tturba
New Contributor III

BGP not using public IP address on outgoing IF

Hello. I'm migrating configuration from a Juniper JSR4350 to a FortiGate 140D unit with BGP, and almost everything is working. My domains are available online with public class C addresses like X.Y.Z.0/24, but when I surf the internet my IP is seen as the ISP interface on the router, like 2.0.0.162, not X.Y.Z.129. I was trying to add an IP pool with overload on one address, X.Y.Z.129, but my BGP is connected to a normal router and the connection is being disabled, so this is not working for me, but it is all about what I need: http://www.mylesgray.com/...policy-on-a-fortigate/

I think this could be related to NEXT_HOP or ROUTE_MAP, or the routing table?

The routing goes like this:

BGP device X.Y.Z.190 = route dst X.Y.Z.0/24 next-hop X.Y.Z.129
FW device 10.0.0.1 = route dst 0.0.0.0 next-hop X.Y.Z.190

It looks like a routing loop? But it worked on Juniper.

Thanks in advance, regards!

emnoc
Esteemed Contributor III

Qs:

• You mention BGP but is this a SNAT related issue?
• Did you run diag debug flow?
• Are the networks you're advertising showing up on a route-server/looking-glass?
• The ippool that your SNAT uses, is it being advertised?

For the latter, you might have to define a loopback address and static the ippool /24s behind that interface. BGP will need the route in the local route-table in order to advertise it.

PCNSE NSE StrongSwan
tturba
New Contributor III

Hello! Thanks for the quick reply.


1. Basically it is probably a SNAT issue. I've tried this: http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=11969&sliceId=1&d... but the network goes down, probably by a routing loop?

BGP device X.Y.Z.190 = route dest X.Y.Z.0/24 next-hop X.Y.Z.129
FW device 10.0.0.1 = route dest 0.0.0.0 next-hop X.Y.Z.190

2. I did not run the diag debug flow, I'm reading the manual for now. Can you send me the whole command and what to search for?

3. The routing on FortiGate looks like this:

FG # get router info routing-table all | grep X.Y.Z.
B X.Y.Z.0/24 [20/0] is a summary, Null, 19:48:39
S X.Y.Z.0/26 [10/0] via X.Y.Z.129, port3
C X.Y.Z.128/26 is directly connected, port3
S X.Y.Z.240/29 [10/0] via X.Y.Z.129, port3

FG #

And this is my FG BGP configuration:

    config router bgp
        set as 00000
        set router-id X.Y.Z.190
        set keepalive-timer 45
        set holdtime-timer 120
        set bestpath-med-missing-as-worst enable
        set log-neighbour-changes enable
        set graceful-restart enable
            config aggregate-address
                edit 1
                    set prefix X.Y.Z.0 255.255.255.0
                    set as-set enable
                next
            end
            config neighbor
                edit "3.3.3.33"
                    set description "ISP3"
                    set remote-as 33333
                    set send-community6 disable
                    set keep-alive-timer 45
                    set holdtime-timer 120
                    set connect-timer 60
                    set weight 50
                next
                edit "2.2.2.157"
                    set description "ISP2"
                    set remote-as 222222
                    set send-community6 disable
                    set keep-alive-timer 45
                    set holdtime-timer 120
                    set connect-timer 60
                    set weight 100
                next
                edit "1.1.1.161"
                    set next-hop-self enable
                    set description "ISP1"
                    set remote-as 11111
                    set send-community6 disable
                    set keep-alive-timer 45
                    set holdtime-timer 120
                    set connect-timer 60
                    set weight 250
                next
            end
            config network
                edit 1
                    set prefix X.Y.Z.0 255.255.255.0
                next
            end
            config redistribute "connected"
            end
            config redistribute "rip"
            end
            config redistribute "ospf"
            end
            config redistribute "static"
                set status enable
            end
            config redistribute "isis"
            end
            config redistribute6 "connected"
            end
            config redistribute6 "rip"
            end
            config redistribute6 "ospf"
            end
            config redistribute6 "static"
            end
            config redistribute6 "isis"
            end
        set graceful-stalepath-time 180
        set graceful-update-delay 180
    end

I think I'm missing something, maybe this SNAT as you said, but how to implement this if the network goes down... Basically, maybe the route also isn't advertised correctly? I can use X.Y.Z.0/24 on the Internet, but only the outgoing interface is not working with this address (X.Y.Z.129), and the SMTP server also (X.Y.Z.189) - I land on a blacklist because the ISP interface is being used.

This is my old configuration which is working correctly, but the device is too old :)

    interfaces {
        ge-0/0/0 {
            unit 0 {
                family inet {
                    address 10.100.140.254/24;
                }
            }
        }
        ge-0/0/1 {
            description INSITE;
            unit 0 {
                description INSITE_if;
                family inet {
                    address X.Y.Z.190/26;
                }
            }
        }
        ge-0/0/2 {
            description ISP2;
            unit 0 {
                description ISP2;
                family inet {
                    address 2.2.2.158/30;
                }
            }
        }
        ge-0/0/3 {
            description ISP1;
            unit 0 {
                description ISP1;
                family inet {
                    address 1.1.1.162/30;
                }
            }
        }
        lo0 {
            unit 0 {
                family inet {
                    address 127.0.0.1/32;
                }
            }
        }
    }
    routing-options {
        static {
            route X.Y.Z.0/26 next-hop X.Y.Z.129;
            route 10.0.0.0/8 next-hop 10.100.140.1;
            route X.Y.Z.240/29 next-hop X.Y.Z.129;
        }
        aggregate {
            route X.Y.Z.0/24;
        }
        router-id X.Y.Z.190;
        autonomous-system XXXXX loops 1;
    }
    protocols {
        bgp {
            accept-remote-nexthop;
            group NETIA {
                type external;
                export [ R_PUB_POLICY REJECT_ALL ];
                neighbor 1.1.1.161 {
                    peer-as 11111;
                }
            }
            group MULTIPLAY {
                type external;
                export [ R_PUB_POLICY REJECT_ALL ];
                neighbor 2.2.2.157 {
                    peer-as 222222;
                }
            }
        }
    }
    policy-options {
        prefix-list R_PUB {
            X.Y.Z.0/24;
        }
        policy-statement R_PUB_POLICY {
            from {
                protocol aggregate;
                prefix-list R_PUB;
            }
            then accept;
        }
        policy-statement REJECT_ALL {
            then reject;
        }
    }
    security {
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        queue-size 2000;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        zones {
            security-zone trust {
                tcp-rst;
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                http;
                                https;
                                ssh;
                                telnet;
                                dhcp;
                            }
                        }
                    }
                    ge-0/0/1.0;
                    ge-0/0/2.0 {
                        host-inbound-traffic {
                            system-services {
                                ping;
                            }
                            protocols {
                                bgp;
                            }
                        }
                    }
                    ge-0/0/3.0 {
                        host-inbound-traffic {
                            system-services {
                                ping;
                            }
                            protocols {
                                bgp;
                            }
                        }
                    }
                }
            }
            security-zone untrust {
                screen untrust-screen;
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
            }
        }
        policies {
            from-zone trust to-zone trust {
                policy default-permit {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone trust to-zone untrust {
                policy ban-ntp {
                    match {
                        source-address any;
                        destination-address any;
                        application [ junos-nntp junos-ntp junos-ms-sql ];
                    }
                    then {
                        deny;
                    }
                }
                policy default-permit {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone untrust to-zone trust {
                policy ban-ntp {
                    match {
                        source-address any;
                        destination-address any;
                        application [ junos-ntp junos-nntp junos-ms-sql ];
                    }
                    then {
                        deny;
                    }
                }
                policy default-deny {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            default-policy {
                deny-all;
            }
        }
    }

emnoc
Esteemed Contributor III

1st let's start by seeing what you're sending via BGP. The distribution of BGP is one thing, the SNAT is another (ip pools).

So are you sending the prefix that contains the nat-pool?

get router info bgp neighbors
get router info bgp network
diag debug reset
diagnose ip router bgp events <insert ipv4 address/prefix>
diag debug enable

If that looks good, run the diagnostic flow command against one host that is sending traffic that should be SNATed:

diag debug disable
diag debug reset
diag debug flow filter addr <x.y.x.x>
diag debug flow show console enable
diag debug enable
diag debug flow trace start 100

Now start some traffic and review and capture the output.

When done, reset diagnostics:

diag debug disable
diag debug reset

Start with the above. I'm assuming the summary route in your route-table is the prefixes you're sending and covers the ip-pool range?
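The two checks emnoc keeps coming back to (is the ip-pool address inside the advertised prefix, and does the edge box itself have a route for it) can be modelled offline before touching the firewall. The script below is an added example, not code from this thread, from Fortinet or from the original poster. It parses the `get router info routing-table` line format tturba pasted, does a longest-prefix lookup, and follows a return packet across the two boxes the opening post describes (the BGP device at X.Y.Z.190 and the inner firewall at X.Y.Z.129 / 10.0.0.1). Everything concrete is constructed: 203.0.113.0/24 (TEST-NET-3) stands in for X.Y.Z.0/24, 198.51.100.1 is a made-up ISP next hop, the FortiGate default route and the whole inner-firewall table are assumptions, and the `AS_DESCRIBED` table is the opening post's "X.Y.Z.0/24 next-hop X.Y.Z.129" routing without the Null summary route. It goes beyond the thread in one respect: it runs both the posted table and the described one through the same tracer, so the difference between a blackhole and a loop is visible.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: 203.0.113.0/24 stands in for the thread's X.Y.Z.0/24 and 198.51.100.1
# is a made-up ISP next hop. The B/S/C lines mirror the poster's output; the default route is assumed.
FORTIGATE_TABLE = """\
S* 0.0.0.0/0 [10/0] via 198.51.100.1, wan1
B 203.0.113.0/24 [20/0] is a summary, Null, 19:48:39
S 203.0.113.0/26 [10/0] via 203.0.113.129, port3
C 203.0.113.128/26 is directly connected, port3
S 203.0.113.240/29 [10/0] via 203.0.113.129, port3
"""
# Inner firewall (10.0.0.1 / X.Y.Z.129): default back to the BGP device, its blocks connected (assumed).
INNER_FW_TABLE = """\
S* 0.0.0.0/0 [10/0] via 203.0.113.190, port1
C 203.0.113.0/26 is directly connected, port2
C 203.0.113.128/26 is directly connected, port1
C 203.0.113.240/29 is directly connected, port3
"""
# The BGP device as the opening post describes it: whole /24 at the inner firewall, no Null summary.
AS_DESCRIBED_TABLE = """\
S* 0.0.0.0/0 [10/0] via 198.51.100.1, wan1
S 203.0.113.0/24 [10/0] via 203.0.113.129, port3
C 203.0.113.128/26 is directly connected, port3
"""
ADVERTISED = [ipaddress.ip_network("203.0.113.0/24")]  # 'config network' / aggregate-address prefix

@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: Optional[ipaddress.IPv4Address] = None
    connected: bool = False
    null: bool = False

@dataclass
class Device:
    name: str
    addresses: set[str]   # addresses this box answers for (next hop / on-link ARP)
    routes: list[Route]

def parse_routing_table(text: str) -> list[Route]:
    """Parse the FortiOS 'get router info routing-table' line format shown above."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        prefix = ipaddress.ip_network(parts[1])
        if "Null" in line:
            routes.append(Route(prefix, null=True))
        elif "directly connected" in line:
            routes.append(Route(prefix, connected=True))
        elif "via" in parts:
            hop = parts[parts.index("via") + 1].rstrip(",")
            routes.append(Route(prefix, next_hop=ipaddress.ip_address(hop)))
    return routes

def longest_match(routes: list[Route], ip: ipaddress.IPv4Address) -> Optional[Route]:
    matches = [r for r in routes if ip in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)

def trace(dst: str, start: Device, devices: list[Device], max_hops: int = 8):
    """Follow a packet for dst through the modelled tables; returns (verdict, path)
    with verdict one of delivered / blackhole / loop / exits / no-route."""
    ip = ipaddress.ip_address(dst)
    owner_of = {a: d for d in devices for a in d.addresses}
    path, seen, dev = [start.name], {start.name}, start
    for _ in range(max_hops):
        route = longest_match(dev.routes, ip)
        if route is None:
            return "no-route", path
        if route.null:
            return "blackhole", path             # summary-to-Null: dropped on this box
        if route.connected:
            if str(ip) not in dev.addresses:     # on-link: whoever owns the address answers
                owner = owner_of.get(str(ip))
                path.append(owner.name if owner else f"host on {route.prefix}")
            return "delivered", path
        nxt = owner_of.get(str(route.next_hop))
        if nxt is None:
            return "exits", path                 # next hop outside the model (the ISP)
        path.append(nxt.name)
        if nxt.name in seen:
            return "loop", path
        seen.add(nxt.name)
        dev = nxt
    return "loop", path

FORTIGATE = Device("fortigate", {"203.0.113.190"}, parse_routing_table(FORTIGATE_TABLE))
INNER_FW = Device("inner_fw", {"203.0.113.129", "10.0.0.1"}, parse_routing_table(INNER_FW_TABLE))
AS_DESCRIBED = Device("as_described", {"203.0.113.190"}, parse_routing_table(AS_DESCRIBED_TABLE))

def check_snat_address(addr: str, edge: Device, devices: list[Device]) -> dict:
    """emnoc's two questions for one candidate ip-pool address: is it inside an
    advertised prefix, and where does return traffic land once it reaches the edge?"""
    ip = ipaddress.ip_address(addr)
    verdict, path = trace(addr, edge, devices)
    return {"address": addr, "advertised": any(ip in p for p in ADVERTISED),
            "return_path": verdict, "lands_on": path[-1]}
```

Running `check_snat_address` against the posted table shows the three cases the thread circles around: an address inside the inner /26 is delivered through the inner firewall; X.Y.Z.129 is answered on-link by the inner firewall, so return traffic for an ip-pool built on that address never reaches the FortiGate's own NAT session; and an address in the unused part of the /24 is advertised but falls into the `Null` summary route and is dropped, which is exactly why emnoc suggests putting the pool behind a loopback with a static route. Tracing the same unused address through the `AS_DESCRIBED` table, where the /24 points at the inner firewall and the inner firewall's default points back, returns a `loop`, matching the opening post's suspicion.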
tturba
New Contributor III


Thank you for the quick learning guide, I will do this, but basically I disabled the NAT on the policy LAN->WAN and it started to work! This post: https://forum.fortinet.co...p;m=128453&mpage=1
