Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Summer Badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCare Services
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiData
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiEndpoint
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- RE: second IP on internal interface - problem
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
second IP on internal interface - problem
Hello,
I added second IP address on internal interface (FortiGate 100A). I have also enabled Administrative Access - PING.
The main IP address on this interface is 10.0.0.1/24
The second IP address on this interface is now 192.168.0.1/24
On Windows client PC I have main IP address: 10.0.0.23. Now I added additional IP address: 192.168.0.23 on network card properties.
Why can`t I ping to 192.168.0.1 ?
I have also other PC`s with 192.168.0.x addresses and I can ping to them.
FGT60B, FGT100A, FGT100D
FGT60B, FGT100A, FGT100D
- « Previous
-
- 1
- 2
- Next »
19 REPLIES 19
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
do you have any policy routes defined?
what static routes do you have?
do you have any other interfaces configured, and if so, whats their IP?
UK Based Technical Consultant
FCSE v2.5
FCSE v2.8
FCNSP v3
Specialising in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT experience.
UK Based Technical Consultant FCSE v2.5 FCSE v2.8 FCNSP v3 Specialising
in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT
experience.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have seen times where you cannot ping to secondary interfaces on the FGT. I would discount that as a ' problem' . Also if you wish to have one subnet see the other with single IP addresses (on the work stations), you need to create a policy on the FGT like stated above, because the FGT must permit the traffic to cross via a policy.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Works okay on a test box here, and its running unpatched mr6 (660 build).
What version are you running?
UK Based Technical Consultant
FCSE v2.5
FCSE v2.8
FCNSP v3
Specialising in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT experience.
UK Based Technical Consultant FCSE v2.5 FCSE v2.8 FCNSP v3 Specialising
in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT
experience.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks everyone for Your time.
UkWizard,
I`m answering for Your questions:
because I have two internet providers, I have two WAN interfaces enabled and I have link redundancy and load sharing.
In Router I have two static routes (for WAN1 and WAN2) with the same distance.
IP/Mask Gateway Device Distance 0.0.0.0/0.0.0.0 A1.B1.C1.D1 wan1 10 0.0.0.0/0.0.0.0 A2.B2.C2.D2 wan2 10I have also one policy route to make WAN1 as preferred link:
Incoming Outgoing Source Destination internal wan1 0.0.0.0 / 0.0.0.0 0.0.0.0 / 0.0.0.0I have doubled firewall policy internal -> wan1 and internal ->wan2 I have set ping servers to check if link is alive. Everything works fine but second internal IP doesn' t work. My firmware is: 3.00-b0670(MR6 Patch 3) Earlier it was 3.00-b0668 and there was the same problem. rwpatterson, all I want is to have two subnets with one device as internet gate. I do not want to see computers from one subnet to another. I only want to FortiGae act with two internal IP addresses and allow traffic from both subnets to internet.
FGT60B, FGT100A, FGT100D
FGT60B, FGT100A, FGT100D
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i bet its the policy route breaking this, whether its by design or a bug.
Just as a quick test to eliminate it, take the policy route out temporarily and retest.
You will need the INT to INT policy as well to allow the routing.
if it works without that policy route, try changing the source subnet for it as the main internal IP subnet, rather than 0.0.0.0 and then retest.
UK Based Technical Consultant
FCSE v2.5
FCSE v2.8
FCNSP v3
Specialising in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT experience.
UK Based Technical Consultant FCSE v2.5 FCSE v2.8 FCNSP v3 Specialising
in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT
experience.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ok. I deleted policy route and I deleted second static route (for additional internet provider). I also disabled all firewall rules except one.
The state is now:
FG internal primary IP: 10.0.0.1/24 (ping enabled)
FG internal secondary IP: 192.168.0.1/24 (ping enabled)
One static route:
IP/Mask Gateway Device Distance 0.0.0.0/0.0.0.0 A.B.C.D2 wan1 10No polisy routes. One firewall policy:
internal -> wan1 ID Source Destination Schedule Service Profile Action 1 all all always ANY ACCEPTIn routing monitor I see:
Type Subtype Network Distance Metric Gateway Interface Static 0.0.0.0/0 10 0 A.B.C.D2 wan1 Connected 10.0.0.0/24 0 0 0.0.0.0 internal Connected A.B.C.D1/29 0 0 0.0.0.0 wan1 Connected 192.168.0.0/24 0 0 0.0.0.0 internalWAN2 interface is now disabled. I rebooted FortiGate. Form my primary subnet (my PC have only one IP address: 10.0.0.x and 10.0.0.1 as default gateway) I can accesss to internet. I can ping to FG using 10.0.0.1 an I can ping to FG using 192.168.0.1 too! From test computer (with only one IP address 192.168.0.x with 192.168.0.1 as default gateway) a can`t ping to 192.168.0.1 and I can`t go to the internet. I try with overlap enabled and disabled and always nothing.
FGT60B, FGT100A, FGT100D
FGT60B, FGT100A, FGT100D
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try your pc with just the one static IP 192.168.0.x and see if that works.
This is getting odder by the second, this could be a switch problem, do you have any vlans, trunks or managed switches? or any routers within the infrastructure?
UK Based Technical Consultant
FCSE v2.5
FCSE v2.8
FCNSP v3
Specialising in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT experience.
UK Based Technical Consultant FCSE v2.5 FCSE v2.8 FCNSP v3 Specialising
in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT
experience.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
From test computer (with only one IP address 192.168.0.x with 192.168.0.1 as default gateway) ...I just made simple test: I connected notebook with manualy set one IP address (192.168.0.x) straight to FG (other internal port) and it`s the same situation. I should have allow-overlap enabled or disabled?
