Support Forum
Pierluigi
New Contributor

Help with internal routing between 2 subnets configured on one interface.

Hello

I need help with internal routing between 2 subnets configured on one interface.

 

I have: 1 FortiGate 80C with Fortinet 5.0. Physical interfaces: WAN 1 and INTERNAL.

WAN 1 interface: HDSL to the Internet with a public IP: 81.174.28.217

On the internal interface I have an IP/netmask: 192.168.33.1/255.255.255.0 (subnet 1)

and also a secondary address: 192.168.34.1/255.255.255.0 (subnet 2)

I would like to be able from one subnet to reach the second one.

At the moment, I can reach (as an administrator) all the IPs (on both subnets) because on my PC I’m using 2 IPs ( 192.168.33.222 and 192.168.34.222).

But now I need some PCs on the 192.168.33.xx network to be able to reach PCs on the 192.168.34.xx network without using double IPs on the PC itself.

At the moment my default route for the internal interface is network 0.0.0.0 (with gateway my Internet IP address 81.174.28.217). In fact I can browse the Internet from both internal networks.

 

I thought, well, I just need routing between subnet 1 and subnet 2... I searched, found info and...

I created 2 new firewall address objects: one for subnet 1 (129.168.33.1-to-255) and one for subnet 2 (129.168.34.1to255)

and 2 new policies between the 2 subnets (in both directions) without NAT, all as in the documents:

http://docs-legacy.fortinet.com/cb/html/index.html#page/FOS_Cookbook/Install_advanced/cb_install-rou...

but it doesn’t work.

 

I also tried to create a new policy route for all protocols with source subnet 1, destination subnet 2 and gw the internal interface 192.168.341. But it doesn't work.

 

What am I missing?

Any help will be appreciated :)

Pierluigi

 

Jim_FH
New Contributor III

Are you able to create a new "vlan" interface for 192.168.34.1 that's a sub-interface for 192.168.33.1?  

 

I've done that on a few FortiGates (although with 5.2.x code). You would then connect a dot1q trunk switchport to the physical interface that is configured to pass the two VLANs, and you should be able to route between both subnets.

Pierluigi

Hi Jim, ... first ... thank you for your reply :)

 

I could create a new "vlan" interface for 192.168.34.1 that's a sub-interface for 192.168.33.1.

Then, I need to do something in the switch (VLAN and routing). I have an HP V1810-48G.

But, if it is possible, I prefer not to change the switch configuration.

 

Is it possible, just with a FortiGate configuration, to "connect" the 2 subnets?

 

Pierluigi

jnliu_FTNT

Hi Pierluigi,

 

If you don't want to use a VLAN interface, which is also what I recommend, you need to do the following config:

PC in subnet1, set gateway to 192.168.33.1

PC in subnet2, set gateway to 192.168.34.1

On FGT, you need to create 2 firewall policies:

policy1:

srcintf and dstintf are internal, srcaddr is subnet1, dstaddr is subnet2

policy2:

srcintf and dstintf are internal, srcaddr is subnet2, dstaddr is subnet1

 

Regards,

Jining

MikePruett

OP,

 

Using VLANs is going to require you to do some edits on your switch configuration. If you are wanting to use physical ports as their own interfaces you can break them out of the hardware/software switch and plug each one into the switch. Either way, they are going to have to be VLAN'd off switch-wise to keep them logically separate.

Mike Pruett Fortinet GURU | Fortinet Training Videos
Pierluigi

Hi Mike,

 

Thanks for your reply.

As I wrote above, I preferred using only the FortiGate configuration because I need to reach 1 PC from one subnet to the other. So not a big overload on the firewall interface.

Am I correct, or is there something I'm not catching?

It seems that you and Jim would prefer using the VLAN instead.

 

Pierluigi

Pierluigi

Hi Jining,

 

I tried your suggestion and it works.

One thing..., as you wrote, I needed to check the "... set the gateway in the PC ..." step.

Let me explain.

I have all the PCs on the 33.xx subnet. I have only some "particular" equipment on subnet 34.xx (like 2 webcams and just one specific PC that is inside a mechanical machine). I didn't configure this PC... it was done by the company who installed this mechanical machine. At that time they asked me only for an IP address. So the GW IP was missing.

With your 2 policies and the correct GW IP, all works fine.

 

I just need to reach this specific PC sometimes, so not a big overload on the firewall.

Many thanks for your help.

Pierluigi
