Hi everyone,
The PC uses ISP2 to access the Internet.
How can the PC use ISP2 to access the VIP?
Here is my debug output:
Normal situation:
FW # id=20085 trace_id=60 func=print_pkt_detail line=5622 msg="vd-VDOM1:0 received a packet(proto=6, Public-IP:24789->ISP1:443) from port6. flag , seq 217229777, ack 0, win 64240"
id=20085 trace_id=60 func=init_ip_session_common line=5792 msg="allocate a new session-2109884f"
id=20085 trace_id=60 func=fw_pre_route_handler line=181 msg="VIP-Server:443, outdev-port6"
id=20085 trace_id=60 func=__ip_session_run_tuple line=3412 msg="DNAT ISP1:443->Server:443"
id=20085 trace_id=60 func=vf_ip_route_input_common line=2595 msg="find a route: flag=00000000 gw-Server via Corp VLAN10"
id=20085 trace_id=60 func=fw_forward_handler line=777 msg="Allowed by Policy-36:"
id=20085 trace_id=60 func=np6_hif_nturbo_build_vtag line=996 msg="np6_hif_nturbo_build_vtag: vtag->magic d153beef, vtag->coretag 140, vtag->vid 10 vtag->sip[0] 0, vtag->sip[1] 0, vtag->sip[2] 0, vtag->sip[3] 0 vtag->sport 0, vtag->mtu 1500, vtag->flags 10, vtag->np6_index 961"
Abnormal situation:
id=20085 trace_id=75 func=print_pkt_detail line=5622 msg="vd-VDOM1:0 received a packet(proto=6, PC:51088->ISP1:443) from Guest VLAN5. flag , seq 4275213868, ack 0, win 64240"
id=20085 trace_id=75 func=init_ip_session_common line=5792 msg="allocate a new session-210a6b39"
id=20085 trace_id=75 func=fw_pre_route_handler line=181 msg="VIP-Server:443, outdev-unknown"
id=20085 trace_id=75 func=__ip_session_run_tuple line=3412 msg="DNAT ISP1:443->Server:443"
id=20085 trace_id=75 func=vf_ip_route_input_common line=2580 msg="Match policy routing id=1: to ISP2 via ifindex-9"
id=20085 trace_id=75 func=vf_ip_route_input_common line=2595 msg="find a route: flag=04000000 gw-ISP2 via port1"
id=20085 trace_id=75 func=fw_forward_handler line=630 msg="Denied by forward policy check (policy 0)"
Thank you for any answers.
Regards,
Tim
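The two traces in the post above, read field by field (an added example, not part of the original post or of any Fortinet tool): it groups the debug flow entries by trace_id and reports ingress, DNAT, policy-route match, egress and verdict. The names `parse`, `explain` and `FIELDS` are hypothetical, and the sample is constructed from the entries shown in the post.

```python
import re

# Constructed sample: entries copied from the two traces in the post (host and
# ISP names are the poster's placeholders), run together as they were posted.
SAMPLE = (
    'id=20085 trace_id=60 func=print_pkt_detail line=5622 msg="vd-VDOM1:0 received a packet(proto=6, Public-IP:24789->ISP1:443) from port6. flag , seq 217229777, ack 0, win 64240" '
    'id=20085 trace_id=60 func=__ip_session_run_tuple line=3412 msg="DNAT ISP1:443->Server:443" '
    'id=20085 trace_id=60 func=vf_ip_route_input_common line=2595 msg="find a route: flag=00000000 gw-Server via Corp VLAN10" '
    'id=20085 trace_id=60 func=fw_forward_handler line=777 msg="Allowed by Policy-36:" '
    'id=20085 trace_id=75 func=print_pkt_detail line=5622 msg="vd-VDOM1:0 received a packet(proto=6, PC:51088->ISP1:443) from Guest VLAN5. flag , seq 4275213868, ack 0, win 64240" '
    'id=20085 trace_id=75 func=__ip_session_run_tuple line=3412 msg="DNAT ISP1:443->Server:443" '
    'id=20085 trace_id=75 func=vf_ip_route_input_common line=2580 msg="Match policy routing id=1: to ISP2 via ifindex-9" '
    'id=20085 trace_id=75 func=vf_ip_route_input_common line=2595 msg="find a route: flag=04000000 gw-ISP2 via port1" '
    'id=20085 trace_id=75 func=fw_forward_handler line=630 msg="Denied by forward policy check (policy 0)" '
)

ENTRY = re.compile(r'id=\d+ trace_id=(\d+) func=(\S+) line=\d+ msg="([^"]*)"')
FIELDS = {  # hypothetical field names -> pattern over the msg text
    "ingress": r"received a packet\(.*?\) from (.+?)\. flag",
    "dnat": r"DNAT (\S+->\S+)",
    "policy_route": r"Match policy routing id=(\d+)",
    "egress": r"find a route: .* via (.+)",
    "allowed": r"Allowed by Policy-(\d+)",
    "denied": r"Denied by forward policy check \(policy (\d+)\)",
}

def parse(text):
    """Group debug-flow entries by trace_id and extract routing/policy fields."""
    traces = {}
    for trace_id, _func, msg in ENTRY.findall(text):
        t = traces.setdefault(int(trace_id), {})
        for name, pattern in FIELDS.items():
            if m := re.search(pattern, msg):
                t[name] = m.group(1)
    return traces

def explain(t):
    """One-line reading of a trace, using only what its log entries state."""
    if "allowed" in t:
        return f"allowed by policy {t['allowed']} ({t.get('ingress')} -> {t.get('egress')})"
    if "denied" in t:
        # Policy ID 0 is the implicit deny: no configured firewall policy matched.
        via = f"policy route {t['policy_route']} sent" if "policy_route" in t else "routing sent"
        return f"denied by policy {t['denied']}: {via} the packet out {t.get('egress')}, no policy matched {t.get('ingress')} -> {t.get('egress')}"
    return "no verdict in trace"

if __name__ == "__main__":
    for tid, t in parse(SAMPLE).items():
        print(tid, explain(t))
```

For trace 75 this shows the DNAT to the server followed by a policy-route match that sends the packet out port1, which is the interface pair the implicit deny is evaluated against.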
Why do you want to go over the Internet if both are on the same firewall?
All you need is a policy that allows traffic from the PC to the server.
As the firewall has an interface in both subnets, the routing is implicitly already there.
You would only need a VIP if you wanted to be able to connect coming from the Internet.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Hi sw2090,
The PC cannot access the server directly; it must go through the ISP, because they are two separate networks.
I have already created the VIP, but when I use the PC to access the VIP from ISP2, it fails.
But when I use another PC from the Internet, it can access the server through ISP1.
Yes, they are, but if your picture is correct they are still connected to the same firewall.
So if both use the firewall as default gateway, they can connect via the firewall and just need a policy.
The firewall does know a route to both subnets.
No need to go through the ISP with a VIP.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
That's simply not going to happen because the firewall is going to receive the packet destined for the server on the other interface, see that there's no policy allowing that traffic and drop it.
The only way I could imagine around this is for the PC and ISP2 to be in a different VDOM (or at least a different VRF) than the server and ISP1.
But as Sebastian said, I don't know why you'd want to introduce additional hops and latency for this traffic when it's connected to the same firewall and can simply be handled in policy.
Correct, and I do not see how that could even remotely work, and you're going to get the same deny error due to reverse path lookup. It's a firewall and that is what a firewall does: check uRPF.
Ken Felix
PCNSE
NSE
StrongSwan