Support Forum
jcm05
New Contributor

Routing between 2 subnets: is it possible with a 300D?

So I currently have a switch with IP 172.16.0.1/21 connected to FortiGate LAN port 2 (172.16.0.220/21) and want to add a new subnet with a new switch IP 172.18.0.1/21 connected to FortiGate LAN port 3 (172.18.0.220/21). Once connected they show up in the Router Monitor, but I want to be able to communicate (ping or otherwise), say from the old subnet to a computer/server on the new subnet. I added a rule that said all traffic from one LAN interface to another with all servers and no NAT, but still cannot get them to communicate past either switch. Spoke to the switch manufacturer and they said all information on the switch is correct and both switches can ping the LAN ports on the firewall, just nothing passes, so they said to contact FortiGate. I called and spoke to a rep and they told me that routing between two subnets on two different interfaces is not possible. Is that true?

Dave_Hall
Honored Contributor

L2 switches themselves do not route traffic by IP, so putting an IP on a switch would be for management purposes only IMO. Communication between the FortiGate and the switches should be via the trunk or uplink ports on the switches. Default routes for each subnet should be to the FortiGate (172.x.0.220) and not the switch (172.x.0.1).

So in the routing table, you should see something like:

Network        Gateway                      Interface
172.16.0.0     172.16.0.220 (or 0.0.0.0)    port2
172.18.0.0     172.18.0.220 (or 0.0.0.0)    port3

Someone correct me if this is not correct.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

Toshi_Esumi
Esteemed Contributor III

The problem is all of the IPs above are in a big 172.16.0.0/21 (up to 172.23.x.x) subnet. They're NOT different subnets. That's why the rep said it's impossible. If they're /24s, yes, it's possible.

Toshi_Esumi
Esteemed Contributor III

Scrap my comment. I was not thinking straight... sorry.

ede_pfau

If your policy is correct (you need two!) then it's due to incorrect routing.

Make sure your hosts have got the correct default route, like @Dave Hall has posted: one part of your hosts is in the 172.16 subnet, the other in the 172.18 subnet. Their IP config must have a default route of 172.16.0.220 and 172.18.0.220, respectively. The easiest way to make that happen is to configure DHCP servers on both ports and select "gateway: use interface address" in the setup.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
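As an added example (not posted by anyone in this thread and not taken from Fortinet's documentation), this is what the setup Dave Hall and ede_pfau describe looks like in the FortiOS CLI: one accept policy per direction with NAT off, and a DHCP server on each port that hands out the port's own address as the default gateway (the CLI form of the GUI's "gateway: use interface address" choice). The interface names port2/port3, the policy names, the DHCP table IDs and the address pools are assumptions; the interface addresses are the ones from the thread.

```fortios
# Added example, not from the thread. Assumes the two LAN ports are named
# port2 (172.16.0.220/21) and port3 (172.18.0.220/21); adjust to your unit.

# One policy per direction. The FortiGate is stateful, so one policy also
# passes the replies of sessions it allowed, but sessions opened from the
# 172.18 side need the second policy.
config firewall policy
    edit 0
        set name "lan-16-to-18"
        set srcintf "port2"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
        set logtraffic all
    next
    edit 0
        set name "lan-18-to-16"
        set srcintf "port3"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
        set logtraffic all
    next
end

# DHCP on each port, handing out the FortiGate port address as the gateway
# rather than the switch's management IP. IDs 10/11 and the pools are made up.
config system dhcp server
    edit 10
        set interface "port2"
        set default-gateway 172.16.0.220
        set netmask 255.255.248.0
        set dns-service default
        config ip-range
            edit 1
                set start-ip 172.16.1.10
                set end-ip 172.16.1.250
            next
        end
    next
    edit 11
        set interface "port3"
        set default-gateway 172.18.0.220
        set netmask 255.255.248.0
        set dns-service default
        config ip-range
            edit 1
                set start-ip 172.18.1.10
                set end-ip 172.18.1.250
            next
        end
    next
end

# Checks: both connected routes should be listed, then watch a ping cross port3.
get router info routing-table all
diagnose sniffer packet port3 'icmp' 4
```

With a host on 172.16.0.0/21 pinging a host on 172.18.0.0/21, the sniffer should show echo requests leaving port3 and echo replies coming back in on port3. If the requests leave and nothing returns, the 172.18 host is sending its replies to a gateway that is not the FortiGate, which is exactly the condition the later posts in this thread end up diagnosing.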
jcm05
New Contributor

So both switches are the default gateways on their subnet and both have a default route to their corresponding FortiGate interface. Switch 172.16.0.1 has a default route of 0.0.0.0 172.16.0.220 and switch 172.18.0.1 has a default route of 0.0.0.0 172.18.0.220. So if I execute a ping from switch 172.16.0.1 I can ping both interfaces 172.16.0.220 and 172.18.0.220 as well as switch 172.18.0.1, but nothing connected to switch 18. If I ping from the other switch 172.18.0.1 I can ping anything on the subnet of 172.16.0.0/21, but if I go to a computer on 172.18.0.0/21 I cannot ping anything on 172.16.0.0/21.

sw2090
Honored Contributor

You did not understand! A Layer 2 switch cannot be your default gateway for your subnet, for (as said before) they cannot do any routing. Your clients have to use the FortiGate with its corresponding LAN address as default gateway.

On the FGT you have already done the routing by creating the interfaces.

You just have to have policies to allow the traffic.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

jcm05
New Contributor

SW2090, you jogged my memory, thanks. I had it in my notes to change DHCP and static addresses to the .200 LAN interface for the gateways. The switches had been the default gateways for many years, basically forwarding traffic on the subnet, then when it fell out of range sending up to the default route, which was a Microsoft TMG firewall. Once I replaced the Fortinet I planned on redoing the gateways properly but was on medical leave and forgot I had written and planned all this out. Anyway, changing the gateways did correct the issues; now I need to go and correct all the other old gateways to confirm. Thanks again, Forum.
