Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Matie
New Contributor

Why I cannot ping internet

Hi,

 

I don't understand why I cannot ping the internet from clients. I can ping the subinterface on port 2, 23.1.2.71. But if I try to ping 8.8.8.8 from Linux or a VPC, it is unsuccessful. I have a static route on the FortiGate, 0.0.0.0/0 to router 23.1.2.1, which is the router IP on port gi0/0. Switch ports gi0/0 and gi0/2 are trunks and ports gi0/1 and gi0/3 are VLAN interfaces. I can ping the internet (8.8.8.8) from the FortiGate. Something on the FW is missing, I guess. Policies are applied, and when I ping from a client to the subinterface "To Internet", the policy is working. Please check the pictures.

Attachments: Policy.jpg, Ports.jpg, Topology.jpg

Markus_M

Hello Matie,

 

It will help to run the sniffer this way:

diag sniffer packet any 'icmp and host 8.8.8.8' 4 0 a

You filter only in one direction. The filter above shows packets in both directions, on any interface, and also shows which interface. You may then see the packet on an inbound interface and again on the outbound interface (suggesting a firewall policy is in place and allows the traffic).

 

Looks like this:

diag sniffer packet any 'icmp and host 8.8.8.8' 4 0 a
interfaces=[any]
filters=[icmp and host 8.8.8.8]
2022-08-24 22:50:59.879436 internal6 in 192.168.111.2 -> 8.8.8.8: icmp: echo request
2022-08-24 22:50:59.879610 wan1 out 123.123.123.123 -> 8.8.8.8: icmp: echo request
2022-08-24 22:50:59.896803 wan1 in 8.8.8.8 -> 123.123.123.123: icmp: echo reply
2022-08-24 22:50:59.896865 internal6 out 8.8.8.8 -> 192.168.111.2: icmp: echo reply
2022-08-24 22:51:00.881151 internal6 in 192.168.111.2 -> 8.8.8.8: icmp: echo request
2022-08-24 22:51:00.881288 wan1 out 123.123.123.123 -> 8.8.8.8: icmp: echo request
2022-08-24 22:51:00.936263 wan1 in 8.8.8.8 -> 123.123.123.123: icmp: echo reply
2022-08-24 22:51:00.936315 internal6 out 8.8.8.8 -> 192.168.111.2: icmp: echo reply

 

Best regards,

 

Markus
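The four-stage pattern in the sniffer output above (request in on the inside interface, request out on the WAN interface, reply in, reply out) is what you read by eye when a ping fails. Here is an added Python example, not code from the original post or from Fortinet, that parses `diag sniffer packet` output in the verbose-4 format shown in this reply and reports at which stage the exchange stops and whether the source address was NATed on egress. The healthy sample is the capture from the reply above; the two failing samples, the interface names vlan10/vlan23, the client address and the timestamps are constructed for illustration, not captured from the poster's FortiGate.

```python
import re

# SAMPLE_OK copies the healthy exchange shown in the reply above.
SAMPLE_OK = """\
2022-08-24 22:50:59.879436 internal6 in 192.168.111.2 -> 8.8.8.8: icmp: echo request
2022-08-24 22:50:59.879610 wan1 out 123.123.123.123 -> 8.8.8.8: icmp: echo request
2022-08-24 22:50:59.896803 wan1 in 8.8.8.8 -> 123.123.123.123: icmp: echo reply
2022-08-24 22:50:59.896865 internal6 out 8.8.8.8 -> 192.168.111.2: icmp: echo reply
"""

# Constructed (assumed interface names/addresses): the request leaves the WAN
# side with its private source unchanged and nothing ever comes back.
SAMPLE_NO_NAT = """\
2022-08-24 22:55:01.000100 vlan10 in 10.10.10.49 -> 8.8.8.8: icmp: echo request
2022-08-24 22:55:01.000250 vlan23 out 10.10.10.49 -> 8.8.8.8: icmp: echo request
2022-08-24 22:55:02.000100 vlan10 in 10.10.10.49 -> 8.8.8.8: icmp: echo request
2022-08-24 22:55:02.000250 vlan23 out 10.10.10.49 -> 8.8.8.8: icmp: echo request
"""

# Constructed: the request reaches the FortiGate but never leaves it.
SAMPLE_DROPPED = """\
2022-08-24 22:58:01.000100 vlan10 in 10.10.10.49 -> 8.8.8.8: icmp: echo request
"""

# One sniffer line at verbosity 4 with absolute timestamps ('a' flag):
# "<date> <time> <iface> <in|out> <src> -> <dst>: icmp: echo <request|reply>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<iface>\S+) (?P<dir>in|out) "
    r"(?P<src>\S+) -> (?P<dst>\S+): icmp: echo (?P<kind>request|reply)$"
)

NEXT_STEP = {
    "no_request_reached_fortigate": "Client traffic never hits the FortiGate: check the client gateway, VLAN tagging and the switch trunk.",
    "request_dropped_by_fortigate": "FortiGate received the request but did not forward it: check the policy, the route lookup and 'diagnose debug flow'.",
    "no_reply_from_upstream": "Request left the FortiGate but no reply returned: the upstream router needs a route back to the source, or the policy needs NAT.",
    "reply_dropped_by_fortigate": "Reply arrived but was not forwarded: look for asymmetric routing or a session mismatch.",
    "ok": "Both directions traverse the FortiGate; the problem is elsewhere.",
}


def parse(text):
    """Return parsed sniffer records, skipping header and non-ICMP-echo lines."""
    return [m.groupdict() for m in (LINE_RE.match(l.strip()) for l in text.splitlines()) if m]


def diagnose(text, remote="8.8.8.8"):
    """Classify where an echo exchange with `remote` stops on the FortiGate.

    Returns the (interface, inside/egress address) pairs seen at each of the
    four stages, whether source NAT was applied on egress, and a verdict key
    into NEXT_STEP."""
    stage = {"req_in": [], "req_out": [], "rep_in": [], "rep_out": []}
    for r in parse(text):
        if r["kind"] == "request" and r["dst"] == remote:
            stage["req_" + r["dir"]].append((r["iface"], r["src"]))
        elif r["kind"] == "reply" and r["src"] == remote:
            stage["rep_" + r["dir"]].append((r["iface"], r["dst"]))

    inside_src = {src for _, src in stage["req_in"]}
    egress_src = {src for _, src in stage["req_out"]}
    # Source NAT shows up as a different source on the egress interface.
    egress_nat = bool(egress_src) and egress_src.isdisjoint(inside_src)

    if not stage["req_in"]:
        verdict = "no_request_reached_fortigate"
    elif not stage["req_out"]:
        verdict = "request_dropped_by_fortigate"
    elif not stage["rep_in"]:
        verdict = "no_reply_from_upstream"
    elif not stage["rep_out"]:
        verdict = "reply_dropped_by_fortigate"
    else:
        verdict = "ok"

    return {
        "stages": {k: sorted(set(v)) for k, v in stage.items()},
        "egress_nat": egress_nat,
        "verdict": verdict,
        "next_step": NEXT_STEP[verdict],
    }


if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("no_nat", SAMPLE_NO_NAT), ("dropped", SAMPLE_DROPPED)):
        d = diagnose(sample)
        print(f"{name}: {d['verdict']} (egress NAT: {d['egress_nat']}) -> {d['next_step']}")
```

Paste the sniffer output into a file and feed it to `diagnose()`; the verdict tells you which side of the FortiGate to look at next. The case worth watching for is a request going out with its private source unchanged and no reply coming back: with NAT off, the upstream router must have a route back to the inside subnet via the FortiGate, otherwise its replies go elsewhere and the sniffer shows requests only.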

Matie
New Contributor

Hello Markus,

 

I did it. The filter is in place but it still shows traffic only one way. I have tried to ping from both hosts. There is only an echo request and no echo reply, etc. Any idea why I see only the echo request? Can you please help? Please bear with me, I am new to Fortinet. Thanks
Attachment: Troubleshooting.jpg

Muhammad_Haiqal

Hi @Matie ,

Thank you for providing the information. I can see direct connectivity (same segment is fine) based on your ping test.

 

Can you summarize the findings like this:

10.10.10.49 to 10.10.10.1(fgt) - OK/Not ok

10.10.10.49 to 23.1.2.71(fgt) - OK/ Not ok

10.10.10.49 to 23.1.2.1(fgt) - OK/Not ok

23.1.2.100 to 8.8.8.8 - OK/not OK << this is a direct test to router.

 

I'm also concerned about your setup from the switch to the router. I believe you should make it "access port vlan 23" instead of a trunk.

Can you add one more PC sitting on VLAN 23, with GW 23.1.2.1 (router)?
This PC would be directly connected to your router, bypassing the FortiGate.
Are you able to get to the internet?

haiqal
Matie

10.10.10.49 to 10.10.10.1(fgt) - OK

10.10.10.49 to 23.1.2.71(fgt) - OK

10.10.10.49 to 23.1.2.1(router) - Not ok

23.1.2.100 to 8.8.8.8 - OK - direct connection to router without FortiGate

 

If I reconfigure the trunk port on the switch as an access port, I lose connectivity with the internet. The port has to be configured as a trunk.

I have added a PC to VLAN 23 with gateway 23.1.2.1 (router). It is directly connected to the router via the switch. The FortiGate is bypassed and there is connectivity with the internet (8.8.8.8). What else can we do here?

Attachments: Ping.jpg, Topology.jpg
