kevinVoosterhout
New Contributor

/29 Wan subnet on Hetzner Dedicated server not working

Hi,

First-time user of the Fortinet products.

I've followed the instructions in the docs to set up the FortiGate as a VM in VMware ESXi 8, so far so good. Got my first WAN/LAN with IPAM set up. All working fine. Now for the part I can't seem to get working...

On the WAN I've got a /29 subnet assigned to me. I want to be able to use routing rules to dynamically assign ports/entire IPs to servers in my LAN. The /29 subnet is delivered on a virtual switch. It enters the physical machine on the same cable on VLAN 4000. To make it easier I've created a vSwitch in ESXi at VLAN 4000 and patched it as Port 3 to the FortiGate. I've received all the details about the subnet as follows:

 

Subnet:

xx.xx.xx.224/29

Gateway:

xx.xx.xx.225

Netmask:

255.255.255.248

Broadcast:

xx.xx.xx.231

When on port 3 I try to enter xx.xx.xx.224/29 as the IP I get the following error: Invalid IP Netmask.

When on port 3 I try to enter xx.xx.xx.225/29 as the IP it will let me save it. Unfortunately this does not work. When I try to ping the IP from my workstation (external to the network) it doesn't let me. (I didn't forget to allow the pings using the checkbox under administrative access.) Neither does this work for xx.xx.xx.226/29, xx.xx.xx.226/32, etc. Also tried WAN/DMZ/Undefined, and many more different settings.

What am I doing wrong, or what can I do to debug this issue a bit more? I'm not bound to the external vSwitch Hetzner provides and also have a /29 subnet available directly on the primary WAN. I'm currently just looking for a solution.

 

Thanks in advance,

Kevin :)
abarushka
Staff

Hello,

 

You may consider to sniff traffic "diagnose sniffer packet any 'host <destination IP address>' 4 0 a" and collect debug flow:

 

diagnose debug flow show function-name enable

diagnose debug flow filter daddr <destination IP address>

diagnose debug flow trace start 10

diagnose debug enable

 

while trying to ping.

kevinVoosterhout

Hi,

 

I'm unfortunately not able to ping from the cli. I've also tried to do execute ping but it doesn't seem to work. This was from the CLI widget in the UI. Response is: Unknown action 0

abarushka

Hello,

 

You may open several CLI GUI widgets simultaneously, and try to ping and collect debugs at the same time.
mle2802
Staff

Hi there,

I believe that .224/29 is your IP block, not a usable IP; that is why when you enter 224/29 FGT will not let you save it. Your usable IPs for that block begin from 225. Do you have any default route using port3 with the gateway of 225 and assign 226 for your port3? Can you try to assign 226 for port3, create a default route with gateway 225 via port3, ping 226 from your computer, and run the following commands to see if traffic has arrived at the FortiGate:

diag debug reset
diag debug flow filter addr X.X.X.226
diag debug flow filter proto 1
diag debug flow show ip en
diag debug flow show func en
diag debug console time ena
diag debug ena
diag debug flow trace start 999

Regards,
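A worked check of the addressing point made above, added here as an example and not code from this thread or from Fortinet: it shows why .224/29 is rejected (it is the network address), confirms .225 and .226 are usable hosts, lists what is left for servers, and renders the matching interface and default-route CLI. The subnet values are constructed from the 203.0.113.0/24 documentation range; the FortiGate CLI syntax is assumed and should be checked against the CLI reference for your firmware.

```python
import ipaddress
# Constructed example values (TEST-NET-3 documentation range, not a real assignment).
EXAMPLE_SUBNET = "203.0.113.224/29"
EXAMPLE_GATEWAY = "203.0.113.225"
EXAMPLE_PORT3_IP = "203.0.113.226"

def classify_address(ip: str, cidr: str) -> str:
    """Return 'network', 'broadcast', 'host' or 'outside' for ip relative to cidr."""
    net = ipaddress.ip_network(cidr, strict=False)
    addr = ipaddress.ip_address(ip)
    if addr not in net:
        return "outside"
    if addr == net.network_address:
        return "network"    # .224/29: the block itself, not assignable (GUI rejects it)
    if addr == net.broadcast_address:
        return "broadcast"  # .231/29: also not assignable
    return "host"

def plan_wan_block(cidr: str, gateway: str, interface_ip: str) -> dict:
    """Check gateway and interface IP are usable hosts; list what is left for servers."""
    net = ipaddress.ip_network(cidr, strict=False)
    for role, ip in (("gateway", gateway), ("interface", interface_ip)):
        if (kind := classify_address(ip, cidr)) != "host":
            raise ValueError(f"{role} {ip} is the {kind} address of {net}, not a usable host")
    if gateway == interface_ip:
        raise ValueError("the FortiGate interface IP must differ from the provider gateway")
    usable = [str(h) for h in net.hosts()]
    return {
        "network": str(net.network_address),
        "netmask": str(net.netmask),
        "broadcast": str(net.broadcast_address),
        "usable": usable,
        "free_for_servers": [h for h in usable if h not in (gateway, interface_ip)],
    }

def fortigate_cli(port: str, interface_ip: str, netmask: str, gateway: str) -> str:
    """Render the interface IP and default route as FortiGate CLI (syntax assumed; verify on your firmware)."""
    return f'''config system interface
    edit "{port}"
        set ip {interface_ip} {netmask}
        set allowaccess ping
    next
end
config router static
    edit 0
        set dst 0.0.0.0 0.0.0.0
        set gateway {gateway}
        set device "{port}"
    next
end'''
```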

