Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
oliverlag
New Contributor

Created on ‎02-09-2011 06:35 AM

policy route back to inside interface

Hi.. I' ve this situation with a FG_200B: two policy routes that say: 1: from my_net (internal) to remote_net port 80 force traffic to internal interface with gateway x.x.x.x (that belongs to my_net) 2: from my_net (internal) to any port 80 force traffic to wanX with gateway y.y.y.y then.. the second one works. the first one doesn' t... I am able to ping the remote_net but not get to port 80. is it possible do a rule like the 1st one that force traffic to the same interface from where the traffic comes from? thanks Oliver
3846
0 Kudos
6 REPLIES 6
emnoc
Esteemed Contributor III

Created on ‎02-09-2011 07:57 AM

Interesting scenario that you have. Can you just do this with a static route on the FGT and use ICMP redirection to steer the clients to the other gw on my_net for that remote network ? Or better yet, place static route entries on the clients that need to use the 2nd gateway. I don' t think PBR will allow you to redirect in the fashion that you want imho.

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
1927
0 Kudos
oliverlag
New Contributor

Created on ‎02-09-2011 08:08 AM

Hi Emnoc, thanks for your reply.. I cannot do it via a static route since policy routing is before static routes in ' order of operations' .. and then I' ve a default policy routes that force the whole http traffic to anther hop. Btw if I set up a static route on the pc it works... just tried. in cisco router the policy route back to the same interface as the source shold work.. I don' t understand why it doesn' t with FG. Oliver
1927
0 Kudos
ejhardin
Contributor

Created on ‎02-09-2011 09:23 AM

That should work if I' m understanding correctly. As long as you specify the destination address for the remote network and make it the first policy route.
1920
0 Kudos
oliverlag
New Contributor

Created on ‎02-09-2011 11:20 PM

it doesn' t :( I will try to debug a bit later..
1920
0 Kudos
emnoc
Esteemed Contributor III

Created on ‎02-10-2011 11:19 AM

I cannot do it via a static route since policy routing is before static routes in ' order of operations' .. and then I' ve a default policy routes that force the whole http traffic to anther hop. Btw if I set up a static route on the pc it works... just tried. in cisco router the policy route back to the same interface as the source shold work.. I don' t understand why it doesn' t with FG. Oliver
Correct PBR comes before static, but how about removing the PBR entry and replacing it with a static entry for a test.

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
1920
0 Kudos
oliverlag
New Contributor

Created on ‎02-10-2011 11:43 PM

ook, I did a debug and I found the problem.. traffic was coming from internet, being natted with a VIP, redirected with a PBR to a cisco router (that had a vpn) and delivered to the host (on the other side of the vpn) After that, the host was not able to send traffic back since the source was an internet address and thereforse the traffic was not going back through the vpn but to the 0.0.0.0 of the host. I just enabled the nat on the vip address and everything works now. thanks for the support guys. Oliver
1920
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.