cannot connect from lan to other lan

Yosef · ‎01-22-2015

hi in my fortigate i have lan ports that are connected like this : internal1 :192.168.0.61/255.255.252.0 internal2 :192.168.7.61/255.255.255.0 internal3 :192.168.4.61/255.255.255.0 and the wan like this : wan1 :215.215.2.165/255.255.255.255

internal1 is the local servers port

in the policy i created policies to connect each lan internal to internal1 and to wan 1 when i am trying to connect from internal 3 to internet and to servers everything work correctly as shown in tracnet command cmd:

C:\Users\student>tracert 192.168.0.1

[size="1"]Tracing route to a-server.ba.local [192.168.0.1][/size] over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms 192.168.4.61 [size="1"] 2 <1 ms <1 ms <1 ms a-server.ba.local [192.168.0.1][/size]

Trace complete.

C:\Users\student>tracert www.google.co.il

[size="1"]Tracing route to www.google.co.il [213.151.35.143][/size] over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms 192.168.4.61 [size="1"] 2 17 ms 16 ms 16 ms mx-lns-01.neto.net.il [213.151.32.237][/size] 3 16 ms 16 ms 16 ms 10.17.50.1 4 16 ms 16 ms 36 ms 213.151.32.188 [size="1"] 5 16 ms 16 ms 16 ms cache.google.com [213.151.35.143][/size]

Trace complete.

but when i'm trying to connect to servers on internal1 from internal 2 nothing happens and it seems like it trying to find the server on internet from any reason as shown:

C:\Users\1>tracert 192.168.0.1

Tracing route to 192.168.0.1 over a maximum of 30 hops

1 <1 ms <1 ms <1 ms 192.168.7.61 [size="1"] 2 16 ms 15 ms 16 ms mx-lns-01.neto.net.il [213.151.32.237][/size] 3 16 ms 16 ms 16 ms 10.17.50.5 4 * * * Request timed out. 5 * * * Request timed out. 6 * * * Request timed out. 7 * ^C C:\Users\1>tracert www.google.com

[size="1"]Tracing route to www.google.com [74.125.195.147][/size] over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms 192.168.7.61 [size="1"] 2 16 ms 15 ms 15 ms mx-lns-01.neto.net.il [213.151.32.237][/size] 3 16 ms 16 ms 15 ms 10.17.50.5 4 16 ms 16 ms 17 ms 213.151.32.188 [size="1"] 5 82 ms 70 ms 87 ms xe-10-3-3-249.edge4.London1.Level3.net [212.113.[/size] 14.217] 6 77 ms 77 ms 77 ms 72.14.203.126 7 78 ms 77 ms 77 ms 209.85.255.78 8 74 ms 75 ms 75 ms 216.239.51.3 9 85 ms 84 ms 84 ms 209.85.249.211 10 80 ms 80 ms 80 ms 72.14.239.96 11 * * * Request timed out. [size="1"] 12 83 ms 83 ms 83 ms wj-in-f147.1e100.net [74.125.195.147][/size]

Trace complete.

thanks for any help

emnoc · ‎01-22-2015

I would use diag debug flow and dump the route table

diag debug dis

diag debug reset

diag debug flow filter addr 192.168.0.1

diag debug flow show console enable

diag debug enable

diag debug flow trace start 100

And this start that traffic up to the server

For the route table;

get route info routing-table det 192.168.0.0/24

And for a suggestion, I would get rid of the ideal of using 192.168.0.0/24 for any common subnet unless you want problems in the future. Same goes for 192.168.1.0/24 , almost all generic stuff today uses this by default & it will lead to problems now or later.

PCNSE

NSE

StrongSwan

rwpatterson · ‎01-22-2015

If you have added any static routes for the connected LANs, remove them. The Fortigate is already aware of connected subnets. Also unless you are doing some hairy routing, policy routes are unneeded as well.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Yosef · ‎01-22-2015

i added static route in wan connection to let default to one of the wan but all the lan connection are managed by the router also there is policies in the router to open some of the lans to internet and block the others static route configure like this wan1: priority 2 distance 10 wan2: priority 1 distance 10 what I do not understand why internal3 connected to internal1 well but in internal2 there's problems

rwpatterson · ‎01-22-2015

When you "Router > Monitor", do you see all of the interfaces present?

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Yosef · ‎01-22-2015

yes

and i am able to connect from all port to internal1 but internal2

and all ports could connect to internet even internal2

it seem like it trying to find the server on the internrt when i am using tracert command cmd

Dave_Hall · ‎01-22-2015

Can any devices on the internal1 network access any devices on the internal2 network?

Routing Monitor should be showing a route for network 192.168.0.61/22 (gateway 0.0.0.0(?), interface internal1). Can you confirm the subnet mask is correct (where appropriate)?

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

Yosef · ‎01-22-2015

i can not connect device from interna1 to internal2 too

on routing monitor appear:

network 192.168.0.0/22

gateway 0.0.0.0

interface internal1

Dave_Hall · ‎01-22-2015

Is there a fc policy from internal1 to internal2?

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

rwpatterson · ‎01-22-2015

Have you defined any IP pools which overlap either of these two networks?

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com