Support Forum
Amr811
New Contributor II

Firewall in Transparent Mode - can't reach devices downstream when using OpenVPN

I am setting up an FG-60F firewall in transparent mode and this is my configuration:

Internet <-> LTE Router <-> Firewall <->  Local Switch1

Upstream of the firewall there is an LTE router, and downstream of the firewall there is network switch 1. I have the firewall configured in transparent mode with management IP 10.10.10.1, and the LTE router is 10.10.10.250. When I connect locally to the network, I can ping all the devices on my network and I also have internet access.

The problem is when I connect via the VPN.

The VPN setup is as follows: the router has an OpenVPN tunnel to an external server, and I connect to this VPN server via an OpenVPN client. When I am on the VPN, I get assigned an IP on the network, 11.36.255.13, and at this point I can ping the firewall on 11.36.3.1 and the router on 11.36.3.250, but I cannot ping anything downstream of the firewall (switch1 and other devices). If I remove the firewall from my network and connect via VPN, I can ping switch1 on IP 11.36.3.10 (locally it is 10.10.10.10).

Regarding firewall policies, I have only one allow-all policy. Regarding static routes, I have one route for outgoing traffic and a second route that tries to get the VPN traffic to the downstream devices.

As it is right now I cannot ping downstream devices. Any idea what I am doing wrong?

 

firewall policy

FirewallPolicies.png

 

static routes

StaticRoutes.png

1 Solution
Amr811
New Contributor II

I was missing a policy to allow traffic from wan1 to internal; now it works. FirewallPolicies2.png

3 REPLIES
michaljacks51
New Contributor

Double-check your firewall configuration to ensure that VPN traffic is properly routed to downstream devices. You may need to adjust your static routes or firewall policies to allow VPN traffic to reach its intended destinations. Consider consulting your network administrator or seeking assistance from your firewall vendor's support team for further troubleshooting.

Dankskittlez39
New Contributor

So this works, but is it right? Aren't you just bypassing your firewall altogether with these rules? Fortinet just says int-to-out policy only, and I can't get any connections whatsoever that way, so this can't be right for transparent mode, can it?
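An added example, not taken from any of the posts above and not Fortinet's own documentation, showing in FortiOS CLI form the policy pair that the accepted answer describes, beside a tightened version that addresses the concern in the last reply. The interface names wan1 and internal, the management IP 10.10.10.1, the LAN host 10.10.10.10 and the VPN client 11.36.255.13 come from the thread; the address-object names, the /24 masks, the policy IDs and names, and the service list are assumptions for this example.

```text
# Assumed address objects. The thread shows one VPN client at 11.36.255.13 and
# LAN hosts such as 10.10.10.10 behind the transparent FortiGate; the /24 masks
# and the object names are assumptions for this example.
config firewall address
    edit "LAN-10.10.10.0"
        set subnet 10.10.10.0 255.255.255.0
    next
    edit "VPN-Clients-11.36.255.0"
        set subnet 11.36.255.0 255.255.255.0
    next
end

# (a) What the accepted answer describes: the original allow-all policy
#     (internal -> wan1) plus a second allow-all in the reverse direction.
#     With both in place the transparent FortiGate behaves like a bridge that
#     blocks nothing: anything the LTE router forwards, VPN clients included,
#     can reach every downstream host on every port.
config firewall policy
    edit 1
        set name "LAN-to-WAN-allow-all"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set name "WAN-to-LAN-allow-all"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# (b) Tightened replacement for policy 2: only the VPN client range may enter
#     from wan1, only towards the LAN range, only on the services actually
#     needed, and every session is logged. Anything else arriving on wan1
#     falls through to the implicit deny. Return traffic for these sessions
#     is matched statefully, so policy 1 is not needed for the replies.
config firewall policy
    edit 2
        set name "VPN-Clients-to-LAN"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "VPN-Clients-11.36.255.0"
        set dstaddr "LAN-10.10.10.0"
        set action accept
        set schedule "always"
        set service "PING" "SSH" "HTTPS"
        set logtraffic all
    next
end
```

Two practical points behind this. First, in transparent mode the FortiGate forwards by MAC address and its static routes only govern the unit's own management traffic, so the second static route in the question does nothing for the VPN clients; it is the wan1-to-internal policy that matters, and it is the thing worth restricting. Second, the dstaddr above assumes the LTE router translates the 11.36.3.x addresses back to 10.10.10.x before the packets reach the FortiGate, which is consistent with the firewall's 10.10.10.1 management IP being reachable as 11.36.3.1 over the VPN; if that is not the case on your router, use the addresses the packets actually carry on the wire, which you can confirm with `diagnose sniffer packet any "host 11.36.255.13" 4` while pinging from the VPN client.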
