- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: help with routing
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
help with routing
hi
i have a network with mikrotik. we are planning to replace mikrotik with fortigate 100F (v7.4.0)
now i have:
switch
tag vlans: 32, 33 to mikrotik
tag vlans: 32, 33 to fortigate
untag vlans: 32 to two hosts
two hosts: vlan 32, untag
192.168.5.251/24 (gw: 192.168.5.1 - mikrotik) ,
192.168.5.252/24 (gw 192.168.5.2 - fortigate)
mikrotik
trunk vlans: 32 (192.168.5.1/24), 33 (192.168.20.1/24)
fortigate:
config system interface
edit "vlan0032"
set vdom "root"
set ip 192.168.5.2 255.255.255.0
set allowaccess ping https ssh snmp http
set device-identification enable
set role lan
set snmp-index 38
set interface "x2"
set vlanid 32
next
edit "vlan0033"
set vdom "root"
set ip 192.168.20.2 255.255.255.0
set allowaccess ping https ssh snmp http fgfm
set device-identification enable
set role lan
set snmp-index 35
set interface "x2"
set vlanid 33
next
end
config firewall policy
edit 7
set name "all"
set srcintf "any"
set dstintf "any"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set logtraffic all
end
ping from 192.168.5.252 to 192.168.20.2 (fortigate) - working
ping from 192.168.5.251 to 192.168.20.2 - dont working
why ?
theoretically, the traffic should go like this:
ask: 192.168.5.251 - 192.168.5.1 (mikrotik directly connected) 192.168.20.1 - 192.168.20.2
answer: 192.168.20.2 (dir. conn.) 192.168.5.2 - 192.168.5.251
fortigate capture showing incoming packets from 192.168.5.251, but outgoing - no
Solved! Go to Solution.
Labels:
- Labels:
-
FortiGate
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
solved the problem like this:
config router static
edit 3
set gateway 192.168.20.1
set device "vlan0033"
next
end
at the time of migration it will be like this
- « Previous
-
- 1
- 2
- Next »
12 REPLIES 12
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@Christian_89 wrote:1. Verify the routing configuration on the FortiGate firewall: Ensure that there is a route configured on the FortiGate firewall to reach the subnet 192.168.5.0/24 via the interface connected to the MikroTik router (x2 interface). This route is necessary to send the reply traffic back to the MikroTik router.
its ok
@Christian_89 wrote:
2. Check the default gateway on the hosts: Ensure that the default gateway on the hosts in VLAN 32 (192.168.5.251) is set correctly to point to the MikroTik router (192.168.5.1). This will ensure that the ping requests are sent to the correct gateway.
its ok
@Christian_89 wrote:3. Verify the VLAN configuration: Double-check the VLAN configuration on the FortiGate firewall (x2 interface) and ensure that VLAN tagging is correctly configured for VLANs 32 and 33. Make sure that the VLAN ID matches the configuration on the MikroTik router.
ping from mikrotik to fortigate and in the opposite direction - working
192.168.20.1 - 192.168.20.2
192.168.5.1 - 192.168.5.2
@Christian_89 wrote:4. Verify connectivity between the MikroTik router and the FortiGate firewall: Ensure that there is connectivity between the MikroTik router and the FortiGate firewall. You can try pinging the FortiGate's IP address (192.168.5.2) from the MikroTik router to verify this.
By going through these troubleshooting steps, you should be able to identify and resolve any configuration or routing issues that may be causing the problem.
ok
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The routing on the FGT is given by the interfaces the thread starter configured (so called connected routes). But you clearly see the incoming traffic hits the wrong incoming interface on the fgt and it therfore cannot detect the proper outgoing one. So packets are dropped.
To me that more looks like if the mikrotik sends the packets to the fortigate with the wrong vlan tag.
Also it should be connected to x1 then to have a vlan trunk available on uplink.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
--
"It is a mistake to think you can solve any major problems just with
potatoes." - Douglas Adams
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
solved the problem like this:
config router static
edit 3
set gateway 192.168.20.1
set device "vlan0033"
next
end
at the time of migration it will be like this
- « Previous
-
- 1
- 2
- Next »
Related Posts
- Internet data not passing from firewall 104 Views
- Issue with SD-WAN 104 Views
- Resolve FortiGate Connectivity Issue Same As... 61 Views
- Can't ping VLAN interfaces through VPN 217 Views
- Oracle sessions randomly hanging behind fortigate 134 Views
Labels
-
FortiGate
6,566 -
FortiClient
1,308 -
5.2
801 -
5.4
639 -
FortiManager
566 -
6.0
416 -
FortiAnalyzer
415 -
5.6
362 -
FortiSwitch
336 -
FortiAP
336 -
FortiClient EMS
267 -
6.2
251 -
FortiMail
243 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
151 -
6.4
128 -
FortiNAC
108 -
FortiGuard
102 -
FortiSIEM
89 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
FortiToken
71 -
Customer Service
70 -
4.0MR3
64 -
SSL-VPN
61 -
Wireless Controller
58 -
FortiProxy
45 -
FortiADC
43 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
32 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
25 -
Firewall policy
24 -
FortiConnect
24 -
FortiWAN
22 -
VLAN
21 -
FortiConverter
21 -
High Availability
20 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiAuthenticator
15 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
FortiGate v5.0
12 -
Routing
12 -
Interface
12 -
FortiCASB
12 -
Logging
11 -
LDAP
10 -
Virtual IP
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
SSL SSH inspection
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
IP address management - IPAM
7 -
4.0
7 -
Security profile
6 -
Authentication
6 -
FortiBridge
6 -
Fortigate Cloud
6 -
SSO
6 -
Traffic shaping policy
5 -
SNMP
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
Proxy policy
4 -
packet capture
4 -
WAN optimization
4 -
Web application firewall profile
4 -
Automation
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
Port policy
4 -
FortiScan
4 -
IPS signature
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Web profile
3 -
DoS policy
3 -
Intrusion prevention
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
FortiPAM
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
Fortinet Engage Partner Program
2 -
4.0MR1
1 -
TACACS
1 -
Users
1 -
Schedule
1 -
SDN connector
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Application signature
1 -
Authentication rule and scheme
1 -
Web rating
1 -
FortiManager-VM
1 -
Email filter profile
1 -
Multicast routing
1 -
Internet Service Database
1 -
Zone
1 -
Explicit proxy
1 -
Protocol option
1 -
System settings
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.