Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
kvemi
New Contributor

Problem - Access from VLAN2 (WAN2) to VLAN1 (WAN1)

Hello,

 

On the Fortigate 80E (ver7x) we need to set up access from VLAN2 (WAN2 / ISP2) to VLAN1 (WAN1 (ISP1).

 

On the firewall we have two Internet connections (WAN1 and WAN2) and internal networks VLAN1 and VLAN2. Under VLAN1 is an internal HTTPs server (accessible from the Internet via DNAT), assigned to WAN1. Under VLAN2 is the guest network, assigned to WAN2 (another ISP). Now we need to access this HTTPs server from guest VLAN2/WAN2 but we are not able to do it. We've tried something within the firewall and address translation, but to no avail / I'm out of ideas.

 

kvemi_0-1657639415762.png

Thanks for the help

1 Solution
Toshi_Esumi
Esteemed Contributor II

So you seem to have a policy route: everything from VLAN2 goes toward wan2. That's why those accesses to vlan1 IP and wan1 IP are steered toward wan2.

 

In your case you need to add another, or two more policy routes to override the existing policy route or exclude them, and place them above the existing one.

 

Toshi

View solution in original post

8 REPLIES 8
Toshi_Esumi
Esteemed Contributor II

You can set up policies to allow VLAN2->WAN1(then VIP to VLAN1). So-called hairpin NAT/VIP like in below KB.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-Hairpin-NAT-VIP/ta-p/195448

 

Toshi

kvemi

Thank you for answer.

I've seen this procedure before, but couldn't relate it to my configuration. I must be making a mistake somewhere.

I don't know how to access the instructions when I have two WAN ports (WAN1 and WAN2). I've tried both Example 1 and 2, but I must be missing something.

Toshi_Esumi
Esteemed Contributor II

Since it's inside of one physical FGT, unless you split two wan interfaces to two VDOMs, wan1's interface IP is directly connected and reachable from VLAN2 as long as you have a policy VLAN2->wan1. Can you ping from a VLAN2 device to wan1 IP after placing a policy?

After that, you need to do "flow debug" how the FGT is handling the traffic from VLAN2 to VLAN1 via VIP.

 

Toshi

kvemi

Hello,

 

For example:

WAN1 eth1 public IP: 1.1.1.1 (from ISP we have addresses with /29 mask)
WAN2 eth2 non-public IP: 2.2.2.2

Ping from VLAN2 to public IP 1.1.1.1 works

 

I send the debug flow:
1.) From VLAN2 (10.0.176.60:443) to VLAN1 (192.168.172.6:443)

 

 

vtag->sip[0] b2ffacb9, vtag->sip[1] 0, vtag->sip[2] 0, vtag->sip[3] 0
                vtag->sport 7886, vtag->mtu 1500, vtag->flags 12, vtag->np6_flag 0x1, skb->npu_flag=0xc0880"
2022-07-15 08:38:50 id=20085 trace_id=77 func=print_pkt_detail line=5746 msg="vd-root:0 received a packet(proto=6, 10.0.176.60:52769->192.
168.172.6:443) from VLAN2. flag [S], seq 3522623264, ack 0, win 64240"
2022-07-15 08:38:50 id=20085 trace_id=77 func=init_ip_session_common line=5918 msg="allocate a new session-91315e0c"
2022-07-15 08:38:50 id=20085 trace_id=77 func=vf_ip_route_input_common line=2589 msg="Match policy routing id=1: to 2.2.2.2 via if
index-6"
2022-07-15 08:38:50 id=20085 trace_id=77 func=vf_ip_route_input_common line=2615 msg="find a route: flag=04000000 gw-2.2.2.2 via w
an2"
2022-07-15 08:38:50 id=20085 trace_id=77 func=get_new_addr line=1229 msg="find SNAT: IP-185.172.255.178(from IPPOOL), port-52769"
2022-07-15 08:38:50 id=20085 trace_id=77 func=fw_forward_handler line=853 msg="Allowed by Policy-30: SNAT"
2022-07-15 08:38:50 id=20085 trace_id=77 func=__ip_session_run_tuple line=3478 msg="SNAT 10.0.176.60->185.172.255.178:52769"
2022-07-15 08:38:50 id=20085 trace_id=77 func=np6lite_hif_nturbo_build_vtag line=1101 msg="vtag->magic d153beef, vtag->coretag 65, vtag->v
id 0

