Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Neko_Chang
New Contributor II

Created on ‎08-28-2023 03:11 AM Edited on ‎08-28-2023 06:36 PM

LAN can not access server @ non-gateway DMZ(Fortigate 40F)

Hi All!

 

I have problem as title.

Follows illustration is current situation and work fine.Current.png

And unit test of addition network as follows illustration, (Reference: https://getlabsdone.com/how-to-configure-dmz-on-the-fortigate-firewall )

Ping/FTP access from Client(20.0.2.118) to FTP Server(10.1.0.2) @ FileZilla work fine.


New.png

Both merged as follows illustration..

Merged.png

And I added static route @ EdgeRouter 4 as follows

set protocols static route 10.1.0.0/24 next-hop 10.0.2.16 description 'Intranet to DMZ'
set protocols static route 10.1.0.0/24 next-hop 10.0.2.16 distance 253

 

Ping from Client (20.0.2.118) to FTP Server(10.1.0.2) work fine.

$ping 10.1.0.2
PING 10.1.0.2 (10.1.0.2) 56(84) bytes of data.
64 bytes from 10.1.0.2: icmp_seq=1 ttl=127 time=0.770 ms
64 bytes from 10.1.0.2: icmp_seq=2 ttl=127 time=0.498 ms

 

But FTP won't work @ FileZilla as follows.

Status:   Connecting to 10.1.0.2:21...
Status:   Connection established, waiting for welcome message...

Netstat @ FTP Server (10.1.0.2) as follows.

TCP   10.1.0.2:21           10.0.2.118:51692      SYN_RECEIVED

Stall at SYN_RECEIVED state.

 

In this time. netstat result @ Client (10.0.2.118) as follows

$ netstat -an|grep 10.1.0
tcp       0     0 10.0.2.118:54432       10.1.0.2:21            ESTABLISHED

After several seconds, state changed as follows.

$ netstat -an|grep 10.1.0
tcp       0     1 10.0.2.118:54432       10.1.0.2:21            FIN_WAIT1

 

Result of traceroute @ Client (10.0.2.118) as follows.

$ traceroute 10.1.0.2
traceroute to 10.1.0.2 (10.1.0.2), 30 hops max, 60 byte packets
 1 _gateway (10.0.2.2) 0.252 ms 0.159 ms 0.155 ms
 2 10.0.2.16 (10.0.2.16) 0.608 ms 0.559 ms 0.510 ms
 3 * * *
 4 * * *

 

And I had tried to packet capture @ Fortigate 40F, I saw SYN and SYN+ACK existence, look good?

 

I no idea why won't work, missing something.

Client sent packet to EdgeRouter4 but received  packet from Fortigate 40F is invalid I assume.

But I no idea how to route received packet from Fortigate 40F -> EdgeRouter4 -> Client

 

Please help me to fix.

 

Thanks all very much.

Labels:
1338
0 Kudos
1 Solution
srajeswaran
Staff
Staff
In response to Neko_Chang

Created on ‎09-11-2023 10:13 PM

May be you can try adding the static route towards the FTP server on the linux as suggested in below discussion.

https://community.ui.com/questions/help-configuring-ICMP-redirects/5e1d45f0-0ab9-421c-ab5e-20ea04ea4...

Regards,

Suraj

- Have you found a solution? Then give your helper a "Kudos" and mark the solution.

View solution in original post

1050
12 REPLIES 12
srajeswaran
Staff
Staff

Created on ‎08-28-2023 04:14 AM

SYN -  Client-----SWITCH-----EDGE RTR------FGT----Server

SYN-ACK - Server-----FGT-----SWITCH-----Client  (Router won't get this packet as switch is aware about the source IP/MAC)
ACK - Client-----SWITCH-----EDGE RTR ------FGT------Server (Now the edge router is getting an ACK packet for a TCP handshake where there is no SYN-ACK). Can you check if the router is dropping this?

Regards,

Suraj

- Have you found a solution? Then give your helper a "Kudos" and mark the solution.

