.16.1.0/24 is configured as a secondary IP address of port1.

For this example, it is expected that all traffic flows from 10.1.1.0/24 to 172.16.1.0/24 and vice versa.


Configuration:


The following firewall policy allows traffic between both subnets.
A policy from a port to the same port is sometimes also referred to as a hairpin policy (or a one-arm firewall).

config firewall policy
    edit 0
        set srcintf "port1"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
    next
end


To get finer control over the traffic flows in either direction, more than one hairpin policy may be needed, each with specific source or destination IP addresses. Note that on FortiOS 5.0 and later the catch-all service object is named ALL rather than ANY.

Troubleshooting:

 

For troubleshooting connectivity problems, see related articles about sniffer and debug flow.
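As an added example (not the article's own commands), the following CLI session shows how to confirm whether a flow between the two subnets is actually reaching port1 and which policy it matches. The host addresses 10.1.1.10 and 172.16.1.10 are constructed for the illustration; the `show function-name` option assumes a FortiOS 5.x style debug flow CLI.

```fortios
# Added example (not from the original article); host IPs are constructed.

# Capture packets on port1 between the two hosts. Verbosity 4 prints the
# interface name with each packet; the final argument stops after 10 packets.
diagnose sniffer packet port1 'host 10.1.1.10 and host 172.16.1.10' 4 10

# Trace the policy lookup for the same traffic, in the 10.1.1.0 -> 172.16.1.0
# direction only, so unrelated flows do not clutter the output.
diagnose debug flow filter clear
diagnose debug flow filter saddr 10.1.1.10
diagnose debug flow filter daddr 172.16.1.10
diagnose debug flow show function-name enable
diagnose debug enable
diagnose debug flow trace start 20

# ... generate the test traffic from 10.1.1.10 towards 172.16.1.10 now ...

# Stop the trace and return the debug subsystem to its default state.
diagnose debug flow trace stop
diagnose debug disable
diagnose debug reset
```

If the sniffer shows the packets arriving on port1 but the debug flow output ends with a line such as `Denied by forward policy check (policy 0)`, the traffic is reaching the FortiGate but no hairpin policy matches its source, destination or service; a line of the form `Allowed by Policy-<id>` names the policy that accepted it. If the sniffer shows nothing at all, the sending host is most likely not using the FortiGate as its gateway for the other subnet.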

 

Related articles: