Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
snakekick
New Contributor

Created on ‎05-25-2018 05:47 AM

Policy routing trouble

Hello,

i have some trouble with policy routing.

I have try to paint my setup to the picture.

Virtual IP and nat and policy all working when i use static route but when i change to policy routing it doesn't

work and i didnt see my fault.

 

here my Policy routing config, static roules are deleted:

 

 

edit 4

set input-device "port24"

set dst "10.0.0.1/255.255.255.255"

set protocol 6

set start-port 80

set end-port 80

set output-device "VLAN1"

edit 5 set input-device "port18"

set dst "10.0.0.2/255.255.255.255"

set protocol 6

set start-port 22

set end-port 22

set output-device "VLAN1"

 

 

 

i hope someone can help me

Preview file
39 KB
10618
0 Kudos
10 REPLIES 10
Toshi_Esumi
SuperUser
SuperUser

Created on ‎05-25-2018 09:00 AM

Policy route can be used when multiple destination interfaces exists for the given destination IP and you want to specify one of them based on other parameters other than the destination IP.

In your case, both go to "VLAN1" vlan-subinterface(?), you don't need any policy route but a route that includes both 10.0.0.1 and 10.0.0.2 like 10.0.0.0/30 toward "VLAN1".

4486
0 Kudos
emnoc
Esteemed Contributor III
In response to Toshi_Esumi

Created on ‎05-25-2018 10:36 AM

I would caught against  due to the  DST-port and SRC  ( addr interfaces ) are not the same. Typically with policy route you should set the next-hop

 

config router policy
    
edit 0
        
set input-device "port24"
        
set src 0.0.0.0/0
        
set dst 10.0.0.1 255.255.255.255
        
set protocol 6
        
set start-port 80
        
set end-port 80
        
set gateway x.x.x.x
        
set output-device "vlan1"
next
edit 0 

set input-device "port18"

set src 0.0.0.0/0 

set dst 10.0.0.2 255.255.255.255 

set protocol 6 

set start-port 22 

set end-port 22

set gateway x.x.x.x 

set output-device "vlan1" 
next

end

NOw I see VIPs are these VIP on Fortigate? If yes,  than you do NOT need a PolicyRoute.


PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
4486
0 Kudos
Toshi_Esumi
SuperUser
SuperUser
In response to emnoc

Created on ‎05-25-2018 11:18 AM

The "VLAN1" interface at the FGT must have an IP within the subnet shared with the servers, like 10.0.0.254/24, and those servers should have IP:10.0.0.1/24, 10.0.0.2/24. Then you don't need a static route. It's directly "connected".

4486
0 Kudos
snakekick
New Contributor
In response to Toshi_Esumi

Created on ‎05-25-2018 11:26 AM

my problem was that traffic that come from vlan1 go sometimes out off interface24 and sometimes go to interface18

thats why i play with policy routing

when i start a http request to interface24 to address 172.21.22.30 mapped to vip 10.0.0.1 and go to vlan1

when the paket go back they must go the same way but i think they didnd do that every time. sometimes the answer go out to interface18

 **sorry for my english** ;)

4486
0 Kudos
Toshi_Esumi
SuperUser
SuperUser
In response to snakekick

Created on ‎05-25-2018 01:32 PM

For the outgoing direction, you might need a set of policy routes to specify which port to go out. I thought it would follow the incoming path since FGT remembers in the sessions. And those services are always initiated by outside parties.

4486
0 Kudos
snakekick
New Contributor
In response to Toshi_Esumi

Created on ‎05-28-2018 12:23 AM

i am a litte bit confuse do i need a policy route or not. and when i need a policy route what is wrong with my example ?

4486
0 Kudos
snakekick
New Contributor
In response to Toshi_Esumi

Created on ‎05-25-2018 10:45 AM

hello, thank you for the answer. yes the vip‘s are on the fortigate. ok then i only need static route and forbid http traffic on interface 18 and only allow port 22 and on interface 24 allow port 80 http and deni port 22
4486
0 Kudos
Toshi_Esumi
SuperUser
SuperUser

Created on ‎05-28-2018 08:37 AM

You said now your problem was not incoming from outside. But outgoing toward the internet use two interfaces randomly. To force each traffic toward a specific interface, the policy routes need to be set for outgoing direction. Your original policy routes are for incoming direction. Try flip input and output then specify only src and ports. I'm assuming you have two default routes to two interfaces already.

 

But it still doesn't make sense to me. You have a VIP for port 80 on port28 and port 22 on port18, not on both. Then you use them on separate inbound policies and limit the services to each specific 80 or 22, right?

4486
0 Kudos
snakekick
New Contributor
In response to Toshi_Esumi

Created on ‎05-31-2018 06:45 AM

so real live ip are a little bit different but still the same problem the debug show me this:

 

 

id=20085 trace_id=193 func=print_pkt_detail line=5311 msg="vd-root received a packet(proto=6, 172.19.135.205:43524->172.21.92.163:80) from port24. flag , seq 3478864741, ack 0, win 29200"
id=20085 trace_id=193 func=init_ip_session_common line=5470 msg="allocate a new session-08431629"
id=20085 trace_id=193 func=fw_pre_route_handler line=185 msg="VIP-10.0.1.20:80, outdev-port24"
id=20085 trace_id=193 func=__ip_session_run_tuple line=3223 msg="DNAT 172.21.92.163:80->10.0.1.20:80"
id=20085 trace_id=193 func=vf_ip_route_input_common line=2567 msg="Match policy routing: to 10.0.1.20 via ifindex-55"
id=20085 trace_id=193 func=ip_route_input_slow line=2242 msg="reverse path check fail, drop"
id=20085 trace_id=193 func=ip_session_handle_no_dst line=5545 msg="trace"

 

it´s works to when i create a static route with administrative distance 1 and 0.0.0.0/0 and correct gw to port 24

but then all traffic without correct route go to this interface

 

id=20085 trace_id=194 func=print_pkt_detail line=5311 msg="vd-root received a packet(proto=6, 172.19.135.205:43526->172.21.92.163:80) from port24. flag , seq 3115073653, ack 0, win 29200"
id=20085 trace_id=194 func=init_ip_session_common line=5470 msg="allocate a new session-0843f627"
id=20085 trace_id=194 func=fw_pre_route_handler line=185 msg="VIP-10.0.1.20:80, outdev-port24"
id=20085 trace_id=194 func=__ip_session_run_tuple line=3223 msg="DNAT 172.21.92.163:80->10.0.1.20:80"
id=20085 trace_id=194 func=vf_ip_route_input_common line=2567 msg="Match policy routing: to 10.0.1.20 via ifindex-55"
id=20085 trace_id=194 func=vf_ip_route_input_common line=2576 msg="find a route: flag=00000000 gw-10.0.1.20 via VLAN1"
id=20085 trace_id=194 func=fw_forward_handler line=743 msg="Allowed by Policy-3: SNAT"
id=20085 trace_id=194 func=__ip_session_run_tuple line=3209 msg="SNAT 172.19.135.205->10.0.0.2:43526"
id=20085 trace_id=195 func=print_pkt_detail line=5311 msg="vd-root received a packet(proto=6, 172.19.135.205:43526->172.21.92.163:80) from port24. flag [.], seq 3115073654, ack 4054709629, win 229"

 

 

so the different for me is this line:

 

 

id=20085 trace_id=194 func=vf_ip_route_input_common line=2576 msg="find a route: flag=00000000 gw-10.0.1.20 via VLAN1"

 

 

with asym enable this line show me to. so i need a static? route to 10.0.1.20 via vlan1? or another policy route

 

thank you 

 

 

4486
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.