[Answered] Route branch local traffic to Internet via HQ's FGT without VPN?

Showing page 1 of 2
Author
LiaoYuRuei
Bronze Member
  • Total Posts : 27
  • Scores: 0
  • Reward points: 0
  • Joined: 2017/10/17 06:37:06
  • Status: offline
2018/07/01 19:35:31 (permalink)
0

Route branch local traffic to Internet via HQ's FGT without VPN ?

Topology:

 
Hello All, I have the privilege to manage two FGTs.
(I can control NAT, routes, etc. on both FGTs.)
 
Question:
1. Can I route local traffic to 8.8.8.8 via the following path?
   [ Local PC -> FGT1 -> ISP1 -> ISP2 -> FGT2 -> ISP2 -> Internet ]
   In other words, when local PCs visit the Internet, they have to go through FGT2 first.
2. If possible, how do I implement it?
 
post edited by LiaoYuRuei - 2018/07/05 20:57:39

Attached Image(s)

#1
Toshi Esumi
Expert Member
  • Total Posts : 960
  • Scores: 56
  • Reward points: 0
  • Joined: 2014/11/06 09:56:42
  • Status: offline
Re: Route branch local traffic to HQ via Internet, without VPN? 2018/07/01 21:18:06 (permalink)
0
Not possible. Once the traffic hits the GW at your ISP, they have no idea where to route packets destined to 192.168.x.y.
#2
LiaoYuRuei
Bronze Member
  • Total Posts : 27
  • Scores: 0
  • Reward points: 0
  • Joined: 2017/10/17 06:37:06
  • Status: offline
Re: Route branch local traffic to HQ via Internet, without VPN? 2018/07/02 06:40:49 (permalink)
0
toshiesumi
Not possible. Once the traffic hits the GW at your ISP, they have no idea where to route packets destined to 192.168.x.y.


Hello Toshi Esumi, thanks for your reply.
In order to avoid misunderstandings, I modified the question.
I want to route local traffic to the Internet (via FGT1 -> ISP1 -> ISP2 -> FGT2 -> Internet).
In other words, I want the local PCs to visit the Internet via FGT2; is that possible?
p.s. I can manage both FGTs (including the NAT feature).
#3
rwpatterson
Expert Member
  • Total Posts : 8229
  • Scores: 177
  • Reward points: 0
  • Joined: 2006/08/08 10:08:18
  • Location: Long Island, New York, USA
  • Status: online
Re: Route branch local traffic to HQ via Internet, without VPN? 2018/07/02 06:55:23 (permalink)
0
An aside: You have the same private subnet on both units. CHANGE ONE (or both!). You will run into more issues down the road if you use the common subnets when you set up networks. 192.168.0, 192.168.1, 192.168.2, 192.168.3. These ship on a majority of devices from the factory, so if/when you meet someone down the road you need to connect to and they do the same, you are going to have issues.
 
Onto the main question: Cannot be done without a VPN. No ISP will allow the RFC 1918 subnets onto the Internet. End of story. So, no VPN = no remote gateway Internet routing.
 
Look up "RFC 1918" (https://tools.ietf.org/html/rfc1918) for yourself, superseded by RFC 3330 (https://tools.ietf.org/html/rfc3330) then by RFC 5735 (https://tools.ietf.org/html/rfc5735).
 
More reading material on the subject could be found here: https://en.wikipedia.org/wiki/Bogon_filtering
post edited by rwpatterson - 2018/07/02 07:12:31

-Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

-4.3.18-b0689
FWF60B
FWF80CM (4)
FWF81CM (2)
 
#4
LiaoYuRuei
Bronze Member
  • Total Posts : 27
  • Scores: 0
  • Reward points: 0
  • Joined: 2017/10/17 06:37:06
  • Status: offline
Re: Route branch local traffic to HQ via Internet, without VPN? 2018/07/02 07:11:22 (permalink)
0
rwpatterson
An aside: You have the same private subnet on both units. CHANGE ONE (or both!). You will run into more issues down the road if you use the common subnets when you set up networks. 192.168.0, 192.168.1, 192.168.2, 192.168.3. These ship on a majority of devices from the factory, so if/when you meet someone down the road you need to connect to and they do the same, you are going to have issues.
 
Onto the main question: Cannot be done without a VPN. No ISP will allow the RFC 1918 subnets onto the Internet. End of story. So, no VPN = no remote gateway Internet routing.
 
Google "RFC 1918" for yourself




Hello rwpatterson, thanks for your reply!!
(I've modified the subnet in the topology.)
If I use NAT on FGT1, the source IP of outgoing traffic will be 221.27.31.2;
after that, is it possible to implement what I want?
#5
rwpatterson
Expert Member
  • Total Posts : 8229
  • Scores: 177
  • Reward points: 0
  • Joined: 2006/08/08 10:08:18
  • Location: Long Island, New York, USA
  • Status: online
Re: Route branch local traffic to HQ via Internet, without VPN? 2018/07/02 07:16:35 (permalink)
0
Read the linked materials on BOGONs.
 
No
 
You cannot route to any 192.168/16 network over the Internet without a VPN. End of story.
post edited by rwpatterson - 2018/07/02 07:18:47

-Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

-4.3.18-b0689
FWF60B
FWF80CM (4)
FWF81CM (2)
 
#6
LiaoYuRuei
Bronze Member
  • Total Posts : 27
  • Scores: 0
  • Reward points: 0
  • Joined: 2017/10/17 06:37:06
  • Status: offline
Re: Route branch local traffic to HQ via Internet, without VPN? 2018/07/02 07:59:03 (permalink)
0
rwpatterson
Read the linked materials on BOGONs.
 
No
 
You cannot route to any 192.168/16 network over the Internet without a VPN. End of story.





Hello rwpatterson, thanks for your reply.
I'm sorry, it's my fault; I think I did not express my question clearly in the title.
All I want to do is route local traffic to the Internet via FGT2.
The traffic path I want is: Local PC -> FGT1 -> ISP1 -> ISP2 -> FGT2 -> Internet,
and I don't care whether FGT2's local subnet is reachable or not;
I just want the traffic of local PCs visiting the Internet to go to FGT2 first.
 
Is it possible? If so, could you tell me how to implement it?
#7
rwpatterson
Expert Member
  • Total Posts : 8229
  • Scores: 177
  • Reward points: 0
  • Joined: 2006/08/08 10:08:18
  • Location: Long Island, New York, USA
  • Status: online
Re: Route branch local traffic to HQ via Internet, without VPN? 2018/07/02 08:45:45 (permalink) ☼ Best Answer by LiaoYuRuei 2018/07/05 20:59:10
0
Create a VPN and route the traffic across it.
post edited by rwpatterson - 2018/07/02 08:49:26

-Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

-4.3.18-b0689
FWF60B
FWF80CM (4)
FWF81CM (2)
 
#8
emnoc
Expert Member
  • Total Posts : 4890
  • Scores: 300
  • Reward points: 0
  • Joined: 2008/03/20 13:30:33
  • Location: AUSTIN TX AREA
  • Status: offline
Re: Route branch local traffic to HQ via Internet, without VPN? 2018/07/02 16:23:27 (permalink) ☄ Helpful by LiaoYuRuei 2018/07/05 20:59:21
0
Hmm, not so quick.
 
He mentioned no VPN, but you have another option: GRE-tunnel the traffic back to the HQ, but keep these thoughts in mind.
 
  • GRE offers no protection or encryption.
  • Anything that can inspect 1 or 2 levels deep will ID the traffic.
  • PMTUD and max datagram size could be an issue (UDP is even worse); you can fix up TCP with mss.tcp adjustments.
Overhead with GRE might be slightly less than ESP encryption, from a function and layer-3 header standpoint.
 
Ken
 

PCNSE6,PCNSE7, ACE, CCNP,FCNSP,FCESP,Linux+,CEH,ECSA,SCSA,SCNA,CISCA email/web
#9
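Added example, not code from this thread or from Fortinet: a Python size budget for the PMTUD/MSS point in Ken's post. It computes how much of a 1500-byte path MTU is left for the inner packet once GRE-over-IPv4 or IPsec ESP (tunnel mode) headers are added, derives the TCP MSS clamp from that, and shows why a UDP datagram sized for a plain 1500-byte link no longer fits. It goes a little beyond the post by also covering the optional GRE key/sequence fields and NAT-T. Header sizes are the RFC values; the ESP cipher parameters (AES-CBC with a 16-byte IV and HMAC-SHA1-96 with a 12-byte ICV) are an assumption chosen for illustration, and the ESP padding rule makes that overhead depend on the inner packet length.

```python
"""Added example (not from the thread): encapsulation overhead of GRE vs.
IPsec ESP and the TCP MSS clamp that keeps tunnelled TCP under the path MTU.
ESP cipher parameters below are an assumption (AES-CBC / HMAC-SHA1-96)."""

from typing import Callable

IPV4_HDR = 20   # IPv4 header without options
TCP_HDR = 20    # TCP header without options
UDP_HDR = 8
GRE_BASE = 4    # RFC 2784 GRE header: flags/version + protocol type
ESP_HDR = 8     # ESP SPI + sequence number (RFC 4303)
NAT_T_UDP = 8   # UDP/4500 wrapper when NAT traversal is active


def gre_overhead(inner_len: int, key: bool = False, seq: bool = False,
                 checksum: bool = False) -> int:
    """Bytes added by GRE over IPv4.  Fixed size regardless of inner_len;
    the optional checksum, key (RFC 2890) and sequence fields add 4 each."""
    return IPV4_HDR + GRE_BASE + 4 * (int(key) + int(seq) + int(checksum))


def esp_overhead(inner_len: int, block: int = 16, iv_len: int = 16,
                 icv_len: int = 12, nat_t: bool = False) -> int:
    """Bytes added by ESP tunnel mode for an inner packet of inner_len bytes.
    The encrypted body (inner packet + pad + 2-byte pad-length/next-header
    trailer) is padded up to the cipher block size, so this varies with
    inner_len.  Defaults model AES-CBC (16-byte IV) with HMAC-SHA1-96."""
    pad = (-(inner_len + 2)) % block
    return (IPV4_HDR + (NAT_T_UDP if nat_t else 0) + ESP_HDR + iv_len
            + pad + 2 + icv_len)


def max_inner_len(mtu: int, overhead: Callable[[int], int]) -> int:
    """Largest inner IPv4 packet whose encapsulated form fits in mtu bytes.
    Searches downward because ESP padding makes the total jump in steps."""
    for inner in range(mtu, 0, -1):
        if inner + overhead(inner) <= mtu:
            return inner
    raise ValueError("mtu too small for any payload")


def tcp_mss_clamp(mtu: int, overhead: Callable[[int], int]) -> int:
    """TCP MSS to advertise (or rewrite on the firewall) so a full segment
    plus its IPv4 and TCP headers still fits after encapsulation."""
    return max_inner_len(mtu, overhead) - IPV4_HDR - TCP_HDR


def udp_fits(payload_len: int, mtu: int, overhead: Callable[[int], int]) -> bool:
    """Whether a UDP datagram with payload_len bytes crosses the tunnel
    without IP fragmentation.  UDP has no MSS equivalent, so a datagram
    sized for a 1500-byte link (1472-byte payload) no longer fits."""
    inner = IPV4_HDR + UDP_HDR + payload_len
    return inner + overhead(inner) <= mtu


def tunnel_budget(mtu: int = 1500) -> dict:
    """Per-encapsulation budget at the given path MTU."""
    variants = {
        "GRE": gre_overhead,
        "GRE+key+seq": lambda n: gre_overhead(n, key=True, seq=True),
        "ESP AES-CBC/SHA1": esp_overhead,
        "ESP + NAT-T": lambda n: esp_overhead(n, nat_t=True),
    }
    return {name: {"max_inner": max_inner_len(mtu, fn),
                   "tcp_mss": tcp_mss_clamp(mtu, fn),
                   "udp_1472_fits": udp_fits(1472, mtu, fn)}
            for name, fn in variants.items()}


if __name__ == "__main__":
    for name, b in tunnel_budget(1500).items():
        print(f"{name:18s} max inner {b['max_inner']:4d}  "
              f"TCP MSS {b['tcp_mss']:4d}  1472-byte UDP fits: {b['udp_1472_fits']}")
```

The GRE figures (1476-byte inner packet, 1436 MSS) are the familiar "GRE tunnel MTU" numbers; the ESP column is lower and, because of block padding, only certain inner sizes fill the MTU exactly. On a FortiGate the resulting MSS would be applied with the `tcp-mss-sender` / `tcp-mss-receiver` settings of the firewall policy that carries the tunnelled traffic. There is no such clamp for UDP, which is the "UDP is even worse" point: either the application keeps datagrams under the max inner size or the tunnel endpoint has to fragment.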
LiaoYuRuei
Bronze Member
  • Total Posts : 27
  • Scores: 0
  • Reward points: 0
  • Joined: 2017/10/17 06:37:06
  • Status: offline
Re: Route branch local traffic to HQ via Internet, without VPN? 2018/07/02 19:29:35 (permalink)
0
emnoc
Hmm, not so quick.
 
He mentioned no VPN, but you have another option: GRE-tunnel the traffic back to the HQ, but keep these thoughts in mind.
 
  • GRE offers no protection or encryption.
  • Anything that can inspect 1 or 2 levels deep will ID the traffic.
  • PMTUD and max datagram size could be an issue (UDP is even worse); you can fix up TCP with mss.tcp adjustments.
Overhead with GRE might be slightly less than ESP encryption, from a function and layer-3 header standpoint.
 
Ken
 




Hello emnoc,
I think I should first study the GRE tunnel, thank you.
 
 
2018.07.06
I've tested it: using a GRE tunnel is OK, but it seems to be a type of VPN.
post edited by LiaoYuRuei - 2018/07/05 20:56:38
#10
rwpatterson
Expert Member
  • Total Posts : 8229
  • Scores: 177
  • Reward points: 0
  • Joined: 2006/08/08 10:08:18
  • Location: Long Island, New York, USA
  • Status: online
Re: Route branch local traffic to HQ via Internet, without VPN? 2018/07/03 02:47:20 (permalink)
0
@LiaoYuRuei Look, I'm not trying to be hard or stubborn, but why are you so resistant to protect your traffic? You are on a firewall forum asking how to send your organization's traffic over the Internet unencrypted so the world can see it? That's like walking around with your pants around your ankles. Doesn't make sense. Setting up a VPN between two Fortigates takes minutes and costs nothing. The potential savings between lost data and stolen information is HUGE. I don't know why you are so hesitant to do what most here would construe as the right thing.

-Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

-4.3.18-b0689
FWF60B
FWF80CM (4)
FWF81CM (2)
 
#11
LiaoYuRuei
Bronze Member
  • Total Posts : 27
  • Scores: 0
  • Reward points: 0
  • Joined: 2017/10/17 06:37:06
  • Status: offline
Re: Route branch local traffic to HQ via Internet, without VPN? 2018/07/03 18:37:05 (permalink)
0
rwpatterson
@LiaoYuRuei Look, I'm not trying to be hard or stubborn, but why are you so resistant to protect your traffic? You are on a firewall forum asking how to send your organization's traffic over the Internet unencrypted so the world can see it? That's like walking around with your pants around your ankles. Doesn't make sense. Setting up a VPN between two Fortigates takes minutes and costs nothing. The potential savings between lost data and stolen information is HUGE. I don't know why you are so hesitant to do what most here would construe as the right thing.


Hello rwpatterson,
Yes, you are right, and I really appreciate your help.
In fact, the reason I ask this question is that there is a firewall in the traffic path which I can't control:
Local PC -> FGT1 -> ISP1 -> [FW, which I can't control] -> Internet -> ISP2 -> FGT2.
In the past, we used an IPsec VPN tunnel as you said, but now the FW blocks it.
The phenomenon we observed is (I guess, because I don't have privileges on that firewall):
the FW monitors the traffic, and if the traffic is IPsec VPN, it blocks the IP address for all services.
 
So, I have to find a way to
1. Control the traffic path the same as in the past.
2. Avoid the limited IP addresses I have being blocked again.
(I've lost 1 public IP I can use in the environment.)
 
post edited by LiaoYuRuei - 2018/07/05 20:53:28
#12
ede_pfau
Expert Member
  • Total Posts : 5591
  • Scores: 376
  • Reward points: 0
  • Joined: 2004/03/09 01:20:18
  • Location: Heidelberg, Germany
  • Status: offline
Re: Route branch local traffic to HQ via Internet, without VPN? 2018/07/04 01:48:18 (permalink)
0
Contrary to what the other fellows posted, YES this can be done.
In short: Create a static route on FGT1 with destination FGT2 and use FGT2 as your next hop router.
 
In more detail:
You want all internet-bound traffic to reach FGT2, and from there, reach the internet. At the moment, the default route in FGT1 ('0.0.0.0/0' in Network > Routing > Static Routes) points to ISP1's router, either 221.27.31.1 or some other destination. Change this gateway to be 59.126.174.2, the FGT2's WAN interface.
 
technical aside:
You might not find an explicit static default route if FGT1 is connecting via PPPoE or DHCP to ISP1. In this case, you find the default route in Network > Interfaces > WAN1. Un-check "Retrieve default gateway from server" to enable your own default route in Network > Static Routes.
 
Check that this route is indeed working with a ping to 59.126.174.2. It should work in your current setup, before changing anything - note the TTL. After setting up the new default route, ping should still work, but the TTL will have changed; it will be higher.
 
Note that a ping to 8.8.8.8 or elsewhere on the internet will NOT work - yet.
 
Now, FGT2 already knows where to send internet traffic, namely to 59.126.174.1 or some other router in ISP2's control. The only thing missing now is a policy on FGT2 which allows the routing on the WAN1 interface. Create a new policy on FGT2:
  • source interface: WAN1
  • destination interface: WAN1 (no typo!)
  • src addr: 221.27.31.2 (FGT1's external public address)
  • dst addr: ALL
  • service: ANY
  • action: ACCEPT
 
Test this by pinging 8.8.8.8 from LAN1 behind FGT1.
 

Ede

" Kernel panic: Aiee, killing interrupt handler!"
#13
sw2090
Silver Member
  • Total Posts : 93
  • Scores: 8
  • Reward points: 0
  • Joined: 2017/06/14 01:27:25
  • Status: offline
Re: Route branch local traffic to HQ via Internet, without VPN? 2018/07/04 07:35:43 (permalink)
0
Well, I have this setup here plenty of times:
 
FGT1 (here) <-> ISP1 <-> Internet <-> ISP2 <-> FGT2 (shop somewhere)
 
FGT1 has subnet1 and FGT2 has subnet2, and both have static IPs on their WAN(s).
Routing traffic from here to the shop is done via VPN (IPsec) for our subnet1 and also for several VLANs in both directions.
This works fine so far.
It should also work with an SSL tunnel, and a static IP is not a must-have. If you have no static WAN IP you will have to use some DynDNS service, since you then need an FQDN as the remote site to know the opposite WAN IP.
In this case FGT1 just needs to know a route to subnet2 if you want to get there, and FGT2 needs to know a route to subnet1 to be able to get there.
 
This works fine here without problems.
IPsec tunneling as well as DynDNS is already included in your FortiGates.
 
I even do it here sometimes over our WLAN bridge: We have a shop on the other side of the road that we connect via WLAN bridge (because laying a wire into the road costs tons of $$$, unfortunately). They have their own WANs there, but if they go down I reroute the internet traffic over the bridge and through our WAN. There is no VPN here, but defined interfaces the bridge is connected to, to which one can route.
#14
emnoc
Expert Member
  • Total Posts : 4890
  • Scores: 300
  • Reward points: 0
  • Joined: 2008/03/20 13:30:33
  • Location: AUSTIN TX AREA
  • Status: offline
Re: Route branch local traffic to HQ via Internet, without VPN? 2018/07/04 09:01:04 (permalink)
0
I don't see how this will work, btw. ISP1 will make all routing choices based on that destination { 8.8.8.8 in this example }. If what ede describes would work without a VPN tunnel or GRE tunnel, then the 1st question I have is how would GOOGDNS 8.8.8.8 reply its DNS answer back to a host located in ISP1 and FGT1? Are we planning on SNAT twice (once at FGT1 and a 2nd time at FGT2)?
 
2nd, what is gained by doing such a thing?
 
3rd, would latency and the number of resources used be extreme?
 
Ken
 
 
 

PCNSE6,PCNSE7, ACE, CCNP,FCNSP,FCESP,Linux+,CEH,ECSA,SCSA,SCNA,CISCA email/web
#15
ede_pfau
Expert Member
  • Total Posts : 5591
  • Scores: 376
  • Reward points: 0
  • Joined: 2004/03/09 01:20:18
  • Location: Heidelberg, Germany
  • Status: offline
Re: Route branch local traffic to HQ via Internet, without VPN? 2018/07/04 10:24:03 (permalink)
0
Good points, Ken.
1- yes, the WAN-WAN policy on FGT2 will have to use NAT, so double-NAT here. Otherwise the reply traffic will arrive at ISP1 first which makes for asymmetric routing.
For routing back from FGT2 to FGT1, it only needs a default route to ISP2 as the source address is a public IP.
2- spoil sport :-) ! If I have understood the request correctly, OP wants to route internet-bound traffic not through ISP1 (who is filtering) but through ISP2 (who is not). Let me guess, ISP2 is located in a different country...
Now, he needs to be lucky that ISP1 will not look into his not-encrypted traffic...
3- no, why? this is just re-routing. Routing on a FGT doesn't cost much. Latency, yes maybe. Still better than getting filtered.
 

Ede

" Kernel panic: Aiee, killing interrupt handler!"
#16
LiaoYuRuei
Bronze Member
  • Total Posts : 27
  • Scores: 0
  • Reward points: 0
  • Joined: 2017/10/17 06:37:06
  • Status: offline
Re: Route branch local traffic to HQ via Internet, without VPN? 2018/07/04 18:23:54 (permalink)
0
ede_pfau
Contrary to what the other fellows posted, YES this can be done.
In short: Create a static route on FGT1 with destination FGT2 and use FGT2 as your next hop router.
 
In more detail:
You want all internet-bound traffic to reach FGT2, and from there, reach the internet. At the moment, the default route in FGT1 ('0.0.0.0/0' in Network > Routing > Static Routes) points to ISP1's router, either 221.27.31.1 or some other destination. Change this gateway to be 59.126.174.2, the FGT2's WAN interface.
 
technical aside:
You might not find an explicit static default route if FGT1 is connecting via PPPoE or DHCP to ISP1. In this case, you find the default route in Network > Interfaces > WAN1. Un-check "Retrieve default gateway from server" to enable your own default route in Network > Static Routes.
 
Check that this route is indeed working with a ping to 59.126.174.2. It should work in your current setup, before changing anything - note the TTL. After setting up the new default route, ping should still work, but the TTL will have changed; it will be higher.
 
Note that a ping to 8.8.8.8 or elsewhere on the internet will NOT work - yet.
 
Now, FGT2 already knows where to send internet traffic, namely to 59.126.174.1 or some other router in ISP2's control. The only thing missing now is a policy on FGT2 which allows the routing on the WAN1 interface. Create a new policy on FGT2:
  • source interface: WAN1
  • destination interface: WAN1 (no typo!)
  • src addr: 221.27.31.2 (FGT1's external public address)
  • dst addr: ALL
  • service: ANY
  • action: ACCEPT
 
Test this by pinging 8.8.8.8 from LAN1 behind FGT1.
 




Hello, ede_pfau
 
I already tried the method you described some days ago,
and the settings on the two firewalls were exactly as you said,
but it didn't work because of the default route.
 
I saw the default route being inactive:
0.0.0.0/0 [10/0] via 59.126.174.2, wan1 inactive

Routing table: (I replaced the real IP with the IP in the topology)

 
I think the reason why the default route was inactive is what the KB explains.
http://kb.fortinet.com/kb....do?externalID=FD36417
 
p.s. The two wan1 interfaces of the firewalls in the topology have static public IPs (not DHCP, PPPoE, etc.).
p.s. This method works when establishing a site-to-site IPsec VPN between the two firewalls, and it is exactly the method we used in the past.
 
 
post edited by LiaoYuRuei - 2018/07/04 18:56:48

Attached Image(s)

#17
ede_pfau
Expert Member
  • Total Posts : 5591
  • Scores: 376
  • Reward points: 0
  • Joined: 2004/03/09 01:20:18
  • Location: Heidelberg, Germany
  • Status: offline
Re: Route branch local traffic to HQ via Internet, without VPN? 2018/07/05 02:57:28 (permalink) ☄ Helpful by LiaoYuRuei 2018/07/05 21:03:40
0
I'm afraid that with a static WAN address the next hop (gateway) must be within the same subnet. The scenario I posted will only work if the WAN interface was connecting via PPPoE. Thanks for the KB articles which state this very clearly.
 
Now IMHO your best bet is to connect site-to-site via SSL VPN in tunnel mode, on a non-standard port, i.e. not 443 but 12345 or such (1023 < port < 65535). If arbitrary traffic is allowed but just not IPsec (udp/500, udp/4500, ESP) this might work.

Ede

" Kernel panic: Aiee, killing interrupt handler!"
#18
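Added example, not code from this thread or from Fortinet: a small Python checker for the rule the thread arrives at in ede's re-routing recipe (#13) and the OP's "inactive" default route (#17 / #18). A static route only becomes active when its gateway is reachable on the interface it is bound to: on a static (Ethernet) WAN interface that means the gateway must lie inside the interface's own subnet, while on a point-to-point link such as PPPoE there is no subnet and any gateway is simply reached via the peer. The interface and route names, the /29 prefix on FGT1's wan1 (the thread only gives the address 221.27.31.2), and the routing-table line format are assumptions or reconstructions; the check is worth running before changing a default route, since the route silently stays inactive otherwise.

```python
"""Added example (not from the thread): would a FortiOS-style static route
become active?  The gateway must be on-link for the route's interface.
FGT1's wan1 prefix (/29) and the sample routes are constructed assumptions."""

import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Interface:
    name: str
    cidr: Optional[str] = None     # "addr/prefix" on a static interface
    point_to_point: bool = False   # PPPoE-style link: no subnet applies


@dataclass
class StaticRoute:
    dst: str            # destination prefix, e.g. "0.0.0.0/0"
    gateway: str
    device: str         # outgoing interface the route is bound to
    distance: int = 10  # default administrative distance for static routes


def evaluate_route(route: StaticRoute, interfaces: Dict[str, Interface]) -> dict:
    """Decide whether the route's gateway is reachable on its bound interface."""
    gw = ipaddress.ip_address(route.gateway)
    iface = interfaces.get(route.device)
    if iface is None:
        active, reason = False, f"no interface named {route.device}"
    elif iface.point_to_point:
        active, reason = True, "point-to-point link, gateway reached via peer"
    else:
        local = ipaddress.ip_interface(iface.cidr)
        if gw == local.ip:
            active, reason = False, "gateway is the interface's own address"
        elif gw in local.network:
            active, reason = True, f"gateway is on-link in {local.network}"
        else:
            active, reason = False, f"gateway is not in {local.network} of {iface.name}"
    return {"dst": route.dst, "gateway": route.gateway, "device": route.device,
            "distance": route.distance, "active": active, "reason": reason}


def evaluate_routes(interfaces: Dict[str, Interface],
                    routes: List[StaticRoute]) -> List[dict]:
    return [evaluate_route(r, interfaces) for r in routes]


def format_route(entry: dict) -> str:
    """Render one entry in the style of the routing-table output the OP posted."""
    line = (f"{entry['dst']} [{entry['distance']}/0] via {entry['gateway']}, "
            f"{entry['device']}")
    return line if entry["active"] else line + " inactive"


# Constructed sample data modelled on the thread's topology (prefix assumed).
FGT1_STATIC = {"wan1": Interface("wan1", cidr="221.27.31.2/29")}
FGT1_PPPOE = {"wan1": Interface("wan1", point_to_point=True)}

CANDIDATE_ROUTES = [
    StaticRoute("0.0.0.0/0", "59.126.174.2", "wan1"),  # FGT2's WAN as next hop (ede's #13)
    StaticRoute("0.0.0.0/0", "221.27.31.1", "wan1"),   # the normal ISP1 gateway
]

if __name__ == "__main__":
    for label, ifaces in [("static WAN", FGT1_STATIC), ("PPPoE WAN", FGT1_PPPOE)]:
        print(f"--- FGT1 with {label} ---")
        for entry in evaluate_routes(ifaces, CANDIDATE_ROUTES):
            print(format_route(entry), "#", entry["reason"])
```

With a static wan1 the first candidate reproduces the OP's `0.0.0.0/0 [10/0] via 59.126.174.2, wan1 inactive` line while the ISP1 gateway is accepted; with the same wan1 modelled as PPPoE both candidates are active, which is exactly the distinction ede draws above. The same on-link check applies to any static route you add for a tunnel endpoint, so it is a cheap pre-flight test before touching the default route on a box you reach over that very link.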
LiaoYuRuei
Bronze Member
  • Total Posts : 27
  • Scores: 0
  • Reward points: 0
  • Joined: 2017/10/17 06:37:06
  • Status: offline
Re: Route branch local traffic to HQ via Internet, without VPN? 2018/07/05 03:09:21 (permalink)
0
ede_pfau
I'm afraid that with a static WAN address the next hop (gateway) must be within the same subnet. The scenario I posted will only work if the WAN interface was connecting via PPPoE. Thanks for the KB articles which state this very clearly.
 
Now IMHO your best bet is to connect site-to-site via SSL VPN in tunnel mode, on a non-standard port, i.e. not 443 but 12345 or such (1023 < port < 65535). If arbitrary traffic is allowed but just not IPsec (udp/500, udp/4500, ESP) this might work.




Hello, ede_pfau
Sorry, I don't understand "connect site-to-site via SSL VPN in tunnel mode".
Do you mean that each local PC connects to FGT2 using SSL VPN?
post edited by LiaoYuRuei - 2018/07/05 03:16:40
#19
ede_pfau
Expert Member
  • Total Posts : 5591
  • Scores: 376
  • Reward points: 0
  • Joined: 2004/03/09 01:20:18
  • Location: Heidelberg, Germany
  • Status: offline
Re: Route branch local traffic to HQ via Internet, without VPN? 2018/07/05 03:44:29 (permalink) ☄ Helpful by LiaoYuRuei 2018/07/05 21:00:48
0
Yes, 'site-to-site' is rubbish, sorry. SSLVPN using FortiClient.

Ede

" Kernel panic: Aiee, killing interrupt handler!"
#20