- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- FG100F not routing between subnets
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FG100F not routing between subnets
Basic functions not working and I cant figure out why. This is my first Fortigate firewall. Experienced with Palo Altos.
I have a remote industrial facility with 2 WANs and multiple LAN subnets all on a single LAN interface.
I have configured my subnets under Port 1 of the firewall with their respective VLAN IDs and IP/mask.
From each subnet, I can ping and access the Fortinet firewall on the respective IP.
However no traffic can make it from one subnet to another. The FG100F is not routing between the subnets.
I have traffic rules in place for the intra LAN traffic that should be allowed, with NAT disabled. And for diagnostic purposes I created an allow all rule from one subnet to another, and still nothing.
I was expecting the FG100F to automatically route between subnets as long as policy allows the traffic, but it appears these devices do not do that?
So I added static routes from one subnet to another. Still does not work.
The traffic logs are completely blank - no dropped traffic, no allowed traffic, nothing. I have all the log options turned on to log everything.
One thing I do like about this FG100F is it has a nice packet capture tool. I ran packet capture on one of the subnet interfaces while maintaining a standing ping from one subnet to another, but the packets for the ping do not show up.
What is the secret to get this thing to route from one subnet to another where policy allows?
Thanks
Labels:
- Labels:
-
FortiGate
6 REPLIES 6
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @jdw314
and welcome to the Fortinet family :).
To make sure I have a correct grasp of your FortiGate - you have a 100F, with multiple VLAN interfaces all on the same port, and are looking to have the FortiGate route traffic between the VLANs, correct?
The basic configuration you will need:
- routing information
-> FortiGate will know the connected routes of the VLAN interfaces, based on its own IP in there, but will need static or dynamic routing for any subnets beyond the connected ones
- policies from vlan interface to vlan interface (not the physical interface!), with action allow and optional security profiles, NAT, etc.
From your description, it sounds as if you already have these two things in place.
For troubleshooting, there are two very useful commands:
- the diag sniffer command, which is basically tcpdump and gives you the same information as the packet capture tool
dia sniff packet <interface|any> 'host x.x.x.x and/or host a.a.a.a and port (c or d)' 4 <number of packets> <a/l, for absolute (GMT) or local timestamp>end the output with Ctrl+C
-> this will show what interface a packet comes in on, and what interface it leaves the FortiGate on. In the case of VLAN interfaces, you should see the same packet twice - once on the physical interface, once on the VLAN interface (if you don't see it on the VLAN interface, this could mean a missing VLAN tag, for example)
- the dia de flow set of commands; this displays packet handling and routing lookup
dia de reset
dia de flow filter addr <x.x.x.x>
dia de flow filter proto <IP protocol, for example 1, meaning icmp, or 6, meaning tcp>
dia de flow filter port <a>
dia de flow filter [...]
dia de flow trace start <number of packets>
dia de enThis will start dumping packets in CLI and show what the FortiGate does with them, if this is for a new session setup.
If there is an existing traffic session, this set of commands might not show anything, as traffic would be offloaded to an ASIC and thus not visible to debug.
In that case, you might want to clear sessions first:
dia sys session filter src <x.x.x.x>
dia sys session list ## to see the sessions
dia sys session clear ## to clear the filtered sessions; if no filter is applied, this clears ALL sessions
#dia sys session filter clear ## to clear the session filter in placeTo end the debug:
dia de dis
dia de reset
These two commands should give you a starting point as to what FortiGate is doing with the traffic.
Regarding logging - your 100F does not have a disk, if I remember, meaning it logs to memory be default, and memory logging is restricted to severity warning or higher.
This can be changed via CLI:
config log memory filter
set severity info
endAlso, if for some reason the traffic is hitting implicit deny, you might need to enable logging in the implicit deny as well; this can be done in the policy table by clicking on the log setting in implicit deny and selecting 'All'.
I hope this helps you figure out what's going on :)
+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
Created on 11-23-2021 09:56 AM Edited on 11-23-2021 09:57 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@Debbie_FTNT Thank you for your reply with good suggestions. I have tried them and unfortunately I am still unable to solve this problem.
I set up a continuous ping between two end point devices, one on VLAN 120 and the other on VLAN 180 which are both sub interfaces of Port 1. And I have a rule that allows all ICMP traffic from VLAN 120 to VLAN 180 and another rule that allows all ICMP VLAN 180 to VLAN 120.
With that test setup in place, I tried to use the tools you suggested. I did Set Severity INFO, but that made no difference - no traffic was logged in the traffic logs. I thought maybe I needed to save the config after setting severity info, but when I tried to save it it said no changes.
I tried the sniff packet tool, and as you stated it is basically the same as the packet capture. One possibly vital clue is that the sniff packet/packet capture report does not show the continuous ping on any interface - its not on VLAN 120, its not on Port 1, its not on VLAN 180, etc. The FG doesnt seem to believe that it has received those ping packets. Which likely explains why it is not routing them, but the real question is where did they go? From the end point devices, I can ping the FG100F on their respective subnets for VLAN 120 and VLAN 180 without any difficulty.
I was not able to make the debug flow tool work. I copied what you pasted above, except for the line
dia de flow filter [...]
which I believe was placeholder for additional filter criteria. But I got no output at all. Nothing displayed when I did dia de en. I'm clearly doing something wrong when I use that tool but I'm not sure what. Although there should be no sessions offloaded to the ASIC right now since the only traffic right now is my continuous ICMP ping, nevertheless I tried clearing sessions anyway but that resets my connection to the CLI. So if it causes any output to be generated, I don't get to see it.
From the CLI, if I do execute ping with source in AUTO I can successfully ping both of the end points on VLAN 120 and VLAN 180. But if I set the source to the IP of the FG on one of the subnets, then I can only ping the endpoint on that same layer 2 subnet. It wont route its own pings to the other subnet.
