- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: Fortigate 90D routing problem
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Fortigate 90D routing problem
Hi Guys,
I'm facing a problem replacing my old Cisco 1921 to Fortigate 90D.
I have a public IP range from ISP, i.e.: 76.252.105.128/26. I divided this range to multiple subnets. Between Fortigate and ISP router there is 76.252.105.128/28 subnet (ISP router 76.252.105.129 and fortigate WAN: 76.252.105.130). The rest of public IPs were divided into small 4 IP subnets and assigned to LAN interfaces, i.e. LAN_1 76.252.105.176/30. The problem is that I cannot access internet servers from LAN_1 and opposite way - I cannot access internet server in LAN_1 (76.252.105.178) from the internet. I have 2 IPv4 policies ISP -> LAN_1 (without NAT) and LAN_1 -> ISP (Without NAT) allowing all traffic.
I also have a private LAN_2 (192.168.1.0) which is overloaded to 76.252.105.130 and it works great!
I don't have ideas why public IP routing doesn't want to work. On old Cisco everything works great. Do you have any ideas?
Solved! Go to Solution.
2 Solutions
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi - you should do some basic testing - -run a constant ping between two IP addresses and then run a sniffer trace from the Fortigate CLI on the interfaces such as:
diag sniffer packet Lan_1 'host x.x.x.x and host x.x.x.x'
Does the packet arrive at the LAN_1 interface?
Then:
diag sniffer packet wan1 'host x.x.x.x and host x.x.x.x'
Does the packet leave the wan1 interface and do you get a response back from the upstream router?
That would be a good starting point - -if that does not help then do a debug flow such as:
diag debug enable
diag debug flow filter saddr x.x.x.x
diag debug flow filter daddr x.x.x.x
diag debug flow show console enable
diag debug flow trace start 50
See if that gives you some clues.
Moby.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
>>>The problem is that I cannot access internet servers from LAN_1 and opposite way - I cannot access internet server in LAN_1 (76.252.105.178) from the internet. I have 2 IPv4 policies ISP -> LAN_1 (without NAT) and LAN_1 -> ISP (Without NAT) allowing all traffic.
Since the IP of internet servers is a public one, ISP should always has route back, so firewall policy is good, no nat no VIP required. please check the routing-table on FGT by 'get router info routing-table all'
5 REPLIES 5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi - you should do some basic testing - -run a constant ping between two IP addresses and then run a sniffer trace from the Fortigate CLI on the interfaces such as:
diag sniffer packet Lan_1 'host x.x.x.x and host x.x.x.x'
Does the packet arrive at the LAN_1 interface?
Then:
diag sniffer packet wan1 'host x.x.x.x and host x.x.x.x'
Does the packet leave the wan1 interface and do you get a response back from the upstream router?
That would be a good starting point - -if that does not help then do a debug flow such as:
diag debug enable
diag debug flow filter saddr x.x.x.x
diag debug flow filter daddr x.x.x.x
diag debug flow show console enable
diag debug flow trace start 50
See if that gives you some clues.
Moby.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Two issues here.
1) All outbound policies need to have NAT enabled for traffic to pass to the Internet.
2) Inbound traffic: I'm not too familiar with how the Cisco works, but I do know that your ISP has to pass the traffic for the inbound servers to one firewall or another. This has to managed manually (unless you are using a routing protocol). You need to see from the outside where the traffic is being pushed to. If it is the Fortigate, then you have to make sure your Virtual IP (VIP) mappings are set up correctly and that the policies are in place to allow that traffic.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
>>>The problem is that I cannot access internet servers from LAN_1 and opposite way - I cannot access internet server in LAN_1 (76.252.105.178) from the internet. I have 2 IPv4 policies ISP -> LAN_1 (without NAT) and LAN_1 -> ISP (Without NAT) allowing all traffic.
Since the IP of internet servers is a public one, ISP should always has route back, so firewall policy is good, no nat no VIP required. please check the routing-table on FGT by 'get router info routing-table all'
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Guys,
Thanks for your advices!
@moby, I did a testing and it helped me to figure out what's the problem.
@Jzhang_FTNT you were right. The problem is located in route table in ISP router.
To be more specific:
The ISP router interface should be configured with IP: 76.252.105.129/28. To the rest of public IPs (76.252.105.144-76.252.105.191) there should be IP route via our router interface (76.252.105.130).
However I discovered that when I'm trying to ping.one of my public IPs 76.252.105.178 ISP router sends ARP broadcast requesting mac of 76.252.105.178 instead of sending packet via our router interface. I've asked ISP to check this router configuration and they confirmed that router interface has IP 76.252.105.129/26 instead of 76.252.105.129/28. That's the error! Old Cisco took care of it somehow and Fortinet can't do it.
ISP will reconfigure their router and it will solve problem.
Thanks again!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I prefer, in situations like this, to get a /30 for the WAN interface of the Gate. That can be the external address and they can then route the /26 or /28 or whatever pool of addresses to the WAN interface of the Gate. From there you have clean control via VIPs etc.
Mike Pruett
Mike Pruett
Fortinet GURU | Fortinet Training Videos
Related Posts
- FortiOS 7.2.4 IPSec split-tunnel breaks local... 89 Views
- BGP modify the mask of a... 81 Views
- Fortigate 60d boot device failing 105 Views
- Forward traffic from Fortigate not showing... 98 Views
- FortiClient Azure SSO VPN issues 63 Views
Labels
-
FortiGate
6,461 -
FortiClient
1,290 -
5.2
801 -
5.4
639 -
FortiManager
562 -
6.0
416 -
FortiAnalyzer
411 -
5.6
362 -
FortiSwitch
331 -
FortiAP
327 -
FortiClient EMS
259 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
148 -
6.4
128 -
FortiNAC
103 -
FortiGuard
102 -
FortiGateCloud
86 -
FortiSIEM
85 -
FortiCloud Products
82 -
FortiToken
69 -
Customer Service
69 -
IPsec
68 -
4.0MR3
64 -
Wireless Controller
58 -
SSL-VPN
55 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
38 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
30 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
High Availability
21 -
FortiConverter
21 -
Firewall policy
20 -
VLAN
18 -
FortiPortal
17 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
FortiDDoS
13 -
Routing
12 -
FortiCASB
12 -
SAML
11 -
BGP
11 -
DNS
11 -
Interface
11 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
Logging
9 -
RADIUS
8 -
Traffic shaping
8 -
Virtual IP
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
NAT
7 -
FortiAuthenticator
7 -
Admin
7 -
FortiGate v4.0 MR3
7 -
4.0
7 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
SSID
5 -
Security profile
5 -
Traffic shaping policy
5 -
Authentication
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
Static route
5 -
FortiManager v4.0
5 -
FortiDirector
4 -
SSL SSH inspection
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
packet capture
3 -
FortiToken Cloud
3 -
Automation
3 -
Intrusion prevention
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
IPS signature
3 -
FortiDeceptor
2 -
FortiInsight
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
Web profile
2 -
FortiAP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
NAC policy
1 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
Application signature
1 -
Authentication rule and scheme
1 -
Multicast routing
1 -
Zone
1 -
FortiManager-VM
1 -
Fabric connector
1 -
Internet Service Database
1 -
Fortinet Engage Partner Program
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.