Hi,
I have two subnets:
wifi 10.8.8.0/24
internal 172.22.2.0/24 (NAS, printer)
I have created policies to route from wifi -> internal and internal -> wifi. I am able to ping the NAS and printer from the wifi network but am unable to access the actual devices. In the policies I used the actual subnets as source and destination and not the usual "all"; is this correct? I had also tried with "all" but that didn't seem to work either, so the issue must be something else...
I am able to access the FortiGate admin on the internal subnet from the wifi subnet, but that seems to be about all I am able to do.
Any idea how to get visibility of the devices?
ciao,
Antonio
Hi @antoniocerasuolo ,
It is still not very clear.
Please provide the FGT config.
If you have any concerns about providing the FGT config, please provide the following:
1) All relevant firewall policy configurations;
2) All relevant objects applied in the firewall policies, such as Source Address, Destination Address and Service Object(s);
3) The IP of the Dell laptop;
4) The IP of the printer that the Dell laptop was accessing;
5) The outputs of the sniffer command I provided before.
Created on 02-03-2025 08:40 AM
Is there a quick way from the CLI to get and download the configs of the policies on an interface?
Hi @antoniocerasuolo ,
Please run:
show firewall policy
show firewall address
show firewall service custom
get router info routing-table all
Then copy and paste all the outputs into one Text editor. Delete all irrelevant configurations. For the rest of the configurations, you may mask all sensitive info.
Created on 02-03-2025 09:03 AM
I have all the downloads in the text editor, but how do I attach the file here?
Hi @antoniocerasuolo ,
You may copy and paste in several replies.
For example, firewall policies in one reply, firewall addresses in another, the routing table in another, and the sniffer packet outputs in one more.
Created on 02-03-2025 09:53 AM
But it's lots of data.
Created on 02-03-2025 10:13 AM
config firewall policy
edit 30
set name "allow_guest_wifi_to_intn_PRN_policy"
set uuid 668a2c58-e22a-51ef-ef5d-ef539542a881
set srcintf "guestwifi"
set dstintf "internal"
set action accept
set srcaddr "guest_wifi_to_internal_source"
set dstaddr "guest_wifi_to_internal_dest"
set schedule "always"
set service "printer_access_from_wifi_guest"
set logtraffic all
next
edit 27
set name "allow_guest_wifi_to_intn_NAS_policy"
set uuid 7dc4cb26-e1a8-51ef-b31c-0526d0eb42ee
set srcintf "guestwifi"
set dstintf "internal"
set action accept
set srcaddr "guest_wifi_to_internal_source"
set dstaddr "guest_wifi_to_internal_dest"
set schedule "always"
set service "nas_access_from_guest_wifi"
set logtraffic all
next
edit 29
set name "guest_wifi_to_PRN_NAS_all_policy"
set uuid 039e3608-e215-51ef-bf3c-f1e75d77ca15
set srcintf "guestwifi"
set dstintf "internal"
set action accept
set srcaddr "guest_wifi_to_internal_source"
set dstaddr "guest_wifi_to_internal_dest"
set schedule "always"
set service "ALL"
set logtraffic all
set comments " (Copy of allow_guestwifi_to_internal_policy)"
next
end
Created on 02-03-2025 10:14 AM
config firewall address
edit "none"
set uuid 18c092ec-95ee-51ef-743a-d23359a99a72
set subnet 0.0.0.0 255.255.255.255
next
edit "login.microsoftonline.com"
set uuid 18c0aeda-95ee-51ef-69c3-ab8469c3925e
set type fqdn
set fqdn "login.microsoftonline.com"
next
edit "login.microsoft.com"
set uuid 18c0c7da-95ee-51ef-0050-41e9310a42d0
set type fqdn
set fqdn "login.microsoft.com"
next
edit "login.windows.net"
set uuid 18c0de78-95ee-51ef-3a62-4d54b1002114
set type fqdn
set fqdn "login.windows.net"
next
edit "gmail.com"
set uuid 18c0f548-95ee-51ef-ba11-4419bf290419
set type fqdn
set fqdn "gmail.com"
next
edit "wildcard.google.com"
set uuid 18c10bd2-95ee-51ef-63dd-0610a40031e6
set type fqdn
set fqdn "*.google.com"
next
edit "wildcard.dropbox.com"
set uuid 18c12266-95ee-51ef-e47c-d8ac160d85f3
set type fqdn
set fqdn "*.dropbox.com"
next
edit "all"
set uuid 1b02621a-95ee-51ef-5f4f-3e53698fcedb
set color 18
next
edit "FIREWALL_AUTH_PORTAL_ADDRESS"
set uuid 1b026c7e-95ee-51ef-281f-232eedb24b15
next
edit "FABRIC_DEVICE"
set uuid 1b0274f8-95ee-51ef-7370-0cd08a2bf105
set comment "IPv4 addresses of Fabric Devices."
next
edit "SSLVPN_TUNNEL_ADDR1"
set uuid 1b04c816-95ee-51ef-1825-201381b67daa
set type iprange
set start-ip 10.212.134.200
set end-ip 10.212.134.210
next
edit "lan"
set uuid 1d709846-95ee-51ef-89f0-e1f717e559ba
set type interface-subnet
set subnet 0.0.0.0 255.255.255.255
set interface "lan"
next
edit "internal"
set uuid 1d70f84a-95ee-51ef-5493-286ba3c2a9bb
set type interface-subnet
set subnet 172.22.2.0 255.255.255.0
set interface "internal"
next
edit "EMS_ALL_UNMANAGEABLE_CLIENTS"
set uuid 35a9fc90-95ee-51ef-3942-265c0286e02e
set type dynamic
set sub-type ems-tag
next
edit "EMS_ALL_UNKNOWN_CLIENTS"
set uuid 35b38af8-95ee-51ef-d2a8-45dda398764b
set type dynamic
set sub-type ems-tag
next
edit "FCTEMS_ALL_FORTICLOUD_SERVERS"
set uuid b24117da-95f2-51ef-5b24-ec1c07f261a0
set type dynamic
set sub-type ems-tag
next
edit "youtube"
set uuid 5c3aced2-9843-51ef-bd5b-bce8cabd99bb
set type fqdn
set fqdn "*youtube.com"
next
edit "google_com"
set uuid b48433e4-9843-51ef-0369-4fd9fe07ab3b
set type fqdn
set fqdn "*.google.com*"
next
edit "nas_access"
set uuid 8e682104-a1a1-51ef-2b2e-b552072e7080
set type mac
set color 28
set macaddr "90:09:D0:46:37:1E"
next
edit "HP_printer_access"
set uuid ce2530ce-a1b1-51ef-f4f1-b4c55ea83a4c
set type mac
set color 23
set macaddr "BC:0F:F3:4A:D3:9E"
next
edit "source_lan_subnet"
set uuid c2cd0d8c-aa8f-51ef-9c7f-1928cee9f859
set subnet 172.22.2.0 255.255.255.0
next
edit "dns_server"
set uuid 0134da3c-aa90-51ef-3618-f02ee1eb2266
set type iprange
set start-ip 192.168.1.254
set end-ip 192.168.1.254
next
edit "LAN_SOURCE_DNS"
set uuid 0bad7e2a-aa99-51ef-dde6-c9ed6f20c71f
set type iprange
set start-ip 172.22.2.20
set end-ip 172.22.2.200
next
edit "DNS_SERVER_1"
set uuid 3ef0fa9c-aa9d-51ef-02e2-c5f773dc7068
set type iprange
set start-ip 172.22.2.1
set end-ip 172.22.2.1
next
edit "DNS_SERVER_1_1"
set uuid 6111ce6a-aaa4-51ef-175d-f0fed6e38d16
set type iprange
set associated-interface "internal"
set start-ip 172.22.2.1
set end-ip 172.22.2.1
next
edit "DNS_SERVER_1_1_0"
set uuid 0c647868-ab17-51ef-8647-3db8d95ca947
set allow-routing enable
set subnet 192.168.1.0 255.255.255.0
next
edit "DNS_SERVER_TEST"
set uuid 2e6f4faa-ab1c-51ef-4b7d-82a2e9e0ef83
set associated-interface "wan"
set subnet 172.22.2.0 255.255.255.0
next
edit "authentics_300"
set uuid 823e6b9c-bbb7-51ef-57be-69227ae4d006
set type mac
set macaddr "40:72:18:9B:31:23"
next
edit "authentics_300_c4a_user"
set uuid 8954811a-bbc5-51ef-5715-e732f135ec5e
set type mac
set macaddr "8E:2F:22:43:7E:D5"
next
edit "authentics_300_audiocast"
set uuid 50e92226-bbc6-51ef-4ac9-4a71f2f95a25
set type mac
set macaddr "3A:34:69:96:11:8A"
next
edit "sw_aruba_instant_on"
set uuid 28f59668-bbe5-51ef-2511-6bd791fc24c6
set type mac
set macaddr "90:E9:5E:9E:FC:E7"
next
edit "authentics_300_jbl_one"
set uuid a7162be8-bded-51ef-3396-37f44db62043
set type mac
set macaddr "D0:76:02:08:7E:38"
next
edit "unmineable.com"
set uuid 5c94e6e4-d996-51ef-0c3a-5ddb9aeb8622
set type fqdn
set fqdn "unmineable.com"
next
edit "UNMINEABLE"
set uuid a1f42358-d996-51ef-027b-9cb5fba7947b
set type fqdn
set fqdn "unmineable.com"
next
edit "apple_exemption"
set uuid 5cda54ee-dcf3-51ef-67fe-dd01bb44baf1
set type fqdn
set comment "apple exemption"
set fqdn "*.apple.com*"
next
edit "internal_2 address"
set uuid c2079006-dfe2-51ef-42a4-00e9408536bd
set type interface-subnet
set subnet 172.22.3.0 255.255.255.0
set interface "internal_2"
next
edit "guest_wifi_to_internal_source"
set uuid 6eaa5c2e-e1b1-51ef-dbd9-3beface00c30
set associated-interface "guestwifi"
set subnet 10.8.8.0 255.255.255.0
next
edit "guest_wifi_to_internal_dest"
set uuid 8c2de68a-e1b1-51ef-3f86-bf344c025c74
set associated-interface "internal"
set subnet 172.22.2.0 255.255.255.0
next
edit "internal_to_guest_source"
set uuid d7739cf2-e1b1-51ef-1ed3-b62b7b7a0885
set associated-interface "internal"
set subnet 172.22.2.0 255.255.255.0
next
edit "internal_to_guest_destination"
set uuid f7a18624-e1b1-51ef-4ab8-0737b88980d4
set associated-interface "guestwifi"
set subnet 10.8.8.0 255.255.255.0
next
edit "guest_wifi_to_internal_NAS"
set uuid 13e0d844-e20c-51ef-61f6-f98a77d29ef0
set type mac
set macaddr "90:09:D0:46:37:1E"
next
edit "guest_wifi_to_NAS"
set uuid 8c8e8a84-e20c-51ef-6725-508a74409318
set type mac
set macaddr "90:09:D0:46:37:1E"
next
edit "NAS_guest"
set uuid d04765f2-e20c-51ef-41e6-d7e1f844be35
set type mac
set macaddr "90:09:D0:46:37:1E"
next
end
Created on 02-03-2025 10:15 AM
config firewall service custom
edit "DNS"
set category "Network Services"
set color 9
set tcp-portrange 53
set udp-portrange 53
next
edit "HTTP"
set category "Web Access"
set tcp-portrange 80
next
edit "HTTPS"
set category "Web Access"
set tcp-portrange 443
next
edit "IMAP"
set category "Email"
set tcp-portrange 143
next
edit "IMAPS"
set category "Email"
set tcp-portrange 993
next
edit "LDAP"
set category "Authentication"
set tcp-portrange 389
next
edit "DCE-RPC"
set category "Remote Access"
set tcp-portrange 135
set udp-portrange 135
next
edit "POP3"
set category "Email"
set tcp-portrange 110
next
edit "POP3S"
set category "Email"
set tcp-portrange 995
next
edit "SAMBA"
set category "File Access"
set tcp-portrange 139
next
edit "SMTP"
set category "Email"
set tcp-portrange 25
next
edit "SMTPS"
set category "Email"
set tcp-portrange 465
next
edit "KERBEROS"
set category "Authentication"
set tcp-portrange 88 464
set udp-portrange 88 464
next
edit "LDAP_UDP"
set category "Authentication"
set udp-portrange 389
next
edit "SMB"
set category "File Access"
set tcp-portrange 445
next
edit "FTP"
set category "File Access"
set tcp-portrange 21
next
edit "FTP_GET"
set category "File Access"
set tcp-portrange 21
next
edit "FTP_PUT"
set category "File Access"
set tcp-portrange 21
next
edit "ALL"
set category "General"
set protocol IP
next
edit "ALL_TCP"
set category "General"
set tcp-portrange 1-65535
next
edit "ALL_UDP"
set category "General"
set udp-portrange 1-65535
next
edit "ALL_ICMP"
set category "General"
set protocol ICMP
unset icmptype
next
edit "ALL_ICMP6"
set category "General"
set protocol ICMP6
unset icmptype
next
edit "GRE"
set category "Tunneling"
set protocol IP
set protocol-number 47
next
edit "AH"
set category "Tunneling"
set protocol IP
set protocol-number 51
next
edit "ESP"
set category "Tunneling"
set protocol IP
set protocol-number 50
next
edit "AOL"
set tcp-portrange 5190-5194
next
edit "BGP"
set category "Network Services"
set tcp-portrange 179
next
edit "DHCP"
set category "Network Services"
set udp-portrange 67-68
next
edit "FINGER"
set tcp-portrange 79
next
edit "GOPHER"
set tcp-portrange 70
next
edit "H323"
set category "VoIP, Messaging & Other Applications"
set tcp-portrange 1720 1503
set udp-portrange 1719
next
edit "IKE"
set category "Tunneling"
set udp-portrange 500 4500
next
edit "Internet-Locator-Service"
set tcp-portrange 389
next
edit "IRC"
set category "VoIP, Messaging & Other Applications"
set tcp-portrange 6660-6669
next
edit "L2TP"
set category "Tunneling"
set tcp-portrange 1701
set udp-portrange 1701
next
edit "NetMeeting"
set tcp-portrange 1720
next
edit "NFS"
set category "File Access"
set tcp-portrange 111 2049
set udp-portrange 111 2049
next
edit "NNTP"
set tcp-portrange 119
next
edit "NTP"
set category "Network Services"
set tcp-portrange 123
set udp-portrange 123
next
edit "OSPF"
set category "Network Services"
set protocol IP
set protocol-number 89
next
edit "PC-Anywhere"
set category "Remote Access"
set tcp-portrange 5631
set udp-portrange 5632
next
edit "PING"
set category "Network Services"
set protocol ICMP
set icmptype 8
unset icmpcode
next
edit "TIMESTAMP"
set protocol ICMP
set icmptype 13
unset icmpcode
next
edit "INFO_REQUEST"
set protocol ICMP
set icmptype 15
unset icmpcode
next
edit "INFO_ADDRESS"
set protocol ICMP
set icmptype 17
unset icmpcode
next
edit "ONC-RPC"
set category "Remote Access"
set tcp-portrange 111
set udp-portrange 111
next
edit "PPTP"
set category "Tunneling"
set tcp-portrange 1723
next
edit "QUAKE"
set udp-portrange 26000 27000 27910 27960
next
edit "RAUDIO"
set udp-portrange 7070
next
edit "REXEC"
set tcp-portrange 512
next
edit "RIP"
set category "Network Services"
set udp-portrange 520
next
edit "RLOGIN"
set tcp-portrange 513:512-1023
next
edit "RSH"
set tcp-portrange 514:512-1023
next
edit "SCCP"
set category "VoIP, Messaging & Other Applications"
set tcp-portrange 2000
next
edit "SIP"
set category "VoIP, Messaging & Other Applications"
set tcp-portrange 5060
set udp-portrange 5060
next
edit "SIP-MSNmessenger"
set category "VoIP, Messaging & Other Applications"
set tcp-portrange 1863
next
edit "SNMP"
set category "Network Services"
set tcp-portrange 161-162
set udp-portrange 161-162
next
edit "SSH"
set category "Remote Access"
set tcp-portrange 22
next
edit "SYSLOG"
set category "Network Services"
set udp-portrange 514
next
edit "TALK"
set udp-portrange 517-518
next
edit "TELNET"
set category "Remote Access"
set tcp-portrange 23
next
edit "TFTP"
set category "File Access"
set udp-portrange 69
next
edit "MGCP"
set category "VoIP, Messaging & Other Applications"
set tcp-portrange 2428
set udp-portrange 2427 2727
next
edit "UUCP"
set tcp-portrange 540
next
edit "VDOLIVE"
set tcp-portrange 7000-7010
next
edit "WAIS"
set tcp-portrange 210
next
edit "WINFRAME"
set tcp-portrange 1494 2598
next
edit "X-WINDOWS"
set category "Remote Access"
set tcp-portrange 6000-6063
next
edit "PING6"
set protocol ICMP6
set icmptype 128
unset icmpcode
next
edit "MS-SQL"
set category "VoIP, Messaging & Other Applications"
set tcp-portrange 1433 1434
next
edit "MYSQL"
set category "VoIP, Messaging & Other Applications"
set tcp-portrange 3306
next
edit "RDP"
set category "Remote Access"
set tcp-portrange 3389
next
edit "VNC"
set category "Remote Access"
set tcp-portrange 5900
next
edit "DHCP6"
set category "Network Services"
set udp-portrange 546 547
next
edit "SQUID"
set category "Tunneling"
set tcp-portrange 3128
next
edit "SOCKS"
set category "Tunneling"
set tcp-portrange 1080
set udp-portrange 1080
next
edit "WINS"
set category "Remote Access"
set tcp-portrange 1512
set udp-portrange 1512
next
edit "RADIUS"
set category "Authentication"
set udp-portrange 1812 1813
next
edit "RADIUS-OLD"
set udp-portrange 1645 1646
next
edit "CVSPSERVER"
set tcp-portrange 2401
set udp-portrange 2401
next
edit "AFS3"
set category "File Access"
set tcp-portrange 7000-7009
set udp-portrange 7000-7009
next
edit "TRACEROUTE"
set category "Network Services"
set udp-portrange 33434-33535
next
edit "RTSP"
set category "VoIP, Messaging & Other Applications"
set tcp-portrange 554 7070 8554
set udp-portrange 554
next
edit "MMS"
set tcp-portrange 1755
set udp-portrange 1024-5000
next
edit "NONE"
set tcp-portrange 0
next
edit "webproxy"
set proxy enable
set category "Web Proxy"
set protocol ALL
set tcp-portrange 0-65535:0-65535
next
edit "quick"
set udp-portrange 443 80
next
edit "microsoft_allow"
set color 23
set fqdn "*.microsoft.com"
set tcp-portrange 443 80
next
edit "apple_icloud"
set color 28
set fqdn "*icloud.com"
set tcp-portrange 443 80
next
edit "apple_com_services"
set color 6
set fqdn "*apple.com*"
set tcp-portrange 443 80
next
edit "apple_dns_net"
set fqdn "*apple-dns.net"
set tcp-portrange 443 80
next
edit "skype_allow"
set fqdn "*.skype.com"
set tcp-portrange 443 80
next
edit "amazon_allow"
set fqdn "*.amazonaws.com"
set tcp-portrange 443 80
next
edit "adman_media"
set fqdn "*.admanmedia.com"
set tcp-portrange 443 80
set udp-portrange 443 80
next
edit "amazon_it"
set fqdn "*.amazon.it"
set tcp-portrange 443 80
next
edit "amazon_com"
set color 15
set fqdn "*.amazon.com"
set tcp-portrange 433 80
next
edit "fortiguard_net"
set color 13
set fqdn "*.fortiguard.net"
set tcp-portrange 53
set udp-portrange 53
next
edit "google"
set fqdn "*google*"
set tcp-portrange 443 80
next
edit "azure_devices_net"
set fqdn "*.azure-devices.net"
set tcp-portrange 8883
next
edit "dell_com"
set color 29
set fqdn "*.dell.com"
set tcp-portrange 443 80
next
edit "windowsupdate_com"
set color 18
set fqdn "windowsupdate.com"
set tcp-portrange 443 80
set udp-portrange 443 80
next
edit "mozilla_com"
set fqdn "*.mozilla.com"
set tcp-portrange 443 80
set udp-portrange 443 80
next
edit "github_com"
set color 20
set fqdn "*.github.com"
set tcp-portrange 443 80
set udp-portrange 443 80
next
edit "smartadserver_com"
set fqdn "*.smartadserver.com"
set tcp-portrange 443 80
set udp-portrange 443 80
next
edit "nas_access_from_guest_wifi"
set iprange 172.22.2.12
set tcp-portrange 137 138 5000
set udp-portrange 137 138
next
edit "printer_access_from_wifi_guest"
set iprange 172.22.2.11
set tcp-portrange 547 5353 631 3910 9100
next
end
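An added example, not from this thread and not a Fortinet tool, that serves both the request above to paste the `show firewall policy`, `show firewall address` and `show firewall service custom` output and the dumps themselves: it parses that `config`/`edit`/`set`/`next`/`end` format and walks the policies top to bottom, the way the FortiGate does (first match wins, implicit deny as policy 0), reporting which pasted policy a given flow from a guest-wifi client hits. The function names (`parse_fortios`, `in_addr`, `in_service`, `first_match`) are my own. The embedded config is a constructed sample cut down from the dumps above to policies 27 and 29 and the objects they reference; schedule, users, NAT, service groups and `any` interfaces are not modelled, and fqdn, mac and dynamic address objects never match offline because they need live DNS or device data.

```python
import ipaddress
import shlex

# Constructed sample cut down from the dumps pasted in the thread: policies 27 and 29 plus the objects they reference.
SAMPLE_CONFIG = """
config firewall policy
    edit 27
        set srcintf "guestwifi"
        set dstintf "internal"
        set action accept
        set srcaddr "guest_wifi_to_internal_source"
        set dstaddr "guest_wifi_to_internal_dest"
        set service "nas_access_from_guest_wifi"
    next
    edit 29
        set srcintf "guestwifi"
        set dstintf "internal"
        set action accept
        set srcaddr "guest_wifi_to_internal_source"
        set dstaddr "guest_wifi_to_internal_dest"
        set service "ALL"
    next
end
config firewall address
    edit "guest_wifi_to_internal_source"
        set subnet 10.8.8.0 255.255.255.0
    next
    edit "guest_wifi_to_internal_dest"
        set subnet 172.22.2.0 255.255.255.0
    next
end
config firewall service custom
    edit "ALL"
        set protocol IP
    next
    edit "nas_access_from_guest_wifi"
        set iprange 172.22.2.12
        set tcp-portrange 137 138 5000
        set udp-portrange 137 138
    next
end
"""

def parse_fortios(text):
    """Nest 'config/edit/set/next/end' lines into {section: {key: {attr: [values]}}}."""
    root, stack = {}, []
    for line in text.splitlines():
        words = shlex.split(line)
        if not words:
            continue
        kw, args = words[0], words[1:]
        if kw == "config":  # a section, possibly nested inside an edit block
            stack.append((stack[-1] if stack else root).setdefault(" ".join(args), {}))
        elif kw == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif kw == "set":
            stack[-1][args[0]] = args[1:]
        elif kw in ("next", "end"):
            stack.pop()
    return root

def in_addr(obj, ip):
    """ipmask, interface-subnet and iprange objects; fqdn/mac/dynamic need live data."""
    kind = obj.get("type", ["ipmask"])[0]
    if kind in ("ipmask", "interface-subnet"):  # no 'subnet' line (as in 'all') means 0.0.0.0/0
        net, mask = obj.get("subnet", ["0.0.0.0", "0.0.0.0"])
        return ip in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    if kind == "iprange":
        return ipaddress.ip_address(obj["start-ip"][0]) <= ip <= ipaddress.ip_address(obj["end-ip"][0])
    return False

def in_service(svc, proto, dport, dst):
    """proto is the IP protocol number; for ICMP, dport carries the ICMP type."""
    if "iprange" in svc:  # service-level destination restriction: '1.2.3.4' or '1.2.3.4-1.2.3.9'
        lo, _, hi = svc["iprange"][0].partition("-")
        if not ipaddress.ip_address(lo) <= dst <= ipaddress.ip_address(hi or lo):
            return False
    kind = svc.get("protocol", ["TCP/UDP/SCTP"])[0]
    if kind == "IP":  # 'ALL' has no protocol-number, so it matches every protocol
        return "protocol-number" not in svc or int(svc["protocol-number"][0]) == proto
    if kind == "ICMP":
        return proto == 1 and ("icmptype" not in svc or int(svc["icmptype"][0]) == dport)
    spec = svc.get({6: "tcp-portrange", 17: "udp-portrange"}.get(proto), [])
    # tokens look like '137 138 5000', '1-65535' or '513:512-1023' (dst:src; src part ignored)
    return any(int(lo) <= dport <= int(hi or lo)
               for lo, _, hi in (t.split(":")[0].partition("-") for t in spec))

def first_match(cfg, srcintf, dstintf, src, dst, proto, dport):
    """Walk policies in dump order and return (id, action); FortiOS ends with implicit deny 0."""
    addrs, svcs = cfg["firewall address"], cfg["firewall service custom"]
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for pid, pol in cfg["firewall policy"].items():
        if (srcintf in pol["srcintf"] and dstintf in pol["dstintf"]
                and any(in_addr(addrs[a], src) for a in pol["srcaddr"])
                and any(in_addr(addrs[a], dst) for a in pol["dstaddr"])
                and any(in_service(svcs[s], proto, dport, dst) for s in pol["service"])):
            return pid, pol["action"][0]
    return "0", "deny"

if __name__ == "__main__":
    cfg = parse_fortios(SAMPLE_CONFIG)
    print(first_match(cfg, "guestwifi", "internal", "10.8.8.10", "172.22.2.12", 6, 445))
```

Paste the real dump in place of `SAMPLE_CONFIG` (the `config ...`/`end` wrappers must be present) to replay any flow against it; the `set iprange` line on a custom service is a destination restriction, so a service built that way only matches the listed host even when the policy's `dstaddr` covers the whole /24. This is a reading aid for the pasted text, not a substitute for the FortiGate's own Policy Lookup in the GUI, which also accounts for schedules, users, NAT and anything the dump was trimmed of.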
Created on 02-03-2025 10:15 AM
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
V - BGP VPNv4
* - candidate default
Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via 192.168.1.254, wan, [1/0]
C 10.7.7.0/24 is directly connected, fortiwifi_40f_5
C 10.8.8.0/24 is directly connected, guestwifi
C 10.253.240.0/20 is directly connected, wqt.root
C 172.22.2.0/24 is directly connected, internal
C 172.22.3.0/24 is directly connected, internal_2
C 192.168.1.0/24 is directly connected, wan