My setup is:
FG100E on 7.0.10
wan1 - 126.96.36.199/30 with additional IPs routed 188.8.131.52/27
wan2 - 184.108.40.206/30 with additional IPs routed 220.127.116.11/28
static route - 0.0.0.0/0 via 18.104.22.168 gateway - priority 10
static route - 0.0.0.0/0 via 22.214.171.124 gateway - priority 20
Services are set up as firewall policies using Virtual IPs on 126.96.36.199/27 just fine.
Ever since this FG100E was set up, I have been suspicious of whether the additional IPs on 188.8.131.52/28 actually work.
The plan is: if wan1 goes down for an extended period of time, outbound internet is fine because the link monitor disables the route via wan1, but we would then manually change DNS to point to IPs in 184.108.40.206/28, matching preconfigured firewall policies.
I wanted to set up a test to prove I can use them.
I picked one test device. I configured a Policy Route to point its traffic out of wan2, then a Firewall Policy to NAT its outbound traffic using IP 220.127.116.11. Public "what is my IP" pages show the correct IP.
Then I configured a Firewall Policy and Virtual IP pointing 18.104.22.168 to this device for port 3389 (something that I know works right now).
I can't get through.
Looking at diag sniffer and diag debug flow shows that the traffic is hitting the FGT, but the debug flow gives me:
2023-03-20 16:46:22 id=20085 trace_id=1 func=init_ip_session_common line=6024 msg="allocate a new session-009ab520, tun_id=0.0.0.0"
2023-03-20 16:46:22 id=20085 trace_id=1 func=get_new_addr line=1225 msg="find DNAT: IP-10.1.1.107, port-0(fixed port)"
2023-03-20 16:46:22 id=20085 trace_id=1 func=fw_pre_route_handler line=181 msg="VIP-10.1.1.107:3389, outdev-wan2"
2023-03-20 16:46:22 id=20085 trace_id=1 func=__ip_session_run_tuple line=3489 msg="DNAT 22.214.171.124:3389->10.1.1.107:3389"
2023-03-20 16:46:22 id=20085 trace_id=1 func=ip_route_input_slow line=2267 msg="reverse path check fail, drop"
2023-03-20 16:46:22 id=20085 trace_id=1 func=ip_session_handle_no_dst line=6110 msg="trace"
My online research tells me it can be due to the FGT not having a route back to the source.
And I don't have one, when checking get router info routing-table all. But I don't have one for any IP in 126.96.36.199/27 either, and their traffic is working OK.
So, what should I do? Configure a route for the additional IPs to ... where?
This can't be about routing to the destination 10.1.1.107, because there is a route for it.
Or maybe this should be a question of: what is the proper/correct way to configure additional routed IPs on a FGT?
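For anyone wanting to reproduce the test described in this post, below is the same setup expressed as FortiOS 7.0 CLI. This is an added example and not the poster's configuration: the LAN interface name "internal" and every object name are assumed, and the addresses are taken from the post as written (VIP external address 18.104.22.168 from the test description, mapped host 10.1.1.107 from the debug flow output, NAT pool address 220.127.116.11 from the outbound test). It reproduces the setup and the diagnostics only; it is not a fix for the "reverse path check fail" drop. The two existing default routes from the post are left untouched.

```fortios
# --- Added example (not the poster's config). Interface "internal" and all
# --- object names are assumptions; substitute your own.

# Address object for the single test device (10.1.1.107 per the debug flow).
config firewall address
    edit "host-10.1.1.107"
        set subnet 10.1.1.107 255.255.255.255
    next
end

# Policy route: force the test device's traffic out wan2. No gateway is set,
# so the FortiGate uses the routing table entry for wan2 (the priority-20 route).
config router policy
    edit 1
        set input-device "internal"
        set src "10.1.1.107/255.255.255.255"
        set output-device "wan2"
    next
end

# IP pool holding the single wan2 additional address used for outbound NAT.
config firewall ippool
    edit "POOL-wan2-test"
        set startip 220.127.116.11
        set endip 220.127.116.11
    next
end

# VIP: wan2 additional address -> test device, TCP/3389 only.
config firewall vip
    edit "VIP-RDP-wan2"
        set extip 18.104.22.168
        set mappedip "10.1.1.107"
        set extintf "wan2"
        set portforward enable
        set extport 3389
        set mappedport 3389
    next
end

config firewall policy
    # Outbound: test device via wan2, source NAT to the pool address.
    edit 10
        set name "test-out-wan2"
        set srcintf "internal"
        set dstintf "wan2"
        set srcaddr "host-10.1.1.107"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "POOL-wan2-test"
    next
    # Inbound: internet -> VIP -> test device on RDP (predefined service).
    edit 11
        set name "rdp-in-wan2"
        set srcintf "wan2"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "VIP-RDP-wan2"
        set action accept
        set schedule "always"
        set service "RDP"
    next
end

# --- Diagnostics used in the post, as they are typed on the FortiGate CLI ---

# Confirm what the FortiGate actually has for a route back to a given source:
get router info routing-table all

# Watch the inbound RDP attempt arrive and see which interface it uses (verbose 4
# prints interface names, count 0 runs until Ctrl-C, 'l' prints local time):
diagnose sniffer packet any 'port 3389' 4 0 l

# Debug flow for the same traffic, with function names shown as in the trace above:
diagnose debug reset
diagnose debug flow filter clear
diagnose debug flow filter port 3389
diagnose debug flow show function-name enable
diagnose debug flow trace start 20
diagnose debug enable
# ... attempt the connection, then:
diagnose debug disable
diagnose debug reset
```

When the trace ends in "reverse path check fail, drop", the thing to compare against the routing-table output is the ingress interface of the packet: the FortiGate drops a packet when no route to its source address points out the interface it arrived on, so for an inbound session on wan2 the question is whether a route covering the remote client's address (normally a default route) is present via wan2 in that output at the moment the packet arrives.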