Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
lk777
New Contributor

FortiGate(WiFi) static routes problems

FortiWiFi 60E v7.2.3

 

Configuration:

Hardware Switch: "internal" (7 ports)

Software Switch: "lan" ("internal" + wfi SSID)

 

7 VLANs on the interface "internal"

 

lan: 10.10.5.2/24

 

Static routes that do not work for me like the following:

Destination: 10.0.3.0/24

Gateway 10.10.5.15

Interface: lan

 

and others that have similar configuration with the Gateway IP: 10.10.5.15

 

10.10.5.15 is the linux server with the lxc containers on it:

lxc bridge IP:  10.0.3.1

10.0.3.20 -  IP of one of the lxd/lxc containers

 

10.0.3.20 is reachable only from the 10.10.5.0 subnet and not from any other VLANs.

inter-VLAN routing works where I allowed it to work.

 

This static route works on the pfSense router/firewall and Ubiquiti EdgeRouter.

 

I am, basically, replicating the pfSense configuration to FortiWiFi. It seems everything works besides those static routes with the 10.10.5.15 gateway.

 

What am I missing in my setup?

 

Thanks.

 

 

 

 

 

7 REPLIES 7
gfleming
Staff
Staff

Do you have firewall policies allowing the inter-VLAN routing?

Cheers,
Graham
lk777
New Contributor

Hi Graham,

 

All VLANs see each other ( for the troubleshooting purposes, I have temporarily disabled some rules which blocked inter-VLAN routing for some VLANs). As of now, all VLANs have rules which allow access from any incoming interface and from all sources.

gfleming

I think your problem is the VLANs are assigned to your hardware switch when in reality you need to have them assigned to your software switch. Can you try with VLAN assigned to software switch instead?

 

You can also try breaking your software switch if you don't need your wireless interface bridged to your hardware switch.

Cheers,
Graham
lk777
New Contributor

Probably you are right. This software/hardware concept is something new to me.

But the following policy worked for me:

Incoming interface: any

Outgoing interface: lan

Source (I set up a custom address "Trusted networks")

Destination: all

....

So this is basically a pass-through policy.

 

But I am not sure if this is the right way to configure on Fortigate, but at least it works now.

What do you think?

gfleming

Well yes that's what I meant when I asked if you had the policies enabled for inter-VLAN routing.

 

Any traffic that needs to be forwarded between interfaces on the Fortigate requires a policy explicitly allowing it.

 

The only right way to do this is what makes sense for your environment and the restrictions you need to enable.

 

If you just want passthrough for your VLANs you can  put them all into a Zone. Once they are in a zone, all traffic will pass through between the interfaces without requiring a policy.

Cheers,
Graham
lk777
New Contributor

Without that policy all VLANs were able to communicate with each other and with the native lan. That was a confusing part of this setup. This passthrough policy helped with those static routes.

gfleming

Well i have no idea what VLAN the 10.0.3.20 host is in or what VLAN you need to transit to get to it but that IP address would have to be included as a destination in the policy that allows traffic out the VLAN that it exists in or transits to it.

Cheers,
Graham
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors