Not applicable

Routing 2 subnets in 2 locations

Hi, I have a fortigate 80C with dual WAN and VPN to a branch office working perfectly. We have merged with another firm now to create a third office, I am connecting their network to ours, want your opinion on if I am on the right track. I have a VPLS circuit setup between the new office and mine, we both also will be keeping separate connections to the internet for now. With the different subnets, I need to do routing even though the VPLS allows me to basically have a common ethernet lan between the offices. We will move that way, just not yet. Router A is an 80C at my location, router B is also an 80C at the other location. Both are setup in interface mode, both local subnets are on port 1 on the respective routers. I should be able to connect each end of the VPLS circuit to the port 2, assign a third subnet and with the proper rules, route traffic between the subnets. Correct? I started looking at vlans but don't think I need them with the 80C interfaces separated. Can't think of any other way to get traffic between the sites, never thought having a direct link would be so much trouble to configure. Thanks in advance, Rod
rwpatterson
Valued Contributor III

Welcome to the forums. You have a private Ethernet handoff between the 2 offices, just create a transit LAN between the 2 and route the traffic. Use the DMZ port or the second WAN port to do the job. No voodoo here, just straight routing. Create policies allowing whatever traffic you need, and you should be good to go.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Not applicable

Thanks for the response Bob. The problem I am running into is the VPLS network acts just like a switch. Basically I would be plugging a cable from router A dmz port to a switch, another cable from the switch to the dmz port on router B. How do you route traffic from A to B? DMZ ports would have static IPs, I can ping from my lan to the DMZ port on my local router address 192.168.123.10, just cannot ping the dmz port on the other end at 192.168.123.1. Same thing going the other way. Thanks in advance, Rod
Not applicable

Here is a picture (quickly drawn) of what I am working with. Both 80C routers have different gateways to the internet, it's the dmz to dmz routing I can't get. I know that if I put another router in the middle or even a PC with dual NICs I can make it work. I think it comes down to how to identify the dmz gateways properly, would that be in the static route? I am really at a loss here, I understand how to route between offices using a vpn over the internet (doing it on router A W2 to branch office), just can't figure out how to route a subnet of traffic over a different subnet between 2 ports on 2 routers. Thanks in advance, Rod
ede_pfau
SuperUser

Thanks for the clarifying diagram. Let's see it this way: the VPLS acts just like a straight cable. How do you route over a cable? You specify the next hop router at the other end of the cable. It doesn't matter what subnet both cable ends are in as long as it's separate from all other used subnets.

If a host on LAN A pings some host on LAN B:

1. the packet will follow the default route UNLESS there is a route pointing to FGT-B, port2's IP address
2. to find FGT-B, port2 FGT-A will ARP on its port2 interface which is in the same subnet as FGT-B, port2
3. after getting the MAC address traffic will be sent to FGT-B port2
4. the routing table on FGT-B has an entry to LAN B as it is directly connected and forwards traffic to FGT-B port1

For the reply traffic:

5. host on LAN B port1 replies to an address on LAN A - traffic will follow the default route UNLESS there is a route pointing to FGT-A, port2's IP address
6. FGT-B port2 already knows FGT-A port2's MAC address and sends the traffic to it
7. the routing table on FGT-A has an entry to LAN A as it is directly connected, and forwards the traffic to FGT-A port1

So you need 2 static routes because the subnets you're trying to reach are one router hop away. If you had the same subnets on both sides you wouldn't need routes at all.

What puzzles me (and you) is that you cannot ping the other side's IP address. For that to happen you need
- to have a transit subnet big enough for 2 addresses (netmask < /32)
- it must not be used anywhere else
- to enable PING on the interface (System>Network>Interface>Admin.)
- to create policies allowing traffic from port1 to port2 and vice versa

This has to work first before you can take it a step further to reach the remote subnet behind port1.
Ede Kernel panic: Aiee, killing interrupt handler!
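The transit-LAN setup Ede describes, written out as FortiOS CLI for the FGT-A side (an added example, not config from anyone in this thread). The transit addresses 192.168.123.10 (FGT-A) and 192.168.123.1 (FGT-B) come from Rod's posts; the LAN subnets 192.168.1.0/24 (LAN A) and 192.168.2.0/24 (LAN B) are assumed placeholders, and port2 is assumed to be the interface on the VPLS circuit.

```text
# FGT-A: transit interface on the VPLS circuit.
# Mask 255.255.255.0 puts .10 and .1 in the same subnet; a /32 here is
# the failure mode from this thread (the far end is never "seen").
config system interface
    edit "port2"
        set ip 192.168.123.10 255.255.255.0
        set allowaccess ping
    next
end

# One static route per remote LAN; next hop is FGT-B's port2 address.
config router static
    edit 0
        set dst 192.168.2.0 255.255.255.0
        set gateway 192.168.123.1
        set device "port2"
    next
end

# Policies in both directions between LAN (port1) and transit (port2).
config firewall policy
    edit 0
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# Verify the transit hop first, from the FortiGate CLI, before testing LAN to LAN:
# execute ping 192.168.123.1
```

FGT-B mirrors this with port2 at 192.168.123.1 255.255.255.0 and a static route to 192.168.1.0/24 via gateway 192.168.123.10. Once the link works, replace "all" in srcaddr/dstaddr with address objects for the two LAN subnets so the policies only pass the traffic you intend.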
rwpatterson
Valued Contributor III

Do you have the policies in place, and where are you PINGing from? (The FGT or the LAN?)

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Not applicable

Got it. I went over Ede's post, wrote everything out to make sure I had it correct. It was exactly what I had done and thought....except for one small detail. I had the subnet mask of my transition lan wrong. No wonder I couldn't ping the other side, it couldn't see it. Thank you for all your help, traffic routing fine. Rod