Technical Note : Asymmetrical packet forwarding in Transparent Mode

dchan · ‎02-12-2010

Description

The FortiGate unit (shown as FGT2 in the diagram below) in Transparent Mode allows asymmetrical packet forwarding where packets ingress vlanXX_inside and exited vlanXX_outside. When packets return, if they return by vlanYY_outside, the FortiGate unit will forward them to vlanYY_inside.

Diagram

PC1 = 1.1.1.10/24
|
DMZ = 1.1.1.1/24
|
FGT1 (NATmode)
|
WAN2
vlanXX = 2.2.2.1/24
vlanYY = 3.3.3.1/24|
|
TRUNK
|
|
DMZ (VLan interfaces, vlanXX_inside, vlanYY_inside)
|
FGT2 (TP mode)
|
WAN2 (Vlan interfaces, vlanXX_outside, vlanYY_outside)
|
Trunk
|
| 
Cisco (L3Switch)
vlanXX= 2.2.2.2/24

vlanYY= 3.3.3.3/24

Packet Flow

In the example above, the PC with an IP of 1.1.1.10 initiates a ICMP request to 2.2.2.2 on VlanXX. ICMP packet reaches vlanXX_inside, it creates the session and then the packet is forwarded to the vlanXX_outside interface. When it reaches the Cisco L3 router, it routes the packet to VlanYY. The ICMP reply hits the vlanYY_outside interface. The FortiGate unit will find the existing session and forward the packet to vlanYY_inside.

Sniffer

FGT2# diagnose sniffer packet any 'host 2.2.2.2' 4
interfaces=[any]
filters=[host 2.2.2.2]
900700 vlanxx_inside in arp who-has 2.2.2.2 tell 2.2.2.1
900755 vlanxx_outside out arp who-has 2.2.2.2 tell 2.2.2.1
900767 wan2 out arp who-has 2.2.2.2 tell 2.2.2.1
901415 vlanxx_outside in arp reply 2.2.2.2 is-at 0:11:92:d4:5e:c3
901448 vlanxx_inside out arp reply 2.2.2.2 is-at 0:11:92:d4:5e:c3
901458 dmz1 out arp reply 2.2.2.2 is-at 0:11:92:d4:5e:c3

032498 vlanxx_inside in 1.1.1.10 -> 2.2.2.2: icmp: echo request
032545 vlanxx_outside out 1.1.1.10 -> 2.2.2.2: icmp: echo request
032556 wan2 out 1.1.1.10 -> 2.2.2.2: icmp: echo request
032872 vlanyy_ouside in 2.2.2.2 -> 1.1.1.10: icmp: echo reply
032925 vlanyy_inside out 2.2.2.2 -> 1.1.1.10: icmp: echo reply
032934 dmz1 out 2.2.2.2 -> 1.1.1.10: icmp: echo reply

Debug Flow

FGT2# id=20085 trace_id=1 func=resolve_ip_tuple_fast line=3210 msg="vd-root received a packet(proto=1, 1.1.1.10:1280->2.2.2.2:8) from vlanxx_inside."
id=20085 trace_id=1 func=resolve_ip_tuple line=3326 msg="allocate a new session-00000251"
id=20085 trace_id=1 func=br_fw_forward_handler line=339 msg="Allowed by Policy-2:"
id=20085 trace_id=1 func=__if_queue_push_xmit line=208 msg="send out via dev-vlanxx_outside, dst-mac-00:11:92:d4:5e:c3"

id=20085 trace_id=2 func=resolve_ip_tuple_fast line=3210 msg="vd-root received a packet(proto=1, 1.1.1.10:1280->2.2.2.2:8) from vlanxx_inside."
id=20085 trace_id=2 func=resolve_ip_tuple_fast line=3240 msg="Find an existing session, id-00000251, original direction"
id=20085 trace_id=2 func=br_ipv4_fast_cb line=69 msg="enter fast path"
id=20085 trace_id=2 func=__if_queue_push_xmit line=208 msg="send out via dev-dr_vlanxx, dst-mac-00:11:92:d4:5e:c3"

id=20085 trace_id=3 func=resolve_ip_tuple_fast line=3210 msg="vd-root received a packet(proto=1, 2.2.2.2:1280->1.1.1.10:0) from vlanyy_ouside."
id=20085 trace_id=3 func=resolve_ip_tuple_fast line=3240 msg="Find an existing session, id-00000251, reply direction"
id=20085 trace_id=3 func=br_wccp_preroute_handler line=56 msg="state=00008200, indev=12 without wccp"
id=20085 trace_id=3 func=__if_queue_push_xmit line=208 msg="send out via dev-vlanyy_inside, dst-mac-00:09:0f:2d:9c:fc"

Scope

FortiGate unit in Transparent Mode

Solution

The reply packet can always go through the FortiGate as long as there is a matching session, no matter asymmetric routing configuration. If there is no matching session, it can only go through the FortiGate when asymmetric routing is enabled under the Config System Settings.

Related Articles

Technical Note : How to use "set peer-interface" in Transparent Mode

Technical Note : Asymmetrical packet forwarding in Transparent Mode

You are leaving our website