Hi,
My LAN Users are not able to reach the network behind DMZ Interface due to the route to the internet
0.0.0.0/0.0.0.0 to WAN. I added the route for DMZ Subnets but the users' machines are still taking the internet route. LAN Users' default gateway is the core switch and not the firewall.
LAN Users Subnet: 10.10.1.0/24
LAN Users Default GW: 10.10.1.1 (Core Switch)
Fortigate LAN Int: 10.10.1.2
Fortigate DMZ Int: 192.168.1.2
Fortigate DMZ GW: 192.168.1.1 (Cisco Router)
Once I disable the WAN Interface, users are able to reach the DMZ Subnets.
Thanks.
Hello
Based on the information provided, it seems that the issue lies with the routing configuration on your network devices. Here are a few steps you can take to troubleshoot and resolve the problem:
1. Verify the default gateway on the LAN users' machines: Confirm that the default gateway configured on the LAN users' machines is set to the IP address of the core switch (10.10.1.1). If it is not set correctly, update the default gateway to the appropriate IP address.
2. Check the routing table on the core switch: Log in to the core switch and examine its routing table. Ensure that there is a route pointing to the Fortigate LAN interface (10.10.1.2) for the DMZ subnets (192.168.1.0/24). If the route is missing, add a static route on the core switch to direct traffic destined for the DMZ subnets to the Fortigate LAN interface.
3. Verify the routing on the Fortigate firewall: Log in to the Fortigate firewall and check its routing table. Ensure that there is a route pointing to the Cisco router (192.168.1.1) for the DMZ subnets (192.168.1.0/24). If the route is missing, add a static route on the Fortigate firewall to direct traffic destined for the DMZ subnets to the Cisco router.
4. Double-check the NAT policies: If you have NAT policies configured on the Fortigate firewall, make sure that they are not interfering with the traffic flow between the LAN users and the DMZ subnets. Verify that the NAT policies are correctly configured to allow traffic from the LAN users (10.10.1.0/24) to the DMZ subnets (192.168.1.0/24).
5. Review the firewall rules: Ensure that there are appropriate firewall rules on the Fortigate firewall to allow traffic from the LAN users to the DMZ subnets and vice versa. Check both the incoming and outgoing firewall rules on the Fortigate firewall for any restrictions or misconfigurations.
6. Consider VLAN configuration: If VLANs are being used in your network, verify that the VLAN configuration on the core switch, Fortigate firewall, and Cisco router is correctly set up to allow communication between the LAN and DMZ networks.
7. Monitor network traffic: Use network monitoring tools to capture and analyze the network traffic between the LAN users and the DMZ subnets. This can help identify any unexpected behavior or potential network issues.
If the issue persists after following these steps, it may be helpful to consult with your network administrator or contact the technical support for the specific devices involved (core switch, Fortigate firewall, and Cisco router) to further investigate and resolve the routing problem.
Although I checked everything before posting here, I will check again and revert.
Thanks.
Hi,
I connected a PC directly to the firewall and checked without the core switch, but the same problem occurs. I am not able to reach the subnet behind the DMZ port. I created the static route and policy for the DMZ network, but when I try tracert from my PC, it is still taking the WAN route.
Any Suggestions?
When you directly connected a PC, did you make the FGT's IP, like 10.10.1.2 as the default GW, instead of 10.10.1.1?
Toshi
Yes.
Created on 07-17-2023 04:08 PM Edited on 07-17-2023 04:12 PM
When you test that again, try running a flow debug below to see how it decides a route and a policy.
diag debug reset
diag debug ena
diag debug flow filter clear
diag debug flow filter addr <the_pc's_ip>
diag debug flow trace start 10
Toshi
I have found the problem. I had two policies under policy routing for wan1 and wan2 access. After disabling them I am able to reach the DMZ Subnets. Is it necessary to have policy routing if we need to select different wan interfaces for different lan subnets connected behind the same LAN Interface?
I mean my LAN and WIFI Subnets are connected to the same LAN Port on the firewall and I want to use WAN1 for LAN users and WAN2 for Wifi Users.
Why did you think you needed those policy routes? If you need/want to fail over wan1 to wan2, generally policy routes would prevent it from happening, since policy routes are "sticky" in general. Only in a case like one LAN subnet needing to go out wan1 and another LAN subnet needing to go out wan2 do you have to set policy routes to nail them down.
Toshi
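A simplified model of the lookup order this thread ran into, added here as an illustration and not part of any reply: a FortiGate consults policy routes before the static routing table, so a policy route matching source 10.10.1.0/24 with destination "any" sends DMZ-bound traffic out wan1 even though a static route for 192.168.1.0/24 exists. The route tables, the WiFi subnet 10.10.2.0/24 and the "stop policy routing" entry are constructed assumptions for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the thread's topology (not a FortiOS API).
STATIC_ROUTES = [
    ("0.0.0.0/0", "wan1"),       # default route to the internet
    ("192.168.1.0/24", "dmz"),   # static route the poster added for the DMZ
]


def longest_prefix(dst, routes):
    """Plain routing-table lookup: most specific matching prefix wins."""
    best = None
    for net, iface in routes:
        net = ip_network(net)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def choose_egress(src, dst, policy_routes, static_routes=STATIC_ROUTES):
    """Policy routes are checked in order before the routing table.
    A 'forward' match decides the egress immediately; a 'stop' match
    (assumed to mirror FortiOS 'Stop Policy Routing') falls through to
    the static table."""
    for pr in policy_routes:
        if ip_address(src) in ip_network(pr["src"]) and ip_address(dst) in ip_network(pr["dst"]):
            if pr["action"] == "stop":
                break
            return pr["out"]
    return longest_prefix(dst, static_routes)


# What the poster had: one policy route per LAN subnet with destination "any".
# Any DMZ-bound packet from 10.10.1.0/24 matches the first entry and leaves via wan1.
BROKEN = [
    {"src": "10.10.1.0/24", "dst": "0.0.0.0/0", "action": "forward", "out": "wan1"},
    {"src": "10.10.2.0/24", "dst": "0.0.0.0/0", "action": "forward", "out": "wan2"},  # WiFi (constructed)
]

# One way to keep per-subnet WAN selection and still reach the DMZ: an entry that
# exempts DMZ destinations from policy routing, ordered before the WAN entries.
FIXED = [{"src": "0.0.0.0/0", "dst": "192.168.1.0/24", "action": "stop", "out": None}] + BROKEN
```

With no policy routes at all the static table alone already picks "dmz" for 192.168.1.0/24, which is what the poster observed after disabling both entries.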
That was a misunderstanding. Thanks for your help.