Policy routing from VLAN to internal port

Author
kenfung
New Member
  • Total Posts : 2
  • Scores: 0
  • Reward points: 0
  • Joined: 2017/05/18 08:26:02
  • Status: offline
2017/10/10 10:05:40 (permalink)
0

Policy routing from VLAN to internal port

Hi All,
 
I am setting up WiFi access for a branch office; per my attached network diagram I have set up two SSIDs for two VLANs.
SSID 1: VLAN 2 for 172.16.130.0/24 (direct access to internet),
SSID 2: VLAN 3 for 172.16.131.0/24 (access to MPLS network, gateway: 192.168.0.2)
 
On my FortiGate 100D, I have created two VLAN sub-interfaces under the LAN interface, and then set up a policy route to send VLAN 2 traffic to the public internet; clients connecting to SSID 1 can access the Internet without any problem.
 
Then I created a policy route for VLAN 3, for clients connecting to SSID 2 to access the MPLS network.
My policy route for VLAN 3:
 
Incoming interface : VLAN 3 interface
Incoming network : 172.16.131.0/255.255.255.0
Outgoing interface : LAN
Outgoing network : 0.0.0.0/0.0.0.0
Gateway : 192.168.0.2
 
BTW, I have created a policy to allow the 172.16.131.0 network to access 192.168.0.2, and also to allow 192.168.0.0/24 to access the VLAN 2 and VLAN 3 networks.
 
However, when clients connect to SSID 2 (VLAN 3), it seems they are unable to access the MPLS network.
So is there any misconfiguration? And how do I route VLAN 3 traffic via the MPLS gateway?
The reason those WiFi networks differ from the LAN subnet is that I would like to isolate wireless clients from the LAN subnet.
 
Thank you for your help.


#1


    MikePruett
    Platinum Member
    • Total Posts : 668
    • Scores: 13
    • Reward points: 0
    • Joined: 2014/01/08 19:39:40
    • Location: Montgomery, Al
    • Status: offline
    Re: Policy routing from VLAN to internal port 2017/10/11 20:03:46 (permalink)
    0
    Just to verify, your policy for MPLS is currently set to
    Source Interface: VLAN3
    Source Address: 172.16.131.0
    Destination Interface: LAN (MPLS subnet switch ports)
    Destination Address: 192.168.0.2
    ?
     
    If so, you need the destination address probably to be all (or any and all networks that exist on the MPLS you want them to access). Otherwise, you will only be able to talk to the .2 device and nothing past it.

    Mike Pruett
    Fortinet GURU
    #2
    kenfung
    New Member
    • Total Posts : 2
    • Scores: 0
    • Reward points: 0
    • Joined: 2017/05/18 08:26:02
    • Status: offline
    Re: Policy routing from VLAN to internal port 2017/10/12 01:08:50 (permalink)
    0
    MikePruett
    Just to verify your policy for MPLS is currently set to
    Source Interface: VLAN3
    Source Address: 172.16.131.0
    Destination Interface: LAN (MPLS subnet switch ports)
    Destination Address: 192.168.0.2
    ?
     
    If so, you need the destination address probably to be all (or any and all networks that exist on the MPLS you want them to access). Otherwise, you will only be able to talk to the .2 device and nothing past it.




    Hi Mike,
     
    Thanks for your quick reply; what I have configured is:
    Source Interface: VLAN3
    Source Address: 172.16.131.0
    Destination Interface: LAN (MPLS subnet switch ports)
    Destination Address: 0.0.0.0/0.0.0.0
     
    Gateway : 192.168.0.2 (MPLS gateway)
     
    #3
    HERBINET Maxime
    New Member
    • Total Posts : 3
    • Scores: 0
    • Reward points: 0
    • Joined: 2014/02/19 07:59:20
    • Status: offline
    Re: Policy routing from VLAN to internal port 2017/10/12 05:08:15 (permalink)
    0
    Hi,
    Could you post the output of :
    #> get router info routing-table database
     
    You need both active routes, through Internet & MPLS.
     
    Also, I advise you to create a "Stop Policy Routing" entry for any RFC1918 IP address, before your existing PBR.
    This will restore normal behavior/routing for inter-VLAN traffic.
     
    BR,
    Max
    #4
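To show why the "Stop Policy Routing" entry Max suggests changes the outcome, here is an added example (constructed by the editor, not code from the thread or from Fortinet) that models FortiGate top-down policy-route evaluation in Python. The 10.10.0.0/16 MPLS remote prefix and the 203.0.113.1 internet gateway are assumed values the thread does not give.

```python
from ipaddress import ip_address, ip_network

# Constructed model of FortiGate policy-route (PBR) evaluation; not FortiOS code.
# Policy routes are checked top-down and the first match wins. A "Stop Policy
# Routing" entry (action "deny" in the CLI) ends PBR for that packet and hands it
# to the ordinary routing table, which is what the RFC1918 rule relies on.

RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

def policy(in_if, src, dst, gateway=None, out_if=None, action="permit"):
    dsts = dst if isinstance(dst, list) else [dst]
    return {"in": in_if, "src": ip_network(src), "dst": [ip_network(d) for d in dsts],
            "gateway": gateway, "out": out_if, "action": action}

def lookup(policies, table, in_if, src, dst):
    """Return (next_hop, out_if, how) for a packet arriving on in_if."""
    s, d = ip_address(src), ip_address(dst)
    for p in policies:
        if p["in"] == in_if and s in p["src"] and any(d in n for n in p["dst"]):
            if p["action"] == "deny":        # Stop Policy Routing: fall through
                break
            return p["gateway"], p["out"], "policy-route"
    # Ordinary routing table: longest prefix match.
    for prefix, nh, out in sorted(table, key=lambda r: ip_network(r[0]).prefixlen,
                                  reverse=True):
        if d in ip_network(prefix):
            return nh, out, "routing-table"
    return None, None, "no-route"

# Routing table from the thread; the 10.10.0.0/16 MPLS prefix and the default
# gateway are constructed placeholders the thread does not give.
TABLE = [("172.16.130.0/24", "connected", "VLAN2"),
         ("172.16.131.0/24", "connected", "VLAN3"),
         ("192.168.0.0/24", "connected", "LAN"),
         ("10.10.0.0/16", "192.168.0.2", "LAN"),     # static route to MPLS sites
         ("0.0.0.0/0", "203.0.113.1", "WAN")]        # constructed internet gateway

# The original poster's VLAN 3 policy route: everything via the MPLS gateway.
AS_POSTED = [policy("VLAN3", "172.16.131.0/24", "0.0.0.0/0", "192.168.0.2", "LAN")]
# Max's suggestion: a Stop Policy Routing entry for RFC1918 destinations first.
WITH_STOP = [policy("VLAN3", "172.16.131.0/24", RFC1918, action="deny")] + AS_POSTED

if __name__ == "__main__":
    for dst in ("172.16.130.5", "10.10.1.1", "198.51.100.7"):
        print(dst, lookup(AS_POSTED, TABLE, "VLAN3", "172.16.131.10", dst),
              lookup(WITH_STOP, TABLE, "VLAN3", "172.16.131.10", dst))
```

The stop rule only helps if the routing table already holds a route to the MPLS networks via 192.168.0.2 (Max's "both active routes" point); otherwise RFC1918 traffic to MPLS sites would fall to the default route. A matching firewall policy is still required for the traffic to pass at all, as Mike notes.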
    MikePruett
    Platinum Member
    • Total Posts : 668
    • Scores: 13
    • Reward points: 0
    • Joined: 2014/01/08 19:39:40
    • Location: Montgomery, Al
    • Status: offline
    Re: Policy routing from VLAN to internal port 2017/10/12 06:58:35 (permalink)
    0
    That looks like the way that you configured your policy route. Your firewall policy itself needs to allow the traffic to traverse as well.
     
    MPLS also needs to have a route to get back to your inside network. Couple of factors 
     
    Mike Pruett
    Fortinet GURU
    #5