Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
fferraro87
New Contributor II

Created on ‎09-04-2018 01:56 AM

routing between two different subnet on two different port

Hi,

like you can see from image attached i've two different servers connected to my fortigate 100D on two different internal port. So i've 192.168.3.0/24 on port 3 and on port 4 i've defined many VLAN and there is a VLAN called VLAN 70 that has 172.16.70.0/24 subnet. Now i've to communicate using their private ip, it's possible? i've try to add a policy like that :

 

config firewall policy
    edit 114
        set name "lan port3 to VLAN 70"
        set uuid 6a55395a-b017-51e8-f2b8-e066fb5ec046
        set srcintf "port3"
        set dstintf "VLAN70"
        set srcaddr "192.168.3.190/32"
        set dstaddr "172.16.70.100/32"
        set action accept
        set schedule "always"
        set service "ALL_ICMP"
    next
end
But that policy isn't matched. I've try also to debug connection but i've no trace. It's possible to do that? Thanks

Labels:
6396
0 Kudos
4 REPLIES 4
tanr
Valued Contributor II

Created on ‎09-04-2018 07:38 AM

I think that looks right.  You're just trying to ping the host on VLAN70 from the host on port3 and it fails?

 

Is it possible you're hitting another security policy before this one and the ping is getting handled/blocked by that?

What do the logs say for which policy handled this ping?

1839
0 Kudos
fferraro87
New Contributor II
In response to tanr

Created on ‎09-04-2018 08:15 AM

tanr wrote:

I think that looks right.  You're just trying to ping the host on VLAN70 from the host on port3 and it fails?

 

Is it possible you're hitting another security policy before this one and the ping is getting handled/blocked by that?

What do the logs say for which policy handled this ping?

i don't see anything from debug flow, that's strange.

for debug i do these command on console :

 

diag debug reset
diag debug enable
diag debug console timestamp enable
diag debug flow show console enable
diag debug flow filter saddr 192.168.3.190
diag debug flow filter daddr 172.16.70.100
diag debug flow trace start 100

 

but i don't see anything when i ping from 192.168.3.190 to  172.16.70.100

 

1839
0 Kudos
tanr
Valued Contributor II
In response to fferraro87

Created on ‎09-04-2018 08:20 AM

If you enable ping on port3 lan interface itself, can you ping the interface from the host?

1839
0 Kudos
Toshi_Esumi
SuperUser
SuperUser
In response to fferraro87

Created on ‎09-04-2018 08:30 AM

Any situation like this, I would always start my debugging with:

  config firewall policy

    edit 114

      set auto-asic-offload disable

    next

  end

then,

  diag sniffer packet any 'host 192.168.3.190' 4

to see if the ping packets are arriving at port3. This would also show you what interface the same packets are going out. But I assume they don't going out and are dropped. At that time, I start run the debug flow.

 

The asic offload might be hiding them from your flow debug if they're arriving.

 

Toshi

1839
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.