FGT60B, FGT100A, FGT100D
FGT60B, FGT100A, FGT100D
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Overlap only matters when you wish to have two interfaces share the same IP range. That does not apply here.
Treat both networks as independent. The 10.0.0.x works, now forget it! Work on the 192.168.0.x network. Define the default gateway, and then the rule to permit traffic, etc. Even though they are on the same wire, they won' t talk without an explicit FGT rule allowing it (except for that funky PC with two IP addresses). I think you are confusing yourself.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I solved the problem.
1. I could not execute PING from 192.168.0.x subnet to second FG IP address because in Trusted Hosts (administrator settings) I had only 10.0.0.0/24.
Because PING is treated as administrative access, it acted only with subnet 10.0.0.0/24.
2. Internet connection from net 192.168.0. x did not act because I didn' t have DNS server in this subnet (I forgot about this).
I also didn' t have enabled " Enable DNS forwarding from: internal" option in Networking options.
I' m very grateful for Your help, thank you very much.
FGT60B, FGT100A, FGT100D
FGT60B, FGT100A, FGT100D
- « Previous
-
- 1
- 2
- Next »
Labels
-
FortiGate
10,515 -
FortiClient
2,136 -
FortiManager
886 -
5.2
687 -
FortiAnalyzer
674 -
5.4
638 -
FortiSwitch
579 -
FortiAP
558 -
FortiClient EMS
551 -
6.0
416 -
IPsec
411 -
SSL-VPN
373 -
FortiMail
371 -
5.6
362 -
FortiNAC
277 -
FortiWeb
252 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SD-WAN
191 -
FortiAuthenticator
168 -
FortiGuard
159 -
5.0
152 -
Firewall policy
142 -
6.4
128 -
FortiGate-VM
126 -
FortiCloud Products
116 -
FortiGateCloud
112 -
FortiSIEM
111 -
FortiToken
110 -
Wireless Controller
95 -
Customer Service
88 -
High Availability
83 -
FortiProxy
77 -
ZTNA
75 -
Routing
73 -
DNS
71 -
SAML
70 -
VLAN
70 -
Fortivoice
69 -
FortiEDR
68 -
FortiADC
67 -
BGP
67 -
Authentication
66 -
Certificate
64 -
RADIUS
59 -
LDAP
58 -
SSO
54 -
FortiSandbox
53 -
fortilink
53 -
NAT
52 -
FortiExtender
51 -
4.0MR3
49 -
VDOM
44 -
Application control
44 -
FortiDNS
43 -
Interface
43 -
Logging
40 -
Virtual IP
39 -
FortiGate v5.4
38 -
FortiSwitch v6.4
38 -
FortiPAM
35 -
SSL SSH inspection
35 -
Web profile
35 -
FortiConnect
34 -
Automation
32 -
FortiWAN
31 -
FortiConverter
30 -
FortiGate v5.2
27 -
SNMP
25 -
SSID
25 -
Static route
25 -
Traffic shaping
24 -
API
24 -
FortiSwitch v6.2
23 -
FortiPortal
23 -
FortiGate Cloud
23 -
System settings
22 -
OSPF
20 -
WAN optimization
20 -
FortiMonitor
19 -
Security profile
19 -
Web application firewall profile
18 -
IP address management - IPAM
18 -
FortiSoar
17 -
Web rating
17 -
FortiGate v5.0
16 -
FortiDDoS
16 -
FortiAP profile
16 -
Explicit proxy
15 -
Admin
15 -
Proxy policy
15 -
FortiCASB
14 -
IPS signature
14 -
Intrusion prevention
14 -
FortiManager v4.0
13 -
DNS filter
13 -
FortiManager v5.0
12 -
NAC policy
12 -
Traffic shaping policy
12 -
Fabric connector
12 -
Port policy
12 -
FortiRecorder
11 -
Users
11 -
FortiDeceptor
10 -
FortiAnalyzer v5.0
10 -
FortiWeb v5.0
10 -
FortiBridge
10 -
Trunk
10 -
Traffic shaping profile
10 -
Authentication rule and scheme
10 -
Fortinet Engage Partner Program
10 -
FortiGate v4.0 MR3
9 -
RMA Information and Announcements
9 -
Antivirus profile
9 -
FortiCache
8 -
FortiToken Cloud
8 -
4.0
7 -
4.0MR2
7 -
Packet capture
7 -
Application signature
7 -
VoIP profile
7 -
Vulnerability Management
7 -
FortiScan
6 -
FortiCarrier
5 -
FortiNDR
5 -
FortiTester
5 -
DLP profile
5 -
DLP sensor
5 -
DoS policy
5 -
Email filter profile
5 -
Protocol option
5 -
Cloud Management Security
5 -
3.6
4 -
FortiDirector
4 -
Internet service database
4 -
DLP Dictionary
4 -
Netflow
4 -
TACACS
4 -
Replacement messages
4 -
SDN connector
4 -
Service
4 -
Multicast routing
4 -
FortiDB
3 -
FortiHypervisor
3 -
Kerberos
3 -
File filter
3 -
Multicast policy
3 -
FortiInsight
2 -
FortiAI
2 -
Video Filter
2 -
Schedule
2 -
ICAP profile
2 -
Zone
2 -
lacework
2 -
FortiEdge Cloud
2 -
FortiGuest
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
FortiSASE
1 -
Virtual wire pair
1 -
FortiEdge
1 -
FortiAIOps
1
Top Kudoed Authors
| User | Count |
|---|---|
| 2551 | |
| 1356 | |
| 795 | |
| 646 | |
| 455 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.