sliver001

Connect two subnets within same Fortigate

Hi. I have two subnets, 172.20.25.x and 192.168.48.x, managed by the same FortiGate 60F firewall. I created address objects for both subnets in Policy & Objects -> Addresses and added rules in Firewall Policy, but there is still no communication between the subnets. What am I doing wrong?

 

addresses.JPG police.JPG police2.JPG

msanjaypadma

Hi @sliver001 ,

 

To understand further, could you please confirm the details below, and did you configure a sub-interface with VLANs?

#show sys interface internal
#show sys interface
#get router info routing-table details 172.20.25.0
#get router info routing-table details 192.168.48.0

And can you verify whether the packets are reaching the firewall?

#dia sniffer packet any "host x.x.x.x"  4 0 l   <<--- where x.x.x.x is the destination IP address

And then initiate traffic towards destination.

Thanks,

Mayur Padma
sliver001

 

FG # show sys interface internal
config system interface
    edit "internal"
        set vdom "root"
        set ip 172.20.25.177 255.255.255.0
        set allowaccess ping https
        set type hard-switch
        set stp enable
        set device-identification enable
        set monitor-bandwidth enable
        set role lan
        set snmp-index 8
    next
end
FG # show sys interface
config system interface
    edit "wan1"
        set vdom "root"
        set ip 80.51.39.xxx 255.255.255.252
        set allowaccess ping https http
        set type physical
        set alias "Secondary"
        set role wan
        set snmp-index 1
    next
    edit "wan2"
        set vdom "root"
        set ip 80.50.141.xxx 255.255.255.252
        set allowaccess ping https http
        set type physical
        set alias "Main"
        set lldp-reception enable
        set monitor-bandwidth enable
        set role wan
        set snmp-index 2
        set secondary-IP enable
        config secondaryip
            edit 1
                set ip 213.76.179.xxx 255.255.255.255
                set allowaccess ping https http
            next
            edit 2
                set ip 213.76.179.xxx 255.255.255.255
                set allowaccess ping https http
            next
            edit 3
                set ip 213.76.179.xxx 255.255.255.255
                set allowaccess https http
            next
        end
    next 
    edit "dmz"
        set vdom "root"
        set ip 10.10.20.1 255.255.255.0
        set allowaccess ping https fgfm fabric
        set type physical
        set role dmz
        set snmp-index 3
    next 
    edit "internal1"
        set vdom "root"
        set type physical
        set snmp-index 10
    next 
    edit "internal2"
        set vdom "root"
        set type physical
        set snmp-index 11
    next 
    edit "internal3"
        set vdom "root"
        set type physical
        set snmp-index 12
    next 
    edit "internal4"
        set vdom "root"
        set type physical
        set snmp-index 13
    next 
    edit "internal5"
        set vdom "root"
        set allowaccess ping https http
        set type physical
        set alias "WIFI Pub port5"
        set lldp-reception disable
        set lldp-transmission disable
        set monitor-bandwidth enable
        set role lan
        set snmp-index 14
    next 
    edit "a"
        set vdom "root"
        set type physical
        set snmp-index 4
    next 
    edit "b"
        set vdom "root"
        set ip 46.170.119.xxx 255.255.255.248
        set allowaccess ping https
        set type physical
        set snmp-index 5
    next 
    edit "modem"
        set vdom "root"
        set mode pppoe
        set status down
        set type physical
        set snmp-index 6
    next 
    edit "naf.root"
        set vdom "root"
        set type tunnel
        set src-check disable
        set snmp-index 15
    next 
    edit "l2t.root"
        set vdom "root"
        set type tunnel
        set snmp-index 16
    next 
    edit "ssl.root"
        set vdom "root"
        set type tunnel
        set alias "SSL VPN interface"
        set snmp-index 7
    next 
    edit "internal"
        set vdom "root"
        set ip 172.20.25.177 255.255.255.0
        set allowaccess ping https
        set type hard-switch
        set stp enable
        set device-identification enable
        set monitor-bandwidth enable
        set role lan
        set snmp-index 8
    next 
    edit "fortilink"
        set vdom "root"
        set fortilink enable
        set ip 169.254.1.1 255.255.255.0
        set allowaccess ping fabric
        set type aggregate
        set member "a"
        set lldp-reception enable
        set lldp-transmission enable
        set snmp-index 9
    next 
    edit "HQ-1.1"
        set vdom "root"
        set type tunnel
        set snmp-index 17
        set interface "wan1"
    next 
    edit "HQ-1.2"
        set vdom "root"
        set type tunnel
        set snmp-index 18
        set interface "wan2"
    next 
    edit "HQ-2.1"
        set vdom "root"
        set type tunnel
        set snmp-index 19
        set interface "wan1"
    next 
    edit "HQ-2.2"
        set vdom "root"
        set type tunnel
        set snmp-index 20
        set interface "wan2"
    next 
    edit "VLAN33"
        set vdom "root"
        set ip 192.168.16.1 255.255.255.0
        set status down
        set alias "OK_IPPOZ"
        set device-identification enable
        set role lan
        set snmp-index 23
        set interface "internal"
        set vlanid 33
    next 
    edit "VLAN34"
        set vdom "root"
        set ip 192.168.2.1 255.255.255.0
        set allowaccess ping https http
        set status down
        set alias "OK_CCTV"
        set device-identification enable
        set role lan
        set snmp-index 24
        set interface "internal"
        set vlanid 34
    next 
    edit "VLAN1000"
        set vdom "root"
        set ip 10.10.10.3 255.255.255.0
        set allowaccess ping https http
        set alias "Manage"
        set device-identification enable
        set role lan
        set snmp-index 25
        set interface "internal"
        set vlanid 1000
    next 
    edit "Loopback1111"
        set vdom "root"
        set ip 10.210.1.2 255.255.255.255
        set allowaccess ping
        set type loopback
        set role lan
        set snmp-index 26
    next 
    edit "VPN_L"
        set vdom "root"
        set type tunnel
        set monitor-bandwidth enable
        set snmp-index 27
        set interface "wan1"
    next 
    edit "VLAN20"
        set vdom "root"
        set ip 195.130.25.177 255.255.255.0
        set alias "WiFi_Public_Sekretariat"
        set device-identification enable
        set role lan
        set snmp-index 21
        set interface "internal"
        set vlanid 20
    next 
    edit "WIFI_VLAN35"
        set vdom "root"
        set ip 192.168.35.1 255.255.255.0
        set allowaccess ping https http
        set alias "WIFI_Public35"
        set device-identification enable
        set role lan
        set snmp-index 22
        set interface "internal5"
        set vlanid 35
    next 
end      
FG # get router info routing-table details 192.168.48.0

