- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- RE: Unable to connect to devices on same subnet
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Unable to connect to devices on same subnet
I have a strange predicament. This is the lowdown:
Fortinet Setup:
Internal - 192.168.40.1
DMZ sub-interface- 172.16.4.1
On any PC in the internal subnet (192.168.40.x) I can ping the Fortigate at either 172.16.4.1 or 192.168.4.1.
When I try to connect to two other devices (one is a wireless switch, the other is the core network switch) at 172.16.4.250 and 172.16.4.254 I can' t. ICMP responds with ' destination host unreachable' . I' ve tried from PC' s on the local network, and also from the Fortigate itself.
The HP switch also has an internal address that I can connect to (192.168.40.254). There are VLANs setup on the HP switch but all the ports have the same VLAN settings so that shouldn' t be a problem.
Does anyone have an idea why I can' t get to these two devices? If I understand correctly, since 172.16.4.1 is a directly connected route, the rest of the subnet should be accessible as well, but that' s an assumption.
Thanks in advance.
3 REPLIES 3
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The title of this message is somewhat confusing :)
Am i right in presuming that you are using A VLAN trunk to the switch from the internal interface? and that you are NOT using the DMZ interface, but instead an VLan subinterface?
On that presumption, then you will need to have the internal interface also assigned a vlan ID as well as the DMZ sub interface. then routing between the two will work, as long as you have rules to allow it.
So if you are trying to connect from internal vlan1 to DMZ vlan2 for example, then you will need have firewall rules to allow it, so an INT -> DMZ allow and a DMZ -> INT for the other direction.
But, its unusual to have a core switch on the DMZ... and if its a true DMZ, then you wouldnt want any DMZ -> INTERNAL traffic allowed.
UK Based Technical Consultant
FCSE v2.5
FCSE v2.8
FCNSP v3
Specialising in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT experience.
UK Based Technical Consultant FCSE v2.5 FCSE v2.8 FCNSP v3 Specialising
in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT
experience.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The title might be confusing because I' m confused!!
I' ll try to be a little more concise.
/edit - The exact error from pinging the units from 192.168.40.x to 172.16.4.x is " Reply from 192.168.40.1: Destination host unreachable" , implying the internat interface can' t find a route to 172.16.4.x /edit
The DMZ isn' t really being used as such. The VLAN sub-interface (call it the MGMT interface) on the DMZ port has the address of 172.16.4.1 on Vlan 2. The physical Internal interface has the address of 192.168.40.1. It is not a Vlan, but the actual, physical interface.
I have policies allowing all traffic from any souce to any destination on the MGMT interface from the Internal interface, as well as the converse (for troubleshooting purposes). In effect, the firewall should be wide open between the two interfaces.
I' m not sure I understand your suggestion, but here goes...
With the above setup, the Internal interface needs to be a Vlan interface? Is that accurate? If so, how do I make it so? Would I have to create a Vlan sub-interface below it? I don' t understand how making it a Vlan will help traffic flow between the two interfaces.
In any case, I appreciate your help. I' m dead in the water with this one!!
Cheers.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
if you create a vlan sub-interface, then the cable to the port needs to go to a switch that is configured to have it as a vlan trunk port.
without that you cannot use sub-interfaces, they are purely for vlan usage.
you can omit the vlan ID on the native interface, only if your switch also supports the native vlan ID traffic.
What exactly are you trying to achieve?
What you have configured is if the switch its connected to has multiple vlans within it, and you want the fortinet to provide the routing between them. But as stated above, that connecting switch port must be trunk enabled (ie be set for tag for at least the internal vlan and dmz vlan.
If the DMZ sub-interface is purely for firewall mgmt, then whats the point?
UK Based Technical Consultant
FCSE v2.5
FCSE v2.8
FCNSP v3
Specialising in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT experience.
UK Based Technical Consultant FCSE v2.5 FCSE v2.8 FCNSP v3 Specialising
in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT
experience.
Related Posts
- S2S VPN Traffic from a 1GB... 31 Views
- FortiAP 231F not connecting to FG 172 Views
- FortiAP offline/disconnected 107 Views
- SSL VPN Country Restriction 812 Views
- Windows error Forticlient script error access... 711 Views
Labels
-
FortiGate
6,924 -
FortiClient
1,365 -
5.2
801 -
5.4
639 -
FortiManager
598 -
FortiAnalyzer
438 -
6.0
416 -
5.6
362 -
FortiAP
361 -
FortiSwitch
357 -
FortiClient EMS
280 -
FortiMail
269 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
168 -
6.4
128 -
FortiNAC
122 -
FortiGuard
111 -
IPsec
97 -
FortiGateCloud
91 -
FortiSIEM
91 -
SSL-VPN
85 -
FortiCloud Products
85 -
FortiToken
75 -
Customer Service
70 -
4.0MR3
64 -
Wireless Controller
63 -
FortiProxy
48 -
FortiADC
45 -
FortiEDR
42 -
SD-WAN
41 -
Fortivoice
41 -
FortiDNS
37 -
FortiExtender
35 -
FortiGate v5.4
35 -
FortiSandbox
33 -
FortiSwitch v6.4
32 -
Firewall policy
31 -
VLAN
27 -
High Availability
27 -
FortiAuthenticator
26 -
FortiConnect
24 -
FortiWAN
23 -
ZTNA
21 -
FortiConverter
21 -
FortiGate v5.2
19 -
DNS
19 -
FortiPortal
18 -
FortiSwitch v6.2
17 -
SAML
17 -
LDAP
17 -
Certificate
17 -
BGP
16 -
VDOM
16 -
FortiMonitor
14 -
Interface
14 -
Logging
14 -
Authentication
13 -
FortiGate v5.0
13 -
FortiLink
13 -
Routing
13 -
FortiDDoS
13 -
FortiCASB
12 -
NAT
11 -
RADIUS
10 -
SSL SSH inspection
10 -
Traffic shaping
10 -
Virtual IP
10 -
SSO
10 -
FortiRecorder
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
Fortigate Cloud
9 -
4.0MR2
9 -
SSID
8 -
FortiBridge
8 -
WAN optimization
8 -
Application control
8 -
FortiGate v4.0 MR3
8 -
IP address management - IPAM
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
SNMP
7 -
Web profile
7 -
Admin
7 -
4.0
7 -
Security profile
6 -
Traffic shaping policy
6 -
Web application firewall profile
6 -
Proxy policy
5 -
Packet capture
5 -
FortiAP profile
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
IPS signature
4 -
Antivirus profile
4 -
Automation
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
trunk
4 -
Port policy
4 -
FortiDeceptor
3 -
Fortinet Engage Partner Program
3 -
FortiToken Cloud
3 -
Traffic shaping profile
3 -
FortiPAM
3 -
DoS policy
3 -
Email filter profile
3 -
Web rating
3 -
Intrusion prevention
3 -
FortiDB
3 -
System settings
2 -
FortiInsight
2 -
NAC policy
2 -
Users
2 -
VoIP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Fabric connector
2 -
Netflow
2 -
Multicast routing
2 -
Protocol option
2 -
4.0MR1
1 -
TACACS
1 -
Replacement messages
1 -
Subscription Renewal Policy
1 -
Schedule
1 -
FortiCWP
1 -
FortiNDR
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
Explicit proxy
1 -
Zone
1
Top Kudoed Authors
| User | Count |
|---|---|
| 986 | |
| 821 | |
| 457 | |
| 440 | |
| 131 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.