Hello
I have two sites that need to be connected together temporarily until their restructuring is finished. We are slowly merging both sites together, but it's a bit on standby.
LAN1 (site1) - 192.168.100.2/255.255.252.0 (connected directly to FortiGate 60C internal1)
LAN2 (site2) - 192.168.200.254/255.255.0.0 (connected via antenna directly to 60C internal2)
These are overlapping subnets, however with set allow-subnet-overlap enable I am able to have lan1/lan2 on the same subnet.
I only really need 2-3 machines from site1 to talk to site2 and vice versa, but I'm a bit confused on LAN-to-LAN policies when both sites have their own internet connection/firewall/DHCP etc. However, we have no IP conflicts between the two sites.
How should I attack this? I was even thinking of maybe using WAN1 for site2 and keeping site1 on LAN1 and configure it like a 'firewall' but I'm not sure this is a good idea.
You need to run "flow debug". It would show you the reason if the FGT is dropping packets. By the way your internal3 subnet mask is not matching your original post.
I haven't used "allow-subnet-overlap" so I don't know how it would behave if a host in the smaller subnet resides on the other side. But LAN-to-LAN policies wouldn't have much difference from LAN-to-WAN other than GUI appearance. They're just separate interfaces so just internal1/2-to-internal2/1 policies.
This is what I thought as well. I'm running an 80E as my actual firewall and I've had no problems replacing all the policies etc. from my old 60C.
config system interface
    edit "internal1"
        set vdom "root"
        set ip 192.168.100.238 255.255.252.0
        set allowaccess ping https ssh http telnet capwap
        set vlanforward enable
        set type physical
        set alias "domaine_"
        set snmp-index 6
    next
    edit "internal3"
        set vdom "root"
        set ip 192.168.200.238 255.255.252.0
        set allowaccess ping https http capwap
        set vlanforward enable
        set type physical
        set alias "domaine_2"
        set snmp-index 8
        set dns-server-override disable
    next
end
These are the two interfaces. From the CLI on the firewall I can ping anything on both sites, which is great; however, it is impossible to get my machine to ping a Mobatime server on site2. I thought accepting all would help me debug, but nothing goes through.
config firewall policy
    edit 0
        set srcintf "any"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end
nat enable or nat disable has not helped me either. My 60C is my old firewall, which was replaced by an 80E, which means it has no more license/contract. Could this be causing problems?
Thanks a lot
Yes, I realize now I mis-noted it in my first post. I was copy/pasting from a file and I'd made a mistake. Right now my FortiGate is connected via DHCP to site2 until I figure this out. I am no professional network manager, that's for sure, but I never realized I would have trouble letting traffic through two different ports!
I've left a machine pinging my FortiGate from site2, and using debug flow I get this: 192.168.160.62 is the machine on site2 and 192.168.160.19 is my FortiGate on site1.
2018-11-19 14:05:18 id=20085 trace_id=333 func=print_pkt_detail line=4471 msg="vd-root received a packet(proto=1, 192.168.160.62:1->192.168.160.19:8) from internal3. code=8, type=0, id=1, seq=2594."
2018-11-19 14:05:18 id=20085 trace_id=333 func=init_ip_session_common line=4624 msg="allocate a new session-0030357e"
2018-11-19 14:05:18 id=20085 trace_id=333 func=fw_local_in_handler line=394 msg="iprope_in_check() check failed on policy 0, drop"
What can I be missing? A route?
get router info routing-table connected
C 192.168.0.0/16 is directly connected, internal3
C 192.168.100.0/22 is directly connected, internal1
get router info routing-table static
S* 0.0.0.0/0 [5/0] via 192.168.200.254, internal3
It's not finding a matching policy. Create a set of policies; internal1->internal6 and internal6->internal1 instead. Also probably it needs static routes like 192.168.160.19/32->internal6 and 192.168.160.62/32->internal1.
Wait. 192.168.160.x is not a part of either 192.168.100.0/22 or 192.168.200.0/22 but a part of 192.168.0.0/16. What are the actual subnets on both ports? Looks like your configuration is mismatching.
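To make the point of the last reply concrete, here is an added example (not part of the original thread, and not FortiOS code) that replays the route lookup the FortiGate performs against the routing table quoted above. It does a longest-prefix match for the addresses in the debug flow output, flags which connected networks overlap each other, and runs a simple reverse-path sanity check (does the route back to the source point at the interface the packet arrived on?). The routing table entries are constructed from the "get router info routing-table" output on this page; the reverse-path check is a generic illustration of how a firewall validates ingress, not a reproduction of the FortiGate's exact logic.

```python
import ipaddress

# Routing table as quoted in the thread (connected + static), constructed
# from the "get router info routing-table connected/static" output above.
ROUTES = [
    ("192.168.0.0/16", "internal3"),    # C  directly connected, internal3
    ("192.168.100.0/22", "internal1"),  # C  directly connected, internal1
    ("0.0.0.0/0", "internal3"),         # S* default via 192.168.200.254
]


def lookup(dst, routes=ROUTES):
    """Longest-prefix match: return (network, interface) for dst, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net_s, iface in routes:
        net = ipaddress.ip_network(net_s)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def overlapping_pairs(routes=ROUTES):
    """Return every pair of non-default routes whose networks overlap.

    Overlap here means one network contains part of the other, which is the
    situation 'set allow-subnet-overlap enable' exists to permit.
    """
    nets = [(ipaddress.ip_network(n), i) for n, i in routes]
    nets = [(n, i) for n, i in nets if n.prefixlen > 0]  # skip default route
    pairs = []
    for x in range(len(nets)):
        for y in range(x + 1, len(nets)):
            (na, ia), (nb, ib) = nets[x], nets[y]
            if na.overlaps(nb):
                pairs.append((str(na), ia, str(nb), ib))
    return pairs


def rpf_ok(src, ingress, routes=ROUTES):
    """Generic reverse-path check (illustrative, assumption): a packet from
    src arriving on `ingress` is plausible only if the best route back to
    src leaves via that same interface."""
    route = lookup(src, routes)
    return route is not None and route[1] == ingress


if __name__ == "__main__":
    for ip in ("192.168.160.62", "192.168.160.19", "192.168.100.2", "8.8.8.8"):
        net, iface = lookup(ip)
        print(f"{ip:16} -> {str(net):18} via {iface}")
    print("overlapping routes:", overlapping_pairs())
    print("160.62 on internal3 plausible:", rpf_ok("192.168.160.62", "internal3"))
    print("160.62 on internal1 plausible:", rpf_ok("192.168.160.62", "internal1"))
```

Running it shows that both 192.168.160.62 and 192.168.160.19 resolve to 192.168.0.0/16 via internal3, not to the internal1 network, and that 192.168.100.0/22 sits entirely inside 192.168.0.0/16. That matches the reply above: the addresses in the trace belong to neither site's stated subnet, and until the interface addressing is straightened out, a src/dst interface pair in a policy has nothing to match. Note also that the trace line "fw_local_in_handler ... iprope_in_check() check failed on policy 0" is a local-in drop (the ping was addressed to the FortiGate's own address), which is a separate path from the forwarding policies being edited.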