Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
mattjackson
New Contributor

Created on ‎01-31-2025 07:31 AM

Fortigate VPN with overlapping subnets - Remote site Internet Access over VPN

I have followed the guide to setup a site to site VPN with overlapping subnets but I need to get the Branch sites internet traffic to route back over the VPN between FortiGate's but then go out of another router on that network. 

Can anyone help me get this working as I cannot get the branch office Internet to work. 

 

This is the guide I followed https://docs.fortinet.com/document/fortigate/7.6.1/administration-guide/426761/site-to-site-vpn-with...

 

This is the configuration I have

 

Site 1 - HQ

WAN Router - 192.168.0.1

LAN  -192.168.0.0/24

WAN router has static route to point traffic for 10.2.2.0/24 to 192.168.0.11

 

Fortigate 80F - Connected via  WAN 1 - to LAN above IP'd 192.168.0.11

WAN2 IP'd- 192.168.1.129/25 and connected to layer 2 link to Branch site

SNAT setup to convert 192.168.0.0/24 to 10.1.1.0/24

 

Site 2 - Branch

Fortigate 30G

LAN - 192.168.0.0/24

SNAT Virtual Subnet - 10.2.2.0/24

WAN IP'd- 192.168.1.131/25 and connected to layer 2 link to HQ site

 

Testing

HQ Fortigate 80F can access internet via HQ WAN Router

Users on HQ LAN can access internet via HQ WAN router

Users on HQ LAN can access devices on Branch LAN via 10.2.2.x IP address

Users on Branch LAN can access devices on HQ LAN

Users on Branch LAN can reach the HQ WAN Router on 192.168.0.1

Users on Branch LAN cannot reach anything external e.g 8.8.8.8

 

Labels:
154
0 Kudos
2 REPLIES 2
funkylicious
SuperUser
SuperUser

Created on ‎01-31-2025 07:43 AM Edited on ‎01-31-2025 07:45 AM

So if I get this correct, you would like the users in Branch ( real net 192.168.0.0 /24 , NAT'ed to 10.2.2.0/24 ) to access the Internet via HQ ?

If so, you would need

- a default route towards HQ from Branch ( in Branch : 0.0.0.0/0 with next-hop 192.168.1.129 and in HQ a route back to 10.2.2.0/24 next-hop 192.168.1.131 ) 

- a firewall rule that NATs the traffic from local ( Branch ) to remote ( HQ ) into 10.2.2.0/24 IP Pool

- in HQ a firewall rule from 10.2.2.0/24 network , src interface VPN-Branch and destination interface WAN and destination address all with NAT enabled.

"jack of all trades, master of none"
"jack of all trades, master of none"
147
0 Kudos
mattjackson
New Contributor

Created on ‎01-31-2025 08:32 AM

Thanks got it working now. I had the firewall policy set to remote original subnet to HQ virtual with NAT I changed this to remote original to all and its working now. 

125
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.