1029
Neko_Chang
New Contributor II
In response to srajeswaran

Created on ‎08-28-2023 07:24 PM

Thanks your reply quickly.

 

About SYN-ACK - Server-----FGT-----SWITCH-----Client
I had tried to add Static Route for return path (FGT --- EDGE RTR) as follows.

Screenshot from 2023-08-29 10-13-23.png

And firewall

Screenshot from 2023-08-29 10-16-17.png

Won't work still :p

 

About ACK, I will try to check.

 

Thanks a lot.

1006
0 Kudos
srajeswaran
Staff
Staff
In response to Neko_Chang

Created on ‎08-28-2023 10:28 PM

Static route on FGT won't help here , since the destination for SYN-ACK 10.0.2.118 is in same subnet as FGT IP. FGT will use the directly connected route instead of Static.

 

As Toshi suggested, you can try adding a route on the client machine and check.

route add 10.1.0.2 mask 255.255.255.255 10.0.2.16

 

Regards,

Suraj

- Have you found a solution? Then give your helper a "Kudos" and mark the solution.

989
Neko_Chang
New Contributor II
In response to srajeswaran

Created on ‎08-29-2023 07:18 PM

Hi @srajeswaran 

 

I tried Toshi suggested and work.

 

Thanks you a lot.

966
0 Kudos
Toshi_Esumi
SuperUser
SuperUser

Created on ‎08-28-2023 08:59 PM Edited on ‎08-28-2023 09:11 PM

I would rather try, to just test, adding a static route to the client machine for the DMZ subnet to 10.0.2.16 because likely the problem is due to the fact the SYN hits the router first then forwarded to the FGT, while SYN-ACK tries to go directly to the client from the FGT, and I'm suspecting the FGT is dropping it.

Or, you could just sniff the traffic at the interface w/ 10.0.2.16 to see what's coming in and what's going out (nor not going out).

 

<edit>Or, the switch might be learning the destination MAC from the router-forwarded SYN packet, and intercepting the ACK packet and redirecting to the FGT instead of sending to the router. The sniffing the interface would tell something.

</edit>

 

Toshi

996
Neko_Chang
New Contributor II
In response to Toshi_Esumi

Created on ‎08-29-2023 08:09 PM Edited on ‎08-29-2023 08:10 PM

Hi @Toshi_Esumi 

 

I tried to packet capture @ FGT LAN and result, as  your explain

SYN

SYN.jpg

 

And SYN+ACK

SYN+ACK.jpgSYN+ACK tries to go directly to the client from the FGT.

SYN+ACK appear at LAN @ FGT, is FGT does not dropping it meant?

 

Thanks a lot,

Neko

961
0 Kudos
Toshi_Esumi
SuperUser
SuperUser
In response to Neko_Chang

Created on ‎09-11-2023 08:37 AM

I think so. You probably need to check how your switch is handing next by like setting up port mirroring if the switch doesn't support packet capture like above 2xx models of FortiSwitch. Also run Wireshark on the client machine side at the same time to see if the SYN-ACK is reaching and if it's responding with ACK.

 

In any case putting the FGT in the same subnet/broadcast domain with the GW device would cause some unexpected/unwanted L2 frame routing behavior like this. With your topology, I would set up a /30 interconnect subnet between the GW router and the FGT instead. 

 

Toshi

818
0 Kudos
Neko_Chang
New Contributor II

Created on ‎09-11-2023 01:04 AM

Hi All

 

I had tried more but did not work.

Therefore move FTP server to EDGE RTR

 

Thanks many help very much.

Neko

836
0 Kudos
srajeswaran
Staff
Staff
In response to Neko_Chang

Created on ‎09-11-2023 01:14 AM

Hi Neko,

Can you check if the Edge router supports ICMP redirect and if so, can you enable it on LAN interface? I think this will be the ideal fix for your issue.

You can find more details on ICMP redirect on https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/nx-os-software/213841-understanding-ic...

Regards,

Suraj

- Have you found a solution? Then give your helper a "Kudos" and mark the solution.

832
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.