Routing table for VRF=0
Routing entry for 0.0.0.0/0
  Known via "static", distance 1, metric 0, best
  * 80.50.141.xxx, via wan2
  * 80.51.39.xxx, via wan1
2023-07-14 14:40:48.270869 internal in 192.168.48.12.47293 -> 192.168.48.255.8192: udp 92
2023-07-14 14:40:48.356633 internal in 172.20.25.181 -> 192.168.48.12: icmp: echo request
2023-07-14 14:40:48.356780 wan2 out 80.50.141.226 -> 192.168.48.12: icmp: echo request
2023-07-14 14:40:48.370878 internal in 192.168.48.12.47293 -> 192.168.48.255.8192: udp 92
FG # dia sniffer packet any "host 172.20.25.181"  4 0 l
2023-07-14 15:01:01.791324 internal in 172.20.25.181.61893 -> 172.20.25.177.443: ack 4028158496 
2023-07-14 15:01:01.948883 internal in 172.20.25.181.61908 -> 192.168.48.12.445: syn 2589385065 
2023-07-14 15:01:02.000945 internal in 172.20.25.181.61915 -> 192.168.48.12.139: syn 2747022179 
2023-07-14 15:01:02.801431 internal out 172.20.25.177.443 -> 172.20.25.181.61893: psh 4028158496 ack 3704093274 
2023-07-14 15:01:02.801798 internal out 172.20.25.177.443 -> 172.20.25.181.61893: psh 4028158634 ack 3704093274 
2023-07-14 15:01:02.806277 internal in 172.20.25.181.61893 -> 172.20.25.177.443: ack 4028159182 
2023-07-14 15:01:03.000655 internal in 172.20.25.181.61915 -> 192.168.48.12.139: syn 2747022179 
2023-07-14 15:01:03.811429 internal out 172.20.25.177.443 -> 172.20.25.181.61893: psh 4028159182 ack 3704093274 
2023-07-14 15:01:03.811801 internal out 172.20.25.177.443 -> 172.20.25.181.61893: psh 4028159320 ack 3704093274 
2023-07-14 15:01:03.814614 internal in 172.20.25.181.61893 -> 172.20.25.177.443: ack 4028159656 
2023-07-14 15:01:03.963135 internal in 172.20.25.181.61908 -> 192.168.48.12.445: syn 2589385065 
2023-07-14 15:01:04.134652 internal in 172.20.25.181.58968 -> 172.20.25.177.443: psh 419884683 ack 3635243115 
2023-07-14 15:01:04.134696 internal out 172.20.25.177.443 -> 172.20.25.181.58968: ack 419884771 
2023-07-14 15:01:04.143096 internal out 172.20.25.177.443 -> 172.20.25.181.58968: psh 3635243115 ack 419884771 
2023-07-14 15:01:04.143805 internal out 172.20.25.177.443 -> 172.20.25.181.58968: psh 3635243664 ack 419884771 
2023-07-14 15:01:04.147924 internal in 172.20.25.181.58968 -> 172.20.25.177.443: ack 3635243695 
2023-07-14 15:01:04.149249 internal in 172.20.25.181.58968 -> 172.20.25.177.443: psh 419884771 ack 3635243695

