Hi. I have two subnets 172.20.25.x and 192.168.48.x managed by the same FortiGate 60F firewall. I created two subnets in Policy & Objects -> Addresses and rules in Firewall Policy but there is still no communication between the subnets. What am I doing wrong?
Hi @sliver001 ,
To understand this further, could you please confirm the details below, and also confirm whether you have configured a sub-interface with VLANs?
#show sys interface internal
#show sys interface
#get router info routing-table details 172.20.25.0
#get router info routing-table details 192.168.48.0
And can you verify whether the packets are actually reaching the firewall?
#dia sniffer packet any "host x.x.x.x" 4 0 l <<--- where x.x.x.x is the destination IP address
And then initiate traffic towards destination.
Thanks,
Created on 07-14-2023 05:48 AM Edited on 07-14-2023 06:03 AM
FG # show sys interface internal
config system interface
edit "internal"
set vdom "root"
set ip 172.20.25.177 255.255.255.0
set allowaccess ping https
set type hard-switch
set stp enable
set device-identification enable
set monitor-bandwidth enable
set role lan
set snmp-index 8
next
end
FG # show sys interface
config system interface
edit "wan1"
set vdom "root"
set ip 80.51.39.xxx 255.255.255.252
set allowaccess ping https http
set type physical
set alias "Secondary"
set role wan
set snmp-index 1
next
edit "wan2"
set vdom "root"
set ip 80.50.141.xxx 255.255.255.252
set allowaccess ping https http
set type physical
set alias "Main"
set lldp-reception enable
set monitor-bandwidth enable
set role wan
set snmp-index 2
set secondary-IP enable
config secondaryip
edit 1
set ip 213.76.179.xxx 255.255.255.255
set allowaccess ping https http
next
edit 2
set ip 213.76.179.xxx 255.255.255.255
set allowaccess ping https http
next
edit 3
set ip 213.76.179.xxx 255.255.255.255
set allowaccess https http
next
end
next
edit "dmz"
set vdom "root"
set ip 10.10.20.1 255.255.255.0
set allowaccess ping https fgfm fabric
set type physical
set role dmz
set snmp-index 3
next
edit "internal1"
set vdom "root"
set type physical
set snmp-index 10
next
edit "internal2"
set vdom "root"
set type physical
set snmp-index 11
next
edit "internal3"
set vdom "root"
set type physical
set snmp-index 12
next
edit "internal4"
set vdom "root"
set type physical
set snmp-index 13
next
edit "internal5"
set vdom "root"
set allowaccess ping https http
set type physical
set alias "WIFI Pub port5"
set lldp-reception disable
set lldp-transmission disable
set monitor-bandwidth enable
set role lan
set snmp-index 14
next
edit "a"
set vdom "root"
set type physical
set snmp-index 4
next
edit "b"
set vdom "root"
set ip 46.170.119.xxx 255.255.255.248
set allowaccess ping https
set type physical
set snmp-index 5
next
edit "modem"
set vdom "root"
set mode pppoe
set status down
set type physical
set snmp-index 6
next
edit "naf.root"
set vdom "root"
set type tunnel
set src-check disable
set snmp-index 15
next
edit "l2t.root"
set vdom "root"
set type tunnel
set snmp-index 16
next
edit "ssl.root"
set vdom "root"
set type tunnel
set alias "SSL VPN interface"
set snmp-index 7
next
edit "internal"
set vdom "root"
set ip 172.20.25.177 255.255.255.0
set allowaccess ping https
set type hard-switch
set stp enable
set device-identification enable
set monitor-bandwidth enable
set role lan
set snmp-index 8
next
edit "fortilink"
set vdom "root"
set fortilink enable
set ip 169.254.1.1 255.255.255.0
set allowaccess ping fabric
set type aggregate
set member "a"
set lldp-reception enable
set lldp-transmission enable
set snmp-index 9
next
edit "HQ-1.1"
set vdom "root"
set type tunnel
set snmp-index 17
set interface "wan1"
next
edit "HQ-1.2"
