Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Etiennet
New Contributor II

Fortigate Policy route AP

We would like to create a policy route to allow all users connected to an AP to route their internet traffic over a specific WAN port.

 

The AP is an aruba instant on connected to the same interal port as all clients, DHCP will be handled by the fortigate

 

How would we configure this? any help would be appreciated. 

7 REPLIES 7
jhussain_FTNT

Hi,

 

Does the wireless user receive a separate subnet IP address from the DHCP server? If yes, you can setup a policy route that specifies the source wifi user subnet and outgoing interface to the WAN interface, as shown in the following document.

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-the-firewall-Policy-Routes/ta-...

 

Regards

Jamal Hussain

Etiennet
New Contributor II

Thanks for your reply, on the Aruba we did test with NAT the Aruba then gives out a separate IP, the Aruba does not have a proper DHCP Server. its the Instant on Models.

 

This worked but the issue then is the Ipsec for these users don't work they are not able to access Hq via IPsec..  Not sure how to solve that. 

hbac

Hi @Etiennet,

 

What does your policy route look like. It might be routing all traffic via WAN as policy route take precedence over static route. You can create another policy route to route traffic over IPsec tunnel if it matches HQ subnet.

 

Regards, 

Etiennet
New Contributor II

Hi @hbac 

 

Thanks for your reply.

 

I have attached my Policy. in the Source addresses I added a test laptop and the Aruba AP. 

 

The Aruba is now Natting the Devices that are connected to it.  How would we allow those devices now to be able to access HQ via the IPsec?

 

Remote Site IP range 10.10.61.x

Devices connected to Aruba AO 10.10.65.x

 

Would really appreciate any help.

 
 

Screenshot 2024-07-04 083808.jpg

 

hbac

Hi @Etiennet,

 

You can create another policy route with destination=10.10.61.x and outgoing interface=IPsec tunnel. 

 

Regards, 

Etiennet
New Contributor II

Thanks, but the 10.10.61.x range can already access the IPsec.

 

The issue is the NAT on the Aruba the 10.10.65.x range... They need to access the IPsec?

akumar02
Staff
Staff

Hello Etiennet,

Kindly use the following article for this:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-the-firewall-Policy-Routes/ta-...

In this article, Port6 is your Desired WAN interface. Make sure you add the gateway address of the WAN interface in it. 

Best Regards,
. . . . . . . . . . . . . . . . . . . . . . . .
Arun Kumar | TAC Engineer II
FORTINET TAC - America EAST
NSE Certified: FCA, FCF, FCP-NS, FCSS-NS
Office Hours: 9AM-6PM EST (Tue-Sat)
Contact: https://fortinet.com/support-and-training/support/contact.html
Community Forum: https://community.fortinet.com
# Is there anything Fortinet could have assisted with further, better, or differently?
# Simply request a Manager follow-up
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors