lynxz211
New Contributor

connecting 2 different LANs through the same WAN1

Please help, I have a situation I cannot seem to get around. I am very new to firewalls, let alone FortiGate. I am able to route to the internet through LAN2 (IP 10.20.10.0/24). I need to set up another LAN4 (IP 10.30.30.1/24) to route to the internet through the same WAN1.

Dave_Hall
Honored Contributor

More information is needed. What FortiGate model and firmware is running on it?

 

Is LAN2 also the name of the interface (that is assigned 10.20.10.0/24)?  Likewise is LAN4 the name of the interface (that is assigned 10.30.30.0/24)?

 

Are you using routing policies, or do you actually have firewall policy rules in place directed from LAN2 -> WAN1? If firewall policy rules, then all you may need to do is create policy rules from LAN4 to WAN1.


NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

lynxz211

FortiGate 81E, Firmware v6.0.9 build0335 (GA). LAN2 is my interface to a router; I have configured a static route from that interface to WAN1 and it works fine. LAN4 has been configured with an IP which belongs to a Cisco switch, and I cannot seem to get access to the internet. LAN2 and LAN4 have different names. I have a firewall policy directing from LAN2 to WAN1. Yes, I have the firewall policy rule from LAN4 to WAN1. I can ping 8.8.8.8 from a PC connected to the switch, but still no internet from the switch. I cannot ping www.google.com, or ping any of the other PCs on the router.

Thank you very much for your help.

ede_pfau
Esteemed Contributor III

1- there is nothing special with using one WAN interface from several local subnets, even on different ports. You often have LAN and DMZ subnets, both on different ports, and communicating to the internet via WAN port.

2- in order to send and receive traffic from WAN to LAN you need

- a default route (there is only ONE per Fortigate)
- a policy from LAN to WAN with NAT checked (!!)

and this of course for both LAN2 and LAN4.

3- if you can ping a public server but cannot surf, you probably have a DNS problem. You need to create a DNS on each LAN, you can do that for all and any ports on a FGT. Usually, this DNS forwards to the 'system DNS' which the FGT uses, often the provider's DNS.

4- if you want your PCs to get the correct DNS address, IP address and default route, configure them using DHCP. You can create one DHCP server per interface.

 

To check for a DNS problem: on a Windows command line (cmd.exe), type "ping www.google.com" or "ping 9.9.9.9". If the latter succeeds while the first does not, your PC can't resolve names, thus has no DNS.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
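The four pieces Ede lists (one default route out of WAN1, a LAN-to-WAN policy with NAT enabled, a DNS forwarder on the LAN interface, and a DHCP server that hands hosts the address, gateway and DNS), written out as an added FortiOS 6.0 CLI example. This is not configuration from the thread: the interface names `lan4` and `wan1`, the upstream gateway 203.0.113.1, the policy id and the DHCP range are all assumptions, and the `#` lines are annotations rather than CLI input.

```text
# Added example, not from the thread. Assumed: interface "lan4" holds
# 10.30.30.1/24, interface "wan1" faces the provider, upstream gateway
# 203.0.113.1 is a placeholder.

# 1. The single default route on the box, pointing out wan1.
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 203.0.113.1
        set device "wan1"
    next
end

# 2. Policy lan4 -> wan1 with NAT enabled. Without "set nat enable" the
#    private source address leaves unchanged and replies never return.
#    Logging everything helps when checking which policy a flow matched.
config firewall policy
    edit 10
        set name "lan4-to-wan1"
        set srcintf "lan4"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
end

# 3. DNS forwarder listening on the lan4 interface address; it forwards
#    to the FortiGate's system DNS (usually the provider's resolver).
config system dns-server
    edit "lan4"
        set mode forward-only
    next
end

# 4. DHCP on lan4: hosts get an address, the FortiGate as default gateway,
#    and ("dns-service local") the lan4 interface IP as their DNS server.
config system dhcp server
    edit 4
        set interface "lan4"
        set default-gateway 10.30.30.1
        set netmask 255.255.255.0
        set dns-service local
        config ip-range
            edit 1
                set start-ip 10.30.30.100
                set end-ip 10.30.30.199
            next
        end
    next
end
```

After a host on lan4 renews its lease, Ede's two-ping check applies unchanged: if `ping 9.9.9.9` answers but `ping www.google.com` does not, the policy and route are fine and the problem is in step 3 or in the DNS address the host received. The `all`/`ALL` policy is the widest form; once it works, narrowing `service` and `dstaddr` to what the subnet actually needs is the usual hardening step.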
lynxz211

Thank you again!!! That was very helpful pointing me to right direction. I fixed the DNS issue, everything is working as it should. 

hibym3
New Contributor

if you can route your traffic from 10.20.10.9/24 (lan2) to wan1, you should already have a default route to wan1.

can you share your config (routes and relevant policies)?

 

also good to know -> traffic debugging:

diag sniffer (https://kb.fortinet.com/kb/documentLink.do?externalID=11186)

diag flow filter (https://kb.fortinet.com/kb/documentLink.do?externalID=FD33882)
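The two tools hibym3 points at, shown as an added example session for checking whether a lan4 host's DNS traffic really reaches wan1. This session is not from the thread; the host address 10.30.30.50 and the interface names `lan4`/`wan1` are assumptions, and the `#` lines are annotations.

```text
# Added example session, not from the thread. Assumed: a host 10.30.30.50
# on lan4 doing a DNS lookup while these commands run.

# Packet sniffer on all interfaces, filtered to DNS. Verbosity 4 prints the
# interface name for each packet, so you can see the query arrive on lan4
# and the forwarded query leave on wan1. Stops after 10 packets.
# Filter on port 53 rather than the host address: after NAT the packet on
# wan1 carries the wan1 address as source, and a host filter would miss it.
diagnose sniffer packet any 'port 53' 4 10

# Flow trace for the same host: prints the route lookup, the firewall
# policy id the session matched and whether SNAT was applied.
diagnose debug flow filter saddr 10.30.30.50
diagnose debug flow filter port 53
diagnose debug flow show function-name enable
diagnose debug flow trace start 10
diagnose debug enable

# ... on the host: nslookup www.google.com ...

# Always switch tracing off and clear the filter when done; leaving debug
# enabled on a production unit costs CPU and fills the console.
diagnose debug disable
diagnose debug reset
```

Reading the trace: a flow that hits the default route, matches the lan4-to-wan1 policy and shows SNAT has routing and policy in order; a flow that is dropped before any policy match (or matches a deny policy) points at the firewall rules, and a query that never appears in the sniffer at all means the host is not sending DNS to the FortiGate in the first place.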
