Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
jadeltoro
New Contributor III

Created on ‎11-20-2023 09:31 PM Edited on ‎02-26-2024 05:51 AM By Community Manager

Routing internal interfaces between 2 subnets 

Hello good morning.
Please, I wanted to ask the following question.
I have a router connected to port 5 on my Fortigate in the following IP range: 192.168.30.100/24.
On the other hand, I have on port 3 (configured as an interface) an output to a switch in the range 192.168.1.0/24.
I am trying to communicate each subnet with the other by establishing a firewall policy that has port 3 as output and port 5 as input, but I cannot access it.
What am I doing wrong?
Thank you.
Labels:
1691
0 Kudos
1 Solution
jadeltoro
New Contributor III

Created on ‎11-22-2023 03:49 AM

Hi,
I'm sorry for the delay and inconvenience caused.
In the end, everything was configured correctly, the only thing left to do was configure the 192.168.30.100 gateway on the side of ports 3 and 5.
Thank you all for your collaboration. A cordial greeting.

View solution in original post

1453
0 Kudos
19 REPLIES 19
srajeswaran
Staff
Staff

Created on ‎11-20-2023 10:00 PM

1. Can both subnet device atleast ping the Fortigate interface IPs?
2. Check the ARP table on Fortigate "get system arp" and see if the destination IPs are learned

If the above 2 are working, we need to re-evaluate the policy config else there is something else outside Firewall config.

Regards,

Suraj

- Have you found a solution? Then give your helper a "Kudos" and mark the solution.

878
jadeltoro
New Contributor III
In response to srajeswaran

Created on ‎11-20-2023 10:54 PM

Hello, thank you for your quick response.
I cannot ping, neither from the 192.168.1.0 network to the computers on the 192.168.30.100 network, nor the other way around.
In the ARP table, it only shows the gateway IP address of the router connected to port5: 192.168.30.101 0 "mac" port5.
There are more devices connected, at other addresses on the same subnet: 192.168.30.x, but they do not appear in the ARP table.

866
0 Kudos
Toshi_Esumi
SuperUser
SuperUser
In response to jadeltoro

Created on ‎11-20-2023 11:01 PM

@srajeswaranis asking you to ping from the FGT in CLI to the connected device, then check the ARP table. If you still don't see the device you pinged in the table, there is a L2 connection problem over the switch(es).

 

Toshi

860
srajeswaran
Staff
Staff
In response to jadeltoro

Created on ‎11-20-2023 11:01 PM


Below given is what I understood from the shared data,
192.168.1.0/24----Switch-----(port3)Fortigate(port5)--------Router(192.168.30.101)

You have mentioned , there are more devices on 192.168.30.x subnet, how are they connected? Is there a switch between Fortigate and Router?
Is the switches operate in L2 mode ?

Can you share a topology diagram with the devices/address.

Regards,

Suraj

- Have you found a solution? Then give your helper a "Kudos" and mark the solution.

860
jadeltoro
New Contributor III
In response to srajeswaran

Created on ‎11-20-2023 11:37 PM Edited on ‎11-20-2023 11:54 PM

Excuse me for my limited knowledge in the use of Fortigate, as well as in the design of the diagram with the topology.
I hope the following drawing can answer the questions:

Topologia_Camaras.JPG

844
0 Kudos
srajeswaran
Staff
Staff
In response to jadeltoro

Created on ‎11-20-2023 11:56 PM

Can you share the port3 and port5 configuration from Fortigate.

show system interface port3
show system interface port5

 

Regards,

Suraj

- Have you found a solution? Then give your helper a "Kudos" and mark the solution.

836
jadeltoro
New Contributor III
In response to srajeswaran

Created on ‎11-21-2023 12:12 AM

config system interface
edit "port3"
set vdom "root"
set ip 192.168.1.160 255.255.255.0
set allowaccess ping https ssh snmp fgfm radius-acct fabric ftm
set type physical
set alias "INTERFAZ OFICINA"
set device-identification enable
set role lan
set snmp-index 9
next
end

 

config system interface
edit "port5"
set vdom "root"
set ip 192.168.30.100 255.255.255.0
set allowaccess ping https http fabric
set type physical
set device-identification enable
set lldp-transmission enable
set role lan
set snmp-index 11
next
end

830
0 Kudos
smaruvala
Staff
Staff
In response to jadeltoro

Created on ‎11-21-2023 03:03 AM

Hi,

 

- Can you please let us know if you are able to ping from port5 to the destination?
- When you are trying to ping from the source to the destination do you see the logs in the traffic logs of the Firewall?
- Have you tried to check the sniffer/packet capture on the firewall when performing the testing?
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Packet-capture-sniffer/ta-p/198313
- Is the upstream a router or a layer2 device? Because from the diagram it looks the router is not splitting the broadcast domain.

 

Regards,

Shiva

787
thoufik786
New Contributor II

Created on ‎11-21-2023 03:28 AM Edited on ‎11-21-2023 03:30 AM

Hi @jadeltoro,

 

Please share the output of the below commands from FGT.

 

execute ping-options source 192.168.30.100  

execute ping 192.168.1.160

execute ping 192.168.30.101

 

execute ping-options source 192.168.1.160   

execute ping 192.168.30.100

execute ping 192.168.1.2

 

Regards,

Thoufik.

Thoufik
Thoufik
780
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.