Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
tarapapa80
New Contributor II

Routing for Proxy and bypass proxy

Hi All, I have 4 interfaces as below:

Port 13 = WAN 1 x.x.x.x
Port 14 = WAN 2 x.x.x.x
Port 15 = WAN 3 x.x.x.x
Port 9 = Internal 192.168.1.1

I have 4 static routes as below:

destination 0.0.0.0/0 gateway x.x.x.x (WAN 1)
destination 0.0.0.0/0 gateway x.x.x.x (WAN 2)
destination 0.0.0.0/0 gateway x.x.x.x (WAN 3)
destination 192.168.1.0/24 gateway 192.168.1.2

192.168.1.2 is their proxy server. Computers that access the internet need to point their gateway to the proxy server to access the internet. This is working fine. The customer requests that certain PCs bypass the proxy server and point directly to the Fortigate. To bypass the proxy server, the computer needs to point its gateway to the firewall interface, which is 192.168.1.1. The computers that bypass the proxy have speed problems. How do I configure the routing for the computers that need to bypass the proxy?
12 REPLIES
ede_pfau
SuperUser

Hi, and welcome to the forums! Route no. 4 is unnecessary and probably interferes with your host. The proxy setup involves more than a route; you have to place policies as well to prevent everyone from using .1.1 as their gateway and bypassing the proxy. Just allow the proxy itself and an address group of 'privileged' PCs to go from internal to wan. This way all other hosts are blocked from internet access EXCEPT FOR if they use the proxy.
Ede Kernel panic: Aiee, killing interrupt handler!
tarapapa80
New Contributor II

Hi Ede, Thank you for your help. Actually I need route no. 4 because I have more than 1 internal subnet. Below is the full static route table. 192.168.1.1 and 199.168.10.1 are actually the proxy. The 192.168.1.0 subnet is the network that has a few PCs that need to bypass the proxy. The interfaces of the FW are 192.168.1.2 and 199.168.10.2. Thanks in advance, Fendi
ede_pfau
SuperUser

This is why there is a Routing Monitor tab - you have defined some routes but from the table of definitions you cannot tell which routes take precedence. Please post the routes in effect, from the Monitor. Regarding route no. 4: what does it do? Hosts from that subnet will not use the route anyway. They determine by looking at their own IP address and netmask that 192.168.1.2 (or any other host on that subnet) is LOCAL so they just arp for the layer 2 MAC address and communicate directly with the target. Routing only takes place from a different subnet. You will see in the active routing table (monitor) that there is already a directly connected route to 192.168.1.0 which takes precedence anyway.
Ede Kernel panic: Aiee, killing interrupt handler!
tarapapa80
New Contributor II

I see, in that case can I just remove the static routes below from the static route table?

destination        gateway        Device
192.168.1.0/24     192.168.1.1    port 9
199.168.10.0/24    199.168.10.1   port10

Below is the routing monitor:
ede_pfau
SuperUser

Exactly. Both routes are redundant and can be deleted. What about the policies? Did you check them?
Ede Kernel panic: Aiee, killing interrupt handler!
tarapapa80
New Contributor II

Thanks Ede. I learned something really basic about routing today, which I just realized after doing this for 2 years...haha. Below is the policy. The concern is on the LAN > WAN policy.
tarapapa80

I just want to say thanks Ede because you really helped me when the support people cannot, or are very slow to, advise. I think we have already found the root cause of why the affected PC becomes very slow when bypassing the proxy. It is because I created a static route which is not needed. I understand fully now. Thank you very much :)
tarapapa80

The only thing they highlight to me is that when they do a continuous ping, it times out once every 10 replies. I have already asked them to test the connection, but they still haven't gotten back to me. The remote site is quite far from my place and I can only remote to the FW. To test the connection, I have to ask the engineer there to verify.
ede_pfau
SuperUser

Policies look OK this way. Assuming that policies #4 and #6 are only there for logging violation traffic, right? Otherwise superfluous. Back to your original question: do the hosts from the 'Bypass' group still have problems? Ping times, losses, traceroutes? It does look sound now.
Ede Kernel panic: Aiee, killing interrupt handler!
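The policy layout Ede describes, written out in FortiOS CLI form as an added example (it is not from any post in this thread): only the proxy itself and a 'privileged' address group get a LAN > WAN accept policy, so every other host is caught by the implicit deny unless it goes through the proxy. It assumes the opening post's interface names (port9 internal, port13 WAN 1), the proxy address 192.168.1.1 as corrected later in the thread, and a constructed placeholder host 192.168.1.50 for one bypass PC; the object and policy names are made up for the example.

```fortios
# Added example, not from any post in this thread. Assumes port9 = internal and
# port13 = WAN 1 (opening post) and proxy = 192.168.1.1 (as corrected later in
# the thread). 192.168.1.50 is a constructed placeholder for one bypass PC.
config firewall address
    edit "proxy-server"
        set subnet 192.168.1.1 255.255.255.255
    next
    edit "bypass-pc-1"
        set subnet 192.168.1.50 255.255.255.255
    next
end
config firewall addrgrp
    edit "proxy-bypass"
        set member "bypass-pc-1"
    next
end
config firewall policy
    # The proxy itself may reach the internet
    edit 1
        set name "proxy-to-wan1"
        set srcintf "port9"
        set dstintf "port13"
        set srcaddr "proxy-server"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    # Only the privileged group may bypass the proxy; no other LAN > WAN
    # accept policy exists, so every other host hits the implicit deny
    edit 2
        set name "bypass-to-wan1"
        set srcintf "port9"
        set dstintf "port13"
        set srcaddr "proxy-bypass"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

The same pair of policies is repeated per WAN interface (port14, port15) if the bypass hosts should be able to use all three uplinks; an explicit deny policy with logging enabled is only needed if, as Ede notes for policies #4 and #6, you want violation attempts logged.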