- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Wi-Fi, subnets and cabled devices
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Wi-Fi, subnets and cabled devices
We have a splitted subnet:
LAN2: (physical interface)
172.29.6.1/255.255.255.128 for FortiAP's
Wi-Fi SSID:
172.29.6.129/255.255.255.128
I have connected a cabled physical device and given static ip details:
ip: 172.29.6.201
gw: 172.29.6.129
sub: 255.255.255.128
Was hoping I could reach this device from the Wi-Fi clients, but no good. All good when connected to cable though. Where am I going wrong here?
-PM
*edited LAN1 to LAN2
Solved! Go to Solution.
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi pmh,
yes, you are correct. FortiGate implicitly denies traffic between separate interfaces, even if they should be in the same subnet. You would have to create a policy from lan2 to your SSID, and would have to ensure that the server IP is within the subnet for lan2, not the SSID subnet, otherwise traffic will fail on the reverse routing check.
One way around the policy requirement would be to create a software switch out of the interfaces (the SSID and lan2 interface) and have a single interface IP and subnet on those two interfaces. You would have to roll back some IP configuration to put lan2 and the SSID into a switch interface, though.
Another option would be to switch the SSID to bridge mode (instead of tunnel mode), that way the SSID is essentials considered part of the physical interface the access point is connected on (it achieves the same result as creating a software switch).
In tunnel mode, the SSID is considered an entirely separate (virtual) interface from LAN2, and communication from anything in WiFi is tunnelled via CAPWAP; you essentially have two completely different connections on LAN2.
You could also put the SSID and lan2 into a zone, and allow intra-zone traffic, that would also eliminate the need for a policy. However, as there is no shared subnet between lan2 and the SSID, you would still need to update the server IP to ensure it is within the lan2 /25 subnet to prevent traffic failing on a routing check.
If you are unsure what the routing check is:
When FortiGate receives the first packet in a session, it does a basic sanity check to verify that a reply to that IP would go back out the interface it received the packet on.
In your case:
- FortiGate receives a packet with source IP .201 on lan2
- it checks its routing table to determine where it would send replies TO the IP .201
- it sees that the .201 IP belongs to the SSID subnet, not lan2, so the routing does NOT check out
- it denies the packet based on reverse path check failure
- this is intended as a basic check to prevent IP spoofing
I hope this helps :)
+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
8 REPLIES 8
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi pmh,
It sounds like are missing a firewall policy.
You can test whether that is the case:
diag debug console timestamp enable
diag debug flow filter proto 1 (=icmp)
diag debug flow filter addr 172.29.6.201
diag debug flow show iprope enable
diag debug enable
diag debug flow trace start 20
Run a second SSH session with a packet capture to show which interface the packets are arriving at and leaving at (if any).
diag sniffer packet any 'host 172.29.6.201' 4 0 a
Then run a ping to that device.
- the flow trace will show if there is a policy match and what routing decisions are taken.
- the sniffer will show you the incoming interface of the traffic as well as the outgoing. If there is no policy match, there won't be outgoing traffic.
