Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
wcente
New Contributor

Transparent Mode kills LAN

Hello dear Forum Members, I' ve thought I' ve got a quite easy Setup of a Fortigate 60C (FOS4MR3Patch11): I have an internal LAN with 172.24.0.0/255.255.252.0 I have an outside LAN connected by a third party router: 172.24.4.0/255.255.252.0 The Forti is set up in transparent mode between the Router to the outside LAN (not managed by us) and the inside LAN Outside LAN is connected on WAN1 and the inside LAN is connected on INTERNAL The management IP is set to 172.24.1.200 (inside LAN) Forwarding the Packets between inside LAN and outside LAN via Firewall is functioning correctly. BUT: After setting up the Fortigate Unit some internal Hosts pop up saying duplicate IPs have been detected, some servers quited service and everthing is spinning around. Disconnecting the Fortigate and restarting inside LAN Services afterwards solves the problem. So what is the Fortigate doing? I am so confused about this! I even tried setting up management on a separate VDOM, but problem still persists... Any hints?
9 REPLIES 9
Rick_H
New Contributor III

It sounds like you are attempting to use transparent mode, but you are connecting your FortiGate between two separate subnets. If this is correct then this is likely your problem. In transparent mode you can deploy the FortiGate on either the inside or outside of your firewall/router, but not both at the same time. Typically you' ll have one interface of the FortiGate plugged directly into your firewall/router and the other interface plugged into your LAN so that all traffic is forced to traverse it. Which side you choose to deploy it is up to you and based completely on your needs. Also, when using transparent mode, you don' t need to use the dedicated Management interface. Just set the management IP address to something valid within the network the FortiGate sits in and enable the desired management protocols on the interface facing your inside network. EDIT: If you are using VDOMs then make sure you set the management VDOM to whichever VDOM needs to accept management traffic.
wcente
New Contributor

Hello Rick, thanks for reply. But it is not, what you concerned: I did not connect two LANs directly, the outside connection is a router and the outside LAN is connected via VPN by this router...
emnoc
Esteemed Contributor III

You explanation is confusing and the same for your initial dialog. The outside interface of the 3rd party router is not even required if you want to setup a L2 transparent firewall What you need todo; 1: take one interface on the firewall and let' s call that internal-lan-out, connect it to your router internal-lan interface 2: take one port on the firewall and let' s called that internal-lan-in, connect it to your switch or whatever port that the router was connected to. Next craft you fwpolices on the firewalls win regards to in-2-out for the 172.24.0.0/255.255.252.0 I would also create a LOCAL_LAN or LAN address object for that address space e.g config firewall address edit LAN set subnet 172.24.0.0/255.255.252.0 next And for all /32 hosts i.e edit mail-host set subnet 172.24.0.10/32 next edit dns-serv set subnet 172.24.0.11/32 next end This would ease management of fwpolicies

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
wcente
New Contributor

Well here' s exactly what I did: FGT60C: Interface Internal is connected to our internal Switch, where the subnet 172.24.0.0/255.255.252.0 is connected Wan1 is connected to the internal interface of a third party router, which has an IP 172.24.0.100 on this internal Interface, this router holds a VPN to a remote Subnet 172.24.4.0/255.255.252.0 The other interfaces which may not be used (DMZ, WAN2) have been turned " down" in Web GUI -> Network -> Interfaces The FGT60C is in transparent mode and has a management IP 172.24.0.101/255.255.252.0 I set up the following Adresses: LAN_INT 172.24.0.0/255.255.252.0 LAN_EXT 172.24.4.0/255.255.252.0 The Firewall ruleset is as follows (easy first, testing purposes): internal LAN_INT -> WAN1 LAN_EXT always any accept WAN1 LAN_EXT -> internal LAN_INT always any accept That' s all that happened, and with this configuration the errors appear... This is of course not my very first setup, so I thought I' m quite familar with Fortis, I never had those experiences like above!
emnoc
Esteemed Contributor III

Will that looks right and assuming you have no vlan tagging & a one flat layer2net work , hence no forwarding domains. I' m guess you do have the unit in TP mode? config system settings set opmode transparent end ( I know it' s stupid to ask but I' ve had clients who did do this step :) ) So can you tell what' s flooding your lan? Review the session table and packet sniffer between" LAN_INT" and " LAN_EXT" interfaces. If traffic is present, than it should be in the session table of the unit and you can quick id the traffic type(s). Also on the switch+router, are you sure no other security mechanism where in place for these devices? Port-security or some types of filtering?

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
ede_pfau
SuperUser
SuperUser

Have a good look at your interface IPs! You may not assign a " x.y.z.0" to a host - this is the broadcast address. This will probably cause your LAN confusion.
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
FortiRack_Eric
New Contributor III

Perhaps you are familiar with Fortigates but my guess is, all in NAT/ROUTE mode not in TP (transparent). There is no routing in TP mode, every interface in the TP mode vdom or unit if not in vdom mode is bridged so in fact a switch. So how would you expect 172.24.0.0/23 lan to connect to a 172.24.4.0/23 network on the other side? From my point of view reading through the info you don' t need a transparent setup but a nat/routed one. Cheers, Eric

Rackmount your Fortinet --> http://www.rackmount.it/fortirack

 

Rackmount your Fortinet --> http://www.rackmount.it/fortirack
ede_pfau
SuperUser
SuperUser

@Eric: a 255.255.252.0 netmask is a /22, not a /23. But your comment (miraculously) still holds true :-) @wcente: It comprises 4 Class C (/24) subnets. So, subnet 172.24.[0-3].x is covered but I cannot see how you can contact the router in the 172.24.4.x subnet - are you 100% sure about the netmask and addresses? And besides, the " .0" cannot be a host address - did you have a look at this?
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
emnoc
Esteemed Contributor III

You may not assign a " x.y.z.0" to a host - this is the broadcast address. This will probably cause your LAN confusion.
Not true at all. For the mask he has identified, 0+255s are valid for the 255.255.252.0 in his case the range fore example is 172.24.0.1-172.24.3.254 for valid ip_address. 172.24.0.0 = network 172.24.3.255 = broadcast or 1022 useable address. http://tuxgraphics.org/toolbox/network_address_calculator_add.html Now I don' t know why we are harping on that now, since nowhere has he spoken of using a broadcast/network address on a interface of a host. What he needs to do is to validate his topo and if he is still having problems, run diag cmds looking at packet sniffer and interface errors ( duplex-mismatch or crc errors ) I would even go as far as to change the interfaces on the FGT to 2 different interfaces that are not part of a internal-switch for the L2-TP in/out interfaces i.e wan1/wan2

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors