Hello, I have two different FortiGates and I went to set up the static routing on one for the VLANs I created under the LAN port 1 interface. So they are both the same way. This already works with one of my firewalls just fine - but errors out constantly on my 100E.

For example:

Destination: 192.168.8.0/255.255.255.0 (This is a VLAN subnet that has an interface "under" the LAN PORT interface)
LAN Port: port1
Gateway Address: 192.168.10.1 (IP of port 1 interface)
Error given: Gateway IP is the same as interface IP, please choose another IP.

Example of one working:

Destination: 172.10.2.0/255.255.255.0 (This is a VLAN subnet that has an interface "under" the LAN PORT interface)
LAN Port: port1
Gateway Address: 10.0.0.1 (IP of port 1 interface)

Am I doing something wrong? What is the difference between the two? They are both on the same firmware version and BOTH 100Es. I am lost at this point and would appreciate any help. I am attempting to set up inter-VLAN communication for these VLANs.
Thanks,
Kirk R.
It's not about the FGT's static routing but any router's static routing. Static routes are to pass those packets destined to an IP in a destination subnet (192.168.8.0/24 or 172.10.2.0/24) to the next hop router, which is one hop closer to the destination. So the GW IP is the IP of the next hop router, not the FGT's (the originating router's) IP.
If those destinations belong to (configured on an interface/sub-interface) the FGT, you don't need any additional route. They would show up as "directly connected" or "C" routes.
Yes, however - I can't ping inter-VLAN. I have my IPv4 policies up for inter-VLAN communication and ping is turned on on the interfaces. But it is not working. If I am on 192.168.10.x I cannot ping the gateway 192.168.8.1, which is on a VLAN that resides under port 1 LAN (192.168.10.1). I don't understand why it is not working. If ping is turned on and the policies are in place - I should be able to ping the other VLAN's gateway IP. The only reason I can think of is that there isn't a route in place. Thanks, Kirk
Have you tried cross-pinging something behind the GW? If the policy is proper, you should be able to exchange packets across the FGT.
Also you should be able to ping those GW IPs from the FGT itself via CLI. Then the problem is likely trusthost config. Check if the source is included in them as in many posts in the forum. If it still doesn't work, you need to run "flow debug", which can be found in the forum or just internet search as well.
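Pulling the reply's points together as an added example (not from this thread or from Fortinet): a FortiOS CLI walkthrough showing the VLAN sub-interface under port1, the directly connected routes that make a static route unnecessary, the policies for each initiating direction, and the checks suggested above. The interface name "vlan8", VLAN ID 8, the policy names and the sample routing-table lines are assumptions.

```fortios
# 1. VLAN sub-interface on port1 (assumed name vlan8). Giving it an IP is
#    enough: its subnet becomes a directly connected route, no static needed.
config system interface
    edit "vlan8"
        set interface "port1"
        set vlanid 8
        set ip 192.168.8.1 255.255.255.0
        set allowaccess ping
    next
end
# 2. Verify both subnets show as "C" (connected) routes.
get router info routing-table all
# Expected lines (constructed sample):
#   C   192.168.10.0/24 is directly connected, port1
#   C   192.168.8.0/24 is directly connected, vlan8
# 3. Policies are stateful: one per initiating direction, replies ride the session.
config firewall policy
    edit 0
        set name "lan-to-vlan8"
        set srcintf "port1"
        set dstintf "vlan8"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "vlan8-to-lan"
        set srcintf "vlan8"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
# 4. Checks in the order the reply gives: ping from the FGT itself, then make
#    sure any admin trusthost entries include the pinging source, then flow debug.
execute ping 192.168.8.1
show system admin
diagnose debug flow filter addr 192.168.8.1
diagnose debug flow show function-name enable
diagnose debug flow trace start 10
diagnose debug enable
# Now ping 192.168.8.1 from a 192.168.10.x host and read the trace; then stop:
diagnose debug disable
diagnose debug reset
```

If the trace shows the packet reaching the FGT but being denied, the message names the policy lookup result, which tells you whether the policy pair or the trusthost restriction is the cause.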