Port 1: gw.xx.xx.81/29 (WAN)
Port 2: lan.xx.xx.99/24 (DHCP)
Policy IPv4: Port 2 to Port 1 (all to all, NAT enabled)
I've tested at Port 1 that internet is accessible using static IP.
When connected to Port 2 with a LAN IP via DHCP, internet is inaccessible.
What should I create to instruct Port 1 to allow internet access from Port 2, i.e. Port 1 is like a gateway to Port 2? Just upstream traffic would be fine. Thanks.
Hi @sgClarence
You may want to check the flow of the traffic to see what's happening. Try getting the following output while having a test client to test the traffic:
diag deb flow filter saddr <src_IP>
diag deb flow filter daddr 8.8.8.8
diag deb flow filter proto 1
diag deb flow sh function-name en
diag deb flow sh iprope en
diag deb flow trace start 20
diag deb en
Once the above has been entered on the CLI/PuTTY, navigate to your test client and ping 8.8.8.8. We can then examine why the traffic is not reaching the Internet.
Created on 08-23-2022 08:01 PM Edited on 08-23-2022 09:04 PM
Hi Kayzie,
We've modified the ports and run the flow debug.
Port 5: isp.xx.169.229
Port 6: wan.xx.38.81
port 7: lan.168.8.99
Static Routes: 0.0.0.0/0 -> isp.xx.169.229 (port 5)
Policy IPv4: Port5->Port6 (downstream), Port6->Port5 (upstream) and port7->port6 (LAN to Internet via port 5 as gateway, using the public IP of port 5, NAT enabled)
The results:
id=20085 trace_id=1 func=print_pkt_detail line=4489 msg="vd-root received a packet(proto=1, 192.168.8.100:1->8.8.8.8:8) from port7. code=8, type=0, id=1, seq=21."
id=20085 trace_id=1 func=init_ip_session_common line=4645 msg="allocate a new session-0000c5d2"
id=20085 trace_id=1 func=iprope_dnat_check line=4633 msg="in-[port7], out-[]"
id=20085 trace_id=1 func=iprope_dnat_check line=4646 msg="result: skb_flags-00800000, vid-0, ret-no-match, act-accept, flag-00000000"
id=20085 trace_id=1 func=vf_ip4_route_input line=1597 msg="find a route: flags=00000000 gw-isp.xx.169.229 via port5"
id=20085 trace_id=1 func=iprope_fwd_check line=630 msg="in-[port7], out-[port5], skb_flags-00800000, vid-0"
id=20085 trace_id=1 func=__iprope_tree_check line=543 msg="gnum-100004, use addr/intf hash, len=2"
id=20085 trace_id=1 func=__iprope_check_one_policy line=1833 msg="checked gnum-100004 policy-2, ret-no-match, act-accept"
id=20085 trace_id=1 func=__iprope_check_one_policy line=1833 msg="checked gnum-100004 policy-0, ret-matched, act-accept"
id=20085 trace_id=1 func=__iprope_check_one_policy line=2014 msg="policy-0 is matched, act-drop"
id=20085 trace_id=1 func=iprope_fwd_auth_check line=682 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-drop, idx-0"
id=20085 trace_id=1 func=fw_forward_handler line=567 msg="Denied by forward policy check (policy 0)"
So, as expected, the default static route is used.
I wonder what policy/rule to create to make wan.xx.38.81 at Port 5 act as our default internet gateway for LAN users?
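The debug flow output above is machine-parseable, and summarising it is quicker than reading nine lines by eye. The following is an added example (not from the thread or from Fortinet): a small Python parser for the `id=… trace_id=… func=… line=… msg="…"` line format as it appears in the posted output. It pulls out the packet's source and destination, the ingress interface, the route decision (gateway and egress interface), every policy that was checked, and the final verdict. The sample trace embedded in the block is the poster's own output with the same redactions; the message patterns matched are only those visible in that output, so other FortiOS message forms are not handled.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: the "diagnose debug flow" lines posted in the thread,
# with the public IP octets left redacted exactly as the poster redacted them.
SAMPLE_TRACE = """\
id=20085 trace_id=1 func=print_pkt_detail line=4489 msg="vd-root received a packet(proto=1, 192.168.8.100:1->8.8.8.8:8) from port7. code=8, type=0, id=1, seq=21."
id=20085 trace_id=1 func=init_ip_session_common line=4645 msg="allocate a new session-0000c5d2"
id=20085 trace_id=1 func=iprope_dnat_check line=4633 msg="in-[port7], out-[]"
id=20085 trace_id=1 func=iprope_dnat_check line=4646 msg="result: skb_flags-00800000, vid-0, ret-no-match, act-accept, flag-00000000"
id=20085 trace_id=1 func=vf_ip4_route_input line=1597 msg="find a route: flags=00000000 gw-isp.xx.169.229 via port5"
id=20085 trace_id=1 func=iprope_fwd_check line=630 msg="in-[port7], out-[port5], skb_flags-00800000, vid-0"
id=20085 trace_id=1 func=__iprope_check_one_policy line=1833 msg="checked gnum-100004 policy-2, ret-no-match, act-accept"
id=20085 trace_id=1 func=__iprope_check_one_policy line=1833 msg="checked gnum-100004 policy-0, ret-matched, act-accept"
id=20085 trace_id=1 func=__iprope_check_one_policy line=2014 msg="policy-0 is matched, act-drop"
id=20085 trace_id=1 func=fw_forward_handler line=567 msg="Denied by forward policy check (policy 0)"
"""

# One trace line: id, trace_id, func, line and a double-quoted msg.
LINE_RE = re.compile(
    r'id=(?P<id>\d+) trace_id=(?P<trace>\d+) func=(?P<func>\S+) '
    r'line=(?P<line>\d+) msg="(?P<msg>.*)"$'
)

PKT_RE = re.compile(r'(\d+\.\d+\.\d+\.\d+):\d+->(\d+\.\d+\.\d+\.\d+):\d+\) from (\S+)\.')
ROUTE_RE = re.compile(r'gw-(\S+) via (\S+)')
CHECKED_RE = re.compile(r'policy-(\d+), ret-(no-match|matched)')
MATCHED_RE = re.compile(r'policy-(\d+) is matched, act-(\w+)')
DENIED_RE = re.compile(r'Denied by forward policy check \(policy (\d+)\)')


def parse_trace(text: str) -> List[Dict[str, str]]:
    """Split raw debug-flow text into one dict per well-formed trace line."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            events.append(m.groupdict())
    return events


def summarize(events: List[Dict[str, str]]) -> Dict[str, Optional[object]]:
    """Reduce a trace to the decisions that matter: route, egress, policies, verdict."""
    s: Dict[str, Optional[object]] = {
        "src": None, "dst": None, "in_intf": None, "out_intf": None, "gateway": None,
        "checked_policies": [], "matched_policy": None, "action": None, "verdict": None,
    }
    for ev in events:
        func, msg = ev["func"], ev["msg"]
        if func == "print_pkt_detail":
            m = PKT_RE.search(msg)
            if m:
                s["src"], s["dst"], s["in_intf"] = m.groups()
        elif func == "vf_ip4_route_input":
            # The route lookup fixes the egress interface before any policy is consulted.
            m = ROUTE_RE.search(msg)
            if m:
                s["gateway"], s["out_intf"] = m.groups()
        elif func == "__iprope_check_one_policy":
            m = CHECKED_RE.search(msg)
            if m:
                s["checked_policies"].append((int(m.group(1)), m.group(2)))
            m = MATCHED_RE.search(msg)
            if m:
                # policy-0 is the implicit deny at the bottom of the policy table.
                s["matched_policy"], s["action"] = int(m.group(1)), m.group(2)
        elif func == "fw_forward_handler":
            if DENIED_RE.search(msg):
                s["verdict"] = "denied"
    return s


if __name__ == "__main__":
    summary = summarize(parse_trace(SAMPLE_TRACE))
    print(f"{summary['src']} -> {summary['dst']}: in {summary['in_intf']}, "
          f"routed out {summary['out_intf']} via {summary['gateway']}")
    print("policies checked:", summary["checked_policies"])
    print("matched policy", summary["matched_policy"], "->", summary["action"], f"({summary['verdict']})")
```

Run against the posted trace, the summary makes the problem visible: the route lookup selects port5 as egress, so only policies whose destination interface is port5 are candidates; the port7->port6 policy is never evaluated and the packet falls through to the implicit deny, policy 0.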
Hi @sgClarence
From the debug flow, the traffic is not being SNATed. But it does find that port5 is the outgoing interface. Can you post your firewall policy configuration for port7 -> port5 with the following command:
config firewall policy
edit <policy id>
sh fu
end
Hi Kayzie,
Thanks for looking into the case. Using the FortiGate web GUI, most defaults were used, except those described initially.
The following is Port7->Port6 instead, because Port 5 is the ISP gateway.
I'm trying to set wan.xx.38.81 (our given range of public IPs) as the internet gateway so LAN users (DHCP) will see the public-facing IP as xx.xx.38.81.
set uuid xxx. xxx.xxx
set srcintf "port7"
set dstintf "port6"
set srcaddr "all"
set dstaddr "all"
set rtp-nat disable
set action accept
set status enable
set schedule "always"
set schedule-timeout disable
set service "ALL"
set utm-status disable
set logtraffic utm
set logtraffic-start disable
set capture-packet disable
set auto-asic-offload enable
set wanopt disable
set webcache disable
set session-ttl 0
set vlan-cos-fwd 255
set vlan-cos-rev 255
set wccp disable
set disclaimer disable
set natip 0.0.0.0 0.0.0.0
set match-vip disable
set diffserv-forward disable
set diffserv-reverse disable
set tcp-mss-sender 0
set tcp-mss-receiver 0
set comments ''
set label ''
set global-label ''
set block-notification disable
set replacemsg-override-group ''
set srcaddr-negate disable
set dstaddr-negate disable
set service-negate disable
set timeout-send-rst disable
set captive-portal-exempt disable
set delay-tcp-npu-session disable
set traffic-shaper ''
set traffic-shaper-reverse ''
set per-ip-shaper ''
set nat enable
set permit-any-host disable
set permit-stun-host disable
set ippool disable
set central-nat disable
Hi @sgClarence
I believe this is due to the fact that your default route is actually configured on port5. From forward routing perspective, the destination is reachable via port5, but not port6. Hence, if you would like to allow traffic to traverse from port7 to WAN interface (port6), you will need to fulfill 2 criteria:
1. There is an active route in your routing table to use port6 as the outgoing interface. This can be checked with the command "get router info routing-table all".
2. You will need a policy to allow traffic from port7 to port6 and NAT enabled.
The following is a document on using dual Internet links with the ECMP concept:
If you only have specific traffic going through port5, and wanted LAN users to travel through port6 to reach Internet, you may want to create more specific route for port5, while using port6 for the default route.
Alternatively, policy route would also be your choice to steer traffic to port6.
Hi Kayzie,
I did a drag and drop to arrange the policies, rebooted the FortiGate and am still unable to ping as a LAN user (DHCP).
I read somewhere that it's much harder to configure a /29 segment from ISP, compared to getting a 5 IP package from ISP who provided an edgerouter at customer side, i.e. gateway IP in customer's public IP segment.
Hi @sgClarence
It should not be related to the subnet of the public IP that the ISP provided to you. It should have worked even if the ISP provided you only 1 public IP. As mentioned in my earlier post, I would suspect that this is due to the fact that you have the default route pointing to port5; hence, your FortiGate would only see that it's able to reach the Internet via port5. I would suggest also adding port6 into the default route to see if your user is able to reach the Internet.
Hi Kayzie,
I attempted to add wan.xx.38.81 (Port5) as another default gateway and got "invalid gateway address". Do I need to create a definition elsewhere first?
Hi @sgClarence
That is because the Gateway that you entered here in the configuration is indeed the interface IP of port6. You should configure the upstream device IP instead, for example, 118.189.38.80. The gateway information should be obtained from your ISP.
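Two points from Kayzie's replies above can be checked with a small model: the egress interface is chosen by the routing table before the firewall policy is consulted (so a port7->port6 policy never matches while the only default route exits port5), and a static route's gateway must be a next hop on the connected subnet, not the interface's own address. The following Python is an added example, not from the thread and not FortiOS code; it is a deliberately simplified model of longest-prefix route lookup, first-match policy evaluation with an implicit deny as policy 0, and gateway validation. All addresses are constructed placeholders from the RFC 5737 documentation ranges standing in for the redacted ones in the thread; interface names and policy IDs mirror the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Route:
    prefix: str      # e.g. "0.0.0.0/0"
    gateway: str     # next-hop address on the connected subnet
    device: str      # egress interface name
    distance: int = 10
    priority: int = 0


@dataclass
class Policy:
    id: int
    srcintf: str
    dstintf: str     # interface name or "any"
    action: str      # "accept" or "deny"
    nat: bool = False


@dataclass
class Interface:
    name: str
    address: str     # CIDR notation, e.g. "198.51.100.81/29"


def lookup_route(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match; ties broken by lower distance, then lower priority."""
    dst_ip = ipaddress.ip_address(dst)
    candidates = [r for r in routes if dst_ip in ipaddress.ip_network(r.prefix)]
    if not candidates:
        return None
    candidates.sort(key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen, r.distance, r.priority))
    return candidates[0]


def forward_check(routes: List[Route], policies: List[Policy],
                  src_intf: str, dst: str) -> Tuple[str, Optional[int], Optional[str]]:
    """Return (action, policy_id, out_intf). Route lookup happens first; the policy
    table is then scanned top-down for a (srcintf, dstintf) pair that fits."""
    route = lookup_route(routes, dst)
    if route is None:
        return ("drop", None, None)          # no route: nothing to match against
    out_intf = route.device
    for p in policies:
        if p.srcintf == src_intf and p.dstintf in (out_intf, "any"):
            return (p.action, p.id, out_intf)
    return ("drop", 0, out_intf)             # implicit deny, reported as policy 0


def validate_gateway(intf: Interface, gateway: str) -> Tuple[bool, str]:
    """A static-route gateway must be another host on the interface's subnet."""
    iface = ipaddress.ip_interface(intf.address)
    gw = ipaddress.ip_address(gateway)
    if gw == iface.ip:
        return (False, "gateway is the interface's own address")
    if gw not in iface.network:
        return (False, "gateway is not on the interface's connected subnet")
    return (True, "ok")


# Constructed scenario mirroring the thread: LAN on port7, ISP link on port5,
# the customer's public /29 on port6. Addresses are documentation placeholders.
PORT6 = Interface("port6", "198.51.100.81/29")
POLICIES = [
    Policy(1, "port6", "port5", "accept"),
    Policy(2, "port7", "port6", "accept", nat=True),   # the LAN-to-Internet policy
]
ROUTES_BEFORE = [Route("0.0.0.0/0", "203.0.113.1", "port5")]
ROUTES_AFTER = [
    Route("0.0.0.0/0", "198.51.100.86", "port6"),      # default now exits port6
    Route("192.0.2.0/24", "203.0.113.1", "port5"),     # specific traffic kept on port5
]


def scenario() -> dict:
    return {
        "before": forward_check(ROUTES_BEFORE, POLICIES, "port7", "8.8.8.8"),
        "after_internet": forward_check(ROUTES_AFTER, POLICIES, "port7", "8.8.8.8"),
        "after_specific": forward_check(ROUTES_AFTER, POLICIES, "port7", "192.0.2.10"),
        "gw_self": validate_gateway(PORT6, "198.51.100.81"),
        "gw_upstream": validate_gateway(PORT6, "198.51.100.86"),
        "gw_offnet": validate_gateway(PORT6, "198.51.100.90"),
    }


if __name__ == "__main__":
    for name, result in scenario().items():
        print(f"{name:16s} {result}")
```

The "before" case reproduces the posted trace: egress port5, policy 2 skipped, dropped by policy 0. Moving the default route to port6 makes policy 2 match. The "after_specific" case shows the flip side of a more specific route to port5: traffic for that prefix exits port5 and now needs its own port7->port5 policy or it hits the implicit deny. The gateway checks reproduce the "invalid gateway address" error when the interface's own IP is entered and pass only for a next hop on the connected /29.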