Hello! I have a FortiGate 80F, internal address range 1. I created two VLANs on the FortiGate, 3 and 5, and set up SSL VPN 11. The VPN works fine, except that I can't reach any VLAN address, even though I set up a firewall rule for all of them and I have also selected the two VLAN addresses in the SSL VPN portal, in addition to the internal one, in the routing address override menu. I could not set a static route because I always got the error message: "Gateway IP is the same as the interface IP, please choose another IP address." I think this is a problem because the VLAN should be available on the local network, but there is no gateway between them. If anyone knows the solution, please help.
You don't need a route for communication to the VLAN interface, as it will be present as a connected/direct route in the FortiGate. When you say the interfaces are not reachable via SSL, can you run a diagnose sniffer command and check whether the ping requests to the VLAN interface are reaching the FortiGate via the SSL interface? Are you able to ping the VLAN interface directly from the FortiGate itself? Is ping enabled under interface access?
Hi! Ping is enabled on the network interface. Both 192.168.3.1 and the devices on the VLAN can be pinged from the FortiGate, but the client logging in on the VPN cannot see it. I can see the VLANs in the Windows routing table.
IsoPlus_Fortinet (5) # show
config firewall policy
    edit 5
        set name "vpn_internal"
        set uuid 8e3e8ad0-062d-51ee-b262-e8a055549309
        set srcintf "ssl.root"
        set dstintf "internal"
        set action accept
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "Internal"
        set schedule "always"
        set service "ALL"
        set groups "Remote users" "Remote admin" "Remote kulsos"
    next
end

IsoPlus_Fortinet (5) #
IsoPlus_Fortinet # config firewall policy
IsoPlus_Fortinet (policy) # edit "7"
IsoPlus_Fortinet (7) # show
config firewall policy
    edit 7
        set status disable
        set name "test"
        set uuid 2b07d1f8-261f-51ee-1b9c-44a5635c0cd9
        set srcintf "ssl.root"
        set dstintf "internal"
        set action accept
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "Szerver_Vlan address"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "default"
        set groups "Remote admin" "Remote kulsos" "Remote users"
        set comments " (Copy of vpn_internal)"
    next
end

Routing table for VRF=0
S* 0.0.0.0/0 [5/0] via 188.8.131.52, ppp2, [1/0]
C x.x.x.x/32 is directly connected, ppp2
C 184.108.40.206/32 is directly connected, ppp2
S 192.168.0.0/16 [10/0] via 192.168.4.1, internal, [1/0]
C 192.168.3.0/24 is directly connected, Szerver_Vlan
C 192.168.4.0/24 is directly connected, internal
C 192.168.5.0/24 is directly connected, Pc_Vlan
C 192.168.20.0/24 is directly connected, Voip_Vlan
C 192.168.70.0/24 is directly connected, teszt
C 192.168.100.0/24 is directly connected, Wifi_Vlan
The IP address of the FortiGate, 192.168.4.253, is used to connect to a pfSense with three virtual ports configured with 192.168.4.0/24, OpenVPN 192.168.20.0/24 and 192.168.1.0/24; this address range is shared by AD on DHCP to local clients. Now the task is to disable the pfSense, so I am trying to configure the FortiGate step by step.
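A way to cross-check pasted output like the above, as an added example that is not from the thread or from FortiOS: the script below parses a `show firewall policy` dump and a routing table, does a longest-prefix lookup for each destination address object, and flags any policy whose dstintf does not contain the interface the route lookup would select (on a FortiGate the egress interface comes from the route, so a policy towards a VLAN subnet needs that VLAN interface as dstintf). The address-object subnets and the trimmed routing table are constructed assumptions modelled on the output in this thread.

```python
import ipaddress
import re

# Constructed samples modelled on the thread (address-object subnets are assumed).
ADDRESS_OBJECTS = {"Internal": "192.168.4.0/24", "Szerver_Vlan address": "192.168.3.0/24"}
ROUTING_TABLE = """\
S 192.168.0.0/16 [10/0] via 192.168.4.1, internal, [1/0]
C 192.168.3.0/24 is directly connected, Szerver_Vlan
C 192.168.4.0/24 is directly connected, internal
"""
POLICY_DUMP = """\
    edit 7
        set dstintf "internal"
        set dstaddr "Szerver_Vlan address"
    next
"""

def parse_routes(text):
    """(network, interface) pairs from 'get router info routing-table all' output."""
    pairs = re.findall(r'^\S+\s+(\S+/\d+)\s.*?,\s*([^,\s]+)', text, re.M)
    return [(ipaddress.ip_network(n), i) for n, i in pairs]

def egress_interface(routes, subnet):
    """Longest-prefix match: the interface FortiOS would use to reach this subnet."""
    dst = ipaddress.ip_network(subnet)
    hits = [(r.prefixlen, i) for r, i in routes if dst.network_address in r]
    return max(hits)[1] if hits else None

def parse_policies(text):
    """'show firewall policy' -> list of {key: [quoted values]} per edit block."""
    policies, cur = [], None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("edit "):
            cur = {"id": line.split()[1]}
            policies.append(cur)
        elif line.startswith("set ") and cur is not None:
            key, _, rest = line[4:].partition(" ")
            cur[key] = re.findall(r'"([^"]*)"', rest)
    return policies

def interface_mismatches(policies, routes, objects=ADDRESS_OBJECTS):
    """Policies whose dstintf lacks the interface the route lookup picks for a dstaddr."""
    findings = []
    for pol in policies:
        for name in pol.get("dstaddr", []):
            real = egress_interface(routes, objects[name]) if name in objects else None
            if real and real not in pol.get("dstintf", []):
                findings.append((pol["id"], name, real))
    return findings
```

Run `interface_mismatches(parse_policies(POLICY_DUMP), parse_routes(ROUTING_TABLE))` to get a list of (policy id, address object, expected dstintf) tuples; an empty list means every destination is reachable through the interface the policy names.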