Hi,
I don't understand why I cannot ping the internet from the clients. I can ping the subinterface on port 2, 23.1.2.71. But if I try to ping 8.8.8.8 from Linux or the VPC, it is unsuccessful. I have a static route on the FortiGate, 0.0.0.0/0 to router 23.1.2.1, which is the router IP on port gi0/0. Switch ports gi0/0 and gi0/2 are trunks and ports gi0/1 and gi0/3 are VLAN interfaces. I can ping the internet (8.8.8.8) from the FortiGate. Something on the FW is missing, I guess. Policies are applied, and when I ping from a client to the subinterface "To Internet", the policy is working. Please check the pictures.
Hello Matie,
It will help to run the sniffer this way:
diag sniffer packet any 'icmp and host 8.8.8.8' 4 0 a
Your filter captures only one direction. The filter above shows packets in both directions, on any interface, and also shows which interface. You may then see the packet on an inbound interface and again on the outbound interface (suggesting a firewall policy is in place and allows the traffic).
Looks like this:
diag sniffer packet any 'icmp and host 8.8.8.8' 4 0 a
interfaces=[any]
filters=[icmp and host 8.8.8.8]
2022-08-24 22:50:59.879436 internal6 in 192.168.111.2 -> 8.8.8.8: icmp: echo request
2022-08-24 22:50:59.879610 wan1 out 123.123.123.123 -> 8.8.8.8: icmp: echo request
2022-08-24 22:50:59.896803 wan1 in 8.8.8.8 -> 123.123.123.123: icmp: echo reply
2022-08-24 22:50:59.896865 internal6 out 8.8.8.8 -> 192.168.111.2: icmp: echo reply
2022-08-24 22:51:00.881151 internal6 in 192.168.111.2 -> 8.8.8.8: icmp: echo request
2022-08-24 22:51:00.881288 wan1 out 123.123.123.123 -> 8.8.8.8: icmp: echo request
2022-08-24 22:51:00.936263 wan1 in 8.8.8.8 -> 123.123.123.123: icmp: echo reply
2022-08-24 22:51:00.936315 internal6 out 8.8.8.8 -> 192.168.111.2: icmp: echo reply
Best regards,
Markus
Created on 08-24-2022 11:59 PM Edited on 08-25-2022 07:01 AM
Hello Marcus,
I did it. The filter is in place, but it still shows traffic only one way. I have tried to ping from both hosts. There is only the echo request and no echo reply etc. Any idea why I see only the echo request? Can you please help? Please bear with me, I am new to Fortinet. Thanks
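The sniffer output Markus posted has four stages for every ping: request in on the client-side interface, request out on the WAN side, reply in, reply out. The symptom described above (echo request only, no reply) means the flow stops at one of those stages, and which stage tells you whether to look at the route, the policy or the upstream router. As an added example, not code from the original thread or from Fortinet, the Python below parses verbose-level-4 `diag sniffer packet` lines, groups them by ping target and names the first missing stage. Markus's capture is embedded as one sample; the second sample (interface name `vlan10`, client `10.10.10.49`) is constructed to mimic the one-way case.

```python
"""Classify FortiGate 'diag sniffer packet any ... 4' ICMP output by flow.

Added example for this thread; not Fortinet code. It reads verbose-4 sniffer
lines (timestamp, interface, in/out, src -> dst, proto, message), groups echo
request/reply lines by the ping target and reports the first stage at which
the flow stops. The 'vlan10' sample below is constructed, not a real capture.
"""
import re
from collections import defaultdict

# One sniffer line, e.g.:
# 2022-08-24 22:50:59.879436 internal6 in 192.168.111.2 -> 8.8.8.8: icmp: echo request
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+):\s+"
    r"icmp:\s+echo\s+(?P<kind>request|reply)\s*$"
)

# Order in which the four stages must appear for a working ping through the FortiGate.
STAGES = (("request", "in"), ("request", "out"), ("reply", "in"), ("reply", "out"))

# What a missing stage usually points at (defender's checklist, not a diagnosis).
MISSING = {
    ("request", "in"): "no request reached the FortiGate: client default gateway or VLAN",
    ("request", "out"): "request not forwarded: check route, firewall policy and NAT on the egress interface",
    ("reply", "in"): "request left but no reply came back: upstream router, return route or NAT",
    ("reply", "out"): "reply arrived but was not sent to the client: session table or reverse path",
}


def parse_sniffer(text):
    """Return one dict per ICMP echo line; header and non-matching lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def classify_flows(events):
    """Map ping target -> verdict string.

    Requests are keyed by dst and replies by src so that both halves land in
    the same bucket even when the source address changes after NAT.
    """
    stages = defaultdict(dict)  # target -> {(kind, dir): first interface seen}
    for e in events:
        target = e["dst"] if e["kind"] == "request" else e["src"]
        stages[target].setdefault((e["kind"], e["dir"]), e["iface"])
    verdicts = {}
    for target, seen in stages.items():
        for stage in STAGES:
            if stage not in seen:
                verdicts[target] = MISSING[stage]
                break
        else:
            verdicts[target] = "round trip ok via %s -> %s" % (
                seen[("request", "in")], seen[("request", "out")])
    return verdicts


def report(text):
    """Convenience wrapper: raw sniffer text -> {target: verdict}."""
    return classify_flows(parse_sniffer(text))


# Sample 1: Markus's capture from the thread (full round trip).
FULL_ROUND_TRIP = """interfaces=[any]
filters=[icmp and host 8.8.8.8]
2022-08-24 22:50:59.879436 internal6 in 192.168.111.2 -> 8.8.8.8: icmp: echo request
2022-08-24 22:50:59.879610 wan1 out 123.123.123.123 -> 8.8.8.8: icmp: echo request
2022-08-24 22:50:59.896803 wan1 in 8.8.8.8 -> 123.123.123.123: icmp: echo reply
2022-08-24 22:50:59.896865 internal6 out 8.8.8.8 -> 192.168.111.2: icmp: echo reply
"""

# Sample 2: constructed to mimic the one-way symptom (request seen inbound only).
CLIENT_ONLY = """interfaces=[any]
filters=[icmp and host 8.8.8.8]
2022-08-25 09:00:01.000100 vlan10 in 10.10.10.49 -> 8.8.8.8: icmp: echo request
2022-08-25 09:00:02.000100 vlan10 in 10.10.10.49 -> 8.8.8.8: icmp: echo request
"""

if __name__ == "__main__":
    for name, sample in (("full", FULL_ROUND_TRIP), ("one-way", CLIENT_ONLY)):
        for target, verdict in report(sample).items():
            print("%-8s %s: %s" % (name, target, verdict))
```

Paste the sniffer output into a file and feed its contents to `report()`; a verdict other than "round trip ok" names the first stage to look at. If the request is seen inbound but never appears on the egress interface, the usual next step on a FortiGate is `diag debug flow` filtered on the same host, which prints the route and policy decision for that packet.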
Hi @Matie ,
Thank you for providing the information. I can see direct connectivity (same segment is fine) based on your ping test.
Can you summarize the findings like this:
10.10.10.49 to 10.10.10.1(fgt) - OK/Not ok
10.10.10.49 to 23.1.2.71(fgt) - OK/ Not ok
10.10.10.49 to 23.1.2.1(fgt) - OK/Not ok
23.1.2.100 to 8.8.8.8 - OK/not OK << this is a direct test to router.
I'm also concerned about your setup from the switch to the router. I believe you should make it "access port vlan 23" instead of trunk.
Can you add 1 more PC sitting on VLAN 23? GW 23.1.2.1 (router).
This PC means a direct connection to your router, bypassing the FortiGate.
Are you able to get to the internet?
Created on 08-25-2022 12:37 AM Edited on 08-25-2022 05:19 AM
10.10.10.49 to 10.10.10.1(fgt) - OK
10.10.10.49 to 23.1.2.71(fgt) - OK
10.10.10.49 to 23.1.2.1(router) - Not ok
23.1.2.100 to 8.8.8.8 - OK - direct connection to router without FortiGate
If I reconfigure the trunk port on the switch as an access port, I lose connectivity with the internet. The port has to be configured as a trunk.
I have added a PC to VLAN 23 with gateway 23.1.2.1 (router). It is directly connected to the router via the switch. The FortiGate is bypassed and there is connectivity with the internet (8.8.8.8). What else can we do here?