wcente
New Contributor

Transparent Mode kills LAN

Hello dear Forum Members, I thought I had a quite easy setup of a FortiGate 60C (FOS4MR3Patch11):
I have an internal LAN with 172.24.0.0/255.255.252.0.
I have an outside LAN connected by a third-party router: 172.24.4.0/255.255.252.0.
The Forti is set up in transparent mode between the router to the outside LAN (not managed by us) and the inside LAN. The outside LAN is connected on WAN1 and the inside LAN is connected on INTERNAL. The management IP is set to 172.24.1.200 (inside LAN).
Forwarding the packets between inside LAN and outside LAN via the firewall is functioning correctly. BUT: after setting up the FortiGate unit, some internal hosts pop up saying duplicate IPs have been detected, some servers quit service and everything is spinning around. Disconnecting the FortiGate and restarting the inside LAN services afterwards solves the problem. So what is the FortiGate doing? I am so confused about this! I even tried setting up management on a separate VDOM, but the problem still persists... Any hints?
Rick_H
New Contributor III

It sounds like you are attempting to use transparent mode, but you are connecting your FortiGate between two separate subnets. If this is correct then this is likely your problem. In transparent mode you can deploy the FortiGate on either the inside or outside of your firewall/router, but not both at the same time. Typically you'll have one interface of the FortiGate plugged directly into your firewall/router and the other interface plugged into your LAN so that all traffic is forced to traverse it. Which side you choose to deploy it on is up to you and based completely on your needs. Also, when using transparent mode, you don't need to use the dedicated Management interface. Just set the management IP address to something valid within the network the FortiGate sits in and enable the desired management protocols on the interface facing your inside network. EDIT: If you are using VDOMs then make sure you set the management VDOM to whichever VDOM needs to accept management traffic.
wcente
New Contributor

Hello Rick, thanks for the reply. But it is not what you suspected: I did not connect two LANs directly; the outside connection is a router, and the outside LAN is connected via VPN by this router...
emnoc
Esteemed Contributor III

Your explanation is confusing, and the same for your initial dialog. The outside interface of the 3rd party router is not even required if you want to set up an L2 transparent firewall. What you need to do:
1: take one interface on the firewall and let's call that internal-lan-out; connect it to your router's internal-lan interface.
2: take one port on the firewall and let's call that internal-lan-in; connect it to your switch or whatever port the router was connected to.
Next craft your fw policies on the firewall with regards to in-2-out for the 172.24.0.0/255.255.252.0. I would also create a LOCAL_LAN or LAN address object for that address space, e.g.

    config firewall address
        edit LAN
            set subnet 172.24.0.0/255.255.252.0
        next
    end

And for all /32 hosts, i.e.

    config firewall address
        edit mail-host
            set subnet 172.24.0.10/32
        next
        edit dns-serv
            set subnet 172.24.0.11/32
        next
    end

This would ease management of fw policies.

PCNSE 

NSE 

StrongSwan  
wcente
New Contributor

Well, here's exactly what I did:
FGT60C: Interface Internal is connected to our internal switch, where the subnet 172.24.0.0/255.255.252.0 is connected.
Wan1 is connected to the internal interface of a third-party router, which has the IP 172.24.0.100 on this internal interface; this router holds a VPN to a remote subnet 172.24.4.0/255.255.252.0.
The other interfaces which may not be used (DMZ, WAN2) have been turned "down" in Web GUI -> Network -> Interfaces.
The FGT60C is in transparent mode and has a management IP 172.24.0.101/255.255.252.0.
I set up the following addresses:
LAN_INT 172.24.0.0/255.255.252.0
LAN_EXT 172.24.4.0/255.255.252.0
The firewall ruleset is as follows (easy first, for testing purposes):
internal LAN_INT -> WAN1 LAN_EXT always any accept
WAN1 LAN_EXT -> internal LAN_INT always any accept
That's all that happened, and with this configuration the errors appear... This is of course not my very first setup, so I thought I'm quite familiar with Fortis; I never had experiences like the above!
emnoc
Esteemed Contributor III

Well, that looks right, assuming you have no VLAN tagging and one flat layer 2 network, hence no forwarding domains. I'm guessing you do have the unit in TP mode?

    config system settings
        set opmode transparent
    end

(I know it's stupid to ask, but I've had clients who did not do this step :) )
So can you tell what's flooding your LAN? Review the session table and packet sniffer between the "LAN_INT" and "LAN_EXT" interfaces. If traffic is present, then it should be in the session table of the unit and you can quickly ID the traffic type(s). Also on the switch+router, are you sure no other security mechanisms were in place for these devices? Port-security or some types of filtering?

PCNSE 

NSE 

StrongSwan  
ede_pfau
SuperUser

Have a good look at your interface IPs! You may not assign an "x.y.z.0" to a host - this is the broadcast address. This will probably cause your LAN confusion.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
FortiRack_Eric
New Contributor III

Perhaps you are familiar with FortiGates, but my guess is all in NAT/ROUTE mode, not in TP (transparent). There is no routing in TP mode; every interface in the TP mode VDOM (or unit, if not in VDOM mode) is bridged, so in fact it is a switch. So how would you expect the 172.24.0.0/23 LAN to connect to a 172.24.4.0/23 network on the other side? From my point of view, reading through the info, you don't need a transparent setup but a NAT/routed one. Cheers, Eric

Rackmount your Fortinet --> http://www.rackmount.it/fortirack
ede_pfau
SuperUser

@Eric: a 255.255.252.0 netmask is a /22, not a /23. But your comment (miraculously) still holds true :-) @wcente: It comprises 4 Class C (/24) subnets. So, subnet 172.24.[0-3].x is covered, but I cannot see how you can contact the router in the 172.24.4.x subnet - are you 100% sure about the netmask and addresses? And besides, the ".0" cannot be a host address - did you have a look at this?

Ede

"Kernel panic: Aiee, killing interrupt handler!"
emnoc
Esteemed Contributor III

"You may not assign an "x.y.z.0" to a host - this is the broadcast address. This will probably cause your LAN confusion."
Not true at all. For the mask he has identified, 0 and 255 are valid for 255.255.252.0; in his case the range, for example, is 172.24.0.1-172.24.3.254 for valid IP addresses. 172.24.0.0 = network, 172.24.3.255 = broadcast, or 1022 usable addresses. http://tuxgraphics.org/toolbox/network_address_calculator_add.html Now I don't know why we are harping on that now, since nowhere has he spoken of using a broadcast/network address on an interface of a host. What he needs to do is to validate his topo and, if he is still having problems, run diag cmds looking at the packet sniffer and interface errors (duplex mismatch or CRC errors). I would even go as far as to change the interfaces on the FGT to 2 different interfaces that are not part of an internal switch for the L2-TP in/out interfaces, i.e. wan1/wan2.

PCNSE 

NSE 

StrongSwan  
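The addressing argument in the thread (the /22 host range and whether 172.24.4.x sits in the same bridged segment), worked out with Python's ipaddress module as an added example that is not from any poster. The subnets and the router IP 172.24.0.100 are from the thread, the management IP 172.24.0.101 is from wcente's second post, and 172.24.4.1 is an assumed remote host.

```python
import ipaddress

# Constructed from the thread: inside LAN and the remote LAN behind the VPN router.
INSIDE_LAN = ipaddress.ip_network("172.24.0.0/255.255.252.0")
REMOTE_LAN = ipaddress.ip_network("172.24.4.0/255.255.252.0")
ROUTER_INSIDE_IP = "172.24.0.100"   # third-party router, inside interface
FGT_MGMT_IP = "172.24.0.101"        # FortiGate transparent-mode management IP
REMOTE_HOST = "172.24.4.1"          # assumed host on the remote LAN


def subnet_facts(net):
    """Network, broadcast, first/last usable host and usable host count for a subnet."""
    hosts = list(net.hosts())  # hosts() already excludes network and broadcast
    return {
        "prefixlen": net.prefixlen,
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "first_host": str(hosts[0]),
        "last_host": str(hosts[-1]),
        "usable": len(hosts),
    }


def is_valid_host(addr, net):
    """A host may take any address in the subnet except the network and broadcast addresses."""
    a = ipaddress.ip_address(addr)
    return a in net and a not in (net.network_address, net.broadcast_address)


def same_l2_segment(a, b, net):
    """A transparent-mode FortiGate only bridges: two addresses can talk without
    a router only if both lie inside the one subnet of that bridged segment."""
    return ipaddress.ip_address(a) in net and ipaddress.ip_address(b) in net


def check_plan():
    """Evaluate the thread's addressing plan against the inside /22."""
    return {
        "inside": subnet_facts(INSIDE_LAN),
        "router_valid": is_valid_host(ROUTER_INSIDE_IP, INSIDE_LAN),
        "mgmt_valid": is_valid_host(FGT_MGMT_IP, INSIDE_LAN),
        "mgmt_router_bridged": same_l2_segment(FGT_MGMT_IP, ROUTER_INSIDE_IP, INSIDE_LAN),
        "remote_overlaps_inside": INSIDE_LAN.overlaps(REMOTE_LAN),
        # the remote LAN is a different subnet, so reaching it needs the router, not the bridge
        "remote_needs_routing": not same_l2_segment(FGT_MGMT_IP, REMOTE_HOST, INSIDE_LAN),
        "dot0_is_host_addr": is_valid_host("172.24.0.0", INSIDE_LAN),
    }


if __name__ == "__main__":
    for key, value in check_plan().items():
        print(f"{key}: {value}")
```

Run as a script it prints each check; the "inside" entry shows the 172.24.0.1-172.24.3.254 range and 1022 usable addresses emnoc cites, and "remote_needs_routing" is True, which is Eric's point that a bridge alone cannot join the two /22s.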