Best regards,
Markus
Created on 12-23-2021 09:28 AM Edited on 12-23-2021 09:52 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Markus,
Thanks for your reply. Tried this now and got the below result:
fgt-name (crew) # diag sniffer packet any 'host 172.29.6.201' 4 0 a
interfaces=[any]
filters=[host 172.29.6.201]
2021-12-23 17:50:58.496217 lan2 in arp who-has 172.29.6.129 tell 172.29.6.201
2021-12-23 17:50:59.921865 lan2 in 172.29.6.201.12345 -> 255.255.255.255.12345: udp 450
2021-12-23 17:51:00.583504 lan2 in arp who-has 172.29.6.129 tell 172.29.6.201
2021-12-23 17:51:01.163824 CrewName in arp who-has 172.29.6.201 tell 172.29.6.186
2021-12-23 17:51:01.599185 lan2 in arp who-has 172.29.6.129 tell 172.29.6.201
2021-12-23 17:51:01.921638 lan2 in 172.29.6.201.12345 -> 255.255.255.255.12345: udp 450
2021-12-23 17:51:02.005358 CrewName in arp who-has 172.29.6.201 tell 172.29.6.186
2021-12-23 17:51:02.622811 lan2 in arp who-has 172.29.6.129 tell 172.29.6.201
2021-12-23 17:51:03.012420 CrewName in arp who-has 172.29.6.201 tell 172.29.6.186
2021-12-23 17:51:03.920836 lan2 in 172.29.6.201.12345 -> 255.255.255.255.12345: udp 450
2021-12-23 17:51:04.194155 CrewName in arp who-has 172.29.6.201 tell 172.29.6.186
2021-12-23 17:51:04.199888 lan2 in arp who-has 172.29.6.129 tell 172.29.6.201
2021-12-23 17:51:05.007252 CrewName in arp who-has 172.29.6.201 tell 172.29.6.186
2021-12-23 17:51:05.213791 lan2 in arp who-has 172.29.6.129 tell 172.29.6.201
2021-12-23 17:51:05.921636 lan2 in 172.29.6.201.12345 -> 255.255.255.255.12345: udp 450
2021-12-23 17:51:06.026824 CrewName in arp who-has 172.29.6.201 tell 172.29.6.186
2021-12-23 17:51:06.237475 lan2 in arp who-has 172.29.6.129 tell 172.29.6.201
2021-12-23 17:51:07.603104 lan2 in arp who-has 172.29.6.129 tell 172.29.6.201
2021-12-23 17:51:07.921265 lan2 in 172.29.6.201.12345 -> 255.255.255.255.12345: udp 450
2021-12-23 17:51:08.199220 CrewName in arp who-has 172.29.6.201 tell 172.29.6.186
2021-12-23 17:51:08.604550 lan2 in arp who-has 172.29.6.129 tell 172.29.6.201
2021-12-23 17:51:09.001465 CrewName in arp who-has 172.29.6.201 tell 172.29.6.186
^C
25 packets received by filter
0 packets dropped by kernel
Didn't really make me any wiser unfortunately.
-PM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi PM,
one device of yours, 172.29.6.186 is asking via arp where 172.29.6.201 is or which MAC it has because it is not known on which interface it is. This is happening on interface "CrewName". I suppose, this is your SSID name.
Then 172.29.6.201 is asking the same for its own subnets' gateway IP on "lan2" (your initial post doesn't mention lan2, but lan1 and the address is outside it).
I would want to say that FGT is being asked this but not responding to it; However, you want to check why the same subnet is known on 2 different interfaces.
That configuration isn't possible without enabling an "overlapping subnet".
Explanation:
The range you have here is from 172.29.6.128-172.29.6.255; .128 being the network address, .255 being the broadcast address.
All other 126 addresses in between belong to the same subnet and must be on the same interface as it handles one defined subnet.
172.29.6.129 is your configured gateway for the devices in the same network and the interface IP for the SSID interface.
172.29.6.186 is in that same network supposedly, so is 172.29.6.201.
If the 172.29.6.201 is on a different interface, you should check why it seems to be there and why it has that IP (statically assigned?).
Best regards,
Markus
Created on 12-23-2021 11:38 PM Edited on 12-24-2021 12:37 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi again Markus and thank you so much for helping me on this.
You are correct, it should be LAN2 (not LAN1).
"CrewName" is indeed the SSID for the Wi-Fi.
Also, yes 172.29.6.186 is the Wi-Fi connected client I am pinging the LAN2 connected device 172.29.6.201 (static ip) from. Both devices are in the same subnet 255.255.255.128
I was initially thinking that it should be possible to comunicate as long as the devices were in the same subnet, but if I understand you correctly they also have to be connected to the same interface (Wi-Fi "CrewName" clients cannot connect to devices physically connected to cabled devices on LAN2)
That basically correct?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi pmh,
yes, you are correct. FortiGate implicitly denies traffic between separate interfaces, even if they should be in the same subnet. You would have to create a policy from lan2 to your SSID, and would have to ensure that the server IP is within the subnet for lan2, not the SSID subnet, otherwise traffic will fail on the reverse routing check.
One way around the policy requirement would be to create a software switch out of the interfaces (the SSID and lan2 interface) and have a single interface IP and subnet on those two interfaces. You would have to roll back some IP configuration to put lan2 and the SSID into a switch interface, though.
