Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Hiteco-Srl
New Contributor

Ping WAN IP from LAN

Hi,

I can't ping WAN IPs from the LAN. The only IP address I can ping is the one configured on the WAN interface.

 

ES:
WAN interface - 192.168.10.1/29
LAN interface - 192.168.1.1/24

From the LAN if I ping the IP address 192.168.10.1 I will reach it. However, if I try to ping the IP addresses 192.168.10.2, 192.168.10.3, 192.168.10.4, 192.168.10.5 and 192.168.10.6, I cannot reach them

 

Have i nice day

Andrea

2 Solutions
maulishshah
Staff
Staff

Hi @Hiteco-Srl ,

 

You are unable to ping the remaining addresses that are part of the WAN subnet due to the absence of ARP entries for a specific IP address in the firewall. Consequently, the firewall fails to route the packet.

 

To successfully ping an IP address, it is necessary to configure a secondary IP within the relevant interface. This configuration enables you to ping the rest of the network.

 

Here is the article: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Set-a-secondary-IP-on-a-FortiGate-interfac...

Maulish Shah

View solution in original post

AEK
Honored Contributor II

Hi Andrea

In addition to @maulishshah advice, in case you don't want to add it as secondary address for some reason or because you use them as VIP, you still can use these public IPs as VIPs to forward ping requests to some internal server if that's what you need.

AEK

View solution in original post

AEK
6 REPLIES 6
mle2802
Staff
Staff

Hi @Hiteco-Srl,

Can you try "execute ping-option source  192.168.10.1" and then "execute ping 192.168.10.2". Please make sure those device able to reply ping.

Hiteco-Srl

From the firewall I can ping all the IP addresses of the subnet both with the execute ping-option source command and without

mle2802

Did you have a policy from Lan to Wan to allow traffic? Also is NAT enabled on the policy?

 

maulishshah
Staff
Staff

Hi @Hiteco-Srl ,

 

You are unable to ping the remaining addresses that are part of the WAN subnet due to the absence of ARP entries for a specific IP address in the firewall. Consequently, the firewall fails to route the packet.

 

To successfully ping an IP address, it is necessary to configure a secondary IP within the relevant interface. This configuration enables you to ping the rest of the network.

 

Here is the article: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Set-a-secondary-IP-on-a-FortiGate-interfac...

Maulish Shah
AEK
Honored Contributor II

Hi Andrea

In addition to @maulishshah advice, in case you don't want to add it as secondary address for some reason or because you use them as VIP, you still can use these public IPs as VIPs to forward ping requests to some internal server if that's what you need.

AEK
AEK
Hiteco-Srl
New Contributor

Hi guys,

Thank you so much for your super help.

 

Good day!!!

Labels
Top Kudoed Authors