Client connected to DMZ can't go out to the Internet
Hi,
Help me to resolve the problem described below, please.
I've installed a FortiGate 60B and now need to provide access for our guests.
Guests must be isolated from the office infrastructure.
For this configuration I've set up the DMZ interface with a DHCP server.
A client connected to the DMZ port gets its DHCP configuration but can't go out to the Internet.
Internal interface:
Addressing mode: manual (10.0.0.250/24)
DMZ interface config:
Addressing mode: manual (192.168.16.1/24)
DHCP server config (for DMZ interface):
Type: regular
IP: 192.168.16.100-199
Netmask: 255.255.255.0
Def Gateway: 192.168.16.1
DNS: 192.168.16.1
Policy:
DMZ(all) --> WAN1(all) = accept
14 REPLIES
Hi,
and welcome to the forums.
Make sure you have NAT checked in the policy. Without it, reply traffic cannot be routed back to your network.
Ede Kernel panic: Aiee, killing interrupt handler!
Thank you for the quick reply.
I just checked, and NAT is enabled.
Maybe I need to add a route?
No, not really. I assume you have a default route in place for the internal hosts. If not, add a static route '0.0.0.0/0', interface WAN, no gateway address. This will work for both the internal and the DMZ subnets.
The FGT already knows where to find the DMZ subnet, so no additional routes are needed here.
Do you use Policy Routing somewhere? It might interfere with routing.
Ede Kernel panic: Aiee, killing interrupt handler!
Pings to 8.8.8.8 don't arrive.
I've added a static route ('0.0.0.0/0', interface WAN, no gateway address).
In Policy Routing I don't have any rules.
Here is the default gateway on the client PC connected to the DMZ:
$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.16.1    0.0.0.0         UG    0      0        0 eth0
Thanks.
You can check which routes are active (vs. configured) in the Routing Monitor. If your office staff have been able to browse the Internet in the past, then the additional default route wasn't necessary. There's probably one set by the interface config for the WAN port ('override default gateway').
If you post a screenshot of the Routing Monitor, you could also post the policy 'DMZ' -> 'WAN'. These are the only two essential parts of the config needed for traffic flow.
Ede Kernel panic: Aiee, killing interrupt handler!
Funny how the most important parts of the config only become visible in the end...
You never mentioned you had two WAN lines. Could it be that traffic from the DMZ leaves on WAN1 and the reply comes in on WAN2?
Again, a peek into the Routing Monitor table would tell more.
Ede Kernel panic: Aiee, killing interrupt handler!
The network mask for the DMZ subnet is too small: /32. Specify /24 instead.
Ede Kernel panic: Aiee, killing interrupt handler!
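Pulling the thread's three findings together (NAT enabled on the DMZ-to-WAN policy, a single default route pinned to the WAN interface that should carry guest traffic, and a /24 rather than /32 mask on the DMZ interface), here is a complete FortiOS CLI fragment for an isolated guest segment built from the values posted above. This is an added example, not configuration from the thread or from Fortinet. Assumptions: the interfaces are named "dmz", "internal" and "wan1"; the ISP next hop 203.0.113.1 is a placeholder; policy IDs 10 and 11 are arbitrary; keyword spelling follows current FortiOS, and the 60B's older firmware uses slightly different forms for some of them (for example "ANY" instead of "ALL" for the service, and no "set name" on policies).

```fortios
# Added example, not from the thread. Interface names, policy IDs and the
# ISP gateway 203.0.113.1 are assumptions; adjust to the real deployment.

config system interface
    edit "dmz"
        # /24, not /32. With a /32 the FortiGate has no connected route for
        # 192.168.16.0/24, so replies to the guests cannot be delivered.
        set ip 192.168.16.1 255.255.255.0
        set allowaccess ping
    next
end

config system dhcp server
    edit 1
        set interface "dmz"
        set default-gateway 192.168.16.1
        set netmask 255.255.255.0
        set dns-server1 192.168.16.1
        config ip-range
            edit 1
                set start-ip 192.168.16.100
                set end-ip 192.168.16.199
            next
        end
    next
end

# The guests are told to use the FortiGate itself for DNS. That only works if
# the FortiGate answers DNS on the dmz interface; pinging 8.8.8.8 by address
# would still work without this, but name resolution would not.
config system dns-server
    edit "dmz"
        set mode recursive
    next
end

# One default route, pinned to the WAN interface carrying the guest traffic.
# Two equal default routes over two WAN lines can send a flow out on wan1 and
# bring its reply back on wan2, the asymmetry suspected above.
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 203.0.113.1
        set device "wan1"
    next
end

config firewall policy
    # Guest -> Internet only. NAT must be enabled: without it the guests'
    # private source addresses reach the ISP unchanged and nothing returns.
    edit 10
        set name "guest-to-internet"
        set srcintf "dmz"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
    # The implicit deny already blocks dmz -> internal because no accept
    # policy exists for it; an explicit, logged deny makes the isolation
    # requirement visible in the policy table and catches attempts.
    edit 11
        set name "guest-block-office"
        set srcintf "dmz"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

To check the result from the CLI rather than the Routing Monitor, `get router info routing-table all` lists the active routes (the connected 192.168.16.0/24 entry should be present, and only one default route should point at wan1). To see where a guest's ping actually dies, run `diagnose sniffer packet any 'host 8.8.8.8 and icmp' 4` while pinging from the client: the request should appear on dmz and again, source-translated to the wan1 address, on wan1, with the reply returning on the same interface. `diagnose debug flow filter addr 8.8.8.8`, `diagnose debug flow trace start 10` and `diagnose debug enable` show the policy and route lookup the FortiGate performs for those packets.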