gniedy
New Contributor

Allow Traffic Between Different Ports with Different IPs

I have two different ports on my FortiGate:

port 1 ( 10.201.0.0/16)

port 2 ( 192.168.0.0/16)

I need to allow traffic between both ports, which will allow me to use all protocols. I made a policy route with a firewall policy but nothing happened.

ede_pfau
SuperUser

Delete the Policy Route. These networks already have (std) routes automatically, check Monitor > Routing Monitor.

You just need one policy per direction. If you have one, right-click and 'clone reverse'.

Ede Kernel panic: Aiee, killing interrupt handler!
gniedy

Thanks ede_pfau for your answer.

Do you mean firewall policy or policy route? I did both with no result. Sorry, I am not an expert with FortiGate.

ede_pfau

Well exactly, you only need a plain policy.

Policy routing is routing - and that is already handled for you.

Ede Kernel panic: Aiee, killing interrupt handler!
gniedy
New Contributor

Here is my firewall configuration:


config firewall policy
    edit 9
        set name "ALLOW LAN TO CCTV"
        set uuid 9df94930-c025-51e9-4feb-d27f2893ce1c
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set fsso disable
        set nat enable
    next
end
 
ede_pfau

Why NAT?

Usually, for LAN-to-LAN traffic, you don't use NAT.

NAT is mandatory for LAN-to-Internet traffic, as the next router (with your ISP) doesn't know your subnets.

Apart from that, your policy looks OK. A bit sloppy with 'all' instead of proper address objects, but that will do as well.

If this doesn't work for you, what exactly do you see if you, for example, ping from one host to the other?

Can each host ping the FGT port belonging to its LAN?

Ede Kernel panic: Aiee, killing interrupt handler!
gniedy

I disabled NAT.

If I ping from the FortiGate with execute ping everything is OK, and if I ping within the same subnet everything is OK, but when I try to ping from, for example, 10.201.2.111 to 192.168.10.10 it shows "request timed out".

ede_pfau

Check the hosts:

- the default route needs to be the IP address of the FGT port it's connected to.

Ede Kernel panic: Aiee, killing interrupt handler!
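The checks ede_pfau asks for above (does the echo request reach the FortiGate, does it leave on the other port, does the host even send it to the FortiGate) can be answered from the FortiGate CLI instead of guessing from "request timed out". The session below is an added example, not part of the thread; it assumes the two hosts from the thread (10.201.2.111 behind port1, 192.168.10.10 behind port2) and FortiOS 6.x command syntax. Lines beginning with # are comments.

```fortios
# Added example (not from the original thread): trace one ICMP echo from
# 10.201.2.111 (port1 side) to 192.168.10.10 (port2 side) through the FortiGate.

# 1. Both /16s must already be present as connected routes; no policy route is needed.
get router info routing-table connected

# 2. Does the echo request arrive on port1, and does it leave again on port2?
#    Verbosity 4 prints the interface name with every packet; stop after 10 packets.
diagnose sniffer packet any 'host 10.201.2.111 and host 192.168.10.10 and icmp' 4 10 l

# 3. If the request arrives but never leaves, ask the kernel which check dropped it.
diagnose debug flow filter saddr 10.201.2.111
diagnose debug flow filter daddr 192.168.10.10
diagnose debug flow filter proto 1
diagnose debug flow show function-name enable
diagnose debug enable
diagnose debug flow trace start 10
# ... now run the ping from 10.201.2.111 ...
diagnose debug flow trace stop
diagnose debug disable
diagnose debug reset
```

How to read the result: if the sniffer never shows the request on port1, the host is not sending it to the FortiGate (its default gateway is not the port1 address, which is ede_pfau's point). If the request shows on port1 but the flow trace ends in "Denied by forward policy check (policy 0)", no accept policy matched this direction (port1 to port2), so a policy for that direction is missing. If the request leaves on port2 but no reply comes back, look at 192.168.10.10 itself (its gateway or host firewall). Always finish with `diagnose debug reset`, otherwise the filter stays in place for the next engineer.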
gniedy

I can't change the default route, so I created a new route table, with no result again. I know I am missing something. Please, any more help?

Dave_Hall
Honored Contributor

Not sure if that is a typo: port 1 = 10.201.0.0/16 and port 2 = 192.168.0.0/16, but you are creating a firewall policy that goes from port 2 to port 1 while attempting to ping from port 1 to an address on port 2. I think you may also need a firewall policy in the opposite direction.


NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

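Putting ede_pfau's advice (one plain policy per direction, no NAT, proper address objects instead of 'all') and Dave_Hall's point (the missing port1-to-port2 policy) together, this is the complete configuration for the two LANs in the thread. It is an added example, not the poster's own configuration: the address object names and the policy IDs 10 and 11 are assumptions, so pick free IDs on your unit, and the existing policy 9 can be deleted once these are in place. Lines beginning with # are comments.

```fortios
# Added example (not from the original thread): address objects for the two
# LANs, then one accept policy per direction with NAT off.
# Object names and policy IDs 10/11 are assumed; use free IDs on your FortiGate.
config firewall address
    edit "CCTV_10.201.0.0_16"
        set subnet 10.201.0.0 255.255.0.0
    next
    edit "LAN_192.168.0.0_16"
        set subnet 192.168.0.0 255.255.0.0
    next
end

config firewall policy
    # port2 (LAN) -> port1 (CCTV): the direction the original policy 9 covered
    edit 10
        set name "LAN_to_CCTV"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "LAN_192.168.0.0_16"
        set dstaddr "CCTV_10.201.0.0_16"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat disable
    next
    # port1 (CCTV) -> port2 (LAN): the direction that was missing, needed for
    # the ping from 10.201.2.111 to 192.168.10.10 to be accepted
    edit 11
        set name "CCTV_to_LAN"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "CCTV_10.201.0.0_16"
        set dstaddr "LAN_192.168.0.0_16"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat disable
    next
end
```

Two things still hold regardless of the policies: routing between the two connected /16s is automatic (no policy route), and every host must use the FortiGate port address of its own LAN as default gateway, or at least carry a static route for the other /16 pointing at it. Once traffic flows, tighten `service "ALL"` to the protocols the CCTV side actually needs; a camera VLAN that can open any port toward the office LAN is a common pivot path.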