jadeltoro
New Contributor III

Routing internal interfaces between 2 subnets

Hello good morning.
Please, I wanted to ask the following question.
I have a router connected to port 5 on my Fortigate in the following IP range: 192.168.30.100/24.
On the other hand, I have on port 3 (configured as an interface) an output to a switch in the range 192.168.1.0/24.
I am trying to get each subnet to communicate with the other by establishing a firewall policy that has port 3 as output and port 5 as input, but I cannot access it.
What am I doing wrong?
Thank you.
1 Solution
jadeltoro
New Contributor III

Hi,
I'm sorry for the delay and inconvenience caused.
In the end, everything was configured correctly, the only thing left to do was configure the 192.168.30.100 gateway on the side of ports 3 and 5.
Thank you all for your collaboration. A cordial greeting.

jadeltoro
New Contributor III

FortigateWAN # execute ping-options source 192.168.30.100

FortigateWAN # execute ping 192.168.1.160
PING 192.168.1.160 (192.168.1.160): 56 data bytes
64 bytes from 192.168.1.160: icmp_seq=0 ttl=255 time=0.2 ms
64 bytes from 192.168.1.160: icmp_seq=1 ttl=255 time=0.1 ms
64 bytes from 192.168.1.160: icmp_seq=2 ttl=255 time=0.2 ms
64 bytes from 192.168.1.160: icmp_seq=3 ttl=255 time=0.1 ms
64 bytes from 192.168.1.160: icmp_seq=4 ttl=255 time=0.2 ms

--- 192.168.1.160 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.1/0.1/0.2 ms

FortigateWAN # execute ping 192.168.30.101
PING 192.168.30.101 (192.168.30.101): 56 data bytes
64 bytes from 192.168.30.101: icmp_seq=0 ttl=64 time=0.5 ms
64 bytes from 192.168.30.101: icmp_seq=1 ttl=64 time=0.4 ms
64 bytes from 192.168.30.101: icmp_seq=2 ttl=64 time=0.3 ms
64 bytes from 192.168.30.101: icmp_seq=3 ttl=64 time=0.3 ms
64 bytes from 192.168.30.101: icmp_seq=4 ttl=64 time=0.3 ms

--- 192.168.30.101 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.3/0.3/0.5 ms

FortigateWAN # execute ping-options source 192.168.1.160

FortigateWAN # execute ping 192.168.30.100
PING 192.168.30.100 (192.168.30.100): 56 data bytes
64 bytes from 192.168.30.100: icmp_seq=0 ttl=255 time=0.1 ms
64 bytes from 192.168.30.100: icmp_seq=1 ttl=255 time=0.1 ms
64 bytes from 192.168.30.100: icmp_seq=2 ttl=255 time=0.1 ms
64 bytes from 192.168.30.100: icmp_seq=3 ttl=255 time=0.1 ms
64 bytes from 192.168.30.100: icmp_seq=4 ttl=255 time=0.1 ms

--- 192.168.30.100 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.1/0.1/0.1 ms

FortigateWAN # execute ping 192.168.1.5
PING 192.168.1.5 (192.168.1.5): 56 data bytes
64 bytes from 192.168.1.5: icmp_seq=0 ttl=128 time=0.5 ms
64 bytes from 192.168.1.5: icmp_seq=1 ttl=128 time=0.5 ms
64 bytes from 192.168.1.5: icmp_seq=2 ttl=128 time=0.4 ms
64 bytes from 192.168.1.5: icmp_seq=3 ttl=128 time=0.5 ms
64 bytes from 192.168.1.5: icmp_seq=4 ttl=128 time=0.6 ms

--- 192.168.1.5 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.4/0.5/0.6 ms

The IP 192.168.1.5 was the first IP assigned to a computer.

Thanks in advance.

smaruvala

Hi, 

- From the above ping tests it looks like the communication from the firewall egress IP to the destination is good.

- When you are trying to ping from the source to the destination do you see the logs in the traffic logs of the Firewall?
- Have you tried to check the sniffer/packet capture on the firewall when performing the testing?
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Packet-capture-sniffer/ta-p/198313

- In the security policy which is allowing the communication, is source NAT enabled? If not, you can try to enable it so that the traffic gets translated to the egress interface IP. This will help if the destination does not have the correct route back to the source subnet.

Regards,

Shiva

jadeltoro
New Contributor III

Hi,

1) When you are trying to ping from the source to the destination do you see the logs in the traffic logs of the Firewall? NO

2) Have you tried to check the sniffer/packet capture on the firewall when performing the testing?

This is what I get:

FortigateWAN # diagnose sniffer packet any "host 192.168.30.100 and host 192.168.30.101" 4
interfaces=[any]
filters=[host 192.168.30.100 and host 192.168.30.101]
1.398958 port5 out 192.168.30.100.51146 -> 192.168.30.101.53: udp 43
1.399705 port5 in 192.168.30.101.53 -> 192.168.30.100.51146: udp 43
1.401106 port5 out 192.168.30.100.55826 -> 192.168.30.101.53: udp 43
1.401620 port5 in 192.168.30.101.53 -> 192.168.30.100.55826: udp 43
1.403624 port5 out 192.168.30.100.57621 -> 192.168.30.101.53: udp 39
11.412332 port5 out 192.168.30.100.57621 -> 192.168.30.101.53: udp 39
21.422864 port5 out 192.168.30.100.56371 -> 192.168.30.101.53: udp 43
21.423692 port5 in 192.168.30.101.53 -> 192.168.30.100.56371: udp 43
21.425835 port5 out 192.168.30.100.58336 -> 192.168.30.101.53: udp 43
21.426351 port5 in 192.168.30.101.53 -> 192.168.30.100.58336: udp 43
21.429018 port5 out 192.168.30.100.54654 -> 192.168.30.101.53: udp 39
31.436830 port5 out 192.168.30.100.54654 -> 192.168.30.101.53: udp 39
^C
12 packets received by filter
0 packets dropped by kernel

And this is what I get when I ping from my computer (192.168.1.191) to IP 192.168.30.101:

FortigateWAN # diagnose sniffer packet any "host 192.168.1.191 and host 192.168.30.101" 4
interfaces=[any]
filters=[host 192.168.1.191 and host 192.168.30.101]
^C
0 packets received by filter
0 packets dropped by kernel

ping 192.168.30.101

Haciendo ping a 192.168.30.101 con 32 bytes de datos:
Respuesta desde 192.168.30.200: Host de destino inaccesible.
Respuesta desde 192.168.30.200: Host de destino inaccesible.
Respuesta desde 192.168.30.200: Host de destino inaccesible.
Respuesta desde 192.168.30.200: Host de destino inaccesible.

Estadísticas de ping para 192.168.30.101:
Paquetes: enviados = 4, recibidos = 4, perdidos = 0
(0% perdidos),

3) In the security policy which is allowing the communication, is source NAT enabled? YES

Thanks in advance. Looking forward to more help, please.
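As an added example that is not part of the thread, here is a small Python parser for the verbosity-4 sniffer output shown above. It folds requests and replies into flows and flags the one-way ones, which separates "the FortiGate saw the request but nothing came back" (a missing return route on the far host, which is what the solution turned out to be) from "it never arrived at all" (the capture stays empty, pointing at the client's own gateway). The sample is constructed from the DNS lines above plus one ICMP line whose format is assumed.

```python
import re
from collections import defaultdict

# One packet line of "diagnose sniffer packet <iface> '<filter>' 4":
#   <seconds> <iface> <in|out> <src>[.<sport>] -> <dst>[.<dport>]: <proto> ...
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+(?:\.\d+){3})(?:\.(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d+(?:\.\d+){3})(?:\.(?P<dport>\d+))?:\s+(?P<proto>\w+)"
)

# Constructed sample: DNS lines from the capture above plus one ICMP echo
# request (port3 ingress, assumed line format) that never gets a reply.
SAMPLE = """interfaces=[any]
filters=[host 192.168.30.100 and host 192.168.30.101]
1.398958 port5 out 192.168.30.100.51146 -> 192.168.30.101.53: udp 43
1.399705 port5 in 192.168.30.101.53 -> 192.168.30.100.51146: udp 43
1.403624 port5 out 192.168.30.100.57621 -> 192.168.30.101.53: udp 39
11.412332 port5 out 192.168.30.100.57621 -> 192.168.30.101.53: udp 39
12.000000 port3 in 192.168.1.191 -> 192.168.30.101: icmp: echo request
^C
5 packets received by filter
"""

def parse_sniffer(text):
    """Yield one dict per packet line; header and footer lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def flow_summary(text):
    """Fold request and reply packets into one flow keyed on the initiator
    (src, sport, dst, dport, proto) and count packets in each direction."""
    flows = defaultdict(lambda: {"fwd": 0, "rev": 0, "ifaces": set()})
    for p in parse_sniffer(text):
        sport, dport = p["sport"] or "", p["dport"] or ""   # ICMP has no ports
        fwd = (p["src"], sport, p["dst"], dport, p["proto"])
        rev = (p["dst"], dport, p["src"], sport, p["proto"])
        key, side = (rev, "rev") if rev in flows else (fwd, "fwd")
        flows[key][side] += 1
        flows[key]["ifaces"].add(p["iface"])
    return dict(flows)

def one_way_flows(text):
    """Flows with requests but no replies: the far host has no route back to
    the source subnet, or a policy drops the return traffic. An empty capture
    instead means the traffic never reached the FortiGate at all."""
    return {k: v for k, v in flow_summary(text).items() if v["rev"] == 0}
```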

Toshi_Esumi
SuperUser

Is the router allowing multiple IPs from the same 192.168.30.0/24 subnet on multiple ports? It's odd. I'm almost sure you can't ping 192.168.30.102, .301, and .302 from the FGT.
I would suggest you set up a separate /30 subnet like 192.168.31.0/30, then set .1 on the router port and .2 on the FGT port5, and also move the DVR from the router port to the switch, which is more natural.

Toshi

jadeltoro

Hi,

1) Is the router allowing multiple IPs from the same 192.168.30.0/24 subnet on multiple ports? YES

2) It's odd. I'm almost sure you can't ping 192.168.30.102, .301, and .302 from the FGT.

I don't understand you well; from the commands that you indicated previously and whose output I showed, the FGT can ping the IPs of the subnet: 192.168.30.100, 192.168.30.101, 192.168.30.102...

3) I also don't quite understand why I should make a new subnet 192.168.31.x/24 and move the recorder to the switch.
The cameras have their own PPPoE protocol connected to their own switch and I want to have separate security connected to an independent port on FGT.
Thank you.

Toshi_Esumi

Ok, so there are more network components than in the diagram you posted before. Regular routers like FGTs don't allow IPs from the same subnet on different ports/interfaces used for routing unless those are bound to one routing interface, which is likely your router's case. Likely those ports are switchports like a "LAN" (port 1-8) while a "WAN" port exists.

Toshi

Nchandan
Staff

Hi team,

Check that the FortiGate has the necessary routes to reach both subnets. You may need static routes or a dynamic routing protocol configured to ensure proper routing between the subnets.

And also the firewall policy for internal to external, that is, port3 to port5, should be configured in this manner, for example:

config firewall policy
    edit 1
        set srcintf "port3"
        set dstintf "port5"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end