Routing Problem
Labels: FortiGate
Hi LarryD,
Please be informed that if your FortiGate is sitting at the edge of the network, your next hop will be your ISP gateway. This provides internet access for your network.
Also, the next-hop IP address, i.e. the gateway, should be reachable from the FortiGate device, and the ARP entry should be learnt on the FortiGate. You can check the ARP table entry using the command "get sys arp".
If the gateway is reachable, then the route will be active in the routing table and 8.8.8.8 should be accessible through the FortiGate.
Best Regards,
Parteek
Thanks Parteek! It's such a simple setup I must be missing something in the Routing assignments. I've linked screenshots. And even a trace I did earlier trying to see what I did wrong.
https://drive.google.com/file/d/1TsidD-WoaqTI7h16Z78zYhXAaJ6-HQ5f/view?usp=sharing
https://drive.google.com/file/d/1t3Fs1B4X5uDFMOq4LIsTN0M2IMGVefA3/view?usp=sharing
https://drive.google.com/file/d/1yaOHMTHWBep62DXlonDcLKARsfVkLO6C/view?usp=sharing
https://drive.google.com/file/d/1fw4keShQfdNhTrGemFGdPWbJ5Ze2YUZt/view?usp=sharing
https://drive.google.com/file/d/1VowhU1bFU1H6kDM7eHriuRuX8vQSMPIy/view?usp=sharing
https://drive.google.com/file/d/1sfploRgL45YLA7CAiD-mQmOYLyVfnLhn/view?usp=sharing
Hi Larry,
As per the screenshots, it seems you are able to ping 8.8.8.8 from the FortiGate device using the wan2 link. The ping is successful from the FortiGate.
Best Regards,
Parteek
Ohhh forgot, yes the next hop is the ISP (Frontier fiber)
Dear LarryD,
Please share the output of the "#get router info routing-table all" command from the CLI, and a ping output for your gateways.
execute ping 192.168.23.1
execute ping <WAN-GW-IP>
In your screenshots one can see that the two connected routes for lan and wan2 do not have a gateway, which is actually correct. The only one that needs to have a gateway in your case is the default route, and that does have a gateway.
The other screenshot shows log output that indeed looks as if you were able to ping.
Thus - for clients in your lan - you also have to have a policy (with sNAT enabled) to allow traffic into the internet.
Also you have to make sure that the default route on your clients in your lan has the FGT as gateway.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Dear LarryD,
Please run the following debug:
diagnose debug reset
diagnose debug disable
diagnose debug flow filter proto 1
diagnose debug flow filter daddr 8.8.8.8
diag debug flow show function-name enable
diag debug flow show iprope enable
diagnose debug console timestamp enable
diagnose debug flow trace start 999
diagnose debug enable
Please generate a ping from your local PC to 8.8.8.8, collect the debug output and then stop the debug:
diagnose debug disable
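
Added example, not part of any post in this thread and not Fortinet tooling: a small Python reader for the flow trace those commands produce, reporting for each trace_id whether the packet found a route, matched a policy and was source-NATed (the policy/sNAT condition raised earlier in the thread). The sample lines are constructed and the message wording is an assumption modelled on typical FortiOS debug-flow output, which varies by version; `parse` and `diagnose` are hypothetical names.

```python
import re

# Constructed sample shaped like FortiOS debug-flow output; addresses, policy ids
# and func/line values are made up for illustration, not taken from the thread.
SAMPLE = '''\
id=20085 trace_id=1 func=print_pkt_detail line=5501 msg="vd-root:0 received a packet(proto=1, 192.168.23.10:1->8.8.8.8:2048) from lan. type=8, code=0, id=1, seq=1."
id=20085 trace_id=1 func=vf_ip_route_input_common line=2584 msg="find a route: flag=04000000 gw-203.0.113.1 via wan2"
id=20085 trace_id=1 func=fw_forward_handler line=771 msg="Allowed by Policy-1: SNAT"
id=20085 trace_id=1 func=__ip_session_run_tuple line=3286 msg="SNAT 192.168.23.10->203.0.113.2:60418"
id=20085 trace_id=2 func=print_pkt_detail line=5501 msg="vd-root:0 received a packet(proto=1, 192.168.23.11:1->8.8.8.8:2048) from lan. type=8, code=0, id=1, seq=1."
id=20085 trace_id=2 func=vf_ip_route_input_common line=2584 msg="find a route: flag=04000000 gw-203.0.113.1 via wan2"
id=20085 trace_id=2 func=fw_forward_handler line=614 msg="Denied by forward policy check (policy 0)"
'''

LINE = re.compile(r'trace_id=(\d+) .*?msg="(.*)"')
PATTERNS = {  # assumed message wording for each forwarding stage
    "rx": re.compile(r"received a packet\(proto=\d+, ([\d.]+):\d+->([\d.]+):\d+\) from ([^\s.]+)\."),
    "route": re.compile(r"find a route: .*gw-([\d.]+) via (\S+)"),
    "allow": re.compile(r"Allowed by Policy-(\d+)"),
    "deny": re.compile(r"Denied by forward policy check \(policy (\d+)\)"),
    "snat": re.compile(r"SNAT ([\d.]+)->([\d.]+):\d+"),
}

def parse(text):
    """Group lines by trace_id and record which stages each packet reached."""
    traces = {}
    for raw in text.splitlines():
        if not (m := LINE.search(raw)):
            continue  # skip prompts, blank lines and anything that is not a trace line
        t = traces.setdefault(int(m.group(1)), {})
        for name, pat in PATTERNS.items():
            if (hit := pat.search(m.group(2))):
                t[name] = hit.groups()
    return traces

def diagnose(t):
    """Return the first stage at which the packet stopped, in forwarding order."""
    if "route" not in t:
        return "no route to destination"
    if "deny" in t:
        pid = t["deny"][0]  # policy 0 is the implicit deny: no configured policy matched
        return f"denied by policy {pid}" + (" (implicit deny, no policy matched)" if pid == "0" else "")
    if "snat" not in t:
        return f"allowed by policy {t.get('allow', ('?',))[0]} without SNAT"
    return f"forwarded via {t['route'][1]}, SNAT to {t['snat'][1]}"

if __name__ == "__main__":
    print({tid: diagnose(t) for tid, t in parse(SAMPLE).items()})
```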