 

 

 

2.) From VLAN2 (10.0.176.60:443) to WAN1 (1.1.1.1:443)
* Dropped by default policy. I have a rule allowing from VLAN2 to WAN1 (or VLAN2 to VLAN1) set

 

 

2022-07-15 08:44:03 id=20085 trace_id=91 func=print_pkt_detail line=5746 msg="vd-root:0 received a packet(proto=6, 10.0.176.60:5
2794->85.13.111.105:443) from VLAN2. flag [S], seq 1861588583, ack 0, win 64240"
2022-07-15 08:44:03 id=20085 trace_id=91 func=init_ip_session_common line=5918 msg="allocate a new session-913d87f6"
2022-07-15 08:44:03 id=20085 trace_id=91 func=get_new_addr line=1229 msg="find DNAT: IP-192.168.172.6, port-443"
2022-07-15 08:44:03 id=20085 trace_id=91 func=get_new_addr line=1229 msg="find SNAT: IP-1.1.1.1(from IPPOOL), port-52794"
2022-07-15 08:44:03 id=20085 trace_id=91 func=fw_pre_route_handler line=181 msg="VIP-192.168.172.6:443, outdev-unknown"
2022-07-15 08:44:03 id=20085 trace_id=91 func=__ip_session_run_tuple line=3492 msg="DNAT 1.1.1.1:443->192.168.172.6:443"
2022-07-15 08:44:03 id=20085 trace_id=91 func=vf_ip_route_input_common line=2589 msg="Match policy routing id=1: to 2.2.2.2 via if
index-6"
2022-07-15 08:44:03 id=20085 trace_id=91 func=vf_ip_route_input_common line=2615 msg="find a route: flag=04000000 gw-2.2.2.2 via w
an2"
2022-07-15 08:44:03 id=20085 trace_id=91 func=fw_forward_handler line=687 msg="Denied by forward policy check (policy 0)"
2022-07-15 08:44:03 id=20085 trace_id=92 func=print_pkt_detail line=5746 msg="vd-root:0 received a packet(proto=6, 10.0.176.60:52795->85.1
3.111.105:443) from BiGy_WiFi. flag [S], seq 15044941, ack 0, win 64240"
2022-07-15 08:44:03 id=20085 trace_id=92 func=init_ip_session_common line=5918 msg="allocate a new session-913d883c"
2022-07-15 08:44:03 id=20085 trace_id=92 func=get_new_addr line=1229 msg="find DNAT: IP-192.168.172.6, port-443"
2022-07-15 08:44:03 id=20085 trace_id=92 func=get_new_addr line=1229 msg="find SNAT: IP-1.1.1.1(from IPPOOL), port-52795"
2022-07-15 08:44:03 id=20085 trace_id=92 func=fw_pre_route_handler line=181 msg="VIP-192.168.172.6:443, outdev-unknown"
2022-07-15 08:44:03 id=20085 trace_id=92 func=__ip_session_run_tuple line=3492 msg="DNAT 1.1.1.1:443->192.168.172.6:443"
2022-07-15 08:44:03 id=20085 trace_id=92 func=vf_ip_route_input_common line=2589 msg="Match policy routing id=1: to 2.2.2.2 via if
index-6"

 

 

 

GUI:

Snímek obrazovky 2022-07-15 093002_edit.pngSnímek obrazovky 2022-07-15 093201_edit.png

Thank you 

Toshi_Esumi
Esteemed Contributor II

So you seem to have a policy route: everything from VLAN2 goes toward wan2. That's why those accesses to vlan1 IP and wan1 IP are steered toward wan2.

 

In your case you need to add another, or two more policy routes to override the existing policy route or exclude them, and place them above the existing one.

 

Toshi

kvemi

Thanks for the help and direction leading to a resolved issue.


I added policy routes first and set stop policy routing. Now everything works as I need.

 

Thank you

Toshi_Esumi
Esteemed Contributor II

By the way, to set VLAN1 to use wan1 and VLAN2 to use wan2, you don't have to have a policy route. By having two default routes to both wan1 and wan2 you can use just firewall policies to dictate which wan interface to use for the internet. Policy routes cause necessity of another policy route like this, then another one when you need to change something, and again and again. I call it "policy route jail". If possible, better avoid using it.

 

Toshi

kvemi

Thank you for the warning. We'll try to adjust it to make it right.