Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Hiteco-Srl
New Contributor

Created on ‎01-13-2024 05:26 AM Edited on ‎02-26-2024 03:16 AM By Community Manager

Ping WAN IP from LAN

Hi,

I can't ping WAN IPs from the LAN. The only IP address I can ping is the one configured on the WAN interface.

 

ES:
WAN interface - 192.168.10.1/29
LAN interface - 192.168.1.1/24

From the LAN if I ping the IP address 192.168.10.1 I will reach it. However, if I try to ping the IP addresses 192.168.10.2, 192.168.10.3, 192.168.10.4, 192.168.10.5 and 192.168.10.6, I cannot reach them

 

Have i nice day

Andrea

596
0 Kudos
2 Solutions
maulishshah
Staff
Staff

Created on ‎01-13-2024 07:47 AM

Hi @Hiteco-Srl ,

 

You are unable to ping the remaining addresses that are part of the WAN subnet due to the absence of ARP entries for a specific IP address in the firewall. Consequently, the firewall fails to route the packet.

 

To successfully ping an IP address, it is necessary to configure a secondary IP within the relevant interface. This configuration enables you to ping the rest of the network.

 

Here is the article: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Set-a-secondary-IP-on-a-FortiGate-interfac...

Maulish Shah

View solution in original post

556
AEK
SuperUser
SuperUser
In response to maulishshah

Created on ‎01-13-2024 12:10 PM

Hi Andrea

In addition to @maulishshah advice, in case you don't want to add it as secondary address for some reason or because you use them as VIP, you still can use these public IPs as VIPs to forward ping requests to some internal server if that's what you need.

AEK

View solution in original post

AEK
541
0 Kudos
6 REPLIES 6
mle2802
Staff
Staff

Created on ‎01-13-2024 06:30 AM

Hi @Hiteco-Srl,

Can you try "execute ping-option source  192.168.10.1" and then "execute ping 192.168.10.2". Please make sure those device able to reply ping.

583
0 Kudos
Hiteco-Srl
New Contributor
In response to mle2802

Created on ‎01-13-2024 06:39 AM

From the firewall I can ping all the IP addresses of the subnet both with the execute ping-option source command and without

576
0 Kudos
mle2802
Staff
Staff
In response to Hiteco-Srl

Created on ‎01-13-2024 06:41 AM

Did you have a policy from Lan to Wan to allow traffic? Also is NAT enabled on the policy?

 

572
0 Kudos
maulishshah
Staff
Staff

Created on ‎01-13-2024 07:47 AM

Hi @Hiteco-Srl ,

 

You are unable to ping the remaining addresses that are part of the WAN subnet due to the absence of ARP entries for a specific IP address in the firewall. Consequently, the firewall fails to route the packet.

 

To successfully ping an IP address, it is necessary to configure a secondary IP within the relevant interface. This configuration enables you to ping the rest of the network.

 

Here is the article: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Set-a-secondary-IP-on-a-FortiGate-interfac...

Maulish Shah
557
AEK
SuperUser
SuperUser
In response to maulishshah

Created on ‎01-13-2024 12:10 PM

Hi Andrea

In addition to @maulishshah advice, in case you don't want to add it as secondary address for some reason or because you use them as VIP, you still can use these public IPs as VIPs to forward ping requests to some internal server if that's what you need.

AEK
AEK
542
0 Kudos
Hiteco-Srl
New Contributor

Created on ‎02-07-2024 01:38 AM

Hi guys,

Thank you so much for your super help.

 

Good day!!!

304
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.