hello there.
need help please.
I've setup fortigate fg-60F.
each port has their own setting (act as interface).
we have 2 internet provider. WAN1 is pppoe, WAN2 is dhcp from internet building.
we've setup:
1) int2 (port no.2),
have IP 1.0.0.10.
netmask 255.255.255.0
dhcp off
2) int3,
have ip 1.0.1.10.
netmask 255.255.255.0.
dhcp off
3) int4,
have ip 192.168.100.100
dhcp on
purpose:
* int2 for LAN1,
- only work local (intranet).
- can communicate with int3
- can't access internet
* int3 for LAN2,
can communicate with LAN1.
can access internet, and will use WAN1
* int4 for internet only (for public),
- can access internet use wan2
- can't communicate with any other port
on fortigate, already created policy:
1) firewall policy 1
source: int2
ip: 1.0.0.0/24
destination: int3
ip: 1.0.1.0/24
services: all
antivirus : enable
others securities: disable
2) firewall policy 2
source:int3
ip: 1.0.1.0/24
destination:int2
ip: 1.0.0.0/24
services: all
antivirus : enable
others securities: disable
3) firewall policy 3
source:int3
ip: 1.0.1.0/24
destination:wan1
ip: all
services: all
4) firewall policy 4
source: int4
ip: 192.168.100.0/24
destination:wan2
ip: all
services: all
5) policy route 1:
incoming interface: int3
source: (blank)
destination: (all blank)
protocol: any
forward traffic : wan1
gateway addresS: 0.0.0.0
5) policy route 2:
incoming interface: int4
source: (blank)
destination: (all blank)
protocol: any
forward traffic : wan2
gateway addresS: 0.0.0.0
here the problem:
- device under int3, can communicate with int2, but can't access internet.
- Ethernet on device under int3, has following setting:
IP : 1.0.1.12
netmask: 255.255.255.0
gateway: 1.0.1.10
dns server: (dns given by ISP wan1)
kindly please need help.
thank you
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
FortiGate is the only way!
I'm happy to try and help you are you able to show provide a screenshot of your firewall policy created for devices sourced from Internal3 > WAN1 as well as the routes currently setup so I can see what is configured?
I would work my way from the bottom up i.e. ensure device has correct IP, ensure that it can ping the default gateway etc. If the device can ping the default gateway that means it is reaching the firewall if so, try doing an nslookup and see if you can resolve DNS it could be that you have a DNS issue or perhaps the NAT option isn't selected in your policy. I'd also run some ping/DNS tests from the firewalls WAN1 interface to ensure your external circuit is operating properly.
If you can run those tests and show me the CLI output or screenshot of the policy in the GUI as well as routes that'll be helpful in understanding what is currently configured and how the firewall will handle traffic.
Regards,
Dan.
Also you posted the following:
- Ethernet on device under int3, has following setting:
IP : 1.0.1.12
netmask: 255.255.255.0
gateway: 1.0.1.12
dns server: (dns given by ISP wan1)
Not sure if this is a typo, but the IP and gateway are the same address. As mentioned, I'd go through those tests first confirming IP details are required, running pings/nslookups to test connectivity to gateway, internet etc. This should hopefully shed some light.
yes correct, it was typo.
however, now I've set IP on device:
IP: 1.0.1.12
gateway: 1.0.1.10
dns serveR: 1.0.1.10
from device:
- ping to gateway 1.0.1.10 -> replied 100%
- ping to gateway isp -> replied 100%
- ping to google.com -> could not find the host....
hello,
thanks for answer.
after I check:
1. for NAT and IP Pool has been set as you said.
2. from device connected to int3,
- ping to 1.0.1.10 -> replied (not RTO)
- ping to gateway ISP -> replied
3.from CLI, set interface to int3 (use ping-option souurce)
- ping to 1.0.1.10 -> replied (not RTO)
- ping to gateway ISP -> lost 100%
4. from CLI, set interface wan1 (use ping-option souurce)
- ping to gateway ISP -> replied
- ping to google.com -> replied
attached screenshot firewall policy from int3 to wan1.
thanks.
Hello,
I will try also to shed some light if you don't mind.
Did you tried also to ping 8.8.8.8??? I am asking this because if you managed to do so, then maybe there is a problem with your DNS and not with connection overall.
Also, I know it is a generic question, but you IP routes are configured correctly??? Because in your above screenshot I cannot detect anything wrong. (Maybe I would change the Inspection Mode to Flow just for testing).
Regards
thanks for share.
tried to ping 8.8.8.8 from:
device -> RTO
fortigate, use ping option-source 1.0.1.10 then exec ping 8.8.8.8 -> RTO
what I wonder is, when I ping gateway ISP from device, it return Reply.
but when I ping from fortigate use source 1.0.1.10, packet loss (RTO)
I've tried switch policy int3 to WAN1, become flow mode. still can't ping outside.
switch from proxy mode to flow mode, will effect instant, correct?
by the way, fortios use version 7.2.4
thanks
I am in agreement with elsantas, this is definitely an issue with either DNS or routing. Since you can resolve DNS and ping ISP from the WAN interface I would hazard a guess that this is a routing issue. Can you show us the routes you currently have setup?
3.from CLI, set interface to int3 (use ping-option souurce)
- ping to 1.0.1.10 -> replied (not RTO)
- ping to gateway ISP -> lost 100%
4. from CLI, set interface wan1 (use ping-option souurce)
- ping to gateway ISP -> replied
- ping to google.com -> replied
You can run a traceroute from that source IP to see where it fails, which will help identify the issue. Can you also shed some light on the topology you have set up, I'm noticing that you're using public addressing is this a transit network?
Created on 07-11-2023 01:58 AM Edited on 07-11-2023 02:02 AM
hello..
here tracert to gateway isp x.x.x.x from device under int3:
Tracing route to X.X.X.X over a maximum of 30 hops
1 2 ms 1 ms 1 ms 1.0.1.10
2 2 ms 2 ms 1 ms X.X.X.X
static route:
only have entries for vpn ipsec.
update policy route, now only:
source interface: int4
action : forward traffc
gateway address: 0.0.0.0
outgoing interface: wan2
Hi papapuff,
If you do not have any static routes setup, how are you routing traffic to the outside?
Unless you're using WAN interfaces as DHCP clients, then the ISP may push the IP and a default route, in that case you don't need to configure static routes. If not, static routes will be required which in your case may look something like this:
Destination: 0.0.0.0/0.0.0.0
Gateway: WAN1 Gateway
Interface: Port3
Administrative Distance: 10
Priority: 1
Destination: 0.0.0.0/0.0.0.0
Gateway: WAN2 Gateway
Interface: Port4
Administrative Distance: 10
Priority: 1
Regards,
Dan.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1661 | |
1077 | |
752 | |
443 | |
220 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.