hi in my fortigate i have lan ports that are connected like this : internal1 :192.168.0.61/255.255.252.0 internal2 :192.168.7.61/255.255.255.0 internal3 :192.168.4.61/255.255.255.0 and the wan like this : wan1 :215.215.2.165/255.255.255.255
internal1 is the local servers port
in the policy i created policies to connect each lan internal to internal1 and to wan 1 when i am trying to connect from internal 3 to internet and to servers everything work correctly as shown in tracnet command cmd:
C:\Users\student>tracert 192.168.0.1
[size="1"]Tracing route to a-server.ba.local [192.168.0.1][/size] over a maximum of 30 hops:
1 <1 ms <1 ms <1 ms 192.168.4.61 [size="1"] 2 <1 ms <1 ms <1 ms a-server.ba.local [192.168.0.1][/size]
Trace complete.
C:\Users\student>tracert www.google.co.il
[size="1"]Tracing route to www.google.co.il [213.151.35.143][/size] over a maximum of 30 hops:
1 <1 ms <1 ms <1 ms 192.168.4.61 [size="1"] 2 17 ms 16 ms 16 ms mx-lns-01.neto.net.il [213.151.32.237][/size] 3 16 ms 16 ms 16 ms 10.17.50.1 4 16 ms 16 ms 36 ms 213.151.32.188 [size="1"] 5 16 ms 16 ms 16 ms cache.google.com [213.151.35.143][/size]
Trace complete.
but when i'm trying to connect to servers on internal1 from internal 2 nothing happens and it seems like it trying to find the server on internet from any reason as shown:
C:\Users\1>tracert 192.168.0.1
Tracing route to 192.168.0.1 over a maximum of 30 hops
1 <1 ms <1 ms <1 ms 192.168.7.61 [size="1"] 2 16 ms 15 ms 16 ms mx-lns-01.neto.net.il [213.151.32.237][/size] 3 16 ms 16 ms 16 ms 10.17.50.5 4 * * * Request timed out. 5 * * * Request timed out. 6 * * * Request timed out. 7 * ^C C:\Users\1>tracert www.google.com
[size="1"]Tracing route to www.google.com [74.125.195.147][/size] over a maximum of 30 hops:
1 <1 ms <1 ms <1 ms 192.168.7.61 [size="1"] 2 16 ms 15 ms 15 ms mx-lns-01.neto.net.il [213.151.32.237][/size] 3 16 ms 16 ms 15 ms 10.17.50.5 4 16 ms 16 ms 17 ms 213.151.32.188 [size="1"] 5 82 ms 70 ms 87 ms xe-10-3-3-249.edge4.London1.Level3.net [212.113.[/size] 14.217] 6 77 ms 77 ms 77 ms 72.14.203.126 7 78 ms 77 ms 77 ms 209.85.255.78 8 74 ms 75 ms 75 ms 216.239.51.3 9 85 ms 84 ms 84 ms 209.85.249.211 10 80 ms 80 ms 80 ms 72.14.239.96 11 * * * Request timed out. [size="1"] 12 83 ms 83 ms 83 ms wj-in-f147.1e100.net [74.125.195.147][/size]
Trace complete.
thanks for any help
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
I would use diag debug flow and dump the route table
diag debug dis
diag debug reset
diag debug flow filter addr 192.168.0.1
diag debug flow show console enable
diag debug enable
diag debug flow trace start 100
And this start that traffic up to the server
For the route table;
get route info routing-table det 192.168.0.0/24
And for a suggestion, I would get rid of the ideal of using 192.168.0.0/24 for any common subnet unless you want problems in the future. Same goes for 192.168.1.0/24 , almost all generic stuff today uses this by default & it will lead to problems now or later.
PCNSE
NSE
StrongSwan
If you have added any static routes for the connected LANs, remove them. The Fortigate is already aware of connected subnets. Also unless you are doing some hairy routing, policy routes are unneeded as well.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
i added static route in wan connection to let default to one of the wan but all the lan connection are managed by the router also there is policies in the router to open some of the lans to internet and block the others static route configure like this wan1: priority 2 distance 10 wan2: priority 1 distance 10 what I do not understand why internal3 connected to internal1 well but in internal2 there's problems
When you "Router > Monitor", do you see all of the interfaces present?
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
yes
and i am able to connect from all port to internal1 but internal2
and all ports could connect to internet even internal2
it seem like it trying to find the server on the internrt when i am using tracert command cmd
Can any devices on the internal1 network access any devices on the internal2 network?
Routing Monitor should be showing a route for network 192.168.0.61/22 (gateway 0.0.0.0(?), interface internal1). Can you confirm the subnet mask is correct (where appropriate)?
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
i can not connect device from interna1 to internal2 too
on routing monitor appear:
network 192.168.0.0/22
gateway 0.0.0.0
interface internal1
Is there a fc policy from internal1 to internal2?
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Have you defined any IP pools which overlap either of these two networks?
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1714 | |
1093 | |
752 | |
447 | |
232 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.