Fortigate Policy route AP
We would like to create a policy route to allow all users connected to an AP to route their internet traffic over a specific WAN port.
The AP is an Aruba Instant On connected to the same internal port as all clients; DHCP will be handled by the FortiGate.
How would we configure this? Any help would be appreciated.
Hi,
Does the wireless user receive a separate subnet IP address from the DHCP server? If yes, you can set up a policy route that specifies the source Wi-Fi user subnet and outgoing interface to the WAN interface, as shown in the following document.
Regards
Jamal Hussain
Thanks for your reply. On the Aruba we did test with NAT; the Aruba then gives out a separate IP. The Aruba does not have a proper DHCP server. It's the Instant On models.
This worked, but the issue then is that IPsec for these users doesn't work; they are not able to access HQ via IPsec. Not sure how to solve that.
Hi @Etiennet,
What does your policy route look like? It might be routing all traffic via WAN, as policy routes take precedence over static routes. You can create another policy route to route traffic over the IPsec tunnel if it matches the HQ subnet.
Regards,
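The precedence described in the reply above, sketched as FortiOS CLI (an added example, not part of the original thread and not the poster's configuration): policy routes are checked top-down before the routing table, so the rule for the HQ subnet has to sit above the catch-all rule that sends traffic out the WAN port. The interface names, source address, HQ subnet and gateway are placeholders, since the thread does not give them.

```fortios
# Added example, not the poster's configuration.
# Placeholders (assumptions): "internal", "HQ-IPsec", "wan2",
# <AP_IP>, <HQ_SUBNET>, <HQ_MASK>, <WAN_GATEWAY>.
# Rule 1 sends traffic for the HQ subnet into the IPsec tunnel.
# Rule 2 sends everything else from the same source out the chosen WAN port.
# Rule 1 must stay above rule 2, because the first matching policy route wins.
config router policy
    edit 1
        set input-device "internal"
        set src "<AP_IP>/255.255.255.255"
        set dst "<HQ_SUBNET>/<HQ_MASK>"
        set output-device "HQ-IPsec"
    next
    edit 2
        set input-device "internal"
        set src "<AP_IP>/255.255.255.255"
        set dst "0.0.0.0/0.0.0.0"
        set gateway <WAN_GATEWAY>
        set output-device "wan2"
    next
end
```

A policy route only selects the egress interface; a firewall policy from the internal interface to the tunnel still has to permit the traffic.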
Hi @hbac
Thanks for your reply.
I have attached my policy. In the source addresses I added a test laptop and the Aruba AP.
The Aruba is now NATting the devices that are connected to it. How would we allow those devices to access HQ via the IPsec?
Remote Site IP range 10.10.61.x
Devices connected to Aruba AO 10.10.65.x
Would really appreciate any help.
Hi @Etiennet,
You can create another policy route with destination=10.10.61.x and outgoing interface=IPsec tunnel.
Regards,
Thanks, but the 10.10.61.x range can already access the IPsec.
The issue is the NAT on the Aruba the 10.10.65.x range... They need to access the IPsec?
Hello Etiennet,
Kindly use the following article for this:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-the-firewall-Policy-Routes/ta-...
In this article, Port6 is your desired WAN interface. Make sure you add the gateway address of the WAN interface in it.
Arun Kumar | TAC Engineer II
