Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
wraithhunter
New Contributor

Communication between subnets

Been working on this for a while and no luck. I have two subnets that I need to allow communication between, 10.1.2.0 and 192.168.1.0. This seems simple but I am missing something somewhere.

  • FortiOS 7.2.5 on FortiGate 60F. 
  • Each subnet a physical hardware port on the FortiGate
  • I do have Firewall Policy allowing communication between the two with no NAT.

Do I need to add a static route?

Thanks for any help.

 

KH
AEK
Honored Contributor

No need to add static route.

Check forward traffic logs to see if the traffic is reaching the firewall and if it is being blocked.

AEK
wraithhunter
New Contributor

Being blocked by the local-in-policy. How do I go about allowing this through.

KH
Toshi_Esumi
Esteemed Contributor III

The local-in-policy wouldn't block traffic between interfaces. It can block only traffic destined to the FGT itself, like admin access, incoming VPNs, FortiGuard traffic, etc.

 

Toshi

AEK
Honored Contributor

Make sure you are configuring the right gateways on your hosts. Then please share port configuration and policy configuration.

AEK
wraithhunter
New Contributor

Here is the policy:

 

config firewall policy
    edit 27
        set status enable
        set name "Internal_Communitcation"
        set uuid 352dc698-72ec-51ec-2074-a13ec13cf71b
        set srcintf "internal" "Wireless-user"
        set dstintf "Wireless-user" "internal"
        set action accept
        set nat64 disable
        set nat46 disable
        set ztna-status disable
        set srcaddr "all"
        set dstaddr "all"
        set internet-service disable
        set internet-service-src disable
        unset reputation-minimum
        set internet-service6 disable
        set internet-service6-src disable
        unset reputation-minimum6
        set rtp-nat disable
        set schedule "always"
        set schedule-timeout disable
        set policy-expiry disable
        set service "ALL"
        set tos-mask 0x00
        set anti-replay enable
        set dynamic-shaping disable
        set passive-wan-health-measurement disable
        set utm-status disable
        set inspection-mode flow
        set profile-protocol-options "default"
        set ssl-ssh-profile "no-inspection"
        set logtraffic all
        set logtraffic-start disable
        set capture-packet disable
        set auto-asic-offload enable
        set np-acceleration enable
        set nat disable
        set session-ttl 0
        set vlan-cos-fwd 255
        set vlan-cos-rev 255
        set fec disable
        set wccp disable
        set disclaimer disable
        set email-collect disable
        set natip 0.0.0.0 0.0.0.0
        set diffserv-forward disable
        set diffserv-reverse disable
        set tcp-mss-sender 0
        set tcp-mss-receiver 0
        set comments ''
        set block-notification disable
        set replacemsg-override-group ''
        set srcaddr-negate disable
        set srcaddr6-negate disable
        set dstaddr-negate disable
        set dstaddr6-negate disable
        set service-negate disable
        set timeout-send-rst disable
        set captive-portal-exempt disable
        set dsri disable
        set radius-mac-auth-bypass disable
        set delay-tcp-npu-session disable
        unset vlan-filter
        set traffic-shaper ''
        set traffic-shaper-reverse ''
        set per-ip-shaper ''
    next
end

 

KH
wraithhunter
New Contributor

Here is what I am seeing in the log. I am able to ping the Gateway.

Action
Action: deny
Policy ID: 0
Application
Application: PING
Application Category: unscanned
Protocol: 1
Service: PING
Data
Duration: 0
Received Packets: 0
Sent Packets: 0
Received/Sent: 0.0 KB / 0.0 KB
Type
Sub Type: local
Type: traffic
Others
Date: 2023-06-26
Date/Time: 15:11:52
Device Time: 2023-06-26 15:11:41
Event Time: 1687806702194263105
Identifier: 1
Policy Type: local-in-policy
Time: 15:11:41
Time Zone: -0400
logflag: 3
logver: 702051517
KH
wraithhunter
New Contributor

Additional information. I am not seeing the denies in the Forward Traffic logs but I am seeing them in the Local Traffic logs.  

KH
Toshi_Esumi
Esteemed Contributor III

That means the FGT is not blocking. If you sniff ping packets on "Wireless-user" interface while you're pinging from "internal" interface side, you would see them going out. That policy should be allowing them. But my guess is ping replies are not coming back from the AP side.

Toshi

AEK
Honored Contributor

Then you are somehow pinging FGT, not your hosts.

Check if the IP you are pinging is on the FGT as well. Can you also share interface configuration?

AEK
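The distinction the last two replies draw (a deny with Sub Type "local", Policy ID 0 and Policy Type "local-in-policy" means the packet was addressed to the FortiGate itself, not forwarded between ports) can be checked mechanically against exported logs. The script below is an added example for this thread, not code from the thread or from Fortinet. The interface addresses in FGT_INTERFACES and the three log lines are constructed assumptions (the posts give neither); the field names follow the FortiOS raw key=value log format, and the first constructed line mirrors the entry quoted above.

```python
"""Triage FortiOS traffic-log lines: did the FortiGate forward the packet,
drop it on a firewall policy, or treat it as traffic to itself (local-in)?

Added example for this thread, not code from the thread or from Fortinet.
Interface addresses and the log lines are constructed assumptions.
"""
import ipaddress
import shlex

# Assumed addressing for the two ports in the thread (not given in the posts).
FGT_INTERFACES = {
    "internal": ipaddress.ip_interface("10.1.2.1/24"),
    "Wireless-user": ipaddress.ip_interface("192.168.1.1/24"),
}

# Constructed log lines in FortiOS raw key=value format, one per outcome.
SAMPLE_LOGS = [
    # Ping aimed at the FortiGate's own port address: logged as local traffic.
    'date=2023-06-26 time=15:11:41 type="traffic" subtype="local" vd="root" '
    'srcip=10.1.2.50 srcintf="internal" dstip=192.168.1.1 dstintf="root" '
    'proto=1 action="deny" policyid=0 policytype="local-in-policy" service="PING"',
    # Ping between hosts matched by the accept policy (policy ID 27 in the thread).
    'date=2023-06-26 time=15:12:03 type="traffic" subtype="forward" vd="root" '
    'srcip=10.1.2.50 srcintf="internal" dstip=192.168.1.50 dstintf="Wireless-user" '
    'proto=1 action="accept" policyid=27 service="PING"',
    # Ping between hosts that hit the implicit deny (policy ID 0, subtype forward).
    'date=2023-06-26 time=15:12:40 type="traffic" subtype="forward" vd="root" '
    'srcip=10.1.2.50 srcintf="internal" dstip=192.168.1.60 dstintf="Wireless-user" '
    'proto=1 action="deny" policyid=0 service="PING"',
]

EXPLANATIONS = {
    "local-in-self": "destination is a FortiGate interface address; the packet was "
                     "never forwarded, so the inter-port policy cannot apply",
    "local-in": "logged as local traffic but the destination is not one of the "
                "configured port addresses; inspect the raw log entry",
    "forward-accept": "forwarded by a firewall policy; if no reply comes back, check "
                      "the far host's gateway and the return path",
    "forward-deny": "dropped on the forwarding path (policyid 0 is the implicit deny); "
                    "check interface pair, addresses and service in the policy",
    "forward-unrouted": "destination is outside both directly connected subnets; "
                        "check the routing table rather than the policy",
}


def parse_log_line(line: str) -> dict:
    """Split a raw FortiOS log line into a dict; quoted values are unquoted."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def interface_for(ip: str):
    """Name of the FortiGate interface whose subnet contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, iface in FGT_INTERFACES.items():
        if addr in iface.network:
            return name
    return None


def classify(fields: dict) -> str:
    """Map one parsed log entry to a triage category (a key of EXPLANATIONS)."""
    dstip = ipaddress.ip_address(fields["dstip"])
    own_addrs = {iface.ip for iface in FGT_INTERFACES.values()}
    if fields.get("subtype") == "local":
        # A local traffic log means the FortiGate itself consumed the packet.
        return "local-in-self" if dstip in own_addrs else "local-in"
    if interface_for(fields["dstip"]) is None:
        return "forward-unrouted"
    return "forward-accept" if fields.get("action") == "accept" else "forward-deny"


def triage(lines):
    """Return (srcip, dstip, category) for every log line."""
    results = []
    for line in lines:
        fields = parse_log_line(line)
        results.append((fields["srcip"], fields["dstip"], classify(fields)))
    return results


if __name__ == "__main__":
    for src, dst, category in triage(SAMPLE_LOGS):
        print(f"{src} -> {dst}: {category}: {EXPLANATIONS[category]}")
```

Run as-is it prints one line per sample; the first sample, which matches the log excerpt posted above, lands in local-in-self, which is the "you are somehow pinging the FGT" case. To use it on a real export, replace SAMPLE_LOGS with lines from the Local Traffic and Forward Traffic logs and set FGT_INTERFACES from `show system interface`.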