Hello
I need help about internal routing between 2 subnets configured on one interface.
I have : 1 Fortigate 80C with Fortinet 5.0 Phisical Interfaces : WAN 1 and INTERNAL
WAN 1 Interface : HDSL to Internet with a public IP : 81.174.28.217
On the internal interface I have an IP/Net Mask : 192.168.33.1/255.255.255.0 (subnet 1)
and also a Secondary Address : 192.168.34.1/255.255.255.0 (subnet 2)
I would like to be able from one subnet to reach the second one.
At the moment, I can reach (as an administrator) all the IPs (on both subnets) because on my PC I’m using 2 IPs ( 192.168.33.222 and 192.168.34.222).
But Now I need that some PCs on the 192.168.33.xx network to be able to reach PCs on 192.168.34xx network without using the double IPs on the PC itself.
At the moment my default route address for the Internal Interface is Network 0.0.0.0 ( with gateway my IP internet address 81.174.28.217). Infact I can browse internet from both internal networks.
I thought, well, I need just a routing between subnet1 and subnet2 , .... I searched... found info and ...
I created 2 new firewall object address : one for subnet 1 (129.168.33.1-to-255) and one fo subnet 2 (129.168.34.1to255)
2 new policies between the 2 subnets (on both direction) without NAT, all as in the documents:
but it doesn’t work.
I tried also to create a new Policy Routes for all protocol with source subnet1, destination subnet 2 and gw le internal interface 192.168.341. But it doesn’t work.
What am I missing?
Any help will be appreciated :)
Pierluigi
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Are you able to create a new "vlan" interface for 192.168.34.1 that's a sub-interface for 192.168.33.1?
I've done that on a few fortigates (although with 5.2.x code). You would then connect a dot1q trunk switchport to the physical interface that is configured to pass the two vlans, and you should be able to route between both subnets.
Hi Jim , ... first ... Thanks you for your reply :)
I could create a new "vlan" interface for 192.168.34.1 that's a sub-interface for 192.168.33.1.
Then, I need to do something into the switch (vlan and routing) . I have HP V1810-48G.
But, IF it is possible, I prefer not to change Switch configuration.
Is it possible, just with a Fortigate configuration, "connect" the 2 subnets?
Pierluigi
Hi Pierluigi,
If you don't want use vlan interface,which is also I recommended, you need to do the following config:
PC in subnet1, set gateway to 192.168.33.1
PC in subnet2, set gateway to 192.168.34.1 On FGT, you need to create 2 firewall policys,
policy1:
srcintf and dstintf are internal, srcaddr is subnet1 dstaddr subnet2
policy2:
srcintf and dstintf are internal, srcaddr is subnet2 dstaddr subnet1
Regards,
Jining
OP,
Using vlans is going to require you to do some edits on your switch configuration. If you are wanting to use physical ports as their own interface you can break them out of the hardware/software switch and plug each one into the switch. Either way, they are going to have to be VLAN'd off switch wise to keep them logically separate.
Mike Pruett
Hi Mike,
Thanks for your replay .
As I wrote above, I prefered using only the fortigate configuration because I need to reach 1 PC, from one subnet to the other. So not a big overload on the firewall interface.
Am I correct or there is something I don't catch up?
It seems that you and Jim would prefer using the Vlan instead.
Pierluigi
Hi Jining,
I tried your suggestion and it works
One thing ... , as you wrote, I needed to check that the " .... set the Gateway in the Pc .....
Let me explain.
I have all the PC on the 33.xx subnet. I have only some "particular" equipments on subnet 34.xx ( like 2 webcams and just one specific PC that is inside a mechanical machine ). I didn't configured this pc ... it was done by the company who installed this mechanical machine. At that time they asked me only an IP address. So it was missing the GW Ip.
With your 2 policies and the correct GW IP, all works fine.
I just need to reach thi specific PC sometimes, so not a big overload on the firewall.
Many thanks for your help.
Pierluigi
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1660 | |
1077 | |
752 | |
443 | |
220 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.