Hello good morning.
Please, I wanted to ask the following question.
I have a router connected to port 5 on my Fortigate in the following IP range: 192.168.30.100/24.
On the other hand, I have on port 3 (configured as an interface) an output to a switch in the range 192.168.1.0/24.
I am trying to communicate each subnet with the other by establishing a firewall policy that has port 3 as output and port 5 as input, but I cannot access it.
What am I doing wrong?
Thank you.
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi,
I'm sorry for the delay and inconvenience caused.
In the end, everything was configured correctly, the only thing left to do was configure the 192.168.30.100 gateway on the side of ports 3 and 5.
Thank you all for your collaboration. A cordial greeting.
FortigateWAN # execute ping-options source 192.168.30.100
FortigateWAN # execute ping 192.168.1.160
PING 192.168.1.160 (192.168.1.160): 56 data bytes
64 bytes from 192.168.1.160: icmp_seq=0 ttl=255 time=0.2 ms
64 bytes from 192.168.1.160: icmp_seq=1 ttl=255 time=0.1 ms
64 bytes from 192.168.1.160: icmp_seq=2 ttl=255 time=0.2 ms
64 bytes from 192.168.1.160: icmp_seq=3 ttl=255 time=0.1 ms
64 bytes from 192.168.1.160: icmp_seq=4 ttl=255 time=0.2 ms
--- 192.168.1.160 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.1/0.1/0.2 ms
FortigateWAN # execute ping 192.168.30.101
PING 192.168.30.101 (192.168.30.101): 56 data bytes
64 bytes from 192.168.30.101: icmp_seq=0 ttl=64 time=0.5 ms
64 bytes from 192.168.30.101: icmp_seq=1 ttl=64 time=0.4 ms
64 bytes from 192.168.30.101: icmp_seq=2 ttl=64 time=0.3 ms
64 bytes from 192.168.30.101: icmp_seq=3 ttl=64 time=0.3 ms
64 bytes from 192.168.30.101: icmp_seq=4 ttl=64 time=0.3 ms
--- 192.168.30.101 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.3/0.3/0.5 ms
FortigateWAN # execute ping-options source 192.168.1.160
FortigateWAN # execute ping 192.168.30.100
PING 192.168.30.100 (192.168.30.100): 56 data bytes
64 bytes from 192.168.30.100: icmp_seq=0 ttl=255 time=0.1 ms
64 bytes from 192.168.30.100: icmp_seq=1 ttl=255 time=0.1 ms
64 bytes from 192.168.30.100: icmp_seq=2 ttl=255 time=0.1 ms
64 bytes from 192.168.30.100: icmp_seq=3 ttl=255 time=0.1 ms
64 bytes from 192.168.30.100: icmp_seq=4 ttl=255 time=0.1 ms
--- 192.168.30.100 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.1/0.1/0.1 ms
FortigateWAN # execute ping 192.168.1.5
PING 192.168.1.5 (192.168.1.5): 56 data bytes
64 bytes from 192.168.1.5: icmp_seq=0 ttl=128 time=0.5 ms
64 bytes from 192.168.1.5: icmp_seq=1 ttl=128 time=0.5 ms
64 bytes from 192.168.1.5: icmp_seq=2 ttl=128 time=0.4 ms
64 bytes from 192.168.1.5: icmp_seq=3 ttl=128 time=0.5 ms
64 bytes from 192.168.1.5: icmp_seq=4 ttl=128 time=0.6 ms
--- 192.168.1.5 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.4/0.5/0.6 ms
The IP 192.168.1.5 was the first IP assigned to a computer.
Thanks in advance.
Hi,
- From the above ping tests it looks the communication from the firewall egress IP to the destination is good.
- When you are trying to ping from the source to the destination do you see the logs in the traffic logs of the Firewall?
- Have you tried to check the sniffer/packet capture on the firewall when performing the testing?
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Packet-capture-sniffer/ta-p/198313
- In the security policy which is allowing the communication is the source NAT enabled? If not you can try to enable the same so that the traffic gets translated to egress interface IP. This will help if the destination is not having the correct route back to the source Subnet.
Regards,
Shiva
Hi,
1) When you are trying to ping from the source to the destination do you see the logs in the traffic logs of the Firewall? NO
- Have you tried to check the sniffer/packet capture on the firewall when performing the testing?
