Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
mokaz
New Contributor

Subnet routing and FAP integration

Hi all,

I'm setting up a FortiGate VM device and have a few routing/firewalling questions I can't seem to get through.

Here is my setup (each bound to a physical adapter):

Green Subnet = 10.0.1.0/24 (wired LAN subnet)

Blue Subnet = 10.0.2.0/24 (wireless subnet --> connected to 1xFAP)

Red Subnet = 192.168.8.0/24 (local router --> ISP)

My 1st question is this one: while setting up the FAP through the GUI, I've had to input a new subnet (set up in tunnel mode) for the WiFi interface, that is 10.0.3.0/24. Why can't I use my dedicated FortiGate port2 Blue Subnet IP scheme for this? (I guess this is due to the tunnel mode used, but any clue/explanation I'd take =)

My 2nd question is that I would like to have traffic allowed between Green to Blue & Blue to Green.

I've set up Address objects like this:

Green Subnet on port1 = 10.0.1.0/24

Blue Subnet on port2 = 10.0.2.0/24

Blue WiFi Subnet on Blue WiFi = 10.0.3.0/24

and IPv4 Policies like this:

#1 - Green to Blue = from green (port1) to blue (port2) & SSID (Blue WiFi) / Source = Green Subnet / Dest = all / Services = all / Action = Accept / NAT = disabled

#2 - Blue to Green = from SSID (Blue WiFi) to green (port1) & blue (port2) / Source = Blue WiFi Subnet / Dest = all / Services = all / Action = Accept / NAT = disabled

#3 - web access policies...

From a client wired on the Green Subnet I can ICMP any allowed destination.

From a client on the Blue WiFi Subnet I can ICMP the local client IP and the FAP on the 10.0.3.0/24 network, but nothing else.

Internet access is okay wherever I'm connected, so the IPv4 policies further down are reached and work.

The routing monitor shows all local routes.

Any clue as to what I'm doing wrong?

Thanks,

regards,

m.

 

 

mokaz
New Contributor

Okay, found my stupid mistake --> check your Trusted Hosts settings and enable your local subnets in there (according to your security needs and compliance).
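For reference, the address objects and inter-subnet policies described in the question, plus the trusted-hosts fix from the reply, written out as FortiOS CLI. This is an added example, not configuration from the original post; the admin account name "admin", the policy IDs 1 and 2 and the interface name "Blue WiFi" for the tunnel-mode SSID are assumptions.

```fortios
# Address objects for the three local subnets named in the question
config firewall address
    edit "Green Subnet"
        set subnet 10.0.1.0 255.255.255.0
    next
    edit "Blue Subnet"
        set subnet 10.0.2.0 255.255.255.0
    next
    edit "Blue WiFi Subnet"
        set subnet 10.0.3.0 255.255.255.0
    next
end

# Policies #1 and #2 from the question (IDs 1 and 2 are assumed); no NAT between local subnets
config firewall policy
    edit 1
        set name "Green to Blue"
        set srcintf "port1"
        set dstintf "port2" "Blue WiFi"
        set srcaddr "Green Subnet"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
    edit 2
        set name "Blue to Green"
        set srcintf "Blue WiFi"
        set dstintf "port1" "port2"
        set srcaddr "Blue WiFi Subnet"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end

# Trusted hosts on the admin account (the fix from the reply). Once any trusthost is set,
# the FortiGate answers management access and ping to its own interfaces only from these
# sources, so every local subnet that should reach the unit has to be listed.
config system admin
    edit "admin"
        set trusthost1 10.0.1.0 255.255.255.0
        set trusthost2 10.0.2.0 255.255.255.0
        set trusthost3 10.0.3.0 255.255.255.0
    next
end
```

Keep the trusted-host list as narrow as the management workflow allows; adding a subnet here widens who can reach the FortiGate's admin interfaces, not just who can ping them.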
