Here is the config for Wan1. It is working as far as passing traffic is concerned, however I cannot PING that interface externally (Or internally for that matter) I see that PING is enabled, what else am I missing?
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
If you've already verified that the ICMP packets are reaching the device (using the console sniffer, naturally) then this is pretty much your next step. It'll be really arcane to look at, but... try these in the console, then ping...
diagnose debug flow filter daddr 148.51.230.148
diagnose debug flow filter proto 1
diagnose debug flow trace start 10
diagnose debug enable
These will make the Fortinet spew to the console every little thing it knows or decides about the packet, and is mostly readable by the very brave. You can also add a source address (saddr) criteria if you know what the source IP address should show up as.
LAN -> WAN, I would expect a ping response from that interface so long as you have an appropriate firewall policy that allows PING.
Use an internal host to ping the WAN interface with the following on the FGT:
diag debug enable
diag debug flow filter proto 1
diag debug flow filter daddr <wan IP address>
diag debug flow filter saddr <host IP address>
diag debug flow trace start 5
... and see what you get.
Not being able to ping the interface from externally could be due to your ISP. Use similar commands given above to look for the incoming packets.
You could also grab a PCAP to check whether the packets are actually coming in.
Pete
You should be able to ping it internally assuming it's a ping echo request coming from a machine that can also access the internet through this interface.
Are you able to ping outside IP addresses like 9.9.9.9, 1.1.1.1 etc?
What does your local-in policy look like? (show firewall local-in-policy)
As requested by colleagues please get the debug flow output while pining the wan ip of firewall, we can isolate the issue
(root) # id=65308 trace_id=1 func=print_pkt_detail line=5892 msg="vd-root:0 received a packet(proto=1, 98.191.124.38:1->148.51.230.148:2048) tun_id=0.0.0.0 from wan1. type=8, code=0, id=1, seq=14232."
id=65308 trace_id=1 func=init_ip_session_common line=6073 msg="allocate a new session-022439b1, tun_id=0.0.0.0"
id=65308 trace_id=1 func=get_new_addr line=1228 msg="find DNAT: IP-10.2.0.2, port-0(fixed port)"
id=65308 trace_id=1 func=fw_pre_route_handler line=178 msg="VIP-10.2.0.2:1, outdev-wan1"
id=65308 trace_id=1 func=__ip_session_run_tuple line=3523 msg="DNAT 148.51.230.148:8->10.2.0.2:1"
id=65308 trace_id=1 func=vf_ip_route_input_common line=2605 msg="find a route: flag=00000000 gw-10.2.0.2 via VDOMLK-BERG0"
id=65308 trace_id=1 func=fw_forward_handler line=753 msg="Denied by forward policy check (policy 0)"
id=65308 trace_id=2 func=print_pkt_detail line=5892 msg="vd-root:0 received a packet(proto=1, 98.191.124.38:1->148.51.230.148:2048) tun_id=0.0.0.0 from wan1. type=8, code=0, id=1, seq=14233."
id=65308 trace_id=2 func=init_ip_session_common line=6073 msg="allocate a new session-022439da, tun_id=0.0.0.0"
id=65308 trace_id=2 func=get_new_addr line=1228 msg="find DNAT: IP-10.2.0.2, port-0(fixed port)"
id=65308 trace_id=2 func=fw_pre_route_handler line=178 msg="VIP-10.2.0.2:1, outdev-wan1"
id=65308 trace_id=2 func=__ip_session_run_tuple line=3523 msg="DNAT 148.51.230.148:8->10.2.0.2:1"
id=65308 trace_id=2 func=vf_ip_route_input_common line=2605 msg="find a route: flag=00000000 gw-10.2.0.2 via VDOMLK-BERG0"
id=65308 trace_id=2 func=fw_forward_handler line=753 msg="Denied by forward policy check (policy 0)"
id=65308 trace_id=3 func=print_pkt_detail line=5892 msg="vd-root:0 received a packet(proto=1, 98.191.124.38:1->148.51.230.148:2048) tun_id=0.0.0.0 from wan1. type=8, code=0, id=1, seq=14234."
