fortimaster
Contributor

Policy Route not working with connected route.

Hi all,

I edit my previous message. I have 2 paths to the same network:

1) One path using a static route to network A.

2) One path to network A because I'm directly connected.

In some cases I would like to route traffic using the static route, but if I try to route traffic to network A using a Policy Route (so that it does not go through the directly connected interface), the Policy Route does not work. I think it does not work because the connected route takes preference over the static route and its administrative distance. I think policy routes only work when you have 2 equal routes to the same destination (same administrative distance and same priority).

I can't change the connected route AD and I can't change the AD of the static route to 0.

How can I route traffic to network A through the static route if I'm connected to network A? Could you help me?

Thanks

Anthony_E
Community Manager

Hello,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Anthony-Fortinet Community Team.
srajeswaran
Staff

Can you try splitting the static route? For example, if it is a /24 route, split it into two /25 subnets and that way these routes will be active (more specific than /24).

192.168.0.0/24 can be 192.168.0.0/25 and 192.168.0.128/25.

The idea is to get more specific routes; if it is only a few IPs, then add them as /32 routes or smaller subnets.
Regards,

Suraj

- Have you found a solution? Then give your helper a "Kudos" and mark the solution.

fortimaster

Thanks for your help srajeswaran. Yes, it is the only way I can think of to control it. I don't see a way to do it with PBR since from the tests I've done, PBR is only valid when there are 2 equal routes to a destination...

srajeswaran
Staff

Can you share some more details on the requirement, for example which traffic should select the connected route and which one should select the alternate route? Is it specific to source or any specific service/application?

Regards,

Suraj

- Have you found a solution? Then give your helper a "Kudos" and mark the solution.

gfleming
Staff

I can think of a few other ways of doing this. Really depends on why you want to do this though. Can you shed some more light onto the reason behind this?

One example of how you could accomplish this is setting up some DNAT entries and having traffic to network A use a different IP address. Depends again on your use case. If you are doing this because you need extra inspection for specific hosts, this might be a good way of doing it.

The other way is sticking Network A in a VDOM and then routing the VDOM either using your alternate path as option 1 or routing to it directly using the NPU VDOM link (connected route) as option 2.

Lots of ways to skin a cat. Give us some more insight into your use case and we can be more helpful.

Cheers,
Graham
fortimaster

Thanks for your help!!

I'm in a migration process. Actually I have a static route to reach network A and its routers.

I need some routers from network A to continue sending traffic to and receiving traffic from the FW through the current static route and, when I go to connect the firewall to network A directly, I need this to keep happening for some IPs on that network.

Firewall needs to:

-Route some traffic to network A hosts, using a static route and port X.

-Route some traffic to network A hosts, through its connected port Y to network A.

Network A is a /24 subnet.

Thanks.

gfleming

Can you perhaps show a topology diagram as well?

It seems to me the most sensible thing to do here is keep your router inline with the endpoints and the Firewall until the migration is complete? If you need some endpoints to route through the firewall then the policy routing should happen on the router.

Cheers,
Graham
Muhammad_Haiqal

Hi @fortimaster,

Please be informed, a policy route will override the normal routing table.
I will give you the general idea.
Static route:

192.168.1.0/24 GW A
192.168.2.0/24 GW B
192.168.3.0/24 GW C

Traffic will be routed accordingly to GW A, B or C.

Policy route

192.168.1.0/24 (destination) GW D
This means this subnet is forced to go to GW D only.

If traffic arrives at the FortiGate on GW A, the FortiGate responds using GW D.

Coming in via GW A, responding back via GW D.
This creates an asymmetric routing issue and traffic will not work.

You can specify "source" and "destination" to make the routing more strict.
However, policy routes are mostly used because of network design issues.
If the network design is correct, policy routes should be avoided.

haiqal
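Both srajeswaran's suggestion earlier in the thread (more-specific prefixes out-rank the connected /24 regardless of administrative distance) and the policy-route behaviour haiqal describes can be checked in a small simulation. The Python below is an added example written for this thread, not FortiGate code or output, and it is a simplified model: policy routes are matched in order before the routing table, the routing table uses longest-prefix match with the lower administrative distance winning among equal-length prefixes, and every packet, replies included, is evaluated on its own, so FortiGate session handling is not modelled. The interface names portX, portY, portD and lan, the gateways 10.0.0.1 and 10.0.1.1, and all host addresses are constructed values.

```python
"""Simplified model of policy routing vs. the routing table (added example;
not FortiGate code). Policy routes are checked first, in order; if none
matches, the routing table (FIB) answers with the longest matching prefix,
lower administrative distance winning among equal-length prefixes."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    device: str
    gateway: Optional[str]   # None for a directly connected route
    distance: int            # administrative distance (connected 0, static 10)


@dataclass(frozen=True)
class PolicyRoute:
    output_device: str
    gateway: str
    input_device: Optional[str] = None            # None = any ingress interface
    src: Optional[ipaddress.IPv4Network] = None   # None = any source
    dst: Optional[ipaddress.IPv4Network] = None   # None = any destination


def net(text: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(text)


def fib_lookup(fib: List[Route], dst_ip: str) -> Optional[Route]:
    """Longest-prefix match; ties broken by administrative distance."""
    dst = ipaddress.ip_address(dst_ip)
    matches = [r for r in fib if dst in r.prefix]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r.prefix.prefixlen, r.distance))


def forward(fib, policies, in_device, src_ip, dst_ip) -> Optional[Tuple[str, Optional[str]]]:
    """Egress (device, gateway) for one packet: the first matching policy route
    wins, otherwise the routing table decides."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for p in policies:
        if p.input_device is not None and p.input_device != in_device:
            continue
        if p.src is not None and src not in p.src:
            continue
        if p.dst is not None and dst not in p.dst:
            continue
        return p.output_device, p.gateway
    r = fib_lookup(fib, dst_ip)
    return (r.device, r.gateway) if r else None


def more_specific_routes(hosts, device, gateway, distance=10) -> List[Route]:
    """srajeswaran's approach: cover only the hosts that must take the static
    path with the fewest /32-or-larger prefixes, so they out-rank the connected /24."""
    nets = ipaddress.collapse_addresses(net(h) for h in hosts)
    return [Route(n, device, gateway, distance) for n in nets]


def reply_is_asymmetric(fib, policies, in_device, src_ip, dst_ip) -> bool:
    """haiqal's scenario: a request enters on in_device; the reply (src/dst
    swapped, entering on the request's egress device) should leave on in_device."""
    request = forward(fib, policies, in_device, src_ip, dst_ip)
    if request is None:
        return True                      # unroutable request: nothing symmetric about it
    reply = forward(fib, policies, request[0], dst_ip, src_ip)
    return reply is None or reply[0] != in_device


# Constructed topology following the thread: network A (192.168.0.0/24) is both
# directly connected on portY and reachable via a static route on portX.
FIB_BASE = [
    Route(net("192.168.0.0/24"), "portY", None, 0),         # connected
    Route(net("192.168.0.0/24"), "portX", "10.0.0.1", 10),  # static, loses on AD
    Route(net("10.10.10.0/24"), "lan", None, 0),            # internal LAN
]
# Hosts that must keep using the static path during the migration (constructed).
STATIC_PATH_HOSTS = ["192.168.0.10", "192.168.0.11", "192.168.0.12", "192.168.0.13"]
FIB_SPLIT = FIB_BASE + more_specific_routes(STATIC_PATH_HOSTS, "portX", "10.0.0.1")

# Policy route matching on destination only, as in haiqal's GW D example.
POLICY_DST_ONLY = PolicyRoute("portD", "10.0.1.1", dst=net("192.168.0.0/24"))
# The same override restricted by ingress interface and source, so it applies
# only to the flows it was written for.
POLICY_STRICT = PolicyRoute("portD", "10.0.1.1", input_device="lan",
                            src=net("10.10.10.128/25"), dst=net("192.168.0.0/24"))

if __name__ == "__main__":
    print("base table, 192.168.0.10 ->", fib_lookup(FIB_BASE, "192.168.0.10").device)
    print("split table, 192.168.0.11 ->", fib_lookup(FIB_SPLIT, "192.168.0.11").device)
    print("split table, 192.168.0.200 ->", fib_lookup(FIB_SPLIT, "192.168.0.200").device)
    print("dst-only policy, reply asymmetric:",
          reply_is_asymmetric(FIB_SPLIT, [POLICY_DST_ONLY], "portX", "192.168.0.11", "10.10.10.5"))
    print("strict policy, reply asymmetric:",
          reply_is_asymmetric(FIB_SPLIT, [POLICY_STRICT], "portX", "192.168.0.11", "10.10.10.5"))
```

On the base table 192.168.0.10 resolves to portY (same prefix length, connected AD 0 wins), which is the situation the original post describes. With the four hosts collapsed into 192.168.0.10/31 and 192.168.0.12/31 via portX, .11 goes to portX and .200 stays on the connected portY. With the destination-only policy route, a request that arrived on portX gets its reply sent to portD, the asymmetry haiqal warns about; the policy constrained by ingress interface and source leaves that flow to the routing table and still steers the intended 10.10.10.128/25 sources to portD.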
srajeswaran
Staff

How are we differentiating the traffic that is supposed to go via portX from the traffic expected to go out via portY?

Regards,

Suraj

- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
