Support Forum
carlaranzaso
New Contributor

VIP for PLC and a Data collector that are in different VLANs

Hi,

 

I was wondering if someone can help me on this. I am very new to networking and would like to check if I can do IP address translation on a layer 2 device with address 192.168.199.2 on my VLAN2 going to VLAN 1 with subnet 10.156.116.0/22. My intended translated address is 10.156.119.2 for this layer 2 device and will be using a kepserver ex v6 device from the vlan 1. Hope someone can assist me. Thanks

saleha
Staff

Hello,

Thank you for reaching out. I assume your goal is source NAT using the IP 10.156.119.2 as your external address. You will need to create an IP pool where that address is the external address and use it in a policy where the source interface is VLAN2 and the destination interface is VLAN1, while the source subnet is the one containing 192.168.199.2 and the destination subnet is 10.156.116.0/22. Bear in mind that if this is just a single device talking to another single device, you can limit the source and destination addresses to a /32 if you want. Here is an example of how it would look:

CLI:

config firewall ippool
    edit "kepserver NAT"
        set startip 10.156.119.2
        set endip 10.156.119.2
    next
end

config firewall policy
    edit 2
        set name "kepserver_policy"
        set uuid 6d8c85ac-cddd-51ef-3f42-3b0bd35aebdd
        set srcintf "vlan2"
        set dstintf "vlan1"
        set action accept
        set srcaddr "vlan2 address"
        set dstaddr "vlan1 address"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
        set port-preserve disable
        set ippool enable
        set poolname "kepserver NAT"
    next
end

Thank you,

saleha

carlaranzaso

Hi saleha,

I have followed your configuration but still could not ping 10.156.119.2 in VLAN 1.

Here is my configuration.

dingjerry_FTNT

Hi @carlaranzaso ,

Again, your requirements are vague. We, or at least I, have to guess what you are going to do.

Please check my first reply. And here are more questions:

1) Are you not allowing the VLAN1 subnet 10.156.116.0/22 to access the PLC address 192.168.199.2/32 directly?

2) Do you want the VLAN1 subnet 10.156.116.0/22 to access the PLC address 192.168.199.2/32 via the IP 10.156.119.2?

If yes to both, you have to use a VIP for the PLC address, as in the following KB:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Virtual-IP-VIP-port-forwarding-configurati...

NOTE: You do not have to enable port forwarding; it is optional. Use 10.156.119.2 as the external IP and 192.168.199.2 as the mapped IP, and the VLAN1 interface as extintf (external interface).

Apply this VIP in the firewall policy from VLAN1 to VLAN2.

And you don't have to use an IP Pool if you have the VIP configured. Just turn on NAT in the firewall policy from VLAN2 to VLAN1.

Regards,

Jerry
carlaranzaso

Hi @dingjerry_FTNT,

I need the VLAN1 subnet 10.156.116.0/22 to access the PLC address via IP 10.156.119.2. The PLC is in VLAN 2 with address 192.168.199.2. When you say "VLAN1 subnet 10.156.116.0/22 to access the PLC address 192.168.199.2/32 via the IP 10.156.119.2", does it mean the 10.156.119.2 address will be available in VLAN 1 also?

dingjerry_FTNT

Hi @carlaranzaso ,

The IP 10.156.119.2 belongs to the subnet 10.156.116.0/22.

If you don't know how to identify it, you may use this website as a tool:

https://www.calculator.net/ip-subnet-calculator.html

Regards,

Jerry
dingjerry_FTNT

And it's your responsibility, or your network admin's or networking team's responsibility, to make sure that the IP 10.156.119.2 is not already in use before you apply it in the VIP configuration.

Regards,

Jerry
dingjerry_FTNT

Hi @carlaranzaso ,

Your requirements are vague.

My understanding is as below, but I am not sure whether it is correct and need you to confirm:

1) You have a layer 2 device with address 192.168.199.2 on VLAN2

2) You need to allow this L2 device to access the subnet 10.156.116.0/22 on VLAN1

3) You want the L2 device to appear as 10.156.119.2 while accessing the VLAN1 subnet

If so, this is source NAT and you may just use the IP Pool. Please check this KB:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-configure-SNAT-with-IP-pool/ta-p/19...

Regards,

Jerry
saleha
Staff

Hi carlaranzaso,

Thank you for the reply. As noted on this forum by dingjerry_FTNT, there are some gaps in the information. I see that you used the one-to-one type for the IP pool, which is a possible bottleneck. Have you tried switching to the "overload" type? If that fails, I would recommend troubleshooting the issue by following the traffic and checking whether it is stopping at the firewall or not:

- disable auto-asic-offload to allow full details in the debug:

config firewall policy
    edit <policy id number>
        set auto-asic-offload disable
    next
end

- run debug flow while reproducing the problem (replace the x with the actual IP address of the destination machine):

# diagnose debug flow filter addr 192.168.199.2 10.156.116.x and
# diagnose debug flow show function enable
# diagnose debug flow trace start 30
# diagnose debug console time enable
# diagnose debug enable

You can share the output here if you want us to take a look.

Thank you,

saleha

carlaranzaso
New Contributor

Hello @saleha @dingjerry_FTNT ,

To clarify the gaps in the information I have shared, this is what I want to do.

VLAN 1 - 10.156.116.0/22
VLAN 2 - 192.168.199.0/24
Device in VLAN 1 - 10.156.116.1
Device in VLAN 2 - 192.168.199.2

I want to translate 192.168.199.2, which is currently in VLAN 2, to 10.156.119.2 in VLAN 1. Is this possible given that 192.168.199.2 is a PLC without a gateway configured on that device?
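As an added example (not posted by anyone in this thread), here is the VIP approach Jerry describes written out as FortiOS CLI, using the addresses from the thread. The object names "plc_vip" and "vlan1_subnet" and the interface names "vlan1" and "vlan2" are assumptions. The PLC having no default gateway (the last question) is covered by enabling NAT on the inbound VLAN1-to-VLAN2 policy: with no IP pool set, FortiOS translates the source to its own vlan2 interface address, so the PLC's replies stay inside 192.168.199.0/24 and need no gateway. The VLAN2-to-VLAN1 policy with NAT that Jerry mentions only matters if the PLC initiates connections, which it cannot do without a gateway, so it is omitted here.

```fortios
# Added example. Assumed names: vip "plc_vip", address "vlan1_subnet",
# interfaces "vlan1" and "vlan2". IPs are the ones given in the thread.

# VIP: 10.156.119.2 on VLAN1 is answered by the FortiGate and mapped
# to the PLC. Port forwarding is left off, so every port is forwarded;
# enable it and list only the PLC protocol's port if you want to narrow it.
config firewall vip
    edit "plc_vip"
        set extip 10.156.119.2
        set extintf "vlan1"
        set mappedip "192.168.199.2"
    next
end

# Address object for the VLAN1 subnet (/22 = 255.255.252.0).
config firewall address
    edit "vlan1_subnet"
        set subnet 10.156.116.0 255.255.252.0
    next
end

# Inbound policy: VLAN1 hosts reach the PLC via the VIP.
# "set nat enable" with no ippool = source NAT to the FortiGate's own vlan2
# address, so a gateway-less PLC can still reply (reply stays on-subnet).
# "edit 0" lets FortiOS assign the next free policy ID.
# Service "ALL" mirrors the thread; restricting it to the PLC protocol's
# port is the safer choice once the traffic is confirmed working.
config firewall policy
    edit 0
        set name "vlan1_to_plc"
        set srcintf "vlan1"
        set dstintf "vlan2"
        set srcaddr "vlan1_subnet"
        set dstaddr "plc_vip"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
end
```

After applying it, the debug flow commands saleha posted (filtering on 192.168.199.2 and the VLAN1 host) should show the DNAT to 192.168.199.2 and the SNAT to the vlan2 interface address on the same session.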
