ari_mis
FGFW Behind Home WiFi Router

Hello all! Long time reader, first time poster. I apologize if this is already discussed or should possibly be in the Routing area. My googling has let me down. Thanks in advance!

An unusual setup: Essentially what I need to do is give a FGFW 30E to an employee for home use to limit and control access on a single host computer. We want to keep the home network untouched, so we plan to have the person plug the FGFW's WAN into an available port on their existing WiFi router (which is then plugged into a standard cable modem). Computer is plugged into LAN1. I've created a LAN zone that includes LAN1 interface. (I deleted the default Hardware Switch that comes preconfigured.)

I'm testing this at my home and here's what I've run into.

If I create a policy allowing all traffic from LAN to WAN, the host computer operates just fine, can browse all the interwebs.

However, if I modify that same policy to only allow traffic from that single Host IP to specified FQDNs (and the DNS IPs the host is using (8.8.8.8, 8.8.4.4)), I get an unwanted experience on the host. The FQDNs take 5+ minutes to load, Chrome browser takes 5+ minutes to load...

No other policies are in place. No static routes.

Obviously I must be missing some simple setting or additional policy on my FGFW if it works fine when I do not limit the Destination addresses of the policy.

Do I need another policy of some sort? Some kind of static route?

Let me know what configs or settings you might need to see.

WAN Interface is set to DHCP (which picks up a private IP from the WiFi router); and the FGFW sees the real public IP as the "WAN IP" in the Dashboard>Status>System Info

ari_mis

Oddly, when I put the Policy locked down to the desired IP (even FQDN) and DNS IPs, and try to hit that desired IP from my host computer, the Flow Diag doesn't even show that it's trying. No record of the host computer attempting to connect. It does show a flood of other random operating system IPs that it is getting rightfully denied... Eventually, after about 5 minutes, my host finally connects to that desired IP, so it does finally make it through, albeit extremely slowly...

ari_mis

Here's a Flow Debug of the Host hitting the desired FQDN when my IPv4 policy is set to Allow "All" for the Destination. The CLI output is empty when I change the Policy's Destination to this FQDN. I also have the DNS IPs in the Destination and the Host resolves the FQDN in a network lookup.

2020-07-21 15:56:15 id=20085 trace_id=10132 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 10.10.10.2:55877->193.203.82.154:443) from lan1. flag [R.], seq 2189509940, ack 2154602185, win 2047"
2020-07-21 15:56:15 id=20085 trace_id=10132 func=resolve_ip_tuple_fast line=5698 msg="Find an existing session, id-0040defc, original direction"
2020-07-21 15:56:15 id=20085 trace_id=10132 func=ipv4_fast_cb line=53 msg="enter fast path"
2020-07-21 15:56:15 id=20085 trace_id=10132 func=ip_session_run_all_tuple line=6893 msg="SNAT 10.10.10.2->192.168.168.104:55877"
2020-07-21 15:56:15 id=20085 trace_id=10133 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 10.10.10.2:56269->193.203.82.154:443) from lan1. flag , seq 3750226638, ack 0, win 65535"
2020-07-21 15:56:15 id=20085 trace_id=10133 func=init_ip_session_common line=5788 msg="allocate a new session-0040e6bf"
2020-07-21 15:56:15 id=20085 trace_id=10133 func=vf_ip_route_input_common line=2595 msg="find a route: flag=04000000 gw-192.168.168.1 via wan"
2020-07-21 15:56:15 id=20085 trace_id=10133 func=fw_forward_handler line=771 msg="Allowed by Policy-3: SNAT"
2020-07-21 15:56:15 id=20085 trace_id=10133 func=__ip_session_run_tuple line=3396 msg="SNAT 10.10.10.2->192.168.168.104:56269"
2020-07-21 15:56:15 id=20085 trace_id=10134 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 193.203.82.154:443->192.168.168.104:56269) from wan. flag [S.], seq 1051637247, ack 3750226639, win 28960"
2020-07-21 15:56:15 id=20085 trace_id=10134 func=resolve_ip_tuple_fast line=5698 msg="Find an existing session, id-0040e6bf, reply direction"
2020-07-21 15:56:15 id=20085 trace_id=10134 func=__ip_session_run_tuple line=3410 msg="DNAT 192.168.168.104:56269->10.10.10.2:56269"
2020-07-21 15:56:15 id=20085 trace_id=10134 func=vf_ip_route_input_common line=2595 msg="find a route: flag=00000000 gw-10.10.10.2 via lan1"
2020-07-21 15:56:15 id=20085 trace_id=10135 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 10.10.10.2:56269->193.203.82.154:443) from lan1. flag [.], seq 3750226639, ack 1051637248, win 2058"
2020-07-21 15:56:15 id=20085 trace_id=10135 func=resolve_ip_tuple_fast line=5698 msg="Find an existing session, id-0040e6bf, original direction"
2020-07-21 15:56:15 id=20085 trace_id=10135 func=__ip_session_run_tuple line=3396 msg="SNAT 10.10.10.2->192.168.168.104:56269"
2020-07-21 15:56:15 id=20085 trace_id=10136 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 10.10.10.2:56269->193.203.82.154:443) from lan1. flag [.], seq 3750226639, ack 1051637248, win 2058"
2020-07-21 15:56:15 id=20085 trace_id=10136 func=resolve_ip_tuple_fast line=5698 msg="Find an existing session, id-0040e6bf, original direction"
2020-07-21 15:56:15 id=20085 trace_id=10136 func=__ip_session_run_tuple line=3396 msg="SNAT 10.10.10.2->192.168.168.104:56269"
2020-07-21 15:56:15 id=20085 trace_id=10137 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 193.203.82.154:443->192.168.168.104:56269) from wan. flag [.], seq 1051637248, ack 3750227156, win 235"
2020-07-21 15:56:15 id=20085 trace_id=10137 func=resolve_ip_tuple_fast line=5698 msg="Find an existing session, id-0040e6bf, reply direction"
2020-07-21 15:56:15 id=20085 trace_id=10137 func=__ip_session_run_tuple line=3410 msg="DNAT 192.168.168.104:56269->10.10.10.2:56269"
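A small parser for the `diagnose debug flow` output quoted above, added here as an example and not part of the original thread. It groups lines by trace_id (one trace per packet), pulls out the 5-tuple, ingress interface, session id, policy verdict and NAT lines, and then answers the question the poster is asking the trace: did any packet from the host toward the FQDN's IP reach the firewall at all? The sample is copied from the trace above; the "Denied ..." verdict wording is an assumption for traces the thread does not show.

```python
import re
from collections import OrderedDict

# Constructed sample: lines copied from the debug flow output quoted above (two trace_ids).
SAMPLE_TRACE = """\
2020-07-21 15:56:15 id=20085 trace_id=10133 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 10.10.10.2:56269->193.203.82.154:443) from lan1. flag , seq 3750226638, ack 0, win 65535"
2020-07-21 15:56:15 id=20085 trace_id=10133 func=init_ip_session_common line=5788 msg="allocate a new session-0040e6bf"
2020-07-21 15:56:15 id=20085 trace_id=10133 func=vf_ip_route_input_common line=2595 msg="find a route: flag=04000000 gw-192.168.168.1 via wan"
2020-07-21 15:56:15 id=20085 trace_id=10133 func=fw_forward_handler line=771 msg="Allowed by Policy-3: SNAT"
2020-07-21 15:56:15 id=20085 trace_id=10133 func=__ip_session_run_tuple line=3396 msg="SNAT 10.10.10.2->192.168.168.104:56269"
2020-07-21 15:56:15 id=20085 trace_id=10134 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 193.203.82.154:443->192.168.168.104:56269) from wan. flag [S.], seq 1051637247, ack 3750226639, win 28960"
2020-07-21 15:56:15 id=20085 trace_id=10134 func=resolve_ip_tuple_fast line=5698 msg="Find an existing session, id-0040e6bf, reply direction"
2020-07-21 15:56:15 id=20085 trace_id=10134 func=__ip_session_run_tuple line=3410 msg="DNAT 192.168.168.104:56269->10.10.10.2:56269"
"""

LINE_RE = re.compile(r'trace_id=(\d+) func=(\S+) line=\d+ msg="(.*)"$')
PKT_RE = re.compile(r'received a packet\(proto=(\d+), ([\d.]+):(\d+)->([\d.]+):(\d+)\) from (\w+)\.')
NAT_RE = re.compile(r'^(SNAT|DNAT) \S+->\S+')

def parse_flow(text):
    """Group debug-flow lines by trace_id and extract the fields worth looking at."""
    traces = OrderedDict()
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue  # not a trace line (prompt, blank, unrelated output)
        tid, _func, msg = m.groups()
        t = traces.setdefault(tid, {"verdict": None, "policy": None, "nat": [], "session": None})
        pkt = PKT_RE.search(msg)
        if pkt:  # first line of every trace: the packet itself
            t.update(proto=int(pkt[1]), src=pkt[2], sport=int(pkt[3]),
                     dst=pkt[4], dport=int(pkt[5]), iface=pkt[6])
        elif msg.startswith(("Allowed", "Denied")):  # policy lookup result (Denied wording assumed)
            t["verdict"] = "allow" if msg.startswith("Allowed") else "deny"
            pol = re.search(r"[Pp]olicy[- ](\d+)", msg)
            t["policy"] = int(pol[1]) if pol else None
        elif NAT_RE.match(msg):  # SNAT/DNAT applied to this packet
            t["nat"].append(msg)
        elif "session" in msg:  # new session allocated or existing one matched
            sess = re.search(r"(?:session-|id-)([0-9a-f]+)", msg)
            t["session"] = sess[1] if sess else None
    return traces

def packets_between(traces, src, dst):
    """Trace ids of packets from src to dst; an empty list means the firewall never saw one."""
    return [tid for tid, t in traces.items() if t.get("src") == src and t.get("dst") == dst]
```

If this returns nothing for the host and the resolved IP while the policy is restricted to the FQDN, the host is not even sending to that address yet, which points at name resolution or client-side delay rather than at the policy verdict.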
ari_mis

To help clarify, when I limit the IPv4 Policy for LAN>WAN to Fortigate's DNS and my restricted FQDNs, my Host (using Fortigate's DNS) successfully performs DNS Lookup (for any URL I throw at it) and Traceroute commands (to my restricted FQDNs). Yet, when I browse to one of the FQDNs, it takes over 5-10 minutes of spinning and then the page finally loads.

I don't have any other settings configured on the Firewall, all default from initializing.

I must need to include something else in my LAN>WAN policy's list of Destinations or set up some manual routing? Maybe a policy for WAN back to LAN?

Reminder, this Fortigate is set up behind an existing wifi router which is then plugged into the ISP's modem; Fortigate's WAN is plugged into one of the router's client ports and gets a private IP from the router. If I do not restrict the Destination, hosts on the Fortigate access the internet just peachy...

XxKevinxX

Hey guys. Did you ever find a solution to this issue? I'm going through the same thing. I have my firewall behind a wireless router that's connected to an ISP modem. I'm having the same issue going on as described in the thread. My WAN port is connected to one of the router's LAN ports. My WAN port has a subnet 192.168.1.227/255.255.255.0 and yet the Fortigate WAN port can see my public IP address. I have my LAN hardware switch connected to port 1 on a different subnet than default to administer the unit. That subnet is 192.168.2.99 and it seems that the Fortigate can't reach a DNS server. I've tried both Google's and Fortigate's with no luck. I have some IPv4 policies in place and enabled and disabled them with the same results. Any help is appreciated. I know this thread is more than a few months old, but I had to give it a try. Also, how do I run the flow base command in the console? I can google that as well. Thank you