Dear All,
A few months ago I configured a VLAN on my network and it worked correctly. After I changed the router to an FTG 80C (5.2.5) the VLAN stopped working. I use an HP switch which supports VLANs - I didn't change the configuration on it. I use advanced routing on the FTG.
The idea is:
LAN - 192.168.1.0/24
VLAN - 192.168.5.0/24 - access to Internet but no access to LAN
Fortigate 192.168.1.99 <-> hp switch 192.168.1.106 (VLAN 192.168.5.2) <-> tp-link switch (WAN 192.168.5.3)
I added a VLAN interface 192.168.5.1 on the FTG and a policy VLAN -> WAN.
When I am connected to the TP-Link I have no access to the Internet - I can ping 192.168.5.2 but I can't ping 192.168.5.1 (the VLAN interface on the Fortigate). I think that I should add some static routes or policy routes?
Thank You in advance,
Bart.
Sorry for the second post but I can only upload one attachment. Please see the VLAN information from the HP switch.
I think the error is
"id=20085 trace_id=1 func=ip_route_input_slow line=1273 msg="reverse path check fail, drop""
That means that you are missing a route for 192.168.5.0/24 (I guess) behind WiFiguests.
Once you add that static route, try again.
If you still can't access, try to run another debug and attach the file.
By the way, I suggest you give another check to your firewall policies and routing.
Cheers!
Suggestion: A network topology of your configuration would be very helpful. Does the lan interface work? Is the VLAN L3 configured on the FGT or elsewhere?
PCNSE
NSE
StrongSwan
Hey Sceda,
Could you run the below debugs in the Fortigate's CLI while trying to ping 8.8.8.8?
diag debug reset
diag debug enable
diag debug flow show console enable
diag debug flow filter addr 192.168.5.x
diag debug flow trace start 200
and when finished run: diag debug disable
Regards,
JNCIA, CCNP R/S, NSE4 , NSE7, Associate of (ISC)²
Hey Bart,
No problem. Could you post the Fortigate CLI diag flow output of that ping test?
After taking a look at your topology, I have a couple of theories:
1. Your HP switch is not tagging, or is tagging the wrong VLAN associated with the 192.168.5.x subnet. This would result in a Reverse Path Check fail and packets would be dropped at the Fortigate. Solution: Make the port facing the WiFi guest router an access port to tag the correct VLAN.
2. Next, the link connected directly to the Fortigate from the HP switch is not trunking/tagging the VLAN associated with the 192.168.5.x subnet. Traffic never makes it to the Fortigate. Solution: Allow the VLAN across the trunk link interfacing with the Fortigate.
3. Next, WiFi users on 192.168.50.x are not NATing behind 192.168.5.3 and are making it to the Fortigate with a source IP of 192.168.50.x, for which the Fortigate does not have a route back to 192.168.5.3, resulting in a Reverse Path Check fail and packets would be dropped at the Fortigate. Solution: Add a static route for 192.168.50.x pointing to 192.168.5.3.
4. Lastly, the Fortigate VLAN sub-interface has the incorrect VLAN associated. This would result in a Reverse Path Check fail and packets would be dropped at the Fortigate. Solution: Match the VLAN interface with the VLAN of incoming packets associated with 192.168.5.x / 192.168.50.x.
Along with the diag flow output, provide 'show full sys int' output. With those two pieces of information the problem should be able to be identified.
Regards,
Daniel
JNCIA, CCNP R/S, NSE4 , NSE7, Associate of (ISC)²
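For readers following Daniel's theories 3 and 4 and the earlier suggestion to add a static route, here is what the three relevant pieces of FortiGate configuration look like in the CLI. This is an added example, not configuration posted by anyone in the thread: the VLAN ID (5), the physical port the HP switch trunk lands on ("internal"), the interface name "WiFiguest" and the wan2 policy are assumptions taken from the thread's description, so match them to the VLAN ID actually configured on the HP switch and to your own port names.

```fortios
# Assumed: VLAN 5 is the WiFiguest VLAN on the HP switch, and the switch's
# port 21 (connected to the FortiGate) carries it TAGGED on port "internal".
# If the FortiGate VLAN ID does not match the tag on the wire, the packets
# never reach this interface and the reverse path check fails (theory 4).
config system interface
    edit "WiFiguest"
        set vdom "root"
        set ip 192.168.5.1 255.255.255.0
        set allowaccess ping
        set interface "internal"
        set vlanid 5
    next
end

# The TP-Link's WAN side is 192.168.5.3 and its guests sit on 192.168.50.x.
# If the TP-Link does not NAT, packets arrive with a 192.168.50.x source,
# and the FortiGate drops them with "reverse path check fail" unless it has a
# route back to that subnet via the VLAN interface (theory 3). This route
# makes the RPF check succeed; it is harmless if the TP-Link does NAT.
config router static
    edit 0
        set dst 192.168.50.0 255.255.255.0
        set gateway 192.168.5.3
        set device "WiFiguest"
    next
end

# Internet access for the guest VLAN only. No WiFiguest -> internal policy
# exists, so guest-to-LAN traffic (192.168.1.0/24) is denied by the implicit
# deny policy, which is the isolation the original post asks for.
config firewall policy
    edit 0
        set srcintf "WiFiguest"
        set dstintf "wan2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

After applying this, re-run the `diag debug flow` commands from the earlier post with `filter addr 192.168.5.3` while pinging 8.8.8.8 from a guest client; if the trace still shows "reverse path check fail", the source address in the trace tells you whether the TP-Link is NATing (source 192.168.5.3) or not (source 192.168.50.x), which decides whether the static route or the VLAN tagging on the HP switch is the remaining problem.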
Hi Daniel,
howardsinc wrote:
Hey Bart, No problem. Could you post the Fortigate CLI diag flow output of that ping test?
please see attached file.
howardsinc wrote:
After taking a look at your topology, I have a couple of theories: 1. Your HP Switch is not tagging, or tagging wrong VLAN associated with the 192.168.5.x subnet. This would result in a Reverse Path Check fail and packets would be dropped at Fortigate. Solution: Make port facing WiFi guest router a access port to tag correct VLAN
On the HP switch I have two VLANs - one is the default by HP and the second one is created by me (WiFiguest). Port 21 is connected to the Fortigate. Ports 20 and 21 are connected to TP-Link routers. Now I use only the router on port 20.
Ports 20 & 21 are untagged on VLAN WiFiguest because the TP-Link doesn't support VLANs - is it correct?
howardsinc wrote:
2. Next, Link connected directly to Fortigate from HP switch is not Trunking/Tagging the VLAN associate with 192.168.5.x subnet. Traffic never making it to the Fortigate Solution: Add allow vlan across trunk link interfacing with Fortigate
3. Next, Wifi users on 192.168.50.x are not NATing behind 192.168.5.3 and making it to the Fortigate with source IP of 192.168.50.x in which fortigate does not have a route back to 192.168.5.3, resulting in a Reverse Path Check fail and packets would be dropped at Fortigate. Solution: add static route 192.168.50.x pointing to 192.168.5.3
4. Lastly, Fortigate sub-vlan Interface has incorrect VLAN associated. This would result in a Reverse Path Check fail and packets would be dropped at Fortigate. Solution: Match Vlan interface with vlan of incoming packets associated with 192.168.5.x / 192.168.50.x
Along with the Diag flow output provide 'show full sys int' output. With those two pieces of information the problem should be able to be identified. Regards, Daniel
Regards,
Bart.
agreed, and diag debug flow is your friend ;)
PCNSE
NSE
StrongSwan
Thank you for the help but I didn't find the solution :( I tried a lot of configurations - I added a static route and a policy route to the Fortigate but I don't know what exactly should be there. I have a firewall policy WiFiguest->wan2 + NAT.
Bart.