Hello,
I have some trouble with policy routing.
I have tried to paint my setup in the picture.
Virtual IP, NAT and policy all work when I use a static route, but when I change to policy routing it doesn't work and I can't see my fault.
Here is my policy routing config; the static routes are deleted:

config router policy
    edit 4
        set input-device "port24"
        set dst "10.0.0.1/255.255.255.255"
        set protocol 6
        set start-port 80
        set end-port 80
        set output-device "VLAN1"
    next
    edit 5
        set input-device "port18"
        set dst "10.0.0.2/255.255.255.255"
        set protocol 6
        set start-port 22
        set end-port 22
        set output-device "VLAN1"
    next
end

I hope someone can help me.
A policy route can be used when multiple destination interfaces exist for a given destination IP and you want to select one of them based on parameters other than the destination IP.
In your case, both go to "VLAN1" (a VLAN sub-interface?), so you don't need any policy route, but rather a route that includes both 10.0.0.1 and 10.0.0.2, like 10.0.0.0/30, toward "VLAN1".
I would caution against it, because the DST port and SRC (addr, interfaces) are not the same. Typically with a policy route you should set the next-hop:
config router policy
    edit 0
        set input-device "port24"
        set src 0.0.0.0/0
        set dst 10.0.0.1 255.255.255.255
        set protocol 6
        set start-port 80
        set end-port 80
        set gateway x.x.x.x
        set output-device "vlan1"
    next
    edit 0
        set input-device "port18"
        set src 0.0.0.0/0
        set dst 10.0.0.2 255.255.255.255
        set protocol 6
        set start-port 22
        set end-port 22
        set gateway x.x.x.x
        set output-device "vlan1"
    next
end
Now I see VIPs. Are these VIPs on the FortiGate? If yes, then you do NOT need a policy route.
The "VLAN1" interface at the FGT must have an IP within the subnet shared with the servers, like 10.0.0.254/24, and those servers should have IPs 10.0.0.1/24 and 10.0.0.2/24. Then you don't need a static route; it's directly "connected".
My problem was that traffic coming from vlan1 sometimes goes out of interface24 and sometimes goes to interface18.
That's why I play with policy routing.
When I start an HTTP request to interface24 to address 172.21.22.30, it is mapped to VIP 10.0.0.1 and goes to vlan1.
When the packets go back they must go the same way, but I think they don't do that every time. Sometimes the answer goes out to interface18.
**Sorry for my English** ;)
For the outgoing direction, you might need a set of policy routes to specify which port to go out. I thought it would follow the incoming path since FGT remembers in the sessions. And those services are always initiated by outside parties.
I am a little bit confused: do I need a policy route or not? And when I need a policy route, what is wrong with my example?
You said now your problem was not incoming from outside, but that outgoing traffic toward the internet uses two interfaces randomly. To force each traffic flow toward a specific interface, the policy routes need to be set for the outgoing direction. Your original policy routes are for the incoming direction. Try flipping input and output, then specify only src and ports. I'm assuming you have two default routes to two interfaces already.
But it still doesn't make sense to me. You have a VIP for port 80 on port28 and port 22 on port18, not on both. Then you use them in separate inbound policies and limit the services to each specific 80 or 22, right?
So the real live IPs are a little bit different, but it is still the same problem. The debug shows me this:
id=20085 trace_id=193 func=print_pkt_detail line=5311 msg="vd-root received a packet(proto=6, 172.19.135.205:43524->172.21.92.163:80) from port24. flag , seq 3478864741, ack 0, win 29200"
id=20085 trace_id=193 func=init_ip_session_common line=5470 msg="allocate a new session-08431629"
id=20085 trace_id=193 func=fw_pre_route_handler line=185 msg="VIP-10.0.1.20:80, outdev-port24"
id=20085 trace_id=193 func=__ip_session_run_tuple line=3223 msg="DNAT 172.21.92.163:80->10.0.1.20:80"
id=20085 trace_id=193 func=vf_ip_route_input_common line=2567 msg="Match policy routing: to 10.0.1.20 via ifindex-55"
id=20085 trace_id=193 func=ip_route_input_slow line=2242 msg="reverse path check fail, drop"
id=20085 trace_id=193 func=ip_session_handle_no_dst line=5545 msg="trace"
It works when I create a static route 0.0.0.0/0 with administrative distance 1 and the correct gateway to port 24,
but then all traffic without a correct route goes to this interface:
id=20085 trace_id=194 func=print_pkt_detail line=5311 msg="vd-root received a packet(proto=6, 172.19.135.205:43526->172.21.92.163:80) from port24. flag , seq 3115073653, ack 0, win 29200"
id=20085 trace_id=194 func=init_ip_session_common line=5470 msg="allocate a new session-0843f627"
id=20085 trace_id=194 func=fw_pre_route_handler line=185 msg="VIP-10.0.1.20:80, outdev-port24"
id=20085 trace_id=194 func=__ip_session_run_tuple line=3223 msg="DNAT 172.21.92.163:80->10.0.1.20:80"
id=20085 trace_id=194 func=vf_ip_route_input_common line=2567 msg="Match policy routing: to 10.0.1.20 via ifindex-55"
id=20085 trace_id=194 func=vf_ip_route_input_common line=2576 msg="find a route: flag=00000000 gw-10.0.1.20 via VLAN1"
id=20085 trace_id=194 func=fw_forward_handler line=743 msg="Allowed by Policy-3: SNAT"
id=20085 trace_id=194 func=__ip_session_run_tuple line=3209 msg="SNAT 172.19.135.205->10.0.0.2:43526"
id=20085 trace_id=195 func=print_pkt_detail line=5311 msg="vd-root received a packet(proto=6, 172.19.135.205:43526->172.21.92.163:80) from port24. flag [.], seq 3115073654, ack 4054709629, win 229"
So the difference for me is this line:
id=20085 trace_id=194 func=vf_ip_route_input_common line=2576 msg="find a route: flag=00000000 gw-10.0.1.20 via VLAN1"
With asymmetric routing enabled this line shows up too. So do I need a static(?) route to 10.0.1.20 via vlan1, or another policy route?
Thank you.
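The two traces above differ in one step: in trace 193 the policy route selects an egress interface but the packet is then dropped by the reverse path check, while in trace 194 (with the default route toward port24 in place) a route is found and the session is forwarded. A FortiGate reverse path check fails when it has no route to the packet's source address through the interface the packet arrived on, which is why a route toward port24 cleared it. The following is an added example, not code from the thread or from Fortinet: a small Python parser that groups `diagnose debug flow` output by trace_id and reports, per session, which VIP, policy route, route lookup and forwarding policy were hit and whether the packet was dropped. The sample lines are copied from the post above; the field names `vip`, `policy_route`, `route`, `rpf_fail` and `forward_policy` are my own.

```python
import re
from collections import defaultdict

# Debug flow lines copied from the post above: trace 193 (dropped) and
# trace 194 (forwarded after a default route toward port24 was added).
SAMPLE_TRACE = """\
id=20085 trace_id=193 func=print_pkt_detail line=5311 msg="vd-root received a packet(proto=6, 172.19.135.205:43524->172.21.92.163:80) from port24. flag , seq 3478864741, ack 0, win 29200"
id=20085 trace_id=193 func=init_ip_session_common line=5470 msg="allocate a new session-08431629"
id=20085 trace_id=193 func=fw_pre_route_handler line=185 msg="VIP-10.0.1.20:80, outdev-port24"
id=20085 trace_id=193 func=__ip_session_run_tuple line=3223 msg="DNAT 172.21.92.163:80->10.0.1.20:80"
id=20085 trace_id=193 func=vf_ip_route_input_common line=2567 msg="Match policy routing: to 10.0.1.20 via ifindex-55"
id=20085 trace_id=193 func=ip_route_input_slow line=2242 msg="reverse path check fail, drop"
id=20085 trace_id=193 func=ip_session_handle_no_dst line=5545 msg="trace"
id=20085 trace_id=194 func=print_pkt_detail line=5311 msg="vd-root received a packet(proto=6, 172.19.135.205:43526->172.21.92.163:80) from port24. flag , seq 3115073653, ack 0, win 29200"
id=20085 trace_id=194 func=init_ip_session_common line=5470 msg="allocate a new session-0843f627"
id=20085 trace_id=194 func=fw_pre_route_handler line=185 msg="VIP-10.0.1.20:80, outdev-port24"
id=20085 trace_id=194 func=__ip_session_run_tuple line=3223 msg="DNAT 172.21.92.163:80->10.0.1.20:80"
id=20085 trace_id=194 func=vf_ip_route_input_common line=2567 msg="Match policy routing: to 10.0.1.20 via ifindex-55"
id=20085 trace_id=194 func=vf_ip_route_input_common line=2576 msg="find a route: flag=00000000 gw-10.0.1.20 via VLAN1"
id=20085 trace_id=194 func=fw_forward_handler line=743 msg="Allowed by Policy-3: SNAT"
id=20085 trace_id=194 func=__ip_session_run_tuple line=3209 msg="SNAT 172.19.135.205->10.0.0.2:43526"
"""

# One debug-flow line: id=... trace_id=N func=... line=... msg="..."
LINE_RE = re.compile(r'trace_id=(?P<tid>\d+)\s+func=(?P<func>\S+)\s+line=\d+\s+msg="(?P<msg>.*)"$')


def parse_trace(text):
    """Group debug-flow messages by trace_id, preserving their order."""
    sessions = defaultdict(list)
    for raw in text.splitlines():
        m = LINE_RE.search(raw.strip())
        if m:
            sessions[int(m["tid"])].append((m["func"], m["msg"]))
    return dict(sessions)


def summarize(events):
    """Classify one trace: which steps the packet hit and whether it survived."""
    s = {"vip": None, "policy_route": None, "route": None,
         "rpf_fail": False, "forward_policy": None, "verdict": "unknown"}
    for _func, msg in events:
        if msg.startswith("VIP-"):
            s["vip"] = msg.split(",")[0][len("VIP-"):]          # e.g. 10.0.1.20:80
        elif msg.startswith("Match policy routing:"):
            s["policy_route"] = msg.split("via ")[-1]          # e.g. ifindex-55
        elif msg.startswith("find a route:"):
            s["route"] = msg.split("via ")[-1]                 # e.g. VLAN1
        elif "reverse path check fail" in msg:
            s["rpf_fail"] = True
        elif msg.startswith("Allowed by Policy-"):
            s["forward_policy"] = msg.split(":")[0]            # e.g. Allowed by Policy-3
    if s["rpf_fail"]:
        s["verdict"] = "dropped: RPF"
    elif s["forward_policy"]:
        s["verdict"] = "forwarded"
    return s


def hint(summary):
    """Plain-language reading of a summary, limited to what the traces show."""
    if summary["rpf_fail"] and summary["policy_route"] and not summary["route"]:
        return ("policy route chose an egress, but the reverse path check found no route "
                "to the source via the ingress interface; a route back toward the ingress "
                "interface is needed (the thread shows a default route to port24 clearing it)")
    if summary["verdict"] == "forwarded":
        return "route lookup succeeded and a firewall policy forwarded the session"
    return "incomplete trace"


def diagnose(text):
    """Parse a debug-flow capture and summarize every session in it."""
    return {tid: summarize(events) for tid, events in parse_trace(text).items()}


if __name__ == "__main__":
    for tid, summary in diagnose(SAMPLE_TRACE).items():
        print(f"trace {tid}: {summary['verdict']:14} vip={summary['vip']} "
              f"policy_route={summary['policy_route']} route={summary['route']}")
        print(f"  -> {hint(summary)}")
```

Paste any `diagnose debug flow` capture into `SAMPLE_TRACE` (or feed it to `diagnose()` directly); sessions that hit a policy route and then fail the reverse path check stand out immediately, which is the first thing to check before adding further policy routes.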