Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
sgClarence
New Contributor

Static Route, LAN unable to access internet

We have 8 static IPs and tried to set up a WAN router using a Fortigate 300 as follows...

Port 1: ISP gateway (isp.xx.xx.229/30)

Port 2: WAN Router (inet.xx.xx.81/29)

Port 3: 192.168.1.99/24 with DHCP enabled

Static Route: 0.0.0.0/0.0.0.0 using gateway isp.229 at port 1

Policy IPv4: Port 1 to Port 2(downstream), Port 2 to Port 1(upstream) and Port 3 to Port 2(LAN to internet)

Internet access from the Fortigate console and from a host using a public IP connected to Port 2 are fine.

However, LAN users are not getting internet access.

We tried defining another static route 192.168.1.0/24 using gateway inet.xx.xx.81 but to no avail.

Is there anything we missed defining so that LAN user internet traffic is routed to the gateway at inet.xx.xx.81?

Thanks.

Yeehar
sw2090
Honored Contributor


@sgClarence wrote:

Port 1: ISP gateway (isp.xx.xx.229/30)

Port 2: WAN Router (inet.xx.xx.81/29)

Port 3: 192.168.1.99/24 with DHCP enabled

Static Route: 0.0.0.0/0.0.0.0 using gateway isp.229 at port 1

Policy IPv4: Port 1 to Port 2(downstream), Port 2 to Port 1(upstream) and Port 3 to Port 2(LAN to internet)

So the static route goes to Port1. Your LAN to Internet policy goes to port2. That doesn't seem to match.

Inet traffic directly from the FGT via Port1 works as you wrote, so your default route is good.

So the route says traffic from anywhere to the internet has to hit port1, but there is no policy matching that.

I'd guess that if you did a flow trace on the CLI it would have stated "denied by forward policy check (policy #0)" or a similar message.

You always have to keep in mind that the first thing that is looked at when a packet comes in is always the routing table, because the route gives the way. After that the FGT looks for a matching policy, and if there is no explicit one the traffic is always matched by policy #0, which is the implicit "deny everything to everything" policy.

--

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
sgClarence

So the static route goes to Port1. Your LAN to Internet policy goes to port2. That doesn't seem to match.

We're not network trained and have difficulty understanding the meaning of 'that doesn't seem to match'. Does it mean defining Port 4 as inet.xx.xx.82/29 and creating a Policy IPv4 that forwards Port 3 to Port 4 instead?

 

What's the common practice for a setup like the one described above?

Yeehar
sw2090
Honored Contributor

Common practice is to connect your ISP to the WAN port(s) of your FGT.

Then have one or more default route(s), or use SD-WAN instead for load balancing if needed.

Then create some policies.

You can imagine it basically in this way:

If you want to go from A to B you have to look at your map to see if there is a way from A to B.

Then you have to find out if you are allowed to use that way and if there are limitations.

What the map is for you, the routing table is for your FGT.

And the policies rule whether the packet may use that way and with which limitations.

The default route specifies where packets should go that have a destination not matched by any other route. Before this always come routes that derive from interfaces (connected routes) and static routes (in this order). So if there is no static or connected route the packet will hit the default route. And in your case the default route states the packet has to go to port1.

So the next step the FGT does is to look at its policy package to find a policy matching source interface Port3 and source address LAN, destination interface port1 and destination "any".

Since there is no such explicit policy it will match policy #0, which is the implicit deny policy that matches anything that has not been matched by any other policy before. This results in the packet being denied.

So you have to have - according to your default route - a policy from Port3 to Port1 (LAN to internet) with LAN subnet as source and "any" as destination and destination NAT enabled.

--

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
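The route-first, policy-second order that sw2090 describes in both replies above, as an added example that is not part of the thread and not Fortinet code: a small Python model of a FortiGate's forwarding decision. A longest-prefix route lookup picks the egress interface, then the first policy matching source interface, source address, destination interface and destination address is applied, and no match means the implicit policy #0 deny. The addresses are constructed RFC 5737 documentation ranges standing in for the thread's partially shown isp.xx.xx.229 and inet.xx.xx.81, and the port names, policy IDs and host addresses are assumptions. It runs the policy set as posted (LAN to Port 2) beside the corrected one (LAN to Port 1 with NAT).

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    interface: str            # egress interface the route points at
    gateway: Optional[str]    # None for a connected (interface-derived) route
    kind: str                 # "connected", "static" or "default"


@dataclass(frozen=True)
class Policy:
    policy_id: int
    srcintf: str
    dstintf: str
    srcaddr: IPv4Network      # 0.0.0.0/0 stands for the "all" address object
    dstaddr: IPv4Network
    nat: bool


ANY = ip_network("0.0.0.0/0")
# Policy #0: the implicit "deny everything to everything" rule at the end of the list.
IMPLICIT_DENY = Policy(0, "any", "any", ANY, ANY, nat=False)
KIND_PREFERENCE = {"connected": 0, "static": 1, "default": 2}


def lookup_route(routes, dst):
    """Step 1: routing table. Longest prefix wins; on a tie, connected beats
    static beats default, the order the reply above gives."""
    dst = ip_address(dst)
    hits = [r for r in routes if dst in r.prefix]
    if not hits:
        return None
    return max(hits, key=lambda r: (r.prefix.prefixlen, -KIND_PREFERENCE[r.kind]))


def match_policy(policies, srcintf, src, dstintf, dst):
    """Step 2: policy table, top down, first match wins. The destination
    interface is the one the route chose, not the one the admin expected."""
    src, dst = ip_address(src), ip_address(dst)
    for p in policies:
        if (p.srcintf == srcintf and p.dstintf == dstintf
                and src in p.srcaddr and dst in p.dstaddr):
            return p
    return IMPLICIT_DENY


def forward(routes, policies, ingress_intf, src, dst):
    """Route first, then policy; returns what a flow trace would report."""
    route = lookup_route(routes, dst)
    if route is None:
        return {"action": "drop", "egress": None, "policy_id": None, "nat": False}
    policy = match_policy(policies, ingress_intf, src, route.interface, dst)
    return {
        "action": "deny" if policy.policy_id == 0 else "accept",
        "egress": route.interface,
        "policy_id": policy.policy_id,
        "nat": policy.nat,
    }


# Constructed topology (assumed values): documentation ranges stand in for the
# thread's isp.xx.xx.229/30 (port1), inet.xx.xx.81/29 (port2) and 192.168.1.0/24 (port3).
ROUTES = [
    Route(ip_network("203.0.113.228/30"), "port1", None, "connected"),
    Route(ip_network("198.51.100.80/29"), "port2", None, "connected"),
    Route(ip_network("192.168.1.0/24"), "port3", None, "connected"),
    Route(ANY, "port1", "203.0.113.229", "default"),   # 0.0.0.0/0 via the ISP gateway
]

LAN = ip_network("192.168.1.0/24")

# The policy set as posted: LAN traffic is allowed only towards port2.
POLICIES_AS_POSTED = [
    Policy(1, "port1", "port2", ANY, ANY, nat=False),   # downstream
    Policy(2, "port2", "port1", ANY, ANY, nat=False),   # upstream
    Policy(3, "port3", "port2", LAN, ANY, nat=True),    # "LAN to internet", wrong egress
]

# The corrected set: the LAN policy follows the default route to port1, NAT on.
POLICIES_FIXED = POLICIES_AS_POSTED[:2] + [
    Policy(3, "port3", "port1", LAN, ANY, nat=True),
]


def lan_to_internet(policies, lan_host="192.168.1.50", internet_host="192.0.2.10"):
    """A LAN client (constructed addresses) trying to reach an internet host."""
    return forward(ROUTES, policies, "port3", lan_host, internet_host)


if __name__ == "__main__":
    print("as posted:", lan_to_internet(POLICIES_AS_POSTED))
    print("fixed:    ", lan_to_internet(POLICIES_FIXED))
```

With the posted policies, lan_to_internet reports egress port1 and policy_id 0: the route sent the packet to port1, the only LAN policy names port2, so the implicit deny applies, which is the "denied by forward policy check (policy #0)" outcome sw2090 expects from a flow trace. With the corrected set it reports policy 3 with NAT on. The model only records whether the matching policy has NAT enabled; it does not rewrite addresses, so a Port3-to-Port1 policy without NAT would still show "accept" here even though the ISP would not route replies to a private 192.168.1.x source.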
sgClarence

It's a Fortigate 300 with no dedicated WAN port and all user-definable ports, thus Port 1 is like WAN to ISP (upstream).

Port 2 is WAN to us (downstream). Port 3 is like a LAN with DHCP, and the idea is to use Port 2 as the gateway for Internet access, as Port 2 is already 'functional' to access the Internet via a public IP.

May we ask if you're suggesting that we should 'map' Port 3 to Port 1 instead of Port 2?

We beg your pardon; we are trying to set up the simplest configuration to handle public IPs usable by servers like a web server, while LAN users can access the Internet via DHCP. Seems we've got the wrong firewall for a simple setup 8-(

Yeehar
fism
New Contributor

Can you rule out NAT? The firewall policy that goes from LAN to internet should have NAT enabled. 

sgClarence

The default of Fortigate is NAT mode, intact.

Yeehar