Hi All,
I am setting up WiFi access for a branch office. Per my attached network diagram, I have set up two SSIDs for two VLANs.
SSID 1: VLAN 2 for 172.16.130.0/24 (direct access to the Internet),
SSID 2: VLAN 3 for 172.16.131.0/24 (access to the MPLS network, gateway: 192.168.0.2)
In my FortiGate 100D, I have created two VLAN sub-interfaces under the LAN interface, and then I have set up a policy route to send VLAN 2 traffic to the public Internet. Clients connected to SSID 1 can access the Internet without any problem.
Then I have created a policy route for VLAN 3, for clients connected to SSID 2, for accessing the MPLS network.
My policy route for VLAN 3:
Incoming interface: VLAN 3 interface
Incoming network: 172.16.131.0/255.255.255.0
Outgoing interface: LAN
Outgoing network: 0.0.0.0/0.0.0.0
Gateway: 192.168.0.2
BTW, I have created a policy to allow the 172.16.131.0 network to access 192.168.0.2, and also to allow 192.168.0.0/24 to access the VLAN 2 and VLAN 3 networks.
However, when clients connect to SSID 2 (VLAN 3), it seems they are unable to access the MPLS network.
So is there any misconfiguration? And how do I route VLAN 3 traffic via the MPLS gateway?
The reason these WiFi networks differ from the LAN subnet is that I would like to isolate wireless clients from the LAN subnet.
Thank you for your help.
Just to verify, your policy for MPLS is currently set to
Source Interface: VLAN3
Source Address: 172.16.131.0
Destination Interface: LAN (MPLS subnet switch ports)
Destination Address: 192.168.0.2
?
If so, you probably need the destination address to be all (or any and all networks that exist on the MPLS that you want them to access). Otherwise, you will only be able to talk to the .2 device and nothing past it.
Mike Pruett
MikePruett wrote: Just to verify, your policy for MPLS is currently set to
Source Interface: VLAN3
Source Address: 172.16.131.0
Destination Interface: LAN (MPLS subnet switch ports)
Destination Address: 192.168.0.2
?
If so, you probably need the destination address to be all (or any and all networks that exist on the MPLS that you want them to access). Otherwise, you will only be able to talk to the .2 device and nothing past it.
Hi Mike,
Thanks for your quick reply. What I have configured is:
Source Interface: VLAN3
Source Address: 172.16.131.0
Destination Interface: LAN (MPLS subnet switch ports)
Destination Address: 0.0.0.0/0.0.0.0
Gateway: 192.168.0.2 (MPLS gateway)
Hi,
Could you post the output of:
#> get router info routing-table database
You need both active routes, through the Internet and through the MPLS.
Also, I advise you to create a "Stop Policy Routing" entry for any RFC1918 IP address, placed before your existing PBR.
This will restore normal behavior/routing for inter-VLAN traffic.
BR,
Max
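To show why Max's "Stop Policy Routing" entry matters, here is a small model of top-down policy-route matching built for this thread (an added example, not Fortinet code or anything posted above). It assumes FortiOS evaluates policy routes in order, that a stop entry makes the packet fall back to the normal routing table, and it uses a constructed remote MPLS prefix (10.20.0.0/16) and public address (8.8.8.8) as test destinations.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed model of policy-based routing (PBR) evaluation on the FortiGate in
# this thread. Rules are matched top-down on incoming interface, source and
# destination; a rule with gateway=None is a "stop policy routing" entry that
# hands the packet back to the ordinary routing table.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class PolicyRoute:
    in_iface: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    gateway: Optional[str]  # None == stop policy routing (use routing table)

def next_hop(rules: List[PolicyRoute], in_iface: str, src_ip: str, dst_ip: str) -> str:
    """Return the gateway the first matching rule selects, or 'routing-table'."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if rule.in_iface == in_iface and src in rule.src and dst in rule.dst:
            return "routing-table" if rule.gateway is None else rule.gateway
    return "routing-table"  # no PBR match: normal routing applies

VLAN3 = ipaddress.ip_network("172.16.131.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")

# Ken's policy route as posted: all VLAN 3 traffic is forced to 192.168.0.2.
pbr_as_posted = [PolicyRoute("VLAN3", VLAN3, ANY, "192.168.0.2")]

# Max's suggestion: stop entries for RFC1918 destinations placed BEFORE that rule,
# so inter-VLAN and LAN traffic follows the routing table (which, as Max notes,
# must already hold the Internet and MPLS routes).
pbr_with_stop = [PolicyRoute("VLAN3", VLAN3, net, None) for net in RFC1918] + pbr_as_posted

def compare(dst_ips: List[str], src_ip: str = "172.16.131.10") -> dict:
    """Side-by-side next hop for a VLAN 3 client under both rule sets."""
    return {d: (next_hop(pbr_as_posted, "VLAN3", src_ip, d),
                next_hop(pbr_with_stop, "VLAN3", src_ip, d)) for d in dst_ips}

if __name__ == "__main__":
    # Constructed destinations: a VLAN 2 host, a LAN host, a remote MPLS site, the Internet.
    for dst, (posted, with_stop) in compare(["172.16.130.20", "192.168.0.50", "10.20.0.5", "8.8.8.8"]).items():
        print(f"{dst:>15}  as posted -> {posted:<14} with stop entries -> {with_stop}")
```

Without the stop entries every destination, including the neighbouring VLAN 2 and LAN hosts, is pushed at the MPLS gateway, which is the inter-VLAN breakage Max describes.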
That looks like the way that you configured your policy route. Your firewall policy itself needs to allow the traffic to traverse as well.
MPLS also needs to have a route to get back to your inside network. Couple of factors
kenfung wrote: MikePruett wrote: Just to verify, your policy for MPLS is currently set to
Source Interface: VLAN3
Source Address: 172.16.131.0
Destination Interface: LAN (MPLS subnet switch ports)
Destination Address: 192.168.0.2
?
If so, you probably need the destination address to be all (or any and all networks that exist on the MPLS that you want them to access). Otherwise, you will only be able to talk to the .2 device and nothing past it.
Hi Mike,
Thanks for your quick reply. What I have configured is:
Source Interface: VLAN3
Source Address: 172.16.131.0
Destination Interface: LAN (MPLS subnet switch ports)
Destination Address: 0.0.0.0/0.0.0.0
Gateway: 192.168.0.2 (MPLS gateway)
Mike Pruett