As seen in the diagram is such a network setup possible? The port forwarding works just fine when I try it from an internet connection from somewhere outside my office but says timeout when trying it from the 6.0 network.
I am also using policy route to force the 6.0 traffic through wan1. I tried various ways to access the 5.0 network through internal routing itself but that did not work out too. Not sure what i am missing. appreciate all help, thanks.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Both ways should be possible.
To reach LAN2 from LAN1, you need
- the route automatically added by FortiOS for the subnet behind LAN2
- a policy allowing traffic from LAN1 to LAN2
The policy route will be effective before FOS looks at the regular route. If you force ALL traffic out WAN1 then you won't be able to go this way. Try to exempt traffic destinated to LAN2 from the policy route (e.g. by putting a second policy route on top of it, forcing traffic to LAN2 to ... well, LAN2).
Even if this doesn't lead to a successful connection, traffic should be able to reach WAN2 via your ISPs. Then you would need a policy allowing traffic from LAN1 to WAN1, and incoming traffic from WAN2 to LAN2. Please check that for the first (outbound) policy NAT is enabled!
ede_pfau wrote:Both ways should be possible.
To reach LAN2 from LAN1, you need
- the route automatically added by FortiOS for the subnet behind LAN2
- a policy allowing traffic from LAN1 to LAN2
The policy route will be effective before FOS looks at the regular route. If you force ALL traffic out WAN1 then you won't be able to go this way. Try to exempt traffic destinated to LAN2 from the policy route (e.g. by putting a second policy route on top of it, forcing traffic to LAN2 to ... well, LAN2).
Even if this doesn't lead to a successful connection, traffic should be able to reach WAN2 via your ISPs. Then you would need a policy allowing traffic from LAN1 to WAN1, and incoming traffic from WAN2 to LAN2. Please check that for the first (outbound) policy NAT is enabled!
Hi Thanks for the response.
Yes the policy route forcing traffic from 6.0 to wan1 doesn't allow traffic to LAN2.
And I need all machines on the 6 subnet to be able to access the the 5.101 ip address either through port forwarding or directly.
So should i put a policy route with dstn 5.101 and drag it above the route for wan1?
yes.
Or follow my second suggestion.
ede_pfau wrote:yes.
Or follow my second suggestion.
Adding a pol route for 5.101 WAS the 2nd solution right. The first not possible since im using pol route for 6subnet -> wan1.
ede_pfau wrote:I tried this method:yes.
Or follow my second suggestion.
created firewall policies from lan1-lan2(all -> 5.101) and lan2-lan1(5.101 -> all)
and policy routes
6.0 to destination 5.101 and pushing it out through lan2's interface with gw as 0/0.
I still can't ping or access the 5.101 server from the lan1 subnet.
Created on 09-21-2015 06:44 AM
You won't be able to PING the VIP through the WAN2 unless it's a NON port-forwarded VIP.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
rwpatterson wrote:You won't be able to PING the VIP through the WAN2 unless it's a NON port-forwarded VIP.
Hi I am not trying to ping it through the VIP but through my LAN itself. As i said in my last comment I enabled policies and routing for 5.101 from lan1 so i should be able to ping it right.
A port-forwarding VIP won't let ICMP pass to the internal server as ICMP is not port-based.
Switch to a non-port forwarding VIP to test if you can ping the server, or connect to the server with the protocol you have allowed.
This is true for all versions except v5.2.4 where Fortinet changed this behavior: ICMP is now implicitely allowed through a port-forwarding VIP.
ede_pfau wrote:A port-forwarding VIP won't let ICMP pass to the internal server as ICMP is not port-based.
Switch to a non-port forwarding VIP to test if you can ping the server, or connect to the server with the protocol you have allowed.
This is true for all versions except v5.2.4 where Fortinet changed this behavior: ICMP is now implicitely allowed through a port-forwarding VIP.
hi i am trying to ping between to interfaces by making to and reverse policies and policy routing. I am not getting what does pinging a VIP mean? Are you thinking i am trying to ping with "ping public-ip:port" ?
i have both subnets on the fgt which use different wan connections. The 192.168.5.101 server is the one i need to access from the 6 subnet. It is accessible through the internet on wan:8888 -> 192.168.5.101 using VIP but doesn't work from the 6 subnet.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.