ForgetItNet
Contributor

Do i need firewall rules in a hub and spoke BGP setup ?

Hi all,

 

I've taken on a site that has a hub and spoke setup of Fortinet routers using BGP, and I've got 2 sites that link "through" the head office router. One of the sites has a CCTV DVR and the other has a CCTV screen (ethernet device), so I want the CCTV screen (let's say on 192.168.0.22) at Site B to connect to the CCTV DVR (let's say on 192.168.20.22) at Site C; the router on 192.168.10.20 is at the head office at Site A. I've put in the rules on Sites B and C to allow the ports in (and set them as ALL for testing), but I can't even ping the DVR on Site B from Site C (nor the router IP at either site). So, as it's going "through" the router at Site A, will I need any rules to allow it through here? As it's in effect a site to site VPN I "thought" it would be transparent to the head office router and this would just let it through.

Hope that makes sense.

 

dbu
Staff

Hello @ForgetItNet , 

 

Thank you for reaching out. 

 

As per my understanding you have configured 

 

Please share more information regarding this issue : 

Do you have the remote networks on the routing table ?

Can you ping router A from Sites B and C ? 

Regards!
If you have found a solution, please like and accept it to make it easily accessible for others.
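The two checks dbu asks for (are the remote networks in the routing table, and does the path to the hub work) can be answered from the FortiGate CLI. The commands below are an added example for this thread, not something posted by dbu or taken from Fortinet's documentation; the neighbor address 10.255.0.2 and the interface names are placeholders, and the host addresses are the ones given in the question.

```fortios
# --- On the Site B spoke: is Site C's LAN learned via BGP, and out of which interface? ---
get router info bgp summary
get router info routing-table bgp
# Shows the specific route and next-hop interface that 192.168.20.22 will use
get router info routing-table details 192.168.20.22

# --- On the Site A hub: are both spoke LANs present, and is each re-advertised to the other spoke? ---
get router info bgp network
# 10.255.0.2 is a placeholder for the Site C spoke's BGP neighbor address
get router info bgp neighbors 10.255.0.2 advertised-routes

# --- On the hub: watch a ping from the CCTV screen to the DVR and see which policy (if any) accepts it ---
diagnose debug flow filter saddr 192.168.0.22
diagnose debug flow filter daddr 192.168.20.22
diagnose debug flow trace start 20
diagnose debug enable
# ... now ping 192.168.20.22 from 192.168.0.22 at Site B ...
diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear

# --- On the hub: confirm the packets actually arrive on the tunnel interface at all ---
diagnose sniffer packet any 'host 192.168.20.22 and icmp' 4 10
```

If the spoke's routing table has no entry for 192.168.20.0/24, the problem is routing (the hub is not advertising one spoke's prefix to the other); if the route is there but the debug flow on the hub reports the packet as denied with no matching policy, the problem is the missing hub firewall policy between the tunnel interfaces.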
ForgetItNet

I can ping everything on B and C from A, but nothing B to C or vice versa.

pgautam
Staff

Hi @ForgetItNet 

 

To answer your question: to allow communication between spoke B and spoke C we would need end-to-end reachability via the hub. Policy and route are supposed to be available on spoke A to send the traffic to the hub, and from the hub to spoke C, and vice versa.

 

To avoid the manual configuration you can also plan for the ADVPN setup with dynamic routing.

 

Please follow the link below for your reference:

https://docs.fortinet.com/document/fortigate/7.2.5/administration-guide/853412/ipsec-vpn-wizard-hub-...

 

Regards
Priyanka


- Have you found a solution? Then give your helper a "Kudos" and mark the solution.

 

ForgetItNet

Thanks, I only want to allow these two devices between the sites at the moment, so is a policy route the way to go to direct traffic from C to B and B to C?

pgautam

Hi @ForgetItNet 

 

Without a new tunnel between the spoke to spoke or a shortcut tunnel (in the case of ADVPN), the direct method will not be there.

 

In the spoke-hub-spoke case we do need route and policy at all the locations for end-to-end reachability.

 

Regards
Priyanka


- Have you found a solution? Then give your helper a "Kudos" and mark the solution.

ForgetItNet
Contributor

Sorry, but when you say we need "route and policy", does this mean a policy route, or is it a term for something else?

Thanks

kvimaladevi

Hi @ForgetItNet ,

 

We need an appropriate IPv4 policy and a route pointing to the destination through the correct interface for it to work. This is applicable on both ends, hub and spokes.

 

Regards,

Vimala
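What "IPv4 policy and route on both ends" looks like in FortiOS CLI terms, as an added example for this thread rather than configuration posted by any of the participants: on the hub, spoke-to-spoke traffic enters and leaves on the same IPsec interface, so it needs a firewall policy whose source and destination interface are both the hub's tunnel interface, and the hub must hand each spoke's prefix to the other spoke. The interface names "hub-vpn", "spoke-vpn" and "port2", the neighbor addresses 10.255.0.1/10.255.0.2 and the AS number 65000 are assumptions; the host addresses are the ones from the question.

```fortios
# ===== Site A (hub) =====
config firewall address
    edit "cctv-screen-siteB"
        set subnet 192.168.0.22 255.255.255.255
    next
    edit "cctv-dvr-siteC"
        set subnet 192.168.20.22 255.255.255.255
    next
end

# Hairpin policy: traffic from one spoke tunnel back out the same hub tunnel interface.
# Without this, the hub drops spoke-to-spoke packets even when routing is correct.
config firewall policy
    edit 0
        set name "spokeB-to-spokeC-cctv"
        set srcintf "hub-vpn"
        set dstintf "hub-vpn"
        set srcaddr "cctv-screen-siteB"
        set dstaddr "cctv-dvr-siteC"
        set action accept
        set schedule "always"
        set service "ALL"      # "ALL for testing", as in the question; narrow to the DVR's ports once it works
        set logtraffic all
    next
    edit 0
        set name "spokeC-to-spokeB-cctv"   # reverse direction, for sessions the DVR initiates
        set srcintf "hub-vpn"
        set dstintf "hub-vpn"
        set srcaddr "cctv-dvr-siteC"
        set dstaddr "cctv-screen-siteB"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

# Only if the spokes are iBGP peers (same AS as the hub): iBGP does not re-advertise
# routes learned from one iBGP peer to another unless the hub is a route reflector.
# With eBGP spokes this block is not needed. Neighbor addresses are placeholders.
config router bgp
    set as 65000
    config neighbor
        edit "10.255.0.1"
            set remote-as 65000
            set route-reflector-client enable
        next
        edit "10.255.0.2"
            set remote-as 65000
            set route-reflector-client enable
        next
    end
end

# ===== Site B (spoke) =====
# The ordinary spoke policies: LAN out to the tunnel, and tunnel in to the LAN.
# The route to 192.168.20.0/24 comes from BGP via the hub; no policy route is required
# as long as the BGP-learned route points at "spoke-vpn".
config firewall policy
    edit 0
        set name "lan-to-hub-cctv"
        set srcintf "port2"
        set dstintf "spoke-vpn"
        set srcaddr "cctv-screen-siteB"
        set dstaddr "cctv-dvr-siteC"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "hub-to-lan-cctv"
        set srcintf "spoke-vpn"
        set dstintf "port2"
        set srcaddr "cctv-dvr-siteC"
        set dstaddr "cctv-screen-siteB"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
# Site C mirrors Site B with the source/destination swapped.
```

The point worth keeping from this layout is that the hub policy is the thing that restricts spoke-to-spoke traffic to the two CCTV hosts: the spokes decide what leaves their own LAN, but only the hub sees both sides of the path, so that is where "only these two devices" is actually enforced.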

dbu
Staff

We need a policy route, which allows you to specify an interface to route traffic.
If proper routing and a correct hub and spoke configuration are in place, your issue should be solved.

Please check this document as it might help with your understanding: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Implement-Hub-and-Spoke-or-point-to-multip...

 

ADVPN with BGP

https://docs.fortinet.com/document/fortigate/6.2.15/cookbook/820072/advpn-with-bgp-as-the-routing-pr... 

Regards!
If you have found a solution, please like and accept it to make it easily accessible for others.