Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
tarapapa80
New Contributor II

Created on ‎04-05-2011 07:29 PM

Routing for Proxy and bypass proxy

HI All, I have 4 interface as below: Port 13 = WAN 1 x.x.x.x Port 14 = WAN 2 x.x.x.x Port 15 = WAN 3 x.x.x.x Port 9 = Internal 192.168.1.1 I have 4 static routes as below: destination 0.0.0.0/0 gateway x.x.x.x (WAN 1) destination 0.0.0.0/0 gateway x.x.x.x (WAN 2) destination 0.0.0.0/0 gateway x.x.x.x (WAN 3) destination 192.168.1.0/24 gateway 192.168.1.2 192.168.1.2 is their proxy server. Computer that access internet need to point their gateway to the proxy server to access internet. This is working fine. Customer request that they want certain PC to bypass the proxy server and point directly to Fortigate. To bypass the proxy server, the computer needs to point their gateway to the firewall interface which is 192.168.1.1. The computer that bypass proxy have speed problems. How do i configure the routing for the computer that needs to bypass the proxy?
6394
0 Kudos
12 REPLIES 12
ede_pfau
SuperUser
SuperUser

Created on ‎04-05-2011 11:25 PM

Hi, and welcome to the forums! Route no. 4 is unnecessary and probably interferes with your host. The proxy setup involves more than a route, you have to place policies as well to prevent everyone to use .1.1 as their gateway and bypass the proxy. Just allow the proxy itself and an address group of ' priviledged' PCs to go from internal to wan. This way all other hosts are blocked from internet access EXCEPT FOR if they use the proxy.
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
4946
tarapapa80
New Contributor II
In response to ede_pfau

Created on ‎04-06-2011 12:03 AM

Hi Ede, Thank you for your help. Actually i need the route no.4 because i have more than 1 internal subnet. Below is the full static route table. 192.168.1.1 and 199.168.10.1 is the proxy actually. The 192.168.1.0 subnet is the network that has a few PC that needs to bypass proxy. Interface of the FW is 192.168.1.2 and 199.168.10.2. Thanks in advance, Fendi
4947
0 Kudos
ede_pfau
SuperUser
SuperUser

Created on ‎04-06-2011 12:24 AM

This is why there is a Routing Monitor tab - you have defined some routes but from the table of definitions you cannot tell which routes take precedence. Please post the routes in effect, from the Monitor. Regarding route no. 4: what does it do? Hosts from that subnet will not use the route anyway. They determine by looking at their own IP address and netmask that 192.168.1.2 (or any other host on that subnet) is LOCAL so they just arp for the layer 2 MAC address and communicate directly with the target. Routing only takes place from a different subnet. You will see in the active routing table (monitor) that there is already a directly connected route to 192.168.1.0 which takes precedence anyway.
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
4947
tarapapa80
New Contributor II
In response to ede_pfau

Created on ‎04-06-2011 12:59 AM

I see, in that case can i just remove the static route as below from the static route table? destination gateway Device 192.168.1.0/24 192.168.1.1 port 9 199.168.10.0/24 199.168.10.1 port10 Below is the routing monitor:
Preview file
90 KB
4947
0 Kudos
ede_pfau
SuperUser
SuperUser

Created on ‎04-06-2011 01:10 AM

Exactly. Both routes are redundant and can be deleted. What about the policies? Did you check them?
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
4947
tarapapa80
New Contributor II
In response to ede_pfau

Created on ‎04-06-2011 01:18 AM

Thanks Ede. I learn something really basic about routing today. Which i just realize after doing this for 2 years...haha. Below is the policy. The concern is on the LAN > WAN policy
Preview file
89 KB
4947
0 Kudos
tarapapa80
New Contributor II
In response to tarapapa80

Created on ‎04-06-2011 01:32 AM

I just want to say thanks Ede because you really help me when the support people cannot or very slow to advice to. I think we already found the root cause why when bypass proxy the pc affected becomes very slow. Which is because i create a static route which is not needed. I understand fully now. Thank you very much :)
4947
tarapapa80
New Contributor II
In response to tarapapa80

Created on ‎04-06-2011 01:34 AM

The only thing they highlight to me is that when they do a continuous ping, it will timeout once every 10 replies. Currently i already ask them to test the connection but still they havent get back to me. The remote site is quite far from my place and i can only remote to the FW. TO test the connection, i have to ask the engineer there to verify
4947
0 Kudos
ede_pfau
SuperUser
SuperUser

Created on ‎04-06-2011 01:29 AM

Policies look OK this way. Assuming that policies #4 and #6 are only there for logging violation traffic, right? Otherwise superflous. Back to your original question: do the hosts from the ' Bypass' group still have problems? Ping times, losses, traceroutes? It does look sound now.
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
4947
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.