id=65308 trace_id=3 func=init_ip_session_common line=6073 msg="allocate a new session-022439ee, tun_id=0.0.0.0"
id=65308 trace_id=3 func=get_new_addr line=1228 msg="find DNAT: IP-10.2.0.2, port-0(fixed port)"
id=65308 trace_id=3 func=fw_pre_route_handler line=178 msg="VIP-10.2.0.2:1, outdev-wan1"
id=65308 trace_id=3 func=__ip_session_run_tuple line=3523 msg="DNAT 148.51.230.148:8->10.2.0.2:1"
id=65308 trace_id=3 func=vf_ip_route_input_common line=2605 msg="find a route: flag=00000000 gw-10.2.0.2 via VDOMLK-BERG0"
id=65308 trace_id=3 func=fw_forward_handler line=753 msg="Denied by forward policy check (policy 0)"
id=65308 trace_id=4 func=print_pkt_detail line=5892 msg="vd-root:0 received a packet(proto=1, 98.191.124.38:1->148.51.230.148:2048) tun_id=0.0.0.0 from wan1. type=8, code=0, id=1, seq=14235."
id=65308 trace_id=4 func=init_ip_session_common line=6073 msg="allocate a new session-02243a06, tun_id=0.0.0.0"
id=65308 trace_id=4 func=get_new_addr line=1228 msg="find DNAT: IP-10.2.0.2, port-0(fixed port)"
id=65308 trace_id=4 func=fw_pre_route_handler line=178 msg="VIP-10.2.0.2:1, outdev-wan1"
id=65308 trace_id=4 func=__ip_session_run_tuple line=3523 msg="DNAT 148.51.230.148:8->10.2.0.2:1"
id=65308 trace_id=4 func=vf_ip_route_input_common line=2605 msg="find a route: flag=00000000 gw-10.2.0.2 via VDOMLK-BERG0"
id=65308 trace_id=4 func=fw_forward_handler line=753 msg="Denied by forward policy check (policy 0)"
id=65308 trace_id=5 func=print_pkt_detail line=5892 msg="vd-root:0 received a packet(proto=1, 98.191.124.38:1->148.51.230.148:2048) tun_id=0.0.0.0 from wan1. type=8, code=0, id=1, seq=14236."
id=65308 trace_id=5 func=init_ip_session_common line=6073 msg="allocate a new session-02243a2c, tun_id=0.0.0.0"
id=65308 trace_id=5 func=get_new_addr line=1228 msg="find DNAT: IP-10.2.0.2, port-0(fixed port)"
id=65308 trace_id=5 func=fw_pre_route_handler line=178 msg="VIP-10.2.0.2:1, outdev-wan1"
id=65308 trace_id=5 func=__ip_session_run_tuple line=3523 msg="DNAT 148.51.230.148:8->10.2.0.2:1"
id=65308 trace_id=5 func=vf_ip_route_input_common line=2605 msg="find a route: flag=00000000 gw-10.2.0.2 via VDOMLK-BERG0"
id=65308 trace_id=5 func=fw_forward_handler line=753 msg="Denied by forward policy check (policy 0)"
Looks like you have a DNAT policy that is mapping 148.51.230.148 -> 10.2.0.2.
There is then no firewall policy to allow that traffic (hence the "Denied by forward policy check (policy 0)").
Pete
To expand on this correct answer you need to look at your VIPs and find the one that is mapping one-to-one your WAN1 interface IP to the internal address 10.2.0.2. This VIP is causing all traffic destined to WAN1 int IP to go to 10.2.0.2.
You probably want to adjust the VIP to be a port-based VIP so it's not hijacking your entire WAN IP.
I cannot ping 148.51.230.148 neither internally or externally.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1696 | |
1091 | |
752 | |
446 | |
228 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.