GNS3 lab with 2 PCs and 1 Fortigate (as a gateway) The PCs cant ping each other

Christophoros · ‎05-23-2025

I made a GNS3 lab with 1 Fortigate (as a gateway) and 2 PCs:

Structure:
1. PC1 -> Fortigate (Port1).
2. PC2 -> Fortigate (Port2).

Configurations:

Fortigate:

config system interface
edit "port1"
set mode static
set ip 10.0.0.1 255.255.255.0
set allowaccess ping https ssh
next
end

config system interface
edit "port2"
set mode static
set ip 11.0.0.1 255.255.255.0
set allowaccess ping https ssh
next
end

config firewall policy
edit 1
set name “PC1-to-PC2”
set srcintf "port1"
set dstintf "port2"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set nat enable
next

edit 2
set name “PC2-to-PC1”
set srcintf "port2"
set dstintf "port1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set nat enable
next
end

PCs ip: 10.0.0.2/24, 11.0.0.2/24 and the gateway the fortigate.

PCs firewall are disable.

The PCs can ping the fortigate but cant ping each other.

What i am doing wrong?

funkylicious · ‎05-23-2025

try disabling NAT and check that you have a default or specific route on each PC with the GW.

"jack of all trades, master of none"

Christophoros · ‎05-23-2025

I run the command "set nat disable" but when i run the "show firewall policy" it doenst appears. It is any way to see if my fortigate use NAT?
On my PCs it seams okay the router table correct. They have as 0.0.0.0 the fortigates ip.
Port 1 where the PC1 (with ip 192.168.0.2/24) is connect has the IP:192.168.0.1/24 and Port 2 where the PC2 (with ip 192.168.1.2/24) is connect has the IP: 192.168.1.1/24

funkylicious · ‎05-23-2025

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-check-session-status-and-session-li...

i would double check the Windows Firewall just to make sure that's disabled for all profiles.

try checking directly from the FGT by pinging each PC just to confirm that they actually respond to ICMP.

"jack of all trades, master of none"

Christophoros · ‎05-23-2025

i turn off windows firewall.
if run the commands "execute ping 192.168.0.2" and 192.168.1.2 they replies.
But what i notice is if i run the command

"

FW # execute ping-options source 192.168.0.3

FW # execute ping 192.168.0.2
PING 192.168.0.2 (192.168.0.2): 56 data bytes
--- 192.168.0.2 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

"
So if i ping from fortigate as 92.168.0.3 no one of the windows replies.

funkylicious · ‎05-23-2025

as expected, 192.168.0.3 is not configured on the firewall, you have 0.1 and 1.1 .

if you ping with source 1.1 the pc with 0.2 , does it work ?

"jack of all trades, master of none"

Christophoros · ‎05-23-2025

yes

funkylicious · ‎05-23-2025

i would then start a debug while pinging from one pc to another.

diag debug enable

diag debug flow filter saddr SRCIP

diag debug flow filter daddr DSTIP

diagnose debug flow show function-name enable

diagnose debug flow trace start 100

and check what does the firewall 'sees'

"jack of all trades, master of none"

Christophoros · ‎05-23-2025

now i start pinging from PC2 to PC1.

Christophoros · ‎05-23-2025

I run the commands you send me, while i was pinging "ping 192.168.0.2 -t" from PC1 to PC2. But nothing.

GNS3 lab with 2 PCs and 1 Fortigate (as a gateway) The PCs cant ping each other

Nominate a Forum Post for Knowledge Article Creation

You are leaving our website