Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
bebab
New Contributor

Policy based routing questions

First off network architecture explanation.

Two sites exist one in a colo in atlanta with a public range, And my house where a fortigate 60F exists on the latest firmware.

An ipsec tunnel exists between the two sites and routes are exchanged via OSPF.

Colo site has given me a /29 of public ip addresses and are routing them over the ipsec tunnel to me.

However I have a default route out my own wan and the return traffic coming to these public IPs must go back out the ipsec tunnel.

I have assigned this public range to a vlan interface so it can go down into my lan for servers.

I want all traffic sourced from this vlan interface to go out the ipsec tunnel interface.

However since this is a session based firewall I suspect I am in a split horizon routing scenario at present and the policy route I put in place was getting hit but when running a diagnostic it shows pings being dropped due to no return route being found.

Quite confused and could use some help thanks in advance!

https://xender.vip/
4 REPLIES 4
sahmed_FTNT
Staff
Staff

Hello, you can see below kb for policy base routing configuration:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-the-firewall-Policy-Routes/ta-...

Further is you are seeing no return route which simply means traffic is not returning back from expected interface. Most probably it will be a routing issue.

Security all we want
syao
Staff
Staff

I suggest running a debug flow and a packet sniffer to verify if the traffic is hitting your PBR rule, also make sure to turn off the offloading at the policy level to see them when you're debugging:

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-First-steps-to-troubleshoot-connecti...

https://docs.fortinet.com/document/fortigate/7.4.3/hardware-acceleration/392369/disabling-np-offload...


Toshi_Esumi
SuperUser
SuperUser

Why do you need a policy route? Your DC have a /29 public subnet that you need to route over the IPSec tunnel from your FGT while your general internet goes out through wan1 interface, right? Then you just need to set a static route for the /29 toward the tunnel interface with a static route. If it's OSFP, it should have been automatically taken care of.

 

Of course you have to adjust phase2 selector to allow the /29 destined traffic to the other side of the tunnel if the current selector is not 0/0<->0/0, But I assume you've already know that very well while you're handling other IPSecs.

I think you're overthinking.

Toshi

hbac
Staff
Staff

Hi @bebab,

 

I don't quite understand your network architecture. Why are you assigning public range to your VLAN interface? Can you provide a network diagram? 

 

Regards, 

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors