Hello!
I have a FortiGate 80F, internal address range 1.
I created two vlan on fortigate, 3 and 5 and set up ssl vpn 11. The vpn works fine, except that I can't reach any vlan address, even though I set up a firewall rule for all of them and I have also selected the two vlan addresses in the ssl vpn portal in addition to the internal one in the routing address override menu. I could not set static root because I always got the error message : Gateway IP is the same as the interface IP, please choose another IP address. I think this is a problem because the vlan should be available on the local network, but there is no gateway between them.
Please if anyone knows the solution please help.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
You don't need a route for the communication to the VLAN interface as they will be present as connected/direct route in fortigate.
When you say the interfaces are not reachable via SSL, can you run a diagnose sniffer command and check if the ping requests to vlan interface is reaching fortigate via ssl interface?
Are you able to ping the VLAN interface directly from the fortigate itself?
Is ping enabled under interface access ?
Hi !
Ping is enabled on the network interface.
Both 192.168.3.1 and the devices on the vlan can be pinged from FortiGate, but the client logging in on the vpn cannot see it.
I can see the vlans in the Windows routing table.
The diagnose sniffer command gives the following output.
Can you share the policy configuration?
IsoPlus_Fortinet # config firewall policy
IsoPlus_Fortinet (policy) # edit "5"
IsoPlus_Fortinet (5) # show
config firewall policy
edit 5
set name "vpn_internal"
set uuid 8e3e8ad0-062d-51ee-b262-e8a055549309
set srcintf "ssl.root"
set dstintf "internal"
set action accept
set srcaddr "SSLVPN_TUNNEL_ADDR1"
set dstaddr "Internal"
set schedule "always"
set service "ALL"
set groups "Remote users" "Remote admin" "Remote kulsos"
next
end
IsoPlus_Fortinet (5) #
IsoPlus_Fortinet # config firewall policy
IsoPlus_Fortinet (policy) # edit "7"
IsoPlus_Fortinet (7) # show
config firewall policy
edit 7
set status disable
set name "test"
set uuid 2b07d1f8-261f-51ee-1b9c-44a5635c0cd9
set srcintf "ssl.root"
set dstintf "internal"
set action accept
set srcaddr "SSLVPN_TUNNEL_ADDR1"
set dstaddr "Szerver_Vlan address"
set schedule "always"
set service "ALL"
set utm-status enable
set ssl-ssh-profile "certificate-inspection"
set av-profile "default"
set groups "Remote admin" "Remote kulsos" "Remote users"
set comments " (Copy of vpn_internal)"
next
end
IsoPlus_Fortinet (7) #
Both policy shows to interface as "internal", is 192.168.3.0,192.168.4.0 reachable via same interface? Can you share the route table from fortigate?
Routing table for VRF=0
S* 0.0.0.0/0 [5/0] via 109.74.50.255, ppp2, [1/0]
C x.x.x.x/32 is directly connected, ppp2
C 109.74.50.255/32 is directly connected, ppp2
S 192.168.0.0/16 [10/0] via 192.168.4.1, internal, [1/0]
C 192.168.3.0/24 is directly connected, Szerver_Vlan
C 192.168.4.0/24 is directly connected, internal
C 192.168.5.0/24 is directly connected, Pc_Vlan
C 192.168.20.0/24 is directly connected, Voip_Vlan
C 192.168.70.0/24 is directly connected, teszt
C 192.168.100.0/24 is directly connected, Wifi_Vlan
The ip address of fortigate 192.168.4.253 is used to connect to a pfsense with three virtual ports configured with 192.168.4.0/24, open vpn 192.168.20.0/24 and
192.168.1.0/24 , this address range is shared by AD on dhcp to local clients.
Now the task is to disable pfsens, so I am trying to configure fortigat step by step.
Next step would be to collect debug flow trace.
diagnose debug reset
diagnose debug flow filter saddr <Source IP>
diagnose debug flow filter daddr <Destination IP>
diagnose debug console timestamp enable
diagnose debug flow trace start
diagnose debug flow trace start 100
diagnose debug enable
Please remember to disable debug after the logs are captured.
diagnose debug disable
diagnose debug reset
IsoPlus_Fortinet # diagnose debug reset
IsoPlus_Fortinet # diagnose debug flow filter saddr 192.168.11.1
IsoPlus_Fortinet # diagnose debug flow filter daddr 192.168.3.1
IsoPlus_Fortinet # diagnose debug console timestamp enable
IsoPlus_Fortinet # diagnose debug flow trace start
IsoPlus_Fortinet # diagnose debug flow trace start 100
IsoPlus_Fortinet # diagnose debug enable
IsoPlus_Fortinet # 2023-07-28 08:00:49 id=65308 trace_id=229 func=print_pkt_detail line=5868 msg="vd-root:0 received a packet(proto=1, 1
92.168.11.1:1->192.168.3.1:2048) tun_id=0.0.0.0 from ssl.root. type=8, code=0, id=1, seq=273."
2023-07-28 08:00:49 id=65308 trace_id=229 func=init_ip_session_common line=6049 msg="allocate a new session-00708728, tun_id=0.0.0.0"
2023-07-28 08:00:49 id=65308 trace_id=229 func=vf_ip_route_input_common line=2605 msg="find a route: flag=84000000 gw-192.168.3.1 via ro
ot"
2023-07-28 08:00:49 id=65308 trace_id=229 func=__iprope_tree_check line=524 msg="gnum-100004, use int hash, slot=75, len=1"
2023-07-28 08:00:49 id=65308 trace_id=229 func=fw_local_in_handler line=538 msg="iprope_in_check() check failed on policy 0, drop"
2023-07-28 08:00:54 id=65308 trace_id=230 func=print_pkt_detail line=5868 msg="vd-root:0 received a packet(proto=1, 192.168.11.1:1->192.
168.3.1:2048) tun_id=0.0.0.0 from ssl.root. type=8, code=0, id=1, seq=274."
2023-07-28 08:00:54 id=65308 trace_id=230 func=init_ip_session_common line=6049 msg="allocate a new session-00708735, tun_id=0.0.0.0"
2023-07-28 08:00:54 id=65308 trace_id=230 func=vf_ip_route_input_common line=2605 msg="find a route: flag=84000000 gw-192.168.3.1 via ro
ot"
2023-07-28 08:00:54 id=65308 trace_id=230 func=__iprope_tree_check line=524 msg="gnum-100004, use int hash, slot=75, len=1"
2023-07-28 08:00:54 id=65308 trace_id=230 func=fw_local_in_handler line=538 msg="iprope_in_check() check failed on policy 0, drop"
2023-07-28 08:00:59 id=65308 trace_id=231 func=print_pkt_detail line=5868 msg="vd-root:0 received a packet(proto=1, 192.168.11.1:1->192.
168.3.1:2048) tun_id=0.0.0.0 from ssl.root. type=8, code=0, id=1, seq=275."
2023-07-28 08:00:59 id=65308 trace_id=231 func=init_ip_session_common line=6049 msg="allocate a new session-0070873b, tun_id=0.0.0.0"
2023-07-28 08:00:59 id=65308 trace_id=231 func=vf_ip_route_input_common line=2605 msg="find a route: flag=84000000 gw-192.168.3.1 via ro
ot"
2023-07-28 08:00:59 id=65308 trace_id=231 func=__iprope_tree_check line=524 msg="gnum-100004, use int hash, slot=75, len=1"
2023-07-28 08:00:59 id=65308 trace_id=231 func=fw_local_in_handler line=538 msg="iprope_in_check() check failed on policy 0, drop"
2023-07-28 08:01:04 id=65308 trace_id=232 func=print_pkt_detail line=5868 msg="vd-root:0 received a packet(proto=1, 192.168.11.1:1->192.
168.3.1:2048) tun_id=0.0.0.0 from ssl.root. type=8, code=0, id=1, seq=276."
2023-07-28 08:01:04 id=65308 trace_id=232 func=init_ip_session_common line=6049 msg="allocate a new session-0070873f, tun_id=0.0.0.0"
2023-07-28 08:01:04 id=65308 trace_id=232 func=vf_ip_route_input_common line=2605 msg="find a route: flag=84000000 gw-192.168.3.1 via ro
ot"
2023-07-28 08:01:04 id=65308 trace_id=232 func=__iprope_tree_check line=524 msg="gnum-100004, use int hash, slot=75, len=1"
2023-07-28 08:01:04 id=65308 trace_id=232 func=fw_local_in_handler line=538 msg="iprope_in_check() check failed on policy 0, drop"
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1641 | |
1069 | |
751 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.