Policy route to wan2 blocking connections to wan1 (FGT60D)
Hi,
I have two WAN interfaces, 1 and 2. WAN 1 is set for VLAN 10 and WAN 2 for VLAN 60.
To allow computers on VLAN 60 to use the WAN 2 internet, I created the Policy Route below:
The problem:
There is an HTTP server in VLAN 10 that hosts a website, and it is listening on the WAN 1 IP (already set on the FortiGate and on the HTTP server).
Computers on VLAN 10 can open the website using the WAN "1" IP, but computers on VLAN 60 can't reach the website. VLAN 60 can ping the WAN "1" IP, though.
When I disable the policy route created before, VLAN 60 can open the website normally.
What is the problem?
Thank you.
Is the virtual IP for the HTTP server configured with interface any? Can you try to add another policy before this one, with the destination of the HTTP server and the wan1 interface?
oheigl wrote: Is the virtual IP for the HTTP server configured with interface any? Can you try to add another policy before this one, with the destination of the HTTP server and the wan1 interface?
Currently the virtual IP is set this way; isn't that right?
Hi Ragno,
ragno wrote: Computers on VLAN 10 can open the website using the WAN "1" IP, but computers on VLAN 60 can't reach the website. VLAN 60 can ping the WAN "1" IP, though.
When I disable the policy route created before, VLAN 60 can open the website normally.
What is the problem?
If you think about the goal of PBR, this is the expected behavior, since the policy route was defined with destination 0.0.0.0/0 (any) and any protocol. PBR replaces/overrides the normal route lookup, so the traffic is forced to be forwarded to the specified gateway (if it is up / present in the FIB).
Just add a PBR entry before it (evaluation is top-down, first match) with source vlan60_subnet, destination wan1_subnet and action "stop policy routing".
Regards,
Antonio
Antonio Milanese wrote: Just add a PBR entry before it (evaluation is top-down, first match) with source vlan60_subnet, destination wan1_subnet and action "stop policy routing".
Antonio,
Should I do this setting from the command line?
I can't find the suggested option to stop policy routing in the menu under "Router > Static > Policy Routes".
Hi Ragno,
Sorry, I should have noted from the screenshot that the FOS version is 5.x/5.2.x, so PBR does not support the allow or deny (stop PBR) action as in the 5.4 or 5.6 versions. A workaround is to add (before your wan2 PBR) an entry with source vlan60_subnet, destination vip_mapped_IP and destination interface the vip_mapped_IP "internal" interface (optionally protocol TCP port 8080, depending on the web server app/content behavior). The rationale is to policy-route traffic destined to the VIP_mapped_ip so it is forced to the LAN, as in the normal flow without PBR and after VIP translation.
Regards,
Antonio
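The two approaches Antonio describes above (the pre-5.4 workaround of policy-routing the VIP's traffic back to the internal interface, and the "stop policy routing" action that exists from FortiOS 5.4 on) written out as CLI entries. This is an added illustration, not configuration from the original thread: the interface names (vlan60, internal, wan2), the addresses (192.168.60.0/24 standing in for vlan60_subnet, 10.0.10.5 for the VIP's mapped IP, 203.0.113.1 for the wan2 gateway) and port 8080 are placeholders, and the exact `config router policy` syntax differs between FortiOS releases, so check it against the CLI reference for the firmware actually running.

```text
# Added example (FortiOS CLI), not from the original post.
# Interface names, addresses and the port are placeholders.

# Existing entry from the thread: everything from vlan60 leaves via wan2.
config router policy
    edit 1
        set input-device "vlan60"
        set src 192.168.60.0 255.255.255.0
        set dst 0.0.0.0 0.0.0.0
        set gateway 203.0.113.1
        set output-device "wan2"
    next
    # FortiOS 5.2.x workaround: the VIP's DNAT has already been applied
    # when policy routes are consulted, so match the mapped (internal)
    # server IP and hand the packet to the LAN interface, which is where
    # it would go without any PBR. No gateway is set: the server is
    # directly connected.
    edit 2
        set input-device "vlan60"
        set src 192.168.60.0 255.255.255.0
        set dst 10.0.10.5 255.255.255.255
        set protocol 6
        set start-port 8080
        set end-port 8080
        set output-device "internal"
    next
    # Policy routes are evaluated top-down, first match: the exception
    # must sit above the catch-all or it never fires.
    move 2 before 1
end

# FortiOS 5.4 / 5.6: the same exception as a "stop policy routing" entry.
# action deny ends PBR evaluation for matching traffic and falls back to
# the normal routing table; again it must be ordered before the catch-all.
config router policy
    edit 2
        set input-device "vlan60"
        set src "192.168.60.0/24"
        set dst "10.0.10.5/32"
        set action deny
    next
    move 2 before 1
end
```

To confirm the resulting order, `diagnose firewall proute list` prints the policy routes in evaluation order; `diagnose debug flow` (filter on the mapped server IP, then `trace start`) shows per-packet which policy route, if any, a session from vlan60 actually matched. Keep the exception as narrow as the VIP (one host, one port): a broader match would pull other vlan60 traffic off wan2 as well.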
Antonio Milanese wrote: Hi Ragno,
Sorry, I should have noted from the screenshot that the FOS version is 5.x/5.2.x, so PBR does not support the allow or deny (stop PBR) action as in the 5.4 or 5.6 versions. A workaround is to add (before your wan2 PBR) an entry with source vlan60_subnet, destination vip_mapped_IP and destination interface the vip_mapped_IP "internal" interface (optionally protocol TCP port 8080, depending on the web server app/content behavior). The rationale is to policy-route traffic destined to the VIP_mapped_ip so it is forced to the LAN, as in the normal flow without PBR and after VIP translation.
Regards,
Antonio
Worked!! Thank you!
Hello,
In the above scenario, I can't access the site by name (e.g. abcd.com) instead of by IP address. Any suggestions?
Regards,
Naveen.D
