snakekick
New Contributor

Policy routing trouble

Hello,

I have some trouble with policy routing.

I have tried to draw my setup in the picture.

Virtual IP, NAT and policy are all working when I use a static route, but when I change to policy routing it doesn't work, and I don't see my fault.

Here is my policy routing config; the static routes are deleted:

edit 4
    set input-device "port24"
    set dst "10.0.0.1/255.255.255.255"
    set protocol 6
    set start-port 80
    set end-port 80
    set output-device "VLAN1"
next
edit 5
    set input-device "port18"
    set dst "10.0.0.2/255.255.255.255"
    set protocol 6
    set start-port 22
    set end-port 22
    set output-device "VLAN1"
next

I hope someone can help me.

Toshi_Esumi
SuperUser

A policy route can be used when multiple destination interfaces exist for the given destination IP and you want to specify one of them based on parameters other than the destination IP.

In your case, both go to "VLAN1" vlan-subinterface(?), you don't need any policy route but a route that includes both 10.0.0.1 and 10.0.0.2 like 10.0.0.0/30 toward "VLAN1".

emnoc
Esteemed Contributor III

I would caution against that, since the DST-port and SRC (addr, interfaces) are not the same. Typically with a policy route you should set the next-hop:

 

config router policy
    edit 0
        set input-device "port24"
        set src 0.0.0.0/0
        set dst 10.0.0.1 255.255.255.255
        set protocol 6
        set start-port 80
        set end-port 80
        set gateway x.x.x.x
        set output-device "vlan1"
    next
    edit 0
        set input-device "port18"
        set src 0.0.0.0/0
        set dst 10.0.0.2 255.255.255.255
        set protocol 6
        set start-port 22
        set end-port 22
        set gateway x.x.x.x
        set output-device "vlan1"
    next
end


Now I see VIPs. Are these VIPs on the FortiGate? If yes, then you do NOT need a policy route.


PCNSE NSE StrongSwan
Toshi_Esumi

The "VLAN1" interface at the FGT must have an IP within the subnet shared with the servers, like 10.0.0.254/24, and those servers should have the IPs 10.0.0.1/24 and 10.0.0.2/24. Then you don't need a static route. It's directly "connected".

snakekick

My problem was that traffic coming from VLAN1 sometimes goes out of interface 24 and sometimes goes to interface 18.

That's why I played with policy routing.

When I start an HTTP request to interface 24 to address 172.21.22.30, it is mapped to VIP 10.0.0.1 and goes to VLAN1.

When the packets go back they must go the same way, but I think they don't do that every time. Sometimes the answer goes out to interface 18.

**Sorry for my English** ;)

Toshi_Esumi

For the outgoing direction, you might need a set of policy routes to specify which port to go out. I thought it would follow the incoming path since FGT remembers in the sessions. And those services are always initiated by outside parties.

snakekick

I am a little bit confused: do I need a policy route or not? And when I need a policy route, what is wrong with my example?

snakekick

Hello, thank you for the answer. Yes, the VIPs are on the FortiGate. OK, then I only need a static route and to forbid HTTP traffic on interface 18 and only allow port 22, and on interface 24 allow port 80 HTTP and deny port 22.
Toshi_Esumi
SuperUser

You said now that your problem was not incoming from outside, but that outgoing traffic toward the internet uses two interfaces randomly. To force each kind of traffic toward a specific interface, the policy routes need to be set for the outgoing direction. Your original policy routes are for the incoming direction. Try flipping input and output, then specify only src and ports. I'm assuming you already have two default routes to the two interfaces.

 

But it still doesn't make sense to me. You have a VIP for port 80 on port28 and port 22 on port18, not on both. Then you use them on separate inbound policies and limit the services to each specific 80 or 22, right?

snakekick

So the real live IPs are a little bit different, but it is still the same problem. The debug shows me this:

id=20085 trace_id=193 func=print_pkt_detail line=5311 msg="vd-root received a packet(proto=6, 172.19.135.205:43524->172.21.92.163:80) from port24. flag , seq 3478864741, ack 0, win 29200"
id=20085 trace_id=193 func=init_ip_session_common line=5470 msg="allocate a new session-08431629"
id=20085 trace_id=193 func=fw_pre_route_handler line=185 msg="VIP-10.0.1.20:80, outdev-port24"
id=20085 trace_id=193 func=__ip_session_run_tuple line=3223 msg="DNAT 172.21.92.163:80->10.0.1.20:80"
id=20085 trace_id=193 func=vf_ip_route_input_common line=2567 msg="Match policy routing: to 10.0.1.20 via ifindex-55"
id=20085 trace_id=193 func=ip_route_input_slow line=2242 msg="reverse path check fail, drop"
id=20085 trace_id=193 func=ip_session_handle_no_dst line=5545 msg="trace"

 

It also works when I create a static route with administrative distance 1 for 0.0.0.0/0 and the correct GW to port 24, but then all traffic without a correct route goes to this interface:


id=20085 trace_id=194 func=print_pkt_detail line=5311 msg="vd-root received a packet(proto=6, 172.19.135.205:43526->172.21.92.163:80) from port24. flag , seq 3115073653, ack 0, win 29200"
id=20085 trace_id=194 func=init_ip_session_common line=5470 msg="allocate a new session-0843f627"
id=20085 trace_id=194 func=fw_pre_route_handler line=185 msg="VIP-10.0.1.20:80, outdev-port24"
id=20085 trace_id=194 func=__ip_session_run_tuple line=3223 msg="DNAT 172.21.92.163:80->10.0.1.20:80"
id=20085 trace_id=194 func=vf_ip_route_input_common line=2567 msg="Match policy routing: to 10.0.1.20 via ifindex-55"
id=20085 trace_id=194 func=vf_ip_route_input_common line=2576 msg="find a route: flag=00000000 gw-10.0.1.20 via VLAN1"
id=20085 trace_id=194 func=fw_forward_handler line=743 msg="Allowed by Policy-3: SNAT"
id=20085 trace_id=194 func=__ip_session_run_tuple line=3209 msg="SNAT 172.19.135.205->10.0.0.2:43526"
id=20085 trace_id=195 func=print_pkt_detail line=5311 msg="vd-root received a packet(proto=6, 172.19.135.205:43526->172.21.92.163:80) from port24. flag [.], seq 3115073654, ack 4054709629, win 229"

 

 

So the difference for me is this line:

id=20085 trace_id=194 func=vf_ip_route_input_common line=2576 msg="find a route: flag=00000000 gw-10.0.1.20 via VLAN1"

 

 

With asym enabled this line shows up too. So do I need a static (?) route to 10.0.1.20 via VLAN1, or another policy route?

 

Thank you
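As an added example (not from the thread or from Fortinet), here is a small Python parser for the debug flow output quoted above. It groups the lines by trace_id and explains why trace 193 was dropped while trace 194 was forwarded, encoding the standard reading of that message: the reverse path check looks the packet's source up in the routing table, and a matched policy route does not satisfy it, which is why the 0.0.0.0/0 route toward port24 made the drop disappear. The trimmed sample trace and all function names are constructed here.

```python
import re
from typing import Dict

# Constructed sample: the two debug flow traces quoted above, trimmed to the
# lines that matter (trace 193 is dropped, trace 194 is forwarded).
SAMPLE_TRACE = """\
id=20085 trace_id=193 func=print_pkt_detail line=5311 msg="vd-root received a packet(proto=6, 172.19.135.205:43524->172.21.92.163:80) from port24. flag , seq 3478864741, ack 0, win 29200"
id=20085 trace_id=193 func=__ip_session_run_tuple line=3223 msg="DNAT 172.21.92.163:80->10.0.1.20:80"
id=20085 trace_id=193 func=vf_ip_route_input_common line=2567 msg="Match policy routing: to 10.0.1.20 via ifindex-55"
id=20085 trace_id=193 func=ip_route_input_slow line=2242 msg="reverse path check fail, drop"
id=20085 trace_id=194 func=print_pkt_detail line=5311 msg="vd-root received a packet(proto=6, 172.19.135.205:43526->172.21.92.163:80) from port24. flag , seq 3115073653, ack 0, win 29200"
id=20085 trace_id=194 func=__ip_session_run_tuple line=3223 msg="DNAT 172.21.92.163:80->10.0.1.20:80"
id=20085 trace_id=194 func=vf_ip_route_input_common line=2567 msg="Match policy routing: to 10.0.1.20 via ifindex-55"
id=20085 trace_id=194 func=vf_ip_route_input_common line=2576 msg="find a route: flag=00000000 gw-10.0.1.20 via VLAN1"
id=20085 trace_id=194 func=fw_forward_handler line=743 msg="Allowed by Policy-3: SNAT"
"""

LINE_RE = re.compile(r'trace_id=(\d+) func=\S+ line=\d+ msg="(.*)"$', re.M)
PKT_RE = re.compile(r'received a packet\(proto=\d+, (\S+):\d+->\S+\) from (\S+)\.')
ROUTE_RE = re.compile(r'find a route: .* via (\S+)$')


def analyze_flow(text: str) -> Dict[str, dict]:
    """Group debug-flow lines by trace_id and record how each session was handled."""
    traces: Dict[str, dict] = {}
    for tid, msg in LINE_RE.findall(text):
        t = traces.setdefault(tid, {"src": None, "in_dev": None, "policy_route": False,
                                    "route_dev": None, "verdict": "unknown"})
        if (p := PKT_RE.search(msg)):
            t["src"], t["in_dev"] = p.groups()          # source IP and ingress interface
        elif msg.startswith("Match policy routing"):
            t["policy_route"] = True                    # a policy route picked the egress
        elif (r := ROUTE_RE.search(msg)):
            t["route_dev"] = r.group(1)                 # routing-table lookup succeeded
        elif msg.startswith("reverse path check fail"):
            t["verdict"] = "dropped"
        elif msg.startswith("Allowed by Policy"):
            t["verdict"] = "forwarded"
    return traces


def explain(t: dict) -> str:
    """One-line diagnosis; the RPF branch is the situation seen in trace 193 above."""
    if t["verdict"] == "dropped" and t["policy_route"] and t["route_dev"] is None:
        return (f"RPF drop: no routing-table entry for source {t['src']} via {t['in_dev']}; "
                "the matched policy route does not satisfy the reverse path check")
    if t["verdict"] == "forwarded":
        return f"forwarded via {t['route_dev']}"
    return t["verdict"]
```

Feed `analyze_flow()` the raw output of `diagnose debug flow` and run `explain()` on each trace to separate routing-table problems from policy-route problems before touching the configuration.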

 

 