 

msanjaypadma

Hi @sliver001 ,

 

As per the logs below, there is no route for 192.168.48.0/24 other than the default route, so the reverse-path forwarding (RPF) check is failing in your case. The sniffer output confirms this: the echo request from 172.20.25.181 to 192.168.48.12 leaves via wan2, following the default route instead of staying on the internal side.

 

FG # get router info routing-table details 192.168.48.0

Routing table for VRF=0
Routing entry for 0.0.0.0/0
  Known via "static", distance 1, metric 0, best
  * 80.50.141.xxx, via wan2
  * 80.51.39.xxx, via wan1

 


Add a reverse static route for 192.168.48.0/24 pointing to the "internal" interface.

Before that, verify whether 192.168.48.0/24 is directly connected to "internal", or whether an L3 device sits behind the internal interface.

If an L3 device is connected, refer to the example below and add the static route the same way.
 
E.g: 

[internet] ------------<<wan [FGT]  internal : 172.16.1.1>>----------<<172.16.1.2 : port1 [L3 device] LAN>> 10.10.10.0/24

 

In this case, you would add a static route on the FortiGate as below:

 

config router static

edit 0

set dst 10.10.10.0/24

set device internal

set gateway 172.16.1.2

end 

 

If your setup does not match the scenario above, could you please describe your network topology?

 

Thanks,

Mayur Padma
sliver001

 

FG # get router info routing-table details 192.168.48.0

Routing table for VRF=0
Routing entry for 192.168.48.0/24
  Known via "static", distance 10, metric 0, best
  * directly connected, internal

 

Thank you for your help. After adding the reverse static route, I got connectivity. Unfortunately, communication works with only some of the machines, and only when I connect through a network card set to the 192.168.48.0 network.

What should the gateway be set to? My network topology.

topo.JPG

topo2.JPG

msanjaypadma

Hi @sliver001 ,

As per the network diagram, PC3 is configured with gateway IP address 192.168.48.177.

 

And the interface configuration on the FortiGate firewall does not have this network [192.168.48.0/24] as directly connected.

Could you confirm whether the IP address 192.168.48.177 is configured on the switch?

If yes, then configure 192.168.48.177 as the gateway address in the reverse static route.

If you have found a solution, please like and mark it as solved to make it easily accessible for everyone.

Thanks,

Mayur Padma
sliver001

Hi @msanjaypadma  ,

 

And the interface configuration on the FortiGate firewall does not have this network [192.168.48.0/24] as directly connected.

I don't understand. Do you mean "Network -> Interfaces"? I don't have a network [192.168.48.0/24] configured there.

 


Could you confirm whether the IP address 192.168.48.177 is configured on the switch?

If yes, then configure 192.168.48.177 as the gateway address in the reverse static route.

 

I don't have an address configured on the switch.

msanjaypadma

Hi @sliver001 ,

 

If the IP address 192.168.48.177 is not configured on the firewall or on the switch, how is traffic from the client being forwarded to the gateway IP?

That IP address should be configured either on a VLAN sub-interface on the firewall (with the VLAN allowed on the switch), or, if your switch is acting as an L3 device, as the gateway IP address on a switch interface.

If you have found a solution, please like and mark it as solved to make it easily accessible for everyone.

Thanks,

Mayur Padma
msanjaypadma

Hi @sliver001 ,

 

For VLAN-based configuration, you can refer to the article below. I hope it will be helpful.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-create-a-VLAN-tagged-interface-802-...

If you have found a solution, please like and mark it as solved to make it easily accessible for everyone.

Thanks,

Mayur Padma