Good evening,
Experiencing an issue with FG routing. Can anyone assist?
I have the following setup on a Proxmox node:
1. Ubuntu (Client)
2. Fortigate Firewall
The Client has two interfaces attached with the following networks:
1. 192.168.61.X for management
2. 192.168.10.x (shared network to reach the Fortigate) LAN
The Fortigate has three interfaces attached with the following networks:
1. 192.168.61.X for management
2. 192.168.10.x (shared network to reach the client ) LAN
3. 192.168.100.x (WAN Interface to reach wan router)
I cannot get internet on the client through the FG. I can ping between both the client and the FG on the 192.168.10.0 network, but if I try to ping an external network from the client with the FG as the gateway there is no reply.
After running sniffers and debug flow I can see the packet reaching the Fortigate with the following output:
FortiOS-VM64-KVM # diag deb en
FortiOS-VM64-KVM # diag sniffer packet any 'host 192.168.10.2'
Using Original Sniffing Mode
interfaces=[any]
filters=[host 192.168.10.2]
0.262386 192.168.10.2 -> 8.8.8.8: icmp: echo request
1.286294 192.168.10.2 -> 8.8.8.8: icmp: echo request
2.310243 192.168.10.2 -> 8.8.8.8: icmp: echo request
FortiOS-VM64-KVM # diag deb en
FortiOS-VM64-KVM # diag deb flow filter saddr 192.168.10.2
FortiOS-VM64-KVM # diag debug flow trace start 100
FortiOS-VM64-KVM # id=20085 trace_id=1 func=print_pkt_detail line=5742 msg="vd-root:0 received a packet(proto=1, 192.168.10.2:7->8.8.8.8:2048) from port2. type=8, code=0, id=7, seq=89."
id=20085 trace_id=1 func=init_ip_session_common line=5913 msg="allocate a new session-0000047c"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2621 msg="find a route: flag=04000000 gw-192.168.100.1 via port1"
id=20085 trace_id=2 func=print_pkt_detail line=5742 msg="vd-root:0 received a packet(proto=1, 192.168.10.2:7->8.8.8.8:2048) from port2. type=8, code=0, id=7, seq=90."
id=20085 trace_id=2 func=init_ip_session_common line=5913 msg="allocate a new session-0000047d"
id=20085 trace_id=2 func=vf_ip_route_input_common line=2621 msg="find a route: flag=04000000 gw-192.168.100.1 via port1"
id=20085 trace_id=3 func=print_pkt_detail line=5742 msg="vd-root:0 received a packet(proto=1, 192.168.10.2:7->8.8.8.8:2048) from port2. type=8, code=0, id=7, seq=91."
id=20085 trace_id=3 func=init_ip_session_common line=5913 msg="allocate a new session-0000047e"
id=20085 trace_id=3 func=vf_ip_route_input_common line=2621 msg="find a route: flag=04000000 gw-192.168.100.1 via port1"
There is a static route on the Fortigate using the WAN interface, and from the FG I can ping anything on the internet, so there is internet access on the firewall:
FortiOS-VM64-KVM # exe ping www.google.com
PING www.google.com (142.251.35.228): 56 data bytes
64 bytes from 142.251.35.228: icmp_seq=0 ttl=113 time=46.6 ms
64 bytes from 142.251.35.228:
FortiOS-VM64-KVM # get router info routing-table all
Codes: C - connected, S - static, * - candidate default
Routing table for VRF=0
S*      0.0.0.0/0 [5/0] via 192.168.100.1, port1
C       192.168.10.0/24 is directly connected, port2
C       192.168.61.0/24 is directly connected, mgmt
C       192.168.100.0/24 is directly connected, port1
Based on the debugs it seems the Fortigate cannot find a route once the initial packet comes from the LAN network, but has no trouble if the traffic initiates from itself.
Can anyone assist in troubleshooting this issue?
thanks for your assistance.
regards,
#fortigate, #proxmox
UPDATE:
So the issue was that SNAT was enabled. What I did was enable central NAT and create a rule for the central NAT to use the outgoing interface address.
Unfortunately I'm now faced with the following error:
FortiOS-VM64-KVM #
FortiOS-VM64-KVM # diag deb en
FortiOS-VM64-KVM # diag deb flow filer sadd
command parse error before 'filer'
FortiOS-VM64-KVM # diag deb flow filter saddr 192.168.3.2
FortiOS-VM64-KVM # diag deb flow trace start 100
FortiOS-VM64-KVM # id=20085 trace_id=1 func=print_pkt_detail line=5742 msg="vd-root:0 received a packet(proto=1, 192.168.3.2:3->8.8.8.8:2048) from port3. type=8, code=0, id=3, seq=98."
id=20085 trace_id=1 func=init_ip_session_common line=5913 msg="allocate a new session-000004c9"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2621 msg="find a route: flag=04000000 gw-192.168.100.1 via port2"
id=20085 trace_id=2 func=print_pkt_detail line=5742 msg="vd-root:0 received a packet(proto=6, 192.168.3.2:45296->192.168.3.1:53) from port3. flag [S], seq 1988030723, ack 0, win 64240"
id=20085 trace_id=2 func=init_ip_session_common line=5913 msg="allocate a new session-000004ca"
id=20085 trace_id=2 func=vf_ip_route_input_common line=2621 msg="find a route: flag=84000000 gw-192.168.3.1 via root"
id=20085 trace_id=2 func=fw_local_in_handler line=435 msg="iprope_in_check() check failed on policy 0, drop"
id=20085 trace_id=3 func=print_pkt_detail line=5742 msg="vd-root:0 received a packet(proto=1, 192.168.3.2:3->8.8.8.8:2048) from port3. type=8, code=0, id=3, seq=99."
id=20085 trace_id=3 func=init_ip_session_common line=5913 msg="allocate a new session-000004cb"
id=20085 trace_id=3 func=vf_ip_route_input_common line=2621 msg="find a route: flag=04000000 gw-192.168.100.1 via port2"
id=20085 trace_id=4 func=print_pkt_detail line=5742 msg="vd-root:0 received a packet(proto=1, 192.168.3.2:3->8.8.8.8:2048) from port3. type=8, code=0, id=3, seq=100."
id=20085 trace_id=4 func=init_ip_session_common line=5913 msg="allocate a new session-000004cc"
id=20085 trace_id=4 func=vf_ip_route_input_common line=2621 msg="find a route: flag=04000000 gw-192.168.100.1 via port2"
id=20085 trace_id=5 func=print_pkt_detail line=5742 msg="vd-root:0 received a packet(proto=1, 192.168.3.2:3->8.8.8.8:2048) from port3. type=8, code=0, id=3, seq=101."
id=20085 trace_id=5 func=init_ip_session_common line=5913 msg="allocate a new session-000004cd"
id=20085 trace_id=5 func=vf_ip_route_input_common line=2621 msg="find a route: flag=04000000 gw-192.168.100.1 via port2"
Can anyone assist with the debugging?
Thanks
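The two `diagnose debug flow` runs above are easier to read per session than per line. As an added example (not from the original post or from Fortinet), here is a small Python parser that groups trace output by `trace_id` and pulls out the ingress interface, the routing decision (gateway, egress interface, and whether the route is "via root", i.e. local-in traffic addressed to the FortiGate itself) and any policy verdict. The sample input is constructed from the trace lines in the UPDATE; the `Allowed by Policy-N` pattern is an assumption about the message FortiOS prints when a forwarding policy matches and does not occur in the sample.

```python
"""Summarise FortiGate `diagnose debug flow trace` output per session (added example)."""
import re
from collections import OrderedDict

# Constructed sample input: the trace lines from the post's UPDATE. The first line keeps the
# CLI prompt that FortiOS prints in front of the first trace line, to show it is tolerated.
SAMPLE_TRACE = """\
FortiOS-VM64-KVM # id=20085 trace_id=1 func=print_pkt_detail line=5742 msg="vd-root:0 received a packet(proto=1, 192.168.3.2:3->8.8.8.8:2048) from port3. type=8, code=0, id=3, seq=98."
id=20085 trace_id=1 func=init_ip_session_common line=5913 msg="allocate a new session-000004c9"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2621 msg="find a route: flag=04000000 gw-192.168.100.1 via port2"
id=20085 trace_id=2 func=print_pkt_detail line=5742 msg="vd-root:0 received a packet(proto=6, 192.168.3.2:45296->192.168.3.1:53) from port3. flag [S], seq 1988030723, ack 0, win 64240"
id=20085 trace_id=2 func=init_ip_session_common line=5913 msg="allocate a new session-000004ca"
id=20085 trace_id=2 func=vf_ip_route_input_common line=2621 msg="find a route: flag=84000000 gw-192.168.3.1 via root"
id=20085 trace_id=2 func=fw_local_in_handler line=435 msg="iprope_in_check() check failed on policy 0, drop"
"""

LINE_RE = re.compile(r'trace_id=(?P<trace>\d+) func=(?P<func>\w+) line=\d+ msg="(?P<msg>.*)"')
# For proto=1 (ICMP) the "port" fields carry the ICMP id and type/code (2048 = type 8, code 0),
# not real ports.
PKT_RE = re.compile(r'received a packet\(proto=(?P<proto>\d+), (?P<src>[\d.]+):(?P<sport>\d+)'
                    r'->(?P<dst>[\d.]+):(?P<dport>\d+)\) from (?P<in_intf>\S+)\.')
ROUTE_RE = re.compile(r'find a route: flag=(?P<flag>[0-9a-fA-F]+) gw-(?P<gw>[\d.]+) via (?P<out_intf>\S+)')
SESSION_RE = re.compile(r'allocate a new session-(?P<session>[0-9a-f]+)')
DROP_RE = re.compile(r'check failed on policy (?P<policy>\d+), drop')
# Assumed format of the forwarding-policy match message; not present in the sample.
ALLOW_RE = re.compile(r'Allowed by Policy-(?P<policy>\d+)')

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def parse_trace(text):
    """Return an OrderedDict trace_id -> summary dict, in first-seen order."""
    flows = OrderedDict()
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue  # prompts, sniffer output, "command parse error" lines, etc.
        tid = int(m.group("trace"))
        flow = flows.setdefault(tid, {"trace_id": tid, "verdict": "no policy verdict logged"})
        msg = m.group("msg")
        if (pkt := PKT_RE.search(msg)):
            flow.update(proto=int(pkt["proto"]), src=pkt["src"], sport=int(pkt["sport"]),
                        dst=pkt["dst"], dport=int(pkt["dport"]), in_intf=pkt["in_intf"])
        elif (ses := SESSION_RE.search(msg)):
            flow["session"] = ses["session"]
        elif (rt := ROUTE_RE.search(msg)):
            flow.update(route_flag=rt["flag"], gw=rt["gw"], out_intf=rt["out_intf"])
            # "via root" means the packet is for the FortiGate itself (local-in), not forwarded.
            flow["local_in"] = rt["out_intf"] == "root"
        elif (dr := DROP_RE.search(msg)):
            flow.update(verdict="dropped", policy=int(dr["policy"]), drop_func=m.group("func"))
        elif (al := ALLOW_RE.search(msg)):
            flow.update(verdict="allowed", policy=int(al["policy"]))
    return flows


def describe(flow):
    """One-line human-readable summary of a parsed session."""
    proto = PROTO_NAMES.get(flow.get("proto"), str(flow.get("proto")))
    kind = "local-in (to the FortiGate itself)" if flow.get("local_in") else "forwarding"
    return ("trace %d: %s %s:%s -> %s:%s in %s, route gw %s via %s, %s, verdict: %s"
            % (flow["trace_id"], proto, flow.get("src"), flow.get("sport"), flow.get("dst"),
               flow.get("dport"), flow.get("in_intf"), flow.get("gw"), flow.get("out_intf"),
               kind, flow["verdict"]))


if __name__ == "__main__":
    for f in parse_trace(SAMPLE_TRACE).values():
        print(describe(f))
```

Run on the UPDATE's trace, this separates the ICMP sessions (ingress port3, routed via port2 towards 192.168.100.1, no policy verdict in the captured lines) from trace 2, a TCP/53 SYN from the client to the FortiGate's own address 192.168.3.1 that is routed "via root" and dropped in `fw_local_in_handler` on policy 0. That second session is the client's DNS query hitting the firewall itself, which is a local-in matter separate from whether forwarding to the internet works; when reading a trace, check the ingress interface, the `via` interface and the final verdict line for each `trace_id` before drawing conclusions from a single packet.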