Another option would be to switch the SSID to bridge mode (instead of tunnel mode), that way the SSID is essentials considered part of the physical interface the access point is connected on (it achieves the same result as creating a software switch).
In tunnel mode, the SSID is considered an entirely separate (virtual) interface from LAN2, and communication from anything in WiFi is tunnelled via CAPWAP; you essentially have two completely different connections on LAN2.
You could also put the SSID and lan2 into a zone, and allow intra-zone traffic, that would also eliminate the need for a policy. However, as there is no shared subnet between lan2 and the SSID, you would still need to update the server IP to ensure it is within the lan2 /25 subnet to prevent traffic failing on a routing check.
If you are unsure what the routing check is:
When FortiGate receives the first packet in a session, it does a basic sanity check to verify that a reply to that IP would go back out the interface it received the packet on.
In your case:
- FortiGate receives a packet with source IP .201 on lan2
- it checks its routing table to determine where it would send replies TO the IP .201
- it sees that the .201 IP belongs to the SSID subnet, not lan2, so the routing does NOT check out
- it denies the packet based on reverse path check failure
- this is intended as a basic check to prevent IP spoofing
I hope this helps :)
+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Debbie and thank you for your explanation.
I already have the two interfaces in a zone, and I'm not blocking intra-zone-traffic, so if I understand you correctly I can simply change the IP details on my server from .201 to .121 and I should be able to reach the server from my Wi-Fi clients?
If so, do I also need to change my gateway on the server from .129 to .1 ?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey pmh,
yes and yes, that should allow you to ping clients in the wifi subnet.
If you are pinging Windows clients, make sure their firewalls allow the ping :)
+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just wanted to let you know that after changing mentioned IP details and adding a policy:
Source interface: My_ZONE
Destination interface: My_ZONE
SourceIP: SERVER
DestIP: DEVICESall is working :)
Thank you so much for al your help @Debbie_FTNT and @Markus_M !
Related Posts
- Fortigate with Mikrotik Site to site... 380 Views
- Site-to-Site GRE tunnel fails after about... 241 Views
- Multicast Flooding Issue with 100+ Apple... 238 Views
- ssl-vpn let client reach devices in... 476 Views
- Slow Veeam Backups through 2x fortigates 369 Views
Labels
-
FortiGate
6,450 -
FortiClient
1,287 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
411 -
5.6
362 -
FortiSwitch
331 -
FortiAP
327 -
FortiClient EMS
259 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
148 -
6.4
128 -
FortiNAC
103 -
FortiGuard
102 -
FortiGateCloud
86 -
FortiSIEM
85 -
FortiCloud Products
82 -
FortiToken
69 -
Customer Service
69 -
IPsec
66 -
4.0MR3
64 -
Wireless Controller
58 -
SSL-VPN
54 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
38 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
30 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
FortiConverter
21 -
High Availability
20 -
Firewall policy
20 -
VLAN
18 -
FortiPortal
17 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
ZTNA
15 -
FortiMonitor
14 -
Certificate
14 -
FortiDDoS
13 -
Routing
12 -
FortiCASB
12 -
SAML
11 -
DNS
11 -
Interface
11 -
BGP
10 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
Logging
9 -
RADIUS
8 -
Traffic shaping
8 -
Virtual IP
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
NAT
7 -
FortiAuthenticator
7 -
Admin
7 -
FortiGate v4.0 MR3
7 -
4.0
7 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
SSID
5 -
Security profile
5 -
Traffic shaping policy
5 -
Authentication
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
Static route
5 -
FortiManager v4.0
5 -
FortiDirector
4 -
SSL SSH inspection
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
packet capture
3 -
FortiToken Cloud
3 -
Automation
3 -
Intrusion prevention
3 -
DoS policy
3 -
FortiTester
3 -
Port policy
3 -
FortiDB
3 -
IPS signature
3 -
FortiDeceptor
2 -
FortiInsight
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
Web profile
2 -
FortiAP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
NAC policy
1 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
Application signature
1 -
Authentication rule and scheme
1 -
Multicast routing
1 -
Zone
1 -
FortiManager-VM
1 -
Fabric connector
1 -
Internet Service Database
1 -
Fortinet Engage Partner Program
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.