Support Forum
digimetrica
New Contributor

Weird route behaviour in 5.6

Hello,

We manage several FortiGates and this is the first time I am clueless about an issue. I am UNABLE to reach the whole DMZ from the internal LAN.

WAN -> DMZ works.
DMZ -> Internal works (it was a test).
LAN -> DMZ doesn't work.

The policy was a plain one: Internal -> DMZ, all open. We have tried a single PC connected to the internal, just to exclude other network devices in the LAN. Looking at the flow debug, it seems traffic goes toward the default gateway to the Internet. Even with a traceroute, the first steps are * * * *. I even tried to add static routes to the client and it doesn't work; the firewall's DMZ IP is reachable!!! I don't know what else to look at, since this is something I have done for years and it's easy to implement.

net1
New Contributor

Hi,

Are you trying to reach the DMZ via the external (mapped) IP through NAT, or directly (private to private IP) ...

The only thing (AFAIK) which changed is the need for hairpinning when trying to reach internal networks from internal (via NAT) - this changed from 5.2 to 5.4 ...


-

300C x1, 200E x4, 240D x2, 200D x4, 101E x2, 100E x4, 100D x12, 80C x2, 70D x2, 61E x2, 60E x2, 60D x30, 60C x24, 60B x9, 50E x20, 50B x17, 40C x17, 30E x3

FortiMail VMs

FortiAnalyzer VMs

FortiSandbox (testrun)

digimetrica

Hello,

private to private (192.168.1.x reaching a 192.168.2.10)

Reaching the server using a mapped IP from the WAN works.

net1

Hi,

Interesting ... did you try to ping via the FortiGate CLI?

First set the source IP with: 'execute ping-options source 192.168.1.x' (so it will ping from the internal LAN)

Then a simple ping: 'execute ping 192.168.2.10'

Does this work?

digimetrica

Yes, I can ping from the FortiGate CLI using a LAN address.

I have practically made every test possible.

I manage over 40 FortiGates and this is the first time I am dealing with such a thing; I even opened a ticket :(

My concern might be the latest firmware, 5.6.

I just can't see what's wrong, really. Even a 'show route info' shows me that 192.168.2.0/24 is connected.

Doing a policy lookup for a ping from 192.168.1.x to 192.168.2.x doesn't match any policy except internal -> wan.

net1

Okay, that's strange - the policy lookup shows no matching policy for your ping request?

I think that no policy matches because of incorrect internal routing ...

Is it possible to paste the CLI output for your interface configuration of LAN and DMZ?

(conf sys interface -> edit lan -> show)

Also the output of 'diag ip route list' ...

digimetrica

It is strange :)

config system interface
    edit "internal1"
        set vdom "root"
        set ip 192.168.1.1 255.255.255.0
        set allowaccess ping https ssh
        set type physical
        set role lan
        set snmp-index 13
    next
end

config system interface
    edit "dmz"
        set vdom "root"
        set ip 192.168.2.1 255.255.255.0
        set allowaccess ping
        set type physical
        set netflow-sampler both
        set role dmz
        set snmp-index 1
    next
end

tab=254 vf=0 scope=0 type=1 proto=14 prio=10 0.0.0.0/0.0.0.0/0->10.212.134.210/32 pref=0.0.0.0 gwy=0.0.0.0 dev=17(ssl.root)
tab=254 vf=0 scope=0 type=1 proto=14 prio=10 0.0.0.0/0.0.0.0/0->10.212.134.208/31 pref=0.0.0.0 gwy=0.0.0.0 dev=17(ssl.root)
tab=254 vf=0 scope=0 type=1 proto=14 prio=10 0.0.0.0/0.0.0.0/0->10.212.134.200/29 pref=0.0.0.0 gwy=0.0.0.0 dev=17(ssl.root)
tab=254 vf=0 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->xxx.xxx.xxx.64/28 pref=xxx.xxx.xxx.67 gwy=0.0.0.0 dev=5(wan1)
tab=254 vf=0 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->192.168.130.0/24 pref=192.168.130.254 gwy=0.0.0.0 dev=8(internal2)
tab=254 vf=0 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->192.168.2.0/24 pref=192.168.2.1 gwy=0.0.0.0 dev=4(dmz)
tab=254 vf=0 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->172.16.0.0/24 pref=172.16.0.1 gwy=0.0.0.0 dev=11(internal5)
tab=254 vf=0 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->192.168.1.0/24 pref=192.168.1.1 gwy=0.0.0.0 dev=7(internal1)
tab=254 vf=0 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->172.16.1.0/24 pref=172.16.1.254 gwy=0.0.0.0 dev=6(wan2)
tab=254 vf=0 scope=0 type=1 proto=11 prio=0 0.0.0.0/0.0.0.0/0->192.9.200.0/24 pref=0.0.0.0 gwy=0.0.0.0 dev=18(AranSede_Fase1)
tab=254 vf=0 scope=0 type=1 proto=11 prio=0 0.0.0.0/0.0.0.0/0->192.9.202.0/24 pref=0.0.0.0 gwy=0.0.0.0 dev=18(AranSede_Fase1)
tab=254 vf=0 scope=0 type=1 proto=11 prio=0 0.0.0.0/0.0.0.0/0->192.168.143.0/24 pref=0.0.0.0 gwy=192.168.130.253 dev=8(internal2)
tab=254 vf=0 scope=0 type=1 proto=11 prio=0 0.0.0.0/0.0.0.0/0->192.9.204.0/24 pref=0.0.0.0 gwy=0.0.0.0 dev=18(AranSede_Fase1)
tab=254 vf=0 scope=0 type=1 proto=11 prio=0 0.0.0.0/0.0.0.0/0->192.168.142.0/24 pref=0.0.0.0 gwy=192.168.130.253 dev=8(internal2)
tab=254 vf=0 scope=0 type=1 proto=11 prio=0 0.0.0.0/0.0.0.0/0->190.1.1.0/24 pref=0.0.0.0 gwy=0.0.0.0 dev=18(AranSede_Fase1)
tab=254 vf=0 scope=0 type=1 proto=11 prio=0 0.0.0.0/0.0.0.0/0->192.168.141.0/24 pref=0.0.0.0 gwy=192.168.130.253 dev=8(internal2)
tab=254 vf=0 scope=0 type=1 proto=11 prio=0 0.0.0.0/0.0.0.0/0->192.168.140.0/24 pref=0.0.0.0 gwy=192.168.130.253 dev=8(internal2)
tab=254 vf=0 scope=0 type=1 proto=11 prio=0 0.0.0.0/0.0.0.0/0->0.0.0.0/0 pref=0.0.0.0 gwy=xxx.xxx.xxx.65 dev=5(wan1)
tab=255 vf=0 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->192.168.1.1/32 pref=192.168.1.1 gwy=0.0.0.0 dev=7(internal1)
tab=255 vf=0 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->192.168.130.255/32 pref=192.168.130.254 gwy=0.0.0.0 dev=8(internal2)
tab=255 vf=0 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->192.168.1.0/32 pref=192.168.1.1 gwy=0.0.0.0 dev=7(internal1)
tab=255 vf=0 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->192.168.130.254/32 pref=192.168.130.254 gwy=0.0.0.0 dev=8(internal2)
tab=255 vf=0 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->192.168.2.255/32 pref=192.168.2.1 gwy=0.0.0.0 dev=4(dmz)
tab=255 vf=0 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->127.255.255.255/32 pref=127.0.0.1 gwy=0.0.0.0 dev=16(root)
tab=255 vf=0 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->172.16.0.1/32 pref=172.16.0.1 gwy=0.0.0.0 dev=11(internal5)
tab=255 vf=0 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->xxx.xxx.xxx.64/32 pref=xxx.xxx.xxx.67 gwy=0.0.0.0 dev=5(wan1)
tab=255 vf=0 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->172.16.1.254/32 pref=172.16.1.254 gwy=0.0.0.0 dev=6(wan2)
tab=255 vf=0 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->172.16.0.0/32 pref=172.16.0.1 gwy=0.0.0.0 dev=11(internal5)
tab=255 vf=0 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->172.16.1.255/32 pref=172.16.1.254 gwy=0.0.0.0 dev=6(wan2)
tab=255 vf=0 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->xxx.xxx.xxx.67/32 pref=xxx.xxx.xxx.67 gwy=0.0.0.0 dev=5(wan1)
tab=255 vf=0 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->192.168.130.0/32 pref=192.168.130.254 gwy=0.0.0.0 dev=8(internal2)
tab=255 vf=0 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->192.168.2.1/32 pref=192.168.2.1 gwy=0.0.0.0 dev=4(dmz)
tab=255 vf=0 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->192.168.2.0/32 pref=192.168.2.1 gwy=0.0.0.0 dev=4(dmz)
tab=255 vf=0 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->192.168.1.255/32 pref=192.168.1.1 gwy=0.0.0.0 dev=7(internal1)
tab=255 vf=0 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->xxx.xxx.xxx.79/32 pref=xxx.xxx.xxx.67 gwy=0.0.0.0 dev=5(wan1)
tab=255 vf=0 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->172.16.1.0/32 pref=172.16.1.254 gwy=0.0.0.0 dev=6(wan2)
tab=255 vf=0 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->172.16.0.255/32 pref=172.16.0.1 gwy=0.0.0.0 dev=11(internal5)
tab=255 vf=0 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->127.0.0.0/32 pref=127.0.0.1 gwy=0.0.0.0 dev=16(root)
tab=255 vf=0 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->127.0.0.1/32 pref=127.0.0.1 gwy=0.0.0.0 dev=16(root)
tab=255 vf=0 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->127.0.0.0/8 pref=127.0.0.1 gwy=0.0.0.0 dev=16(root)
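To check what the kernel table posted above should do with a LAN-to-DMZ packet, here is an added example (not from the thread or from Fortinet): a small Python parser for 'diag ip route list' lines that performs the same local-table-then-main-table, longest-prefix lookup the kernel does. The sample dump is a constructed subset of the routes above, with the masked WAN next hop replaced by the documentation placeholder 203.0.113.65.

```python
import ipaddress
import re

# Constructed sample in the format of FortiGate 'diag ip route list' output: a subset of the
# routes posted above, WAN next hop replaced by a placeholder. tab=255 is the kernel's local
# table (addresses owned by the box), tab=254 the main table used for forwarding.
ROUTE_DUMP = """
tab=254 vf=0 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->192.168.2.0/24 pref=192.168.2.1 gwy=0.0.0.0 dev=4(dmz)
tab=254 vf=0 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->192.168.1.0/24 pref=192.168.1.1 gwy=0.0.0.0 dev=7(internal1)
tab=254 vf=0 scope=0 type=1 proto=11 prio=0 0.0.0.0/0.0.0.0/0->192.168.143.0/24 pref=0.0.0.0 gwy=192.168.130.253 dev=8(internal2)
tab=254 vf=0 scope=0 type=1 proto=11 prio=0 0.0.0.0/0.0.0.0/0->0.0.0.0/0 pref=0.0.0.0 gwy=203.0.113.65 dev=5(wan1)
tab=255 vf=0 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->192.168.2.1/32 pref=192.168.2.1 gwy=0.0.0.0 dev=4(dmz)
"""

ROUTE_RE = re.compile(
    r"tab=(?P<tab>\d+) .*?type=(?P<type>\d+) proto=(?P<proto>\d+) prio=(?P<prio>\d+) "
    r"(?P<src>[^\s>]+)->(?P<dst>\S+) pref=(?P<pref>\S+) gwy=(?P<gwy>\S+) dev=\d+\((?P<dev>[^)]+)\)"
)

def parse_routes(dump):
    """Turn each 'diag ip route list' line into a dict; lines that do not match are skipped."""
    routes = []
    for line in dump.strip().splitlines():
        m = ROUTE_RE.search(line)
        if m:
            r = {k: int(v) for k, v in m.groupdict().items() if k in ("tab", "type", "proto", "prio")}
            r.update(net=ipaddress.ip_network(m["dst"]), gwy=m["gwy"], dev=m["dev"])
            routes.append(r)
    return routes

def lookup(routes, dst):
    """Resolve dst the way the kernel does: local table (255) first, then main (254);
    within a table the longest prefix wins and ties go to the lower prio value."""
    addr = ipaddress.ip_address(dst)
    for tab in (255, 254):
        hits = [r for r in routes if r["tab"] == tab and addr in r["net"]]
        if hits:
            return max(hits, key=lambda r: (r["net"].prefixlen, -r["prio"]))
    return None

def describe(routes, dst):
    """Summarise the forwarding decision for a destination (what the flow debug should show)."""
    r = lookup(routes, dst)
    if r is None:
        return f"{dst}: no route"
    via = "directly connected" if r["gwy"] == "0.0.0.0" else f"via {r['gwy']}"
    return f"{dst}: dev {r['dev']} ({via}, tab {r['tab']}, /{r['net'].prefixlen})"

if __name__ == "__main__":
    print(describe(parse_routes(ROUTE_DUMP), "192.168.2.10"))
```

If this resolves 192.168.2.10 to the dmz interface while the flow debug on the box sends the same packet to wan1, the table contents themselves are not the mismatch and the lookup or policy stage deserves the next look.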

net1

After checking all your routes and settings and comparing with some other devices, I have to agree with you: that's really strange ...

But it has to be some sort of internal routing problem. If you are wondering how a FortiGate handles packets:

http://docs.fortinet.com/d/fortigate-life-of-a-packet/download

I have to admit that I have no more clue why it doesn't work ... is there any chance to downgrade to 5.4.5? Or do you need the new features?

BTW: I never use firmware versions without a minimum patch level of 4 for a productive firewall ;)

digimetrica

Yes, I know. I just wanted to try this 5.6 "for fun" :)

I can downgrade to 5.4.5; it's just that I will have to redo the interface configurations. But I think this is the only option I have, because I have no clue at all.

This thing I want to accomplish is the stupidest and easiest thing, and being in this situation makes me nervous :)

net1

I fully understand you ... especially if it's such a simple thing like ordinary routing - I'm really curious about the answer from Fortinet's Tech Support - looks like a serious bug to me ...

And I understand your nervousness ;)

Please keep me (us) informed about what's going on with the ticket!
