Hello!
I'm new to FortiGate and experienced a roadblock during my setup.
I was trying to reach the VM from the public IP (my PC), but there was no response from the VM. Attached are the diagram and packet capture results from FortiGate.
Note:
The default route is going to an ASR router, but I want all incoming and outgoing traffic to go via the same specific interface on the firewall. (highlighted orange)
Static route cannot be used because the source IP can be anything.
Tried the policy route, but it didn't work :(
Kindly advise what could be the root cause.
If you need additional information, feel free to let me know!
Appreciate the comments!
The issue is resolved!
I followed this article.
https://community.fortinet.com/t5/FortiGate/Technical-Note-Reverse-Path-Forwarding-RPF-implementatio...
Can you enable Source NAT on the policy towards VM and test?
This means the FortiGate is dropping the packet because the Source IP for the packet is not in a subnet that it has a route to on the interface it is coming in on.
In other words, if the packet has a source IP of 10.0.0.1 and it's coming in on the interface 'lan', the FortiGate will not forward it if it does not have a route to 10.0.0.0/24 via the 'lan' interface. This is reverse path forwarding and is a method of preventing IP spoofing.
Since you only pasted a snippet of the trace, we do not know the whole story, so it's hard to say. But chances are you have no route pointing to Provider A for your PC's public IP address.
If you're coming from the internet, unless you advertise the public subnet where the VM sits only through the Provider A side toward the internet, instead of advertising via the default internet provider, your access to the VM's public IP always comes from the default internet provider (right side in your diagram). It never comes via Provider A, unlike your inbound orange arrow.
The returning direction will follow the reverse direction of the inbound/original direction based on the session. You won't be able to change that.
Toshi
I guess you're talking about this?
Created on 02-06-2023 07:39 PM Edited on 02-06-2023 07:41 PM
Which provider, the default internet provider or Provider A, provides the public IP the VM has? Or do you own the public subnet the VM is in?
If it's from the default internet provider, you have no control over the incoming path; it always comes through that provider.
You can see it when you traceroute from outside to the VM's public IP.
Only if you own the subnet the VM is in can you advertise the subnet with BGP through either or both of the default internet provider and Provider A to control the inbound path.
Toshi
Reverse path check means the firewall is expecting that source IP to come from one interface, but the packet is coming from a different interface.
For example, execute this command:
get router info routing-table details <source-ip>
You will get to know from which interface the firewall is expecting traffic to come for this source IP.
If there is no route for the interface on which the traffic is coming, create one static route for that source IP towards the interface on which the traffic is coming.
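As an added illustration of the RPF logic described in this reply (example code, not from the thread or from Fortinet), a small Python model of the reverse path check: the firewall looks up the packet's source IP in its routing table and, in strict mode, only accepts the packet if the route back exits via the interface it arrived on. The routing table, addresses and interface names below are constructed assumptions.

```python
import ipaddress

# Constructed routing table (not from the original thread).
# Each entry: (destination prefix, outgoing interface). Interface names are assumptions.
ROUTES = [
    ("0.0.0.0/0", "wan1"),        # default route toward the ASR / default provider
    ("192.168.10.0/24", "lan"),   # the VM's subnet behind the firewall
]

def lookup(routes, ip):
    """Longest-prefix match: the interface a packet destined to `ip` would leave on."""
    ip = ipaddress.ip_address(ip)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def rpf_check(routes, src_ip, ingress_iface, loose=False):
    """True if the packet passes the reverse path forwarding check.
    Strict: the route back to src_ip must exit via the ingress interface.
    Loose: any route back to src_ip is enough (no-route sources still fail)."""
    back_iface = lookup(routes, src_ip)
    if back_iface is None:
        return False
    return True if loose else back_iface == ingress_iface

def scenario():
    """The situation from the thread: the PC's public IP (constructed 203.0.113.5)
    arrives on the Provider A interface (assumed name 'wan2'), but the only route
    back to it is the default route via wan1, so strict RPF drops it. Adding a
    static route for the source via wan2, as suggested above, makes it pass."""
    pc = "203.0.113.5"
    before = rpf_check(ROUTES, pc, "wan2")          # False: dropped by RPF
    fixed = ROUTES + [("203.0.113.0/24", "wan2")]  # route back to the source via wan2
    after = rpf_check(fixed, pc, "wan2")            # True: reverse path now matches
    return before, after
```

The "get router info routing-table details" command in the reply above shows the same lookup result that `lookup()` models here.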
Copyright 2024 Fortinet, Inc. All Rights Reserved.