Hi LarryD,
Please be informed that if your FortiGate is sitting at the edge of the network, your next hop will be your ISP gateway. This provides internet access for your network.
Also, the next-hop IP address (i.e. the gateway) should be reachable from the FortiGate device, and its ARP entry should be learnt on the FortiGate. You can check the ARP table entry using the command "get sys arp".
If the gateway is reachable, then the route will be active in the routing table and 8.8.8.8 should be accessible through the FortiGate.
Best Regards,
Parteek
Thanks Parteek! It's such a simple setup, I must be missing something in the routing assignments. I've linked screenshots, and even a trace I did earlier trying to see what I did wrong.
https://drive.google.com/file/d/1TsidD-WoaqTI7h16Z78zYhXAaJ6-HQ5f/view?usp=sharing
https://drive.google.com/file/d/1t3Fs1B4X5uDFMOq4LIsTN0M2IMGVefA3/view?usp=sharing
https://drive.google.com/file/d/1yaOHMTHWBep62DXlonDcLKARsfVkLO6C/view?usp=sharing
https://drive.google.com/file/d/1fw4keShQfdNhTrGemFGdPWbJ5Ze2YUZt/view?usp=sharing
https://drive.google.com/file/d/1VowhU1bFU1H6kDM7eHriuRuX8vQSMPIy/view?usp=sharing
https://drive.google.com/file/d/1sfploRgL45YLA7CAiD-mQmOYLyVfnLhn/view?usp=sharing
Hi Larry,
As per the screenshots, it seems you are able to ping 8.8.8.8 from the FortiGate device using the wan2 link. The ping is successful from the FortiGate.
Best Regards,
Parteek
Ohhh, forgot: yes, the next hop is the ISP (Frontier fiber).
Dear LarryD,
Please share the output of the "get router info routing-table all" command from the CLI, and ping output for your gateways:
execute ping 192.168.23.1
execute ping <WAN-GW-IP>
In your screenshots one can see that the two connected routes for lan and wan2 do not have a gateway, which is actually correct. The only one that needs to have a gateway in your case is the default route, and that does have a gateway.
The other screenshot shows log output that indeed looks as if you were able to ping.
Thus, for clients in your LAN, you also have to have a policy (with sNAT enabled) to allow traffic out to the internet.
Also, you have to make sure that the default route on your clients in your LAN has the FGT as gateway.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
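As an added example (not from the original thread, and not copied from Fortinet documentation), here is the FortiOS CLI configuration that the reply above describes: a default route with a gateway on wan2, plus a LAN-to-internet firewall policy with source NAT enabled. The interface names "lan" and "wan2" follow the screenshots in the thread; the gateway address is left as the same placeholder used earlier in the thread, and the policy name, address objects and logging setting are assumptions chosen for illustration.

```fortios
# Added example, not from the original thread: minimal FortiOS configuration
# for LAN clients to reach the internet via wan2. Replace <WAN-GW-IP> with the
# ISP gateway address on the wan2 link. Connected routes for lan and wan2 are
# created automatically from the interface addresses and need no gateway.

# 1. Default route pointing at the ISP gateway on wan2. The route only becomes
#    active in the routing table once the gateway is reachable on that link.
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway <WAN-GW-IP>
        set device "wan2"
    next
end

# 2. Firewall policy allowing lan -> wan2 with source NAT, so client traffic
#    leaves with the wan2 interface address instead of a private LAN address.
#    Without this policy the FortiGate itself can ping 8.8.8.8 but clients
#    behind it cannot, which matches the symptom in this thread.
config firewall policy
    edit 1
        set name "LAN-to-Internet"
        set srcintf "lan"
        set dstintf "wan2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
end
```

After applying this, "get router info routing-table all" should list the default route as a static route (the "S*" entry) via wan2; if it is missing, the gateway is not reachable and the route has been withdrawn. The clients' own default gateway must be the FortiGate's lan interface address, otherwise their packets never reach this policy.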
Dear LarryD,
Please run the following debug:
diagnose debug reset
diagnose debug disable
diagnose debug flow filter proto 1
diagnose debug flow filter daddr 8.8.8.8
diag debug flow show function-name enable
diag debug flow show iprope enable
diagnose debug console timestamp enable
diagnose debug flow trace start 999
diagnose debug enable
Please generate a ping from your local PC to 8.8.8.8, collect the debug output, and then stop the debug:
diagnose debug disable
Copyright 2024 Fortinet, Inc. All Rights Reserved.