Dear All,
A few months ago I configured a VLAN on my network and it worked correctly. After I changed the router to an FTG 80C (5.2.5) the VLAN stopped working. I use an HP switch which supports VLANs - I didn't change the configuration on it. I use advanced routing on the FTG.
Idea is:
LAN - 192.168.1.0/24
VLAN - 192.168.5.0/24 - access to Internet but no access to LAN
Fortigate 192.168.1.99 <-> hp switch 192.168.1.106 (VLAN 192.168.5.2) <-> tp-link switch (WAN 192.168.5.3)
I added a VLAN interface 192.168.5.1 on the FTG and a policy VLAN -> WAN.
When I am connected to the tp-link I have no access to the Internet - I can ping 192.168.5.2 but I can't ping 192.168.5.1 (the VLAN interface on the Fortigate). I think that I should add some Static Routes or Policy Routes?
Thank You in advance,
Bart.
Sorry for the second post but I can only upload one attachment. Please see the VLAN information from the HP switch.
I think the error is
"id=20085 trace_id=1 func=ip_route_input_slow line=1273 msg="reverse path check fail, drop""
That means that you are missing a route for 192.168.5.0/24 (I guess) behind WiFiguests.
Once you add that static route, try again.
If you still can't access, try to run another debug and attach the file.
By the way, I suggest you give another check to your firewall policies and routing.
Cheers!
Run diagnose debug again and let's see what happens.
I found the bug ... I set up the wrong mask on the VLAN interface - it was 192.168.5.1/255.255.255.255, today I've changed it to 192.168.5.1/255.255.255.0 and it works :)
That's not a bug, that's human error ;)
btw, FortiOS is flawed in that it allows a /32 on 802.1Q interfaces, but the catch:
it will not be present in your route table as a connected route
it will not be present in the routing-all output
and only the get router info kernel output will show the route
PCNSE
NSE
StrongSwan
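To make the two points of this thread concrete (the "reverse path check fail, drop" message, and why a /32 mask on the VLAN interface produces no usable connected route), here is a small route-table and strict reverse-path-forwarding simulation. This is an added illustration written for this page, not FortiOS code or the poster's configuration; the interface names (lan, vlan5, wan) and the default route via wan are assumptions, and the addresses are the ones quoted in the thread.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str


def build_table(interfaces, statics):
    """Build a route table from interface (name, 'addr/mask') pairs plus
    static (prefix, interface) entries.  A /32 interface address yields only
    a host route to the interface itself, so no other host on that VLAN is
    reachable as 'connected' - the symptom reported in this thread."""
    routes = []
    for name, cidr in interfaces:
        net = ipaddress.ip_interface(cidr).network  # dotted masks accepted
        routes.append(Route(net, name))
    for prefix, name in statics:
        routes.append(Route(ipaddress.ip_network(prefix), name))
    return routes


def lookup(routes, addr):
    """Longest-prefix match; returns the winning Route or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for r in routes:
        if ip in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def reverse_path_check(routes, src, ingress_iface):
    """Strict RPF as the kernel log line implies: a packet is accepted only if
    the best route back to its source address leaves via the interface the
    packet arrived on.  Returns (accepted, reason)."""
    r = lookup(routes, src)
    if r is None:
        return False, "no route to source"
    if r.interface != ingress_iface:
        return False, f"route to {src} points to {r.interface}, not {ingress_iface}"
    return True, f"ok via {r.prefix} on {r.interface}"


# Assumed topology: lan on the Fortigate, the VLAN interface, default route via wan.
WRONG_MASK = [("lan", "192.168.1.99/255.255.255.0"),
              ("vlan5", "192.168.5.1/255.255.255.255")]   # the /32 mistake
RIGHT_MASK = [("lan", "192.168.1.99/255.255.255.0"),
              ("vlan5", "192.168.5.1/255.255.255.0")]
STATICS = [("0.0.0.0/0", "wan")]


def demo():
    """Evaluate a WiFi-guest packet (src 192.168.5.2 arriving on vlan5) under both masks."""
    bad = build_table(WRONG_MASK, STATICS)
    good = build_table(RIGHT_MASK, STATICS)
    return {
        "wrong_mask": reverse_path_check(bad, "192.168.5.2", "vlan5"),
        "right_mask": reverse_path_check(good, "192.168.5.2", "vlan5"),
        # a LAN source address arriving on the VLAN port is dropped even with the right mask
        "spoofed_lan_src": reverse_path_check(good, "192.168.1.50", "vlan5"),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:16s} {'ACCEPT' if ok else 'DROP':6s} {why}")
```

With the /32 mask the only route containing 192.168.5.2 is the default route, which points at wan, so the packet from the guest network fails the reverse-path check and is dropped exactly as the debug output showed; with the /24 mask the connected route 192.168.5.0/24 appears on vlan5 and the check passes. The third case shows why the check is worth keeping: a packet claiming a LAN source address but arriving on the VLAN interface is still dropped.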
Hi,
thank you for the answers. Please see the network scheme. When I'm connected to WIFI Guest I can ping 192.168.5.2 but not 192.168.5.1. I can't ping 8.8.8.8 - so this is not a DNS problem. When I'm connected to the LAN (192.168.1.XXX) I can ping 192.168.5.1 but not 192.168.5.2 - I think it is ok. Internet works ok on the LAN network.
Regards,
Bart.