Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
saskuu
New Contributor II

Created on ‎06-01-2023 03:10 AM

help with routing

hi
i have a network with mikrotik. we are planning to replace mikrotik with fortigate 100F (v7.4.0)

now i have:

switch
tag vlans: 32, 33 to mikrotik
tag vlans: 32, 33 to fortigate
untag vlans: 32 to two hosts

two hosts: vlan 32, untag
192.168.5.251/24 (gw: 192.168.5.1 - mikrotik) ,
192.168.5.252/24 (gw 192.168.5.2 - fortigate)

 

mikrotik
trunk vlans: 32 (192.168.5.1/24), 33 (192.168.20.1/24)

fortigate:

config system interface

edit "vlan0032"

set vdom "root"

set ip 192.168.5.2 255.255.255.0

set allowaccess ping https ssh snmp http

set device-identification enable

set role lan

set snmp-index 38

set interface "x2"

set vlanid 32

next

 

edit "vlan0033"

set vdom "root"

set ip 192.168.20.2 255.255.255.0

set allowaccess ping https ssh snmp http fgfm

set device-identification enable

set role lan

set snmp-index 35

set interface "x2"

set vlanid 33

next

end

config firewall policy

edit 7

set name "all"

set srcintf "any"

set dstintf "any"

set action accept

set srcaddr "all"

set dstaddr "all"

set schedule "always"

set service "ALL"

set logtraffic all

end


ping from 192.168.5.252 to 192.168.20.2 (fortigate) - working

ping from 192.168.5.251 to 192.168.20.2 - dont working

why ?
theoretically, the traffic should go like this:
ask: 192.168.5.251 - 192.168.5.1 (mikrotik directly connected) 192.168.20.1 - 192.168.20.2
answer: 192.168.20.2 (dir. conn.) 192.168.5.2 - 192.168.5.251

fortigate capture showing incoming packets from 192.168.5.251, but outgoing - no

Labels:
4390
0 Kudos
1 Solution
saskuu
New Contributor II

Created on ‎06-06-2023 03:47 AM

solved the problem like this:

 

config router static
    edit 3
        set gateway 192.168.20.1
        set device "vlan0033"
    next
end

 


at the time of migration it will be like this

View solution in original post

4192
0 Kudos
12 REPLIES 12
saskuu
New Contributor II
In response to Christian_89

Created on ‎06-06-2023 03:43 AM

@Christian_89 wrote:

1. Verify the routing configuration on the FortiGate firewall: Ensure that there is a route configured on the FortiGate firewall to reach the subnet 192.168.5.0/24 via the interface connected to the MikroTik router (x2 interface). This route is necessary to send the reply traffic back to the MikroTik router.

its ok

 

@Christian_89 wrote:

 

2. Check the default gateway on the hosts: Ensure that the default gateway on the hosts in VLAN 32 (192.168.5.251) is set correctly to point to the MikroTik router (192.168.5.1). This will ensure that the ping requests are sent to the correct gateway.

its ok

@Christian_89 wrote:

3. Verify the VLAN configuration: Double-check the VLAN configuration on the FortiGate firewall (x2 interface) and ensure that VLAN tagging is correctly configured for VLANs 32 and 33. Make sure that the VLAN ID matches the configuration on the MikroTik router.

ping from mikrotik to fortigate and in the opposite direction - working
192.168.20.1 - 192.168.20.2
192.168.5.1 - 192.168.5.2

@Christian_89 wrote:

4. Verify connectivity between the MikroTik router and the FortiGate firewall: Ensure that there is connectivity between the MikroTik router and the FortiGate firewall. You can try pinging the FortiGate's IP address (192.168.5.2) from the MikroTik router to verify this.

By going through these troubleshooting steps, you should be able to identify and resolve any configuration or routing issues that may be causing the problem.

ok

923
0 Kudos
sw2090
SuperUser
SuperUser

Created on ‎06-05-2023 11:46 PM

The routing on the FGT is given by the interfaces the thread starter configured (so called connected routes). But you clearly see the incoming traffic hits the wrong incoming interface on the fgt and it therfore cannot detect the proper outgoing one. So packets are dropped.

To me that more looks like if the mikrotik sends the packets to the fortigate with the wrong vlan tag. 

Also it should be connected to x1 then to have a vlan trunk available on uplink.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

-- "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
933
0 Kudos
saskuu
New Contributor II

Created on ‎06-06-2023 03:47 AM

solved the problem like this:

 

config router static
    edit 3
        set gateway 192.168.20.1
        set device "vlan0033"
    next
end

 


at the time of migration it will be like this

4193
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.