iliyahoo
New Contributor

Client connected to DMZ can' t go out to the Internet

Hi, help me to resolve the problem described below, please. I've installed a Fortigate 60B and now need to provide access to our guests. Guests must be isolated from the office infrastructure. For this configuration I've set up the DMZ interface with a DHCP server. A client connected to the DMZ port gets its DHCP configuration but can't go out to the Internet.

Internal interface:
Addressing mode: manual (10.0.0.250/24)

DMZ interface config:
Addressing mode: manual (192.168.16.1/24)

DHCP server config (for DMZ interface):
Type: regular
IP: 192.168.16.100-199
Netmask: 255.255.255.0
Def Gateway: 192.168.16.1
DNS: 192.168.16.1

Policy: DMZ(all) --> WAN1(all) = accept
ede_pfau
SuperUser

Hi, and welcome to the forums. Make sure you have NAT checked in the policy. Without it, reply traffic cannot be routed back to your network.
Ede Kernel panic: Aiee, killing interrupt handler!
iliyahoo
New Contributor

Thank you for the quick reply. Just now I checked that NAT is enabled. Maybe I need to add a route?
ede_pfau
SuperUser

No, not really. I assume you have a default route in place for the internal hosts. If not, add a static route '0.0.0.0/0', interface WAN, no gateway address. This will work for both internal and DMZ subnets. The FGT already knows where to find the DMZ subnet, so no need for any additional routes here. Do you use Policy Routing somewhere? It might interfere with routing.
Ede Kernel panic: Aiee, killing interrupt handler!
iliyahoo
New Contributor

Ping to 8.8.8.8 doesn't arrive. I've added a static route ('0.0.0.0/0', interface WAN, no gateway address). In Policy Routing I don't have any rules. Here is my default gateway on the client PC connected to the DMZ:

$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.16.1    0.0.0.0         UG    0      0        0 eth0

Thanks.
ede_pfau
SuperUser

You can check which routes are active (vs. configured) in the Routing Monitor. If your office staff has been able to browse the internet in the past, then the additional default route wasn't necessary. There's probably one set by the interface config for the WAN port ('override default gateway'). If you post a screenshot of the Routing Monitor, then you could also post the policy 'DMZ' -> 'WAN'. These are the only two essential parts of the config needed for traffic flow.
Ede Kernel panic: Aiee, killing interrupt handler!
iliyahoo
New Contributor

Thank you, Ede! Please check attached files with screenshots.
ede_pfau
SuperUser

Funny how the most important parts of the config only become visible in the end... You never mentioned you had 2 WAN lines. Could it be traffic from the DMZ leaves on WAN1 and the reply comes in on WAN2? Again, a peek into the Routing Monitor table would tell more.
Ede Kernel panic: Aiee, killing interrupt handler!
iliyahoo
New Contributor

This is my routing monitor:
ede_pfau
SuperUser

The network mask for the DMZ subnet is too small: /32. Specify /24 instead.
Ede Kernel panic: Aiee, killing interrupt handler!
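To show why the /32 mask on the DMZ interface breaks this setup even though the DMZ -> WAN1 policy, NAT and the default route are all in place, here is an added example (not code from the thread or from Fortinet). It models a minimal routing table with longest-prefix matching and checks whether the DHCP pool actually falls inside the interface subnet. The routing tables and addresses are constructed from the values quoted in the thread; the interface names and the lack of a gateway on the default route are assumptions.

```python
import ipaddress

# Constructed routing tables modelled on the thread (assumed values, not the
# poster's real config). Each entry: (prefix, outgoing interface).
ROUTES_BROKEN = [
    ("10.0.0.0/24", "internal"),      # connected route for the office LAN
    ("192.168.16.1/32", "dmz"),       # DMZ interface configured with a /32 mask
    ("0.0.0.0/0", "wan1"),            # static default route, no gateway
]
ROUTES_FIXED = [
    ("10.0.0.0/24", "internal"),
    ("192.168.16.0/24", "dmz"),       # DMZ interface with the intended /24
    ("0.0.0.0/0", "wan1"),
]


def lookup(routes, dst):
    """Longest-prefix match: return (prefix, interface) selected for dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix, strict=False)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return None if best is None else (str(best[0]), best[1])


def forward_and_reply(routes, client_ip, remote_ip):
    """Interface used for the client's outbound packet, and the interface the
    firewall picks when it routes the reply back to the client's address."""
    outbound = lookup(routes, remote_ip)[1]
    reply = lookup(routes, client_ip)[1]
    return outbound, reply


def pool_inside_interface(iface_cidr, pool_start, pool_end):
    """True when the whole DHCP pool lies inside the interface's subnet."""
    net = ipaddress.ip_network(iface_cidr, strict=False)
    first = ipaddress.ip_address(pool_start)
    last = ipaddress.ip_address(pool_end)
    return first in net and last in net


if __name__ == "__main__":
    client = "192.168.16.150"          # a lease from the 192.168.16.100-199 pool
    for label, table in (("broken /32", ROUTES_BROKEN), ("fixed /24", ROUTES_FIXED)):
        out, back = forward_and_reply(table, client, "8.8.8.8")
        print(f"{label}: ping leaves via {out}, reply to client routed via {back}")
    print("pool in /32:", pool_inside_interface("192.168.16.1/32", "192.168.16.100", "192.168.16.199"))
    print("pool in /24:", pool_inside_interface("192.168.16.1/24", "192.168.16.100", "192.168.16.199"))
```

With the /32 table the outbound ping still leaves on wan1, but the reply to 192.168.16.150 matches only the default route and is sent back out the WAN instead of the DMZ port, which is exactly the symptom in the thread. The same check on the DHCP pool is a cheap sanity test to run whenever an interface mask and a DHCP scope are configured separately.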