Hi,
First time user of the Fortinet Products.
I've followed the instructions in the docs to setup the fortigate as VM in VMWare ESXI 8, so far so good. Got my first WAN/LAN with IPAM setup. All working fine. Now for the part I can't seem to get working...
On the WAN i've got a /29 subnet assigned to me. I want to be able to use routing rules to dynamically assign ports/entire ip to servers in my LAN. The /29 subnet is delivered on a virtual switch. It enters the physical machine on the same cable on VLAN 4000. To make it easier i've created a VSwitch in ESXI at VLAN 4000 and patched it as Port 3 to the Fortigate. I've received all the details about the subnet as follows:
Subnet: | xx.xx.xx.224/29 |
Gateway: | xx.xx.xx.225 |
Netmask: | 255.255.255.248 |
Broadcast: | xx.xx.xx.231 |
When on port 3 i try to enter xx.xx.xx.224/29 as the ip i get the following error: Invalid IP Netmask.
When on port 3 i try to enter xx.xx.xx.225/29 as the ip it will let me save it. Unfortunately this does not work. When i try to ping the IP from my workstation (external to the network) it doesn't let me. (I didn't forget to allow the pings using the checkbox under administrative access). Neither does this work for xx.xx.xx.226/29, xx.xx.xx.226/32, etc. Also tried WAN/DMZ/Undefined, and many more different settings
What am i doing wrong or what can I do to debug this issue a bit more? I'm not bound to the external vswitch hetzner provides and also have a /29 subnet available directly on the primary WAN. I'm currently just looking for a solution.
Thanks in advance,
Kevin :)
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hello,
You may consider to sniff traffic "diagnose sniffer packet any 'host <destination IP address>' 4 0 a" and collect debug flow:
diagnose debug flow show function-name enable
diagnose debug flow filter daddr <destination IP address>
diagnose debug flow trace start 10
diagnose debug enable
while trying to ping.
Created on 09-12-2023 12:56 AM Edited on 09-12-2023 12:59 AM
Hi,
I'm unfortunately not able to ping from the cli. I've also tried to do execute ping but it doesn't seem to work. This was from the CLI widget in the UI. Response is: Unknown action 0
Hello,
You may open several CLI GUI widgets simultaneously. And try to ping and collect debugs simultaneously.
Hi there,
I believe that .224/29 is your IP block not usable IP that why when enter 224/29 FGT will not let you save it. Your usable IP for that block begin from 225. Do you have any default route using port3 with the gateway of 225 and assign 226 for your port3? Can you try to assign 226 for port 3, created default route with gateway 225 via port3 and ping 226 from your computer and run the following command to see if traffic is arrived at FortiGate:
diag debug reset
diag debug flow filter addr X.X.X.226
diag debug flow filter proto 1
diag debug flow show ip en
diag debug flow show func en
diag debug console time ena
diag debug ena
diag debug flow trace start 999
Regards,
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1697 | |
1092 | |
752 | |
446 | |
228 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.