- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- LAN-to-LAN 2 sites
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
LAN-to-LAN 2 sites
Hello
I have 2 sites what need to be connected together temporarily until their re-structuring is finished. We are slowly fusioning both sites together but it's a bit on standby.
LAN1 (site1) - 192.168.100.2/255.255.252.0 (connected directly to fortigate 60c internal1)
LAN2 (site2)- 192.168.200.254/255.255.0.0 (connected via antenna directly to 60c internal2)
These are overlapping subnets, however with set allow-subnet-overlap enable I am able to have lan1/lan2 on the same subnet.
I only really need 2-3 machines from site1 to talk to site2 and visa versa, but I'm a bit confused on LAN-to-LAN policies when both sites have their own internet connec./firewall/dhcp etc etc. However we have no IP conflicts between the both sites.
How should I attack this? I was even thinking of maybe using WAN1 for site2 and keeping site1 on LAN1 and configure it like a 'firewall' but I'm not sure this is a good idea.
Solved! Go to Solution.
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You need to run "flow debug". It would show you the reason if the FGT is dropping packets. By the way your internal3 subnet mask is not matching your original post.
6 REPLIES 6
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I haven't used "allow-subnet-overlap" so I don't know how it would behave if a host in the smaller subnet resides on the other side. But LAN-to-LAN policies wouldn't have much difference from LAN-to-WAN other than GUI appearance. They're just separate interfaces so just internal1/2-to-internal2/1 policies.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is what I thought as well, I'm running a 80E as my actual firewall and I've had no problems replacing all the policies etc from my old 60C.
edit "internal1"
set vdom "root"
set ip 192.168.100.238 255.255.252.0
set allowaccess ping https ssh http telnet capwap
set vlanforward enable
set type physical
set alias "domaine_"
set snmp-index 6
edit "internal3"
set vdom "root"
set ip 192.168.200.238 255.255.252.0
set allowaccess ping https http capwap
set vlanforward enable
set type physical
set alias "domaine_2"
set snmp-index 8
set dns-server-override disable
These are the 2 interfaces, from the cli in the firewall i can ping anything on both sites which is great, however impossible to get my machine ping a mobatime server on the other site2, I thought accepting all would help me debug, but nothing goes through. -
set srcintf "any"
set dstintf "any"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set nat disable
nat enable or nat disable has not helped me either. my 60C is my old firewall which was replaced by a 80E which means it has no more license/contract. Could this be causing problems?
Thanks alot
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You need to run "flow debug". It would show you the reason if the FGT is dropping packets. By the way your internal3 subnet mask is not matching your original post.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes I realize now I mis-noted from my first post. I was copy/pasting from a file and I'd made a mistake. Right now my fortigate is connected via DHCP to site2 until I figure this out. I am no professional network manager that's for sure but I never realized I would have troubles letting traffic through 2 different ports!
I've left a machine pinging my fortigate from site2 and using debug flow I get this, 192.168.160.62 is the machine on site2 and 192.168.160.19 is my fortigate on site1.
2018-11-19 14:05:18 id=20085 trace_id=333 func=print_pkt_detail line=4471 msg="vd-root received a packet(proto=1, 192.168.160.62:1->192.168.160.19:8) from internal3. code=8, type=0, id=1, seq=2594."
2018-11-19 14:05:18 id=20085 trace_id=333 func=init_ip_session_common line=4624 msg="allocate a new session-0030357e"
2018-11-19 14:05:18 id=20085 trace_id=333 func=fw_local_in_handler line=394 msg="iprope_in_check() check failed on policy 0, drop"
What can I be missing? A route?
get router info routing-table connected
C 192.168.0.0/16 is directly connected, internal3
C 192.168.100.0/22 is directly connected, internal1
get router info routing-table static
S* 0.0.0.0/0 [5/0] via 192.168.200.254, internal3
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It's not finding a matching policy. Create a set of policies; internal1->internal6 and internal6->internal1 instead. Also probably it needs static routes like 192.168.160.19/32->internal6 and 192.168.160.62/32->internal1.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Wait. 192.168.160.x is not a part of either 192.168.100.0/22 or 192.168.200.0/22 but a part of 192.168.0.0/16. What are the actual subnets on both ports? Looks like your configuration is mismatching.
Related Posts
- Deep inspection with streaming media 110 Views
- Way to see Destination IP behind... 104 Views
- Does anyone know a tool/site to... 109 Views
- Site to Site VPN to 2... 202 Views
- Fortigates with PPPoE WAN suddenly need... 310 Views
Labels
-
FortiGate
6,538 -
FortiClient
1,304 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
414 -
5.6
362 -
FortiSwitch
333 -
FortiAP
333 -
FortiClient EMS
263 -
6.2
251 -
FortiMail
242 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
150 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiSIEM
88 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
Customer Service
70 -
FortiToken
69 -
4.0MR3
64 -
SSL-VPN
60 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
Firewall policy
24 -
SD-WAN
24 -
FortiConnect
23 -
FortiWAN
22 -
FortiConverter
21 -
VLAN
20 -
High Availability
20 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiAuthenticator
12 -
FortiCASB
12 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
LDAP
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
Virtual IP
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
SSL SSH inspection
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
Security profile
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Automation
3 -
Intrusion prevention
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
Web profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
Schedule
1 -
4.0MR1
1 -
SDN connector
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
FortiPAM
1 -
Web rating
1 -
Application signature
1 -
Authentication rule and scheme
1 -
Multicast routing
1 -
FortiManager-VM
1 -
Zone
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.