kenfung
New Contributor

Policy routing from VLAN to internal port

Hi All,

 

I am setting up Wi-Fi access for a branch office. Per my attached network diagram, I have set up two SSIDs for two VLANs.

SSID 1 : VLAN 2 for 172.16.130.0/24 (direct access to the Internet),

SSID 2 : VLAN 3 for 172.16.131.0/24 (access to the MPLS network, gateway: 192.168.0.2)

 

In my FortiGate 100D, I have created two VLAN sub-interfaces under the LAN interface, and then I have set up a policy route to send VLAN 2 traffic to the public Internet. Clients connected to SSID 1 can access the Internet without any problem.

 

Then I created a policy route for VLAN 3, so that clients connected to SSID 2 can access the MPLS network.

My policy routing for VLAN 3 :

 

Incoming interface : VLAN 3 interface

Incoming network : 172.16.131.0/255.255.255.0

Outgoing interface : LAN

Outgoing network : 0.0.0.0/0.0.0.0

Gateway : 192.168.0.2

 

BTW, I have created a firewall policy allowing the 172.16.131.0 network to access 192.168.0.2, and also allowing 192.168.0.0/24 to access the VLAN 2 and VLAN 3 networks.

 

However, when clients connect to SSID 2 (VLAN 3), it seems they are unable to access the MPLS network.

So is there any misconfiguration? And how do I route VLAN 3 traffic via the MPLS gateway?

The reason those Wi-Fi networks differ from the LAN subnet is that I would like to isolate wireless clients from the LAN subnet.

 

Thank you for your help.

MikePruett
Valued Contributor

Just to verify your policy for MPLS is currently set to

Source Interface: VLAN3

Source Address: 172.16.131.0

Destination Interface: LAN (MPLS subnet switch ports)

Destination Address: 192.168.0.2

?

 

If so, the destination address probably needs to be all (or any and all networks that exist on the MPLS that you want them to access). Otherwise, you will only be able to talk to the .2 device and nothing past it.

Mike Pruett Fortinet GURU | Fortinet Training Videos
kenfung

MikePruett wrote:

Just to verify your policy for MPLS is currently set to

Source Interface: VLAN3

Source Address: 172.16.131.0

Destination Interface: LAN (MPLS subnet switch ports)

Destination Address: 192.168.0.2

?

 

If so, the destination address probably needs to be all (or any and all networks that exist on the MPLS that you want them to access). Otherwise, you will only be able to talk to the .2 device and nothing past it.

Hi Mike,

 

Thanks for your quick reply. What I have configured is:

Source Interface: VLAN3

Source Address: 172.16.131.0

Destination Interface: LAN (MPLS subnet switch ports)

Destination Address: 0.0.0.0/0.0.0.0

 

Gateway : 192.168.0.2 (MPLS gateway)

 

HERBINET_Maxime

Hi,

Could you post the output of :

#> get router info routing-table database

 

You need active routes through both the Internet and the MPLS.

 

Also, I advise you to create a "Stop Policy Routing" entry for any RFC1918 IP address, placed before your existing PBR.

This will restore normal routing behavior for inter-VLAN traffic.

 

BR,

Max

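The stop-policy-routing entry Max describes, written out as FortiOS CLI together with the original VLAN 3 policy route, the firewall policy Mike mentions, and the commands used to check which entry a flow hits. This is an added example, not configuration posted in the thread; it assumes FortiOS 5.x-era CLI syntax, that the VLAN 3 sub-interface is named "vlan3" and the interface facing 192.168.0.2 is named "lan", and that the remote MPLS prefixes are not covered by the stop entry (if they are RFC1918 too, narrow the stop entry to the local subnets as shown, or add static routes for them via 192.168.0.2 so the fallback lookup still reaches them).

```fortios
# Added example (not from the thread). Assumed names: "vlan3", "lan",
# address object "net-172.16.131.0". Policy routes are evaluated top-down,
# first match wins, and a matching entry overrides the routing table.
config firewall address
    edit "net-172.16.131.0"
        set subnet 172.16.131.0 255.255.255.0
    next
end

config router policy
    # Entry 1: stop policy routing for the local subnets so VLAN 3 -> VLAN 2,
    # VLAN 3 -> LAN (192.168.0.0/24) traffic uses the normal routing table.
    # Without this, the catch-all below would also push that traffic at
    # 192.168.0.2. Extend dst to the full RFC1918 ranges only if the remote
    # MPLS prefixes are not private, or have static routes via 192.168.0.2.
    edit 1
        set input-device "vlan3"
        set src "172.16.131.0/255.255.255.0"
        set dst "172.16.130.0/255.255.255.0" "172.16.131.0/255.255.255.0" "192.168.0.0/255.255.255.0"
        set action deny
    next
    # Entry 2: the policy route from the original post, everything else from
    # VLAN 3 goes out "lan" towards the MPLS gateway.
    edit 2
        set input-device "vlan3"
        set src "172.16.131.0/255.255.255.0"
        set dst "0.0.0.0/0.0.0.0"
        set output-device "lan"
        set gateway 192.168.0.2
    next
end

# A policy route only picks the egress; a firewall policy must still accept
# the flow from vlan3 to lan (dst "all", not just the gateway host).
config firewall policy
    edit 0
        set name "vlan3-to-mpls"
        set srcintf "vlan3"
        set dstintf "lan"
        set srcaddr "net-172.16.131.0"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        # NAT is left off, so the MPLS side needs a return route for
        # 172.16.131.0/24 pointing back at the FortiGate (Mike's point).
        # "set nat enable" would hide the source behind the lan address instead.
    next
end

# Checks: installed policy routes, routing table, and a per-flow trace
# (replace 172.16.131.10 with a real client; assumed value).
diagnose firewall proute list
get router info routing-table database
diagnose debug flow filter saddr 172.16.131.10
diagnose debug flow trace start 10
diagnose debug enable
```

In the flow trace, look for which policy-route entry is reported for a packet from the VLAN 3 client: a packet to 192.168.0.2 or to VLAN 2 should fall through to the routing table via entry 1, while a packet to an MPLS prefix should be sent to gateway 192.168.0.2 by entry 2 and then be accepted by the vlan3-to-mpls firewall policy.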
MikePruett
Valued Contributor

That looks like the way you configured your policy route. Your firewall policy itself needs to allow the traffic to traverse as well.

 

The MPLS also needs to have a route back to your inside network. A couple of factors.