set vdom "root"
set type tunnel
set snmp-index 18
set interface "wan2"
next
edit "HQ-2.1"
set vdom "root"
set type tunnel
set snmp-index 19
set interface "wan1"
next
edit "HQ-2.2"
set vdom "root"
set type tunnel
set snmp-index 20
set interface "wan2"
next
edit "VLAN33"
set vdom "root"
set ip 192.168.16.1 255.255.255.0
set status down
set alias "OK_IPPOZ"
set device-identification enable
set role lan
set snmp-index 23
set interface "internal"
set vlanid 33
next
edit "VLAN34"
set vdom "root"
set ip 192.168.2.1 255.255.255.0
set allowaccess ping https http
set status down
set alias "OK_CCTV"
set device-identification enable
set role lan
set snmp-index 24
set interface "internal"
set vlanid 34
next
edit "VLAN1000"
set vdom "root"
set ip 10.10.10.3 255.255.255.0
set allowaccess ping https http
set alias "Manage"
set device-identification enable
set role lan
set snmp-index 25
set interface "internal"
set vlanid 1000
next
edit "Loopback1111"
set vdom "root"
set ip 10.210.1.2 255.255.255.255
set allowaccess ping
set type loopback
set role lan
set snmp-index 26
next
edit "VPN_L"
set vdom "root"
set type tunnel
set monitor-bandwidth enable
set snmp-index 27
set interface "wan1"
next
edit "VLAN20"
set vdom "root"
set ip 195.130.25.177 255.255.255.0
set alias "WiFi_Public_Sekretariat"
set device-identification enable
set role lan
set snmp-index 21
set interface "internal"
set vlanid 20
next
edit "WIFI_VLAN35"
set vdom "root"
set ip 192.168.35.1 255.255.255.0
set allowaccess ping https http
set alias "WIFI_Public35"
set device-identification enable
set role lan
set snmp-index 22
set interface "internal5"
set vlanid 35
next
end
FG # get router info routing-table details 192.168.48.0
Routing table for VRF=0
Routing entry for 0.0.0.0/0
Known via "static", distance 1, metric 0, best
* 80.50.141.xxx, via wan2
* 80.51.39.xxx, via wan1
2023-07-14 14:40:48.270869 internal in 192.168.48.12.47293 -> 192.168.48.255.8192: udp 92
2023-07-14 14:40:48.356633 internal in 172.20.25.181 -> 192.168.48.12: icmp: echo request
2023-07-14 14:40:48.356780 wan2 out 80.50.141.226 -> 192.168.48.12: icmp: echo request
2023-07-14 14:40:48.370878 internal in 192.168.48.12.47293 -> 192.168.48.255.8192: udp 92
FG # dia sniffer packet any "host 172.20.25.181" 4 0 l
2023-07-14 15:01:01.791324 internal in 172.20.25.181.61893 -> 172.20.25.177.443: ack 4028158496
2023-07-14 15:01:01.948883 internal in 172.20.25.181.61908 -> 192.168.48.12.445: syn 2589385065
2023-07-14 15:01:02.000945 internal in 172.20.25.181.61915 -> 192.168.48.12.139: syn 2747022179
2023-07-14 15:01:02.801431 internal out 172.20.25.177.443 -> 172.20.25.181.61893: psh 4028158496 ack 3704093274
2023-07-14 15:01:02.801798 internal out 172.20.25.177.443 -> 172.20.25.181.61893: psh 4028158634 ack 3704093274
2023-07-14 15:01:02.806277 internal in 172.20.25.181.61893 -> 172.20.25.177.443: ack 4028159182
2023-07-14 15:01:03.000655 internal in 172.20.25.181.61915 -> 192.168.48.12.139: syn 2747022179
2023-07-14 15:01:03.811429 internal out 172.20.25.177.443 -> 172.20.25.181.61893: psh 4028159182 ack 3704093274
2023-07-14 15:01:03.811801 internal out 172.20.25.177.443 -> 172.20.25.181.61893: psh 4028159320 ack 3704093274
2023-07-14 15:01:03.814614 internal in 172.20.25.181.61893 -> 172.20.25.177.443: ack 4028159656
2023-07-14 15:01:03.963135 internal in 172.20.25.181.61908 -> 192.168.48.12.445: syn 2589385065
2023-07-14 15:01:04.134652 internal in 172.20.25.181.58968 -> 172.20.25.177.443: psh 419884683 ack 3635243115
2023-07-14 15:01:04.134696 internal out 172.20.25.177.443 -> 172.20.25.181.58968: ack 419884771
2023-07-14 15:01:04.143096 internal out 172.20.25.177.443 -> 172.20.25.181.58968: psh 3635243115 ack 419884771
