ragno
New Contributor

Policy route to wan2 blocking connections to wan1 (FGT60D)

Hi,

I have two WAN interfaces, 1 and 2. Wan 1 is set for vlan 10 and Wan 2 for vlan 60.

To let computers on vlan 60 use the wan 2 internet, I created the Policy Route below:

The problem:

There is an HTTP server in vlan 10 that hosts a website, and it is listening on the wan 1 IP (already set in the FortiGate and on the HTTP server).

Computers on vlan 10 can open the website using the wan "1" IP, but computers on vlan 60 can't reach the website. But vlan 60 can ping the wan "1" IP.

When I disable the policy route created before, vlan 60 can open the website normally.

What is the problem?

Thank you.

oheigl
Contributor II

Is the virtual IP for the HTTP server configured with interface any? Can you try to add another policy before this one, with the destination of the HTTP server and the wan1 interface?

ragno
New Contributor

oheigl wrote:

Is the virtual IP for the HTTP server configured with interface any? Can you try to add another policy before this one, with the destination of the HTTP server and the wan1 interface?

Currently the virtual IP is set this way, isn't that right?

Antonio_Milanese
Contributor

Hi Ragno,


ragno wrote:

Computers on vlan 10 can open the website using the wan "1"  IP but computers on vlan 60 can't reach the website. But vlan 60 can ping the wan "1" IP.

When I disable the policy route created before, vlan 60 can open the website normally.

What is the problem? 


If you think about the PBR goal, this is the expected behavior, since the policy route was defined with destination 0.0.0.0/0 (any) and any protocol. PBR replaces/overrides the normal route lookup, so traffic is forced to be forwarded to the specified gateway (if up / present in the FIB).

Just add a PBR entry before it (evaluation is top-down, first match) with source vlan60_subnet, destination wan1_subnet and action "stop policy routing".

Regards,

Antonio

ragno

Antonio Milanese wrote:

Just add a PBR entry before it (evaluation is top-down, first match) with source vlan60_subnet, destination wan1_subnet and action "stop policy routing".

Antonio,

Should I do this setting by command line?

I can't find the suggested option to stop the policy routing in the menu, going to "Router > Static > Policy Routes".

Antonio_Milanese

Hi Ragno,

Sorry, I should have noted from the screenshot that the FOS version is 5.x/5.2.x, so PBR does not support the allow or deny (stop PBR) action as in the 5.4 or 5.6 versions. A workaround is to add (before your wan2 PBR) an entry with source vlan60_subnet, destination vip_mapped_IP and destination interface the "internal" interface of vip_mapped_IP (optionally protocol TCP port 8080, depending on the web server app/content behavior). The rationale is to PBR traffic destined to VIP_mapped_ip so that it is forced to the LAN, as in the normal flow without PBR and after VIP translation.

Regards,

Antonio
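As an added illustration (not Antonio's or Fortinet's configuration), this is what the workaround above looks like in the FortiOS 5.2-style CLI, with the specific policy route for the web server placed before the catch-all wan2 route. The interface names (vlan60, internal, wan2), the 192.168.60.0/24 and 192.168.10.10 addresses, the 203.0.113.1 next hop and port 8080 are assumed placeholders, and the "address netmask" form of src/dst is the 5.2 syntax, which differs in later releases.

```fortios
# Added example, not from the thread: FortiOS 5.2-style policy routes.
# Placeholders: vlan60 = source VLAN interface, internal = interface where the
# VIP-mapped web server (192.168.10.10) lives, 203.0.113.1 = wan2 next hop.
config router policy
    # 1) Specific entry first: vlan60 traffic to the VIP-mapped server IP.
    #    VIP destination NAT is applied before the route lookup, so the
    #    policy route must match the mapped (internal) address, not the wan1 IP.
    edit 1
        set input-device "vlan60"
        set src 192.168.60.0 255.255.255.0
        set dst 192.168.10.10 255.255.255.255
        set protocol 6
        set start-port 8080
        set end-port 8080
        set output-device "internal"
    next
    # 2) Catch-all entry second: everything else from vlan60 leaves via wan2.
    edit 2
        set input-device "vlan60"
        set src 192.168.60.0 255.255.255.0
        set dst 0.0.0.0 0.0.0.0
        set gateway 203.0.113.1
        set output-device "wan2"
    next
end

# Policy routes are evaluated top-down, first match. If the wan2 entry already
# exists with a lower ID, reorder it instead of recreating it:
config router policy
    move 1 before 2
end

# Check the resulting order of the policy routes:
diagnose firewall proute list
```

If the server also needs to be reached from vlan 60 by its wan1 address for a non-HTTP service, drop the protocol/port lines so the entry matches all traffic to the mapped IP.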

ragno

Antonio Milanese wrote:

Hi Ragno,

Sorry, I should have noted from the screenshot that the FOS version is 5.x/5.2.x, so PBR does not support the allow or deny (stop PBR) action as in the 5.4 or 5.6 versions. A workaround is to add (before your wan2 PBR) an entry with source vlan60_subnet, destination vip_mapped_IP and destination interface the "internal" interface of vip_mapped_IP (optionally protocol TCP port 8080, depending on the web server app/content behavior). The rationale is to PBR traffic destined to VIP_mapped_ip so that it is forced to the LAN, as in the normal flow without PBR and after VIP translation.

Regards,

Antonio

Worked!! Thank you!

nawin
New Contributor

Hello,

In the above scenario, I can't access it by name (e.g. abcd.com) instead of by IP address. Any suggestions?

Regards

Naveen.D