Any further suggestions? Is there any way to get live help on something like this through Fortinet? One difficulty we have as contract engineers is that we don't purchase the devices directly, nor do we hold the licenses to them, and we have no input on what support packages the client purchases. Our role is only to integrate the device into the overall network and configure it. For this reason we try to steer our clients to OEMs who provide at least basic support to anyone operating the device.
Thanks
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey @jdw314,
live support is only possible through a support ticket.
If the device has even a basic support package, that should include online support, which is all that is required to get a call or remote session with a support engineer.
The FortiGate's serial number is usually sufficient to open a ticket; if you do not have access to the support account the FortiGate is in, that could complicate matters a little, though. In that case, you might want to speak to whoever registered the device in their support account to have your own email added to their account to get access to the support page for things like downloading firmware to upgrade, and opening support tickets.
As for other things to troubleshoot:
If traffic is not hitting the FortiGate, try to determine where it is going instead.
Perhaps run a traceroute command on your VLAN clients to see what hops it goes through?
@ESCHAN_FTNTsuggestion is also a good idea - check the routing settings on your hosts.
Let us know how it goes :)
+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi jdw314
When device in VLAN120 trying to ping device in VLAN180, normally the traffic would go to default gateway (unless you have specified a static route configured on the device). In this case, I am thinking the device you trying to ping from VLAN120 default gateway is set to somewhere else (not FGT). This explains that when you try to ping to VLAN180, the ping do not even reach the FGT (but sending to the configured default gateway), but on the same device you can ping FGT IP in VLAN180 because they are in the same subnet. Please do check the default gateway setting (or static route) for both the device in VLAN120 and also VLAN180 (You need to check on VLAN180 also for return traffic).
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If both VLAN subnets are configured on the same port1, and the IP on the both VLANs are configured (or pulled via DHCP) as GW on the ping source and destination devices, those are connected networks and no need for any extra routing.
As long as the ping packets are coming in, and a policy exists between two VLAN interfaces, nothing should block the packets to come though the FGT.
When you sniff, you might need to diable asic offloading ("set auto-asic-offload disable") on the policy to see all. Otherwise, you would see only first a couple of ping packets before the session is offloaded.
My guess is it's not even hitting the FGT. Just run sniffing after disabling offload on the incoming vlan interface, or use "any" then add "4" option in Debbie_FTNT's port.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just to make sure, one policy can cover only one direction. You need a set of policies to allow both directions of pinging.
Related Posts
- Traffic is not forwards to another... 109 Views
- SD-WAN Traffic Routing 87 Views
- Support inter-VLAN routing by managed FortiSwitch... 96 Views
- Swapping Firewalls VPN Setup Command Line 245 Views
- Implementing FGSP with OSPF ECMP based... 142 Views
Labels
-
FortiGate
6,741 -
FortiClient
1,341 -
5.2
801 -
5.4
639 -
FortiManager
580 -
FortiAnalyzer
425 -
6.0
416 -
5.6
362 -
FortiSwitch
345 -
FortiAP
344 -
FortiClient EMS
274 -
FortiMail
262 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
160 -
6.4
128 -
FortiNAC
110 -
FortiGuard
108 -
FortiSIEM
92 -
FortiGateCloud
88 -
FortiCloud Products
85 -
IPsec
83 -
FortiToken
73 -
Customer Service
70 -
SSL-VPN
68 -
4.0MR3
64 -
Wireless Controller
62 -
FortiProxy
47 -
FortiADC
44 -
FortiEDR
41 -
Fortivoice
41 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
33 -
FortiSandbox
32 -
SD-WAN
31 -
FortiSwitch v6.4
30 -
Firewall policy
30 -
High Availability
24 -
FortiConnect
24 -
FortiAuthenticator
22 -
VLAN
22 -
FortiWAN
22 -
FortiConverter
21 -
ZTNA
20 -
FortiPortal
18 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
Certificate
16 -
FortiMonitor
14 -
SAML
14 -
Interface
14 -
Logging
14 -
BGP
13 -
DNS
13 -
FortiGate v5.0
13 -
FortiDDoS
13 -
LDAP
12 -
Routing
12 -
FortiCASB
12 -
VDOM
12 -
fortilink
11 -
RADIUS
10 -
Virtual IP
10 -
FortiRecorder
10 -
FortiWeb v5.0
9 -
Authentication
9 -
SSL SSH inspection
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
SSID
8 -
Traffic shaping
8 -
SSO
8 -
Application control
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
Fortigate Cloud
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
FortiBridge
6 -
SNMP
6 -
Web profile
6 -
Proxy policy
5 -
Traffic shaping policy
5 -
FortiAP profile
5 -
Web application firewall profile
5 -
FortiTester
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
IPS signature
4 -
Packet capture
4 -
Antivirus profile
4 -
Automation
4 -
WAN optimization
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Port policy
4 -
FortiToken Cloud
3 -
DoS policy
3 -
Email filter profile
3 -
Web rating
3 -
Intrusion prevention
3 -
FortiDB
3 -
trunk
3 -
FortiDeceptor
2 -
System settings
2 -
FortiInsight
2 -
NAC policy
2 -
Fortinet Engage Partner Program
2 -
Users
2 -
Traffic shaping profile
2 -
FortiPAM
2 -
VoIP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Protocol option
2 -
4.0MR1
1 -
TACACS
1 -
Replacement messages
1 -
Subscription Renewal Policy
1 -
Schedule
1 -
FortiCWP
1 -
FortiNDR
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
Fabric connector
1 -
Multicast routing
1 -
Explicit proxy
1 -
Zone
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.