This is what i get:
FortigateWAN # diagnose sniffer packet any "host 192.168.30.100 and host 192.168.30.101" 4
interfaces=[any]
filters=[host 192.168.30.100 and host 192.168.30.101]
1.398958 port5 out 192.168.30.100.51146 -> 192.168.30.101.53: udp 43
1.399705 port5 in 192.168.30.101.53 -> 192.168.30.100.51146: udp 43
1.401106 port5 out 192.168.30.100.55826 -> 192.168.30.101.53: udp 43
1.401620 port5 in 192.168.30.101.53 -> 192.168.30.100.55826: udp 43
1.403624 port5 out 192.168.30.100.57621 -> 192.168.30.101.53: udp 39
11.412332 port5 out 192.168.30.100.57621 -> 192.168.30.101.53: udp 39
21.422864 port5 out 192.168.30.100.56371 -> 192.168.30.101.53: udp 43
21.423692 port5 in 192.168.30.101.53 -> 192.168.30.100.56371: udp 43
21.425835 port5 out 192.168.30.100.58336 -> 192.168.30.101.53: udp 43
21.426351 port5 in 192.168.30.101.53 -> 192.168.30.100.58336: udp 43
21.429018 port5 out 192.168.30.100.54654 -> 192.168.30.101.53: udp 39
31.436830 port5 out 192.168.30.100.54654 -> 192.168.30.101.53: udp 39
^C
12 packets received by filter
0 packets dropped by kernel
And this when i do ping from my computer (192.168.1.191) to IP 192.168.30.101
FortigateWAN # diagnose sniffer packet any "host 192.168.1.191 and host 192.168.30.101" 4
interfaces=[any]
filters=[host 192.168.1.191 and host 192.168.30.101]
^C
0 packets received by filter
0 packets dropped by kernel
ping 192.168.30.101
Haciendo ping a 192.168.30.101 con 32 bytes de datos:
Respuesta desde 192.168.30.200: Host de destino inaccesible.
Respuesta desde 192.168.30.200: Host de destino inaccesible.
Respuesta desde 192.168.30.200: Host de destino inaccesible.
Respuesta desde 192.168.30.200: Host de destino inaccesible.
Estadísticas de ping para 192.168.30.101:
Paquetes: enviados = 4, recibidos = 4, perdidos = 0
(0% perdidos),
- In the security policy which is allowing the communication is the source NAT enabled? YES
Thanks in advance. Stay forward for more help, please.
Is the router allowing mulitple IPs from the same 192.168.30.0/24 subnet on multiple ports? It's odd. I'm almost sure you can't ping 192.168.30.102, .301, and .302 from the FGT.
I would suggest you setup a separate /30 subnet like 192.168.31.0/30 then set .1 on the router port and .2 on the FGT port5, also move the DVR from the router port to the switch, which is more natural.
Toshi
Hi,
1) Is the router allowing mulitple IPs from the same 192.168.30.0/24 subnet on multiple ports? YES
2) It's odd. I'm almost sure you can't ping 192.168.30.102, .301, and .302 from the FGT.
I don't understand you well, from the commands that you indicated previously and that I showed the output, FGT can ping the IPs of the subnet 192.168.30.100, 192.168.30.101,
192.168.30.102...
3) I also don't quite understand why make a new subnet 192.168.31.x/24 and move the recorder to the switch.
The cameras have their own PPPoE protocol connected to their own switch and I want to have separate security connected to an independent port on FGT.
Thank you.
Created on 11-22-2023 08:36 AM Edited on 11-22-2023 08:37 AM
Ok, so there are more network components to the diagram you posted before. A regular routers like FGTs don't allow IPs from the same subnet to different port/interface used for routing unless those are bound to one routing interface, which likely your routers case. Likely those ports are switchports line a "LAN" (port 1 - 8 ) while "WAN" port exists.
Toshi
Created on 11-22-2023 12:47 AM Edited on 11-22-2023 04:45 AM
-
-
Hi team,
You can check that FortiGate has the necessary routes to reach both subnets. You may need static routes or a dynamic routing protocol configured to ensure proper routing between the subnets.
And also the firewall policy for internal to external that's is port3 to port5 should be configured for example
config firewall policy
edit 1
set srcintf "port3"
set dstintf "port5"
set srcaddr "all"
set dstaddr "all"
set action accept
next
in this manner.
Hi,
I'm sorry for the delay and inconvenience caused.
In the end, everything was configured correctly, the only thing left to do was configure the 192.168.30.100 gateway on the side of ports 3 and 5.
Thank you all for your collaboration. A cordial greeting.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1712 | |
1093 | |
752 | |
447 | |
231 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.