Purpose
This article describes how to configure a FortiGate to route/allow traffic between 2 (or more) subnets attached to the same interface of a FortiGate.
Scope
All FortiGates or VDOM running in NAT/Route Mode.
Diagram
This diagram illustrates a simple example:
subnet 10.1.1.0/24 ===== [ port1 FortiGate ]
subnet 172.16.1.0/24 ===== [ port1 ]
Expectations, Requirements
Assume that subnet 10.1.1.0/24 is configured on port1, and 172.16.1.0/24 is configured as a secondary IP address of port1.
For this example, it is expected that all traffic flows from 10.1.1.0/24 to 172.16.1.0/24 and vice versa.
Configuration
The following firewall policy will allow traffic between both subnets.
A policy from a port to the same port is sometimes also referred to as a hairpin policy (or one-arm firewall).
config firewall policy
    edit 0
        set srcintf "port1"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
    next
end
To get finer control over the traffic flows in either direction, more than one hairpin policy may be needed, each with specific source or destination IP addresses.
Troubleshooting
For troubleshooting connectivity problems, please check the related articles about the sniffer and debug flow.
Related Articles
Troubleshooting Tip : How to use the FortiGate sniffer and debug flow in presence of NP2 ports
Troubleshooting Tool: Using the FortiOS built-in packet sniffer