Policy Ignored - Inter VLAN Routing
Hi,
I can't get a reverse rule to trigger for VLAN communication. VLAN 30 is able to ping VLAN 100, but 100 can't ping 30.
- VLAN 30 Laptop[10.0.30.2] can ping 10.0.100.200, and 10.0.100.1, and 10.0.30.1
- VLAN 100 Laptop[10.0.100.200] can't ping 10.0.30.2, but can ping 10.0.100.1 and 10.0.30.1
- FG and Laptops are connected to an 8-port switch. FG is on a trunk port. Laptops are on VLAN access ports 30 and 100 respectively.
- 0 bytes go across the 100 -> 30 rule, unless I do Policy Match, then it's the 40 bytes the FG tests with.
- I am going to restart the FG after posting this...just in the event something rules-wise affects it. I have about 50 rules, and nothing worked as expected, so I cut down to 3 rules and a smaller test setup. The other rules not included are 30 -> WAN (working fine) and Implicit Deny.
Here are screenshots from the Firewall:
Hello @Shane-NP ,
Could you please provide the output of the below command to suggest your next steps:
diag sniffer packet any "host 10.0.100.200 and 10.0.30.2 and icmp" 4 0 a
Also, replace it with a working IP and get the output of the above command to understand the working flow.
Here was the output...I had to remove the second host to get anything:
Firewall-201F # diag sniffer packet any "host 10.0.100.200 and 10.0.30.2 and icmp" 4 0 a
interfaces=[any]
filters=[host 10.0.100.200 and 10.0.30.2 and icmp]
^C
0 packets received by filter
0 packets dropped by kernel
Firewall-201F # diag sniffer packet any "host 10.0.30.2 and 10.0.100.200 and icmp" 4 0 a
interfaces=[any]
filters=[host 10.0.30.2 and 10.0.100.200 and icmp]
^C
0 packets received by filter
0 packets dropped by kernel
Firewall-201F # diag sniffer packet any "host 10.0.30.2 and icmp" 4 0 a
interfaces=[any]
filters=[host 10.0.30.2 and icmp]
2024-08-28 15:47:45.028090 Staff[30] in 10.0.30.2 -> 10.0.100.200: icmp: echo request
2024-08-28 15:47:45.028116 Cameras[100] out 10.0.30.2 -> 10.0.100.200: icmp: echo request
2024-08-28 15:47:45.028117 lan out 10.0.30.2 -> 10.0.100.200: icmp: echo request
2024-08-28 15:47:45.028472 Cameras[100] in 10.0.100.200 -> 10.0.30.2: icmp: echo reply
2024-08-28 15:47:45.028478 Staff[30] out 10.0.100.200 -> 10.0.30.2: icmp: echo reply
2024-08-28 15:47:45.028479 lan out 10.0.100.200 -> 10.0.30.2: icmp: echo reply
2024-08-28 15:47:46.033527 Staff[30] in 10.0.30.2 -> 10.0.100.200: icmp: echo request
2024-08-28 15:47:46.033539 Cameras[100] out 10.0.30.2 -> 10.0.100.200: icmp: echo request
2024-08-28 15:47:46.033540 lan out 10.0.30.2 -> 10.0.100.200: icmp: echo request
2024-08-28 15:47:46.033876 Cameras[100] in 10.0.100.200 -> 10.0.30.2: icmp: echo reply
2024-08-28 15:47:46.033880 Staff[30] out 10.0.100.200 -> 10.0.30.2: icmp: echo reply
2024-08-28 15:47:46.033881 lan out 10.0.100.200 -> 10.0.30.2: icmp: echo reply
^C
12 packets received by filter
0 packets dropped by kernel
Firewall-201F # diag sniffer packet any "host 10.0.100.200 and icmp" 4 0 a
interfaces=[any]
filters=[host 10.0.100.200 and icmp]
2024-08-28 15:48:28.834792 Cameras[100] in 10.0.100.200 -> 10.0.100.1: icmp: echo request
2024-08-28 15:48:28.834803 Cameras[100] out 10.0.100.1 -> 10.0.100.200: icmp: echo reply
2024-08-28 15:48:28.834805 lan out 10.0.100.1 -> 10.0.100.200: icmp: echo reply
2024-08-28 15:48:29.839872 Cameras[100] in 10.0.100.200 -> 10.0.100.1: icmp: echo request
2024-08-28 15:48:29.839884 Cameras[100] out 10.0.100.1 -> 10.0.100.200: icmp: echo reply
2024-08-28 15:48:29.839886 lan out 10.0.100.1 -> 10.0.100.200: icmp: echo reply
2024-08-28 15:48:30.844665 Cameras[100] in 10.0.100.200 -> 10.0.100.1: icmp: echo request
2024-08-28 15:48:30.844678 Cameras[100] out 10.0.100.1 -> 10.0.100.200: icmp: echo reply
2024-08-28 15:48:30.844680 lan out 10.0.100.1 -> 10.0.100.200: icmp: echo reply
2024-08-28 15:48:31.849746 Cameras[100] in 10.0.100.200 -> 10.0.100.1: icmp: echo request
2024-08-28 15:48:31.849756 Cameras[100] out 10.0.100.1 -> 10.0.100.200: icmp: echo reply
2024-08-28 15:48:31.849758 lan out 10.0.100.1 -> 10.0.100.200: icmp: echo reply
2024-08-28 15:48:32.853009 Cameras[100] in 10.0.100.200 -> 10.0.100.1: icmp: echo request
2024-08-28 15:48:32.853021 Cameras[100] out 10.0.100.1 -> 10.0.100.200: icmp: echo reply
2024-08-28 15:48:32.853022 lan out 10.0.100.1 -> 10.0.100.200: icmp: echo reply
2024-08-28 15:48:33.858078 Cameras[100] in 10.0.100.200 -> 10.0.100.1: icmp: echo request
2024-08-28 15:48:33.858090 Cameras[100] out 10.0.100.1 -> 10.0.100.200: icmp: echo reply
2024-08-28 15:48:33.858091 lan out 10.0.100.1 -> 10.0.100.200: icmp: echo reply
2024-08-28 15:48:34.863178 Cameras[100] in 10.0.100.200 -> 10.0.100.1: icmp: echo request
2024-08-28 15:48:34.863189 Cameras[100] out 10.0.100.1 -> 10.0.100.200: icmp: echo reply
2024-08-28 15:48:34.863190 lan out 10.0.100.1 -> 10.0.100.200: icmp: echo reply
2024-08-28 15:48:35.868252 Cameras[100] in 10.0.100.200 -> 10.0.100.1: icmp: echo request
2024-08-28 15:48:35.868266 Cameras[100] out 10.0.100.1 -> 10.0.100.200: icmp: echo reply
2024-08-28 15:48:35.868268 lan out 10.0.100.1 -> 10.0.100.200: icmp: echo reply
2024-08-28 15:48:36.872110 Cameras[100] in 10.0.100.200 -> 10.0.100.1: icmp: echo request
2024-08-28 15:48:36.872121 Cameras[100] out 10.0.100.1 -> 10.0.100.200: icmp: echo reply
2024-08-28 15:48:36.872123 lan out 10.0.100.1 -> 10.0.100.200: icmp: echo reply
2024-08-28 15:48:37.877272 Cameras[100] in 10.0.100.200 -> 10.0.100.1: icmp: echo request
2024-08-28 15:48:37.877283 Cameras[100] out 10.0.100.1 -> 10.0.100.200: icmp: echo reply
2024-08-28 15:48:37.877285 lan out 10.0.100.1 -> 10.0.100.200: icmp: echo reply
2024-08-28 15:48:38.882468 Cameras[100] in 10.0.100.200 -> 10.0.100.1: icmp: echo request
2024-08-28 15:48:38.882479 Cameras[100] out 10.0.100.1 -> 10.0.100.200: icmp: echo reply
2024-08-28 15:48:38.882480 lan out 10.0.100.1 -> 10.0.100.200: icmp: echo reply
^C
33 packets received by filter
0 packets dropped by kernel
Firewall-201F #
Just an FYI: on the laptop 10.0.100.200, I had 3 Terminal tabs, each running persistent pings, first to 10.0.100.1, second to 10.0.30.2, third to 10.0.30.1. Tabs 1 & 3 ping fine, but nothing shows up when doing the sniffer with just host 10.0.100.200 and using 10.0.30.1 or 30.2. 100.1 shows in the sniffer.
Firewall-201F # diag sniffer packet any "host 10.0.100.200 and 10.0.100.1 and icmp" 4 0 a
interfaces=[any]
filters=[host 10.0.100.200 and 10.0.100.1 and icmp]
2024-08-28 16:18:36.129665 Cameras[100] in 10.0.100.200 -> 10.0.100.1: icmp: echo request
2024-08-28 16:18:36.129866 Cameras[100] out 10.0.100.1 -> 10.0.100.200: icmp: echo reply
2024-08-28 16:18:36.129867 lan out 10.0.100.1 -> 10.0.100.200: icmp: echo reply
2024-08-28 16:18:37.134814 Cameras[100] in 10.0.100.200 -> 10.0.100.1: icmp: echo request
2024-08-28 16:18:37.134830 Cameras[100] out 10.0.100.1 -> 10.0.100.200: icmp: echo reply
2024-08-28 16:18:37.134832 lan out 10.0.100.1 -> 10.0.100.200: icmp: echo reply
2024-08-28 16:18:38.139942 Cameras[100] in 10.0.100.200 -> 10.0.100.1: icmp: echo request
2024-08-28 16:18:38.139953 Cameras[100] out 10.0.100.1 -> 10.0.100.200: icmp: echo reply
2024-08-28 16:18:38.139954 lan out 10.0.100.1 -> 10.0.100.200: icmp: echo reply
2024-08-28 16:18:39.142142 Cameras[100] in 10.0.100.200 -> 10.0.100.1: icmp: echo request
2024-08-28 16:18:39.142154 Cameras[100] out 10.0.100.1 -> 10.0.100.200: icmp: echo reply
2024-08-28 16:18:39.142155 lan out 10.0.100.1 -> 10.0.100.200: icmp: echo reply
^C
15 packets received by filter
0 packets dropped by kernel
Firewall-201F #
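The sniffer captures above tell the whole story once you look at which legs of each ICMP exchange the FortiGate actually saw: 10.0.30.2 -> 10.0.100.200 requests enter on Staff[30] and leave on Cameras[100], the replies come back the other way, but no echo request from 10.0.100.200 towards 10.0.30.x ever enters the firewall at all, which is why no policy (and no Policy Match counter) could ever be involved. Below is an added example, not code from this thread or from Fortinet, that parses the verbosity-4 `diag sniffer packet` line format exactly as it appears in the posts and classifies a src -> dst ping by the legs seen. It assumes only that line shape; the "constructed drop" sample is invented here to show what a genuine policy drop on the FortiGate looks like in the same output.

```python
import re
from collections import Counter

# Shape of one FortiOS "diag sniffer packet ... 4" line, as posted in this thread:
#   <date> <time> <iface>[<vlan>] in|out <src> -> <dst>: icmp: echo request|reply
# Interfaces without a VLAN tag (e.g. "lan") carry no bracketed id.
SNIFFER_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<iface>\S+?)(?:\[(?P<vlan>\d+)\])? (?P<dir>in|out) "
    r"(?P<src>\S+) -> (?P<dst>\S+): icmp: echo (?P<kind>request|reply)$"
)

# Lines copied from the output posted in this thread (working 30 -> 100 flow,
# plus the laptop pinging its own gateway 10.0.100.1).
THREAD_SAMPLE = """\
2024-08-28 15:47:45.028090 Staff[30] in 10.0.30.2 -> 10.0.100.200: icmp: echo request
2024-08-28 15:47:45.028116 Cameras[100] out 10.0.30.2 -> 10.0.100.200: icmp: echo request
2024-08-28 15:47:45.028117 lan out 10.0.30.2 -> 10.0.100.200: icmp: echo request
2024-08-28 15:47:45.028472 Cameras[100] in 10.0.100.200 -> 10.0.30.2: icmp: echo reply
2024-08-28 15:47:45.028478 Staff[30] out 10.0.100.200 -> 10.0.30.2: icmp: echo reply
2024-08-28 15:47:45.028479 lan out 10.0.100.200 -> 10.0.30.2: icmp: echo reply
2024-08-28 15:48:28.834792 Cameras[100] in 10.0.100.200 -> 10.0.100.1: icmp: echo request
2024-08-28 15:48:28.834803 Cameras[100] out 10.0.100.1 -> 10.0.100.200: icmp: echo reply
"""

# Constructed sample (NOT from the thread): requests enter on Cameras[100] but are
# never forwarded, which is what a policy or routing drop on the FortiGate itself looks like.
CONSTRUCTED_DROP = """\
2024-08-28 16:00:00.000001 Cameras[100] in 10.0.100.200 -> 10.0.30.2: icmp: echo request
2024-08-28 16:00:01.000001 Cameras[100] in 10.0.100.200 -> 10.0.30.2: icmp: echo request
"""


def parse_sniffer(text):
    """One dict per packet line; headers, ^C and the packet counters are skipped."""
    records = []
    for line in text.splitlines():
        m = SNIFFER_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["vlan"] = int(rec["vlan"]) if rec["vlan"] else None
            records.append(rec)
    return records


def flow_summary(records):
    """Packet count per (src, dst, direction, interface): every leg visible at a glance."""
    return Counter((r["src"], r["dst"], r["dir"], r["iface"]) for r in records)


def ingress_interfaces(records, host):
    """Interfaces on which packets sourced by `host` entered the FortiGate."""
    return sorted({r["iface"] for r in records if r["src"] == host and r["dir"] == "in"})


def diagnose(records, src, dst):
    """Classify a src -> dst ping by which legs of the ICMP exchange the FortiGate saw."""
    def seen(s, d, direction, kind):
        return any(r["src"] == s and r["dst"] == d and r["dir"] == direction
                   and r["kind"] == kind for r in records)

    if not seen(src, dst, "in", "request"):
        # The host never sent the request through this box: look at the host's
        # own routing (a second NIC/WiFi, wrong gateway), not at firewall policy.
        return "request-not-seen-inbound"
    if seen(dst, src, "out", "reply"):
        # Reply went back out; either forwarded end to end or answered by the FG itself.
        return "ok" if seen(src, dst, "out", "request") else "ok-answered-by-fortigate"
    if seen(dst, src, "in", "reply"):
        return "reply-dropped-on-firewall"
    if seen(src, dst, "out", "request"):
        return "no-reply-from-destination"     # forwarded, but the target stayed silent
    return "request-dropped-on-firewall"       # arrived, never forwarded: policy/route on the FG


if __name__ == "__main__":
    recs = parse_sniffer(THREAD_SAMPLE)
    for flow, n in sorted(flow_summary(recs).items()):
        print(n, *flow)
    print("30 -> 100:", diagnose(recs, "10.0.30.2", "10.0.100.200"))
    print("100 -> 30:", diagnose(recs, "10.0.100.200", "10.0.30.2"))
    print("100 -> gateway:", diagnose(recs, "10.0.100.200", "10.0.100.1"))
    print("constructed drop:",
          diagnose(parse_sniffer(CONSTRUCTED_DROP), "10.0.100.200", "10.0.30.2"))
```

Run against the captures posted here it reports `ok` for 30 -> 100, `ok-answered-by-fortigate` for the laptop pinging its own gateway, and `request-not-seen-inbound` for 100 -> 30, which is the signature of traffic leaving the host by another path rather than of a policy problem; the constructed sample is the only one that yields `request-dropped-on-firewall`, the case where looking at policy ordering would actually be the right next step.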
I feel like an idiot...I just figured it out...the Laptop was connected to an Open WiFi. Disabled WiFi and pings started working over the USB NIC.