Hello Guys
I am starting to study FortiGate and I have simulated some labs in GNS3 with good results, but now I am trying the following configuration.
From the core I get a response from the IP 192.168.0.17 on VLAN 117, and vice versa.
From the PC, the FW's IP 192.168.0.17 responds, so I added the segment 10.214.1.0/24 via 192.168.0.18 as a static route in the FW.
My problem is that the PC does not have Internet access. The FW only has VLAN 117 because I want to test whether it is possible to reach the Internet with this configuration; in another lab I had no problems when I created the VLAN and DHCP on the Fortinet, the clients reached the Internet without errors, but in this case I have not been able to achieve it.
I have tried creating the segment 10.214.1.0/24 in FortiGate and created a policy so that everything that comes from VLAN 117 goes out, and still the same problem of not being able to reach the WAN from the LAN.
Thanks for your comment
Hi santunez_cl
Is your VLAN 117 attached to the aggregate interface?
If not, first you have to attach VLAN 117 to the aggregate interface.
Then you can create a policy from the VLAN 117 interface to the Internet interface, adding 10.214.1.0/24 as the source.
Best regards
Hello
Thanks for your comment
The VLAN is attached to the aggregate.
Now I created a network object called VLAN 101 and added the segment with interface vlan117.
I created a policy:
Incoming - VLAN 117
Outgoing - Port1 (Port to Internet)
Source - AddressVLAN101
Destination: All
Schedule: Always
Service: All
NAT: Enable
But the issue persists :(
Thanks
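For reference, here are the objects described in the reply above expressed as FortiOS CLI, together with the routes the FortiGate needs to actually forward the traffic. This is an added example, not configuration posted in the thread. The interface names vlan117 and port1 and the address name AddressVLAN101 are the ones used in the thread; the ISP gateway 203.0.113.1 and the policy name are assumptions, and the `#` lines are annotations to drop before pasting into the CLI.

```fortios
# Address object for the PC segment behind the core (named as in the reply above)
config firewall address
    edit "AddressVLAN101"
        set subnet 10.214.1.0 255.255.255.0
    next
end

# Routes: the return path to the PC segment via the core (192.168.0.18), and a
# default route out port1 so the FGT itself has a path to 8.8.8.8.
# The gateway 203.0.113.1 is an assumed placeholder for the real ISP next hop.
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 203.0.113.1
        set device "port1"
    next
    edit 2
        set dst 10.214.1.0 255.255.255.0
        set gateway 192.168.0.18
        set device "vlan117"
    next
end

# The policy from the reply: vlan117 -> port1, source AddressVLAN101, NAT enabled
config firewall policy
    edit 0
        set name "vlan117-to-internet"
        set srcintf "vlan117"
        set dstintf "port1"
        set srcaddr "AddressVLAN101"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

A policy on its own forwards nothing: the FortiGate first looks up a route for the destination, and only then matches a policy on the resulting ingress/egress interface pair. If port1 gets its address by DHCP, the default route comes from the lease instead of the static entry above (with `set defaultgw enable` on the interface). `get router info routing-table all` should then show an `S*` default route via port1 and an `S` entry for 10.214.1.0/24 via vlan117. Note that with NAT enabled the PC is hidden behind port1's address on egress, so a sniffer filter on the PC's IP will never match on port1.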
Before messing up your config, you need to isolate where the problem lies.
First I would run the sniffer on the "any" interface with verbosity level 4, start sending ping packets to a specific Internet IP like 1.1.1.1 or 8.8.8.8, and set that IP as the sniffer filter:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Packet-capture-sniffer/ta-p/198313
If you see it coming in on VLAN117 but not going out Port1, that's when to switch the debug method to "flow debugging":
https://docs.fortinet.com/document/fortigate/6.2.3/cookbook/54688/debugging-the-packet-flow
Toshi
Hello
This is the message when running
diagnose sniffer packet any "host 10.214.1.10 and icmp" 4
170.353201 lacp-core out 192.168.0.17 -> 10.214.1.10: icmp: net 8.8.8.8 unreachable
170.353202 port7 out 192.168.0.17 -> 10.214.161.10: icmp: net 8.8.8.8 unreachable
171.353106 vlan117 in 10.214.161.10 -> 8.8.8.8: icmp: echo request
171.353203 vlan117 out 192.168.0.17 -> 10.214.1.10: icmp: net 8.8.8.8 unreachable
port7 is the Fortinet port connected to the switch's LACP port 21.
Thanks
Sebastian
You need to run:
diag sniffer packet any 'host 8.8.8.8 and icmp' 4
instead. Otherwise, the source IP 10.214.1.10 is SNATed before hitting port1, so you can't see whether it has hit port1 or not.
But these "unreachable" messages mean the FGT can't reach 8.8.8.8, and either the destination, which is unlikely, or something in between is returning "ICMP unreachable" packets back to the FGT. When you adjust the sniffing filter, you can see what (IP) is returning the messages.
Edit:
Actually it's right there: 192.168.0.17, which is the FGT, is returning them. Does the default route exist on the FGT? When you run flow debugging you can see the reason.
Toshi
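The sequence Toshi's two replies describe (sniff on the "any" interface with verbosity 4, then switch to flow debugging, and filter on the destination rather than the pre-NAT source), written out as an added example rather than commands posted in the thread. It assumes you are at the FortiGate CLI while the PC pings 8.8.8.8; interface and address names are the ones used in this thread, and the `#` lines are annotations.

```fortios
# 1. Does the FGT have a route for the destination at all? If the second command
#    returns nothing, the FGT has no path to 8.8.8.8 and the "net unreachable"
#    seen in the sniffer is generated by the FGT itself (source 192.168.0.17).
get router info routing-table all
get router info routing-table details 8.8.8.8

# 2. Sniff on the destination, not the pre-NAT source: after SNAT the packet
#    leaves port1 with port1's address, so 'host 10.214.1.10' never matches there.
#    Verbosity 4 prints the interface name and direction (in/out) of each packet,
#    so you can see whether the echo request ever appears as "port1 out".
diagnose sniffer packet any 'host 8.8.8.8 and icmp' 4

# 3. If the echo request is seen "in" on vlan117 but never "out" on port1,
#    trace the flow to get the reason the packet was dropped (proto 1 = ICMP).
diagnose debug reset
diagnose debug flow filter addr 8.8.8.8
diagnose debug flow filter proto 1
diagnose debug flow show function-name enable
diagnose debug console timestamp enable
diagnose debug flow trace start 10
diagnose debug enable
#    ... ping 8.8.8.8 from the PC now; the trace stops after 10 packets ...
diagnose debug disable
diagnose debug reset
```

In the trace output, look at the line following the session's `find a route` step: a successful lookup names the egress interface and gateway, while a lookup that fails is the point where the FGT itself answers with ICMP unreachable, before any policy is consulted. If the route is found and the packet is still dropped, the next lines name the reason directly, for example a message that the forward policy check denied it (policy 0 means no policy matched) or a reverse path check failure, which points at the 10.214.1.0/24 static route rather than the default route.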