unable to ping beyond default gateway on new Internet connection
I have a Fortigate 200B with the latest 4.0 firmware.
We use muiltiple Internet connections, two PPPoE connections that work just fine, and one new manual connection that I can' t get to work. I feel like I must be missing something really simple/stupid.
The connections that are working:
Port 13 (DSL01) - DHCP
188.8.131.52 / 255.255.255.255 Gateway: 184.108.40.206
Port 14 (DSL02) - DHCP
220.127.116.11/255.255.255.255 Gateway: 18.104.22.168
The connection that isn' t working:
Port 15 (EoCu) - Manual
Device distance priority gateway ip/mask
Port 13 10 5 0.0.0.0 0.0.0.0/0.0.0.0
port 14 10 5 0.0.0.0 0.0.0.0/0.0.0.0
port 15 10 5 22.214.171.124 0.0.0.0/0.0.0.0
port 13 ping server 126.96.36.199
port 14 ping server 188.8.131.52
port 15 ping server 184.108.40.206
Routing monitor shows:
type network distance gateway interface
static 0.0.0.0/0 5 220.127.116.11 PPP1
static 0.0.0.0/0 5 18.104.22.168 PPP2
(no other static entries are listed for any interfaces)
connected 22.214.171.124/32 0 0.0.0.0 PPP2
connected 126.96.36.199/29 0 0.0.0.0 Port 15
connected 188.8.131.52/32 0 0.0.0.0 PPP1
connected 184.108.40.206/32 0 0.0.0.0 PPP2
connected 220.127.116.11/32 0 0.0.0.0 PPP1
(why isn' t my static route default gateway listed for port 15???)
From the firewall console:
exec ping 18.104.22.168 comes back fine
exec ping 22.214.171.124 does not come back
When I connected my laptop to the same connection as port 15 I configured it like this:
Subnet mask: 255.255.255.248
Default gateway: 126.96.36.199
With that configuration, I am able to ping 188.8.131.52 from my laptop.
What am I missing???
Tier 2 support was able to resolve my issue in no time! Hereâ€™s what was going on:
The screenshot of the static routes showed a distance value of 10, and all things being equal, all three static routes should have appeared in the routing table screenshot. However, if you look close, the routing tableâ€™s entries for port 13 and 14 have a distance value of 5 instead of 10. This is because port 13 and 14 are PPPoE connections and are getting their default gateway information from the server (because it may change from time to time on a DHCP connection). When the â€œget default gateway from serverâ€ setting is enabled, the distance value of the interface is applied with a default value of 5.
The Fortigate will only put the route(s) with the lowest distance value into the routing table. Port 13 and port 14 had a value of 5 per their interface configuration so they made it in, whereas port 15 had a value of 10 set in the static route configuration, so it didnâ€™t make it in. The funny thing here is that the two entries for ports 13 and 14 in the static routes screen were doing nothing because those entries had a distance value higher than the interface configuration. The static route configuration for port 15 was applying, but wasnâ€™t added to the routing table because itâ€™s value was higher than those of port 13 and 14.
I removed the static routing entries for ports 13 and 14, and decreased the distance value of port 15 in the static routes screen to 5. Bingo â€“ it works!
I also wanted to change the priority of port 13 and 14 so that all Internet traffic goes over port 15 (faster connection) unless it is down. If 15 is down I want to use port 13 and 14 as backup load-balanced links. I increased the priority value of port 13 and 14 at the CLI with these commands:
IASLC-FW01 # config sys interface
IASLC-FW01 (interface) # edit port13
IASLC-FW01 (port13) # set priority 5
IASLC-FW01 (port13) # next
IASLC-FW01 (interface) # edit port14
IASLC-FW01 (port14) # set priority 5
IASLC-FW01 (port14) # end
Today I learned:
1. Fortinet support and forums are wonderful!
2. Fortigate looks at routing information before policies
3. Fortigate looks at policy routes before static routes
4. Fortigate will only enter the route(s) with the lowest value into the routing table, higher-distance routes will not be entered into the routing table until lower-distance routes go down.
5. When an route has a distance configured in both the Interface and Static Route screens (as is the case with DHCP PPPoE connections with default gateway information coming from the server) the Interface configuration will take precedence.
Thank you all for your time!
check your interface and dhcp settings.
You show your are using a 32 bit netmask, that means the network connected to that interface only contains 1 host, the interface itself. So nothing else on that interface will get through.
The other issue could be the three default routes. There should only be one, especially for testing.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.