So today I began setting up a new Guest WiFi vlan, and I want an interface on my Fortigate 800D to be the default gateway. This will allow us to restrict traffic to our internal network but allow it out to the internet. Should be simple?!
I've been racking my brains and cannot get this new interface to work.
So it's configured as follows:
config system interface
    edit "port9"
        set vdom "root"
        set ip 10.0.0.254 255.255.255.0
        set allowaccess ping
        set type physical
        set alias "Guest Wifi"
        set role lan
        set snmp-index 13
    next
end
DHCP is configured (under config system dhcp server):
config system dhcp server
    edit 4
        set default-gateway 10.0.0.254
        set netmask 255.255.255.0
        set interface "port9"
        config ip-range
            edit 1
                set start-ip 10.0.0.1
                set end-ip 10.0.0.253
            next
        end
        set timezone-option default
        set dns-server1 212.23.6.100
    next
end
And I've created a policy rule to allow the traffic out to the internet. For testing purposes it's source interface port9, destination interface wan2, any.
Port9 physically connects to a Cisco switch configured as:
switchport mode access
switchport access vlan 6
I connect a laptop to another port on the same switch, configured identically. With this config alone I believe I should be able to get a dhcp address in 10.0.0.1-10.0.0.253, ping the fortigate at 10.0.0.254, and browse the internet. I can't do any of those things.
diag sniffer packet 'port9' shows the broadcasts, so I believe they are arriving at the FortiGate, but I never see anything other than the initial broadcast. Same with a ping: I see ICMP arriving but nothing else.
I've configured a static ip address on the laptop and tried to ping, no dice.
I've got a DMZ network set up similarly to this, and the only difference I can see is under "Local-in Policy" (after enabling it in Feature Select): I can see that ICMP and UDP 67 both exist in there against the DMZ network interface, but nothing for the new interface that I've set up. So I am guessing that the FortiGate is just dropping the packets. I'll add that these local-in policies have not been added manually via CLI; these are the read-only, automatically created versions.
I'm running 2x FG800D in an A/P cluster, v5.4.2, build1100 (GA). I've set up new interfaces before and not seen this issue. Any ideas?
Have you limited the ip ranges from which admin users can connect?
If 10.0.0.0/24 is not in this range, pings will be blocked.
That doesn't explain why you won't get a DHCP lease. Have you tried connecting your laptop directly to the FortiGate's port9?
We do use trusted hosts, but I've entered the subnet into the trusted hosts section anyway.
I've just connected the laptop directly to port9 and get no DHCP lease. Setting a static address, I still can't ping.
FWIW, you don't need policies for DHCP or ping to work.
You're on a good path, but I would enable debugging on the dhcp-server service for the DHCP issues:
diag debug application dhcps -1
I would also run diag debug flow for the ping issues.
I'm sure both of these will give insight into the problem(s).
ken
PCNSE
NSE
StrongSwan
OK, so I've got to the bottom of it: it was indeed a lack of resources to apply the config that I'd made. I ran:
diag sys top
and hit m to sort by memory.
The process wad was consuming 2 GB of memory and overall utilization was at 80%.
diag sys kill 11 <pid>
This has now dropped to 33% and almost instantly my device got an address.
Huzzah!
Any ideas why this would have happened?
I think this may be related to bug ID # 443019 that was fixed in 5.6.4. We're seeing this on FortiOS 5.6.0 on a FG-VM though we haven't noticed any tangible impact yet.
Bug description: "After running for some time, the FG-30E console keep printing memory leak error messages."
I suspect it may not just be related to the 30E... More info about it here: https://forum.fortinet.com/tm.aspx?m=148257
I guess pinging the other way around, FortiGate to notebook, doesn't work either?
Do the ping packets from the Fortigate go out on the correct interface, do they arrive at the notebook?
Is the 10.0.0.0/24 network visible in the routing table (as a 'connected' route)?
Some time ago I had an issue where this route was not added and I had to reconfigure the interface:
Reset all interface settings of port9 in the CLI (unset ..) and delete the DHCP server and related policies.
Then reconfigure with the GUI.
So with diag debug enable, I'm seeing an error that doesn't look too pretty:
[__cmdb_bg_fork:670] fork( ) failed: 12(Cannot allocate memory)
[debug]dump HA master db: '/tmp/hasync/hasync.dhcpd/dhcpddb.sn=FG800D3916800609.o0uFal'
But I'm not seeing any DHCP requests in the debug. Someone else has reported that first error:
https://forum.fortinet.com/tm.aspx?m=148257
Could be this giving me grief?
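As an added example (not from the thread or from Fortinet), a small Python helper that parses a constructed diag sys top snapshot and the dhcps debug output discussed above, flagging the process hogging memory and the ENOMEM fork failure. The column layout of diag sys top (name, pid, state, cpu%, mem%) and the "T/F" total/free summary are assumed from typical 5.x output.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample resembling 'diag sys top' sorted by memory (press 'm').
# Assumed columns: process name, PID, state, CPU %, MEM %.
SAMPLE_TOP = """\
Run Time:  42 days, 3 hours and 12 minutes
0U, 0N, 1S, 99I; 4019T, 803F
              wad      1234      S       0.3      51.2
        ipsengine      1301      S       0.0       9.8
          miglogd      1107      S       0.0       2.1
            dhcpd      1088      S       0.0       0.4
"""

# Constructed sample of 'diag debug application dhcps -1' output; the fork
# failure line is the one quoted in the thread, the other lines are made up.
SAMPLE_DEBUG = """\
[debug]dhcps: server started on port9
[__cmdb_bg_fork:670] fork( ) failed: 12(Cannot allocate memory)
[debug]dump HA master db: '/tmp/hasync/hasync.dhcpd/...'
"""

PROC_RE = re.compile(r"^\s*(\S+)\s+(\d+)\s+([A-Z<>]+)\s+([\d.]+)\s+([\d.]+)\s*$")
MEM_RE = re.compile(r"(\d+)T,\s*(\d+)F")           # "<total>T, <free>F" in MB
ENOMEM_RE = re.compile(r"fork\(\s*\)\s+failed:\s*12\(Cannot allocate memory\)")

@dataclass
class Proc:
    name: str
    pid: int
    mem_pct: float

def parse_top(text: str) -> Tuple[Optional[int], Optional[int], List[Proc]]:
    """Return (total_mb, free_mb, processes) from diag sys top text."""
    total = free = None
    procs: List[Proc] = []
    for line in text.splitlines():
        m = MEM_RE.search(line)
        if m:
            total, free = int(m.group(1)), int(m.group(2))
            continue
        p = PROC_RE.match(line)
        if p:
            procs.append(Proc(p.group(1), int(p.group(2)), float(p.group(5))))
    return total, free, procs

def memory_util_pct(total_mb: int, free_mb: int) -> float:
    """Overall memory utilisation, the figure the thread quotes as 80%."""
    return round(100.0 * (total_mb - free_mb) / total_mb, 1)

def memory_hogs(procs: List[Proc], threshold_pct: float = 30.0) -> List[Proc]:
    """Processes worth a closer look (and, per the thread, a 'diag sys kill 11')."""
    return [p for p in procs if p.mem_pct >= threshold_pct]

def find_enomem(debug_text: str) -> List[str]:
    """Debug lines showing the daemon could not fork for lack of memory."""
    return [ln for ln in debug_text.splitlines() if ENOMEM_RE.search(ln)]
```

Running both checks against a saved console capture gives a quick yes/no on whether a "dead" interface is really a memory-starved daemon rather than a policy or switch problem.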