2023-07-14 15:01:04.143805 internal out 172.20.25.177.443 -> 172.20.25.181.58968: psh 3635243664 ack 419884771
2023-07-14 15:01:04.147924 internal in 172.20.25.181.58968 -> 172.20.25.177.443: ack 3635243695
2023-07-14 15:01:04.149249 internal in 172.20.25.181.58968 -> 172.20.25.177.443: psh 419884771 ack 3635243695
Hi @sliver001 ,
As per the logs below, there is no reverse route for 192.168.48.0/24 (the lookup falls through to the 0.0.0.0/0 default route), which is why the RPF check is failing in your case; this also matches the sniffer output above, where the echo request for 192.168.48.12 leaves via wan2.
FG # get router info routing-table details 192.168.48.0
Routing table for VRF=0
Routing entry for 0.0.0.0/0
Known via "static", distance 1, metric 0, best
* 80.50.141.xxx, via wan2
* 80.51.39.xxx, via wan1
Add a reverse static route for 192.168.48.0/24 pointing to the "internal" interface.
Before that, verify whether the network is directly connected to the internal interface, or whether an L3 device is connected behind the internal interface.
If an L3 device is connected, refer to the example below and add the static route in the same way.
E.g:
[internet] ------------<<wan [FGT] internal : 172.16.1.1>>----------<<172.16.1.2 : port1 [L3 device] LAN>> 10.10.10.0/24
In this case, you would add the static route on the FGT as below:
config router static
edit 0
set dst 10.10.10.0/24
set device internal
set gateway 172.16.1.2
end
If your setup does not match the scenario above, could you please describe your network topology?
Thanks,
Created on 07-17-2023 05:33 AM Edited on 07-17-2023 05:35 AM
FG # get router info routing-table details 192.168.48.0
Routing table for VRF=0
Routing entry for 192.168.48.0/24
Known via "static", distance 10, metric 0, best
* directly connected, internal
Thank you for your help. After adding the reverse static route, I got connected. Unfortunately, there is communication with only some of the machines, and only when I connect through a network card set to 192.168.48.0.
What should the gateway be set to? My network topology:
Hi @sliver001 ,
As per the network diagram, PC3 is configured with the gateway IP address 192.168.48.177.
However, the interface configuration on the FortiGate firewall does not have this network [192.168.48.0/24] configured as a directly connected interface address.
Could you confirm whether the IP address [192.168.48.177] is configured on the switch?
If yes, then set the gateway address of the reverse static route to 192.168.48.177.
Thanks,
Hi @msanjaypadma ,
And Interface configuration in FortiGate firewall, don't have this network [192.168.48.0/24] as directly connected.
I don't understand. Do you mean "Network -> Interfaces"? I don't have a network [192.168.48.0/24] set there.
Could you confirm [192.168.48.177] ip address configured on switch ?If yes, then configured Gateway Address as 192.168.48.177 in reverse static route.
I don't have an address configured on the switch.
Created on 07-19-2023 11:25 PM Edited on 07-19-2023 11:29 PM
Hi @sliver001 ,
If you do not have the IP address 192.168.48.177 configured on either the firewall or the switch, how is traffic from the client being forwarded to its gateway IP?
That IP address should be configured either on a VLAN sub-interface on the firewall, with that VLAN allowed on the switch, or, if your switch is acting as an L3 device, as the gateway IP address on the switch interface.
Thanks,
Hi @sliver001 ,
For a VLAN-based configuration, you can refer to the article below. I hope it will be helpful.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-create-a-VLAN-tagged-interface-802-...
Thanks,