francesco
New Contributor

Firewall FG-60E

Hello

I have this configuration:

VDSL modem TP-Link --> interfaces in bridge mode (LAN + WiFi), WAN PPPoE linked to the provider (LAN 192.168.1.0/24)

Firewall 60E --> WAN connected to TP-Link LAN port 1 with static IP address 192.168.1.100; LAN ports 1-2-3-4 (internal) of the FG60E have address 192.168.2.0 with DHCP.

 

I can reach everything from the internal LAN (192.168.2.0/24) to the WAN-side LAN 192.168.1.0/24, but I cannot reach the internal LAN of the FG60E (192.168.2.0) from the WAN side (192.168.1.0). I have tried inserting a policy on the FG60E (from WAN to LAN, all).

But it doesn't work.

 

I need the WiFi network (192.168.1.0) to reach the internal FG LAN (192.168.2.0). Can someone help me, please?

Thank you

GusTech
Contributor II

What are your routing table and gateway settings to the WAN?

You need correct routing and a gateway to route traffic to the WAN.

Fortigate <3

sw2090
Honored Contributor

Well BrUz: routing should be correct, as there are interfaces that the subnets are on, and with those come the network routes.

 

I think the problem is more likely this:

 

If you come from the TP-Link side, you might not have a default gateway that knows the subnet behind the FGT.

A simple policy will only work if you use the FGT as the default gateway.

As this might not be useful on the TP-Link side, since the internet comes from the TP-Link, you would need two things here:

The TP-Link must know that the subnet behind the FGT has to be routed to the FGT.

On the FGT you will need a policy to allow the traffic, but as you come from an outside network, you will have to do NAT on that policy.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

GusTech

Well sw2090: he gets replies from 192.168.2.0 to the 192.168.1.0 network.

 

I assume that your policy is correct.

 

Can you run:

1) get router info routing-table all

2) execute ping-options source 192.168.2.1
   execute ping 8.8.8.8

GusTech

Sorry, I read the first post again and had misunderstood. I thought he had problems from the FGT LAN to the WAN. :D

The TP-Link must tell the 192.168.1.0 network where the 192.168.2.0 net is.

Fortigate <3

francesco
New Contributor

Hi, thank you for your answer.

Do you mean the routing table on my TP-Link router or on the FG60E?

On my FG60E the routing table is 192.168.1.1, which is the TP-Link DG. I think that when I try to reach 192.168.2.x from 192.168.1.x, the TP-Link redirects all the traffic to the WAN using the 192.168.1.1 default gateway.

I also tried to add a static route, but without success.

Thank you
sw2090
Honored Contributor

If you want to access 192.168.2.0/24 from 192.168.1.0/24 (i.e. access the net behind your FGT from the net at your TP-Link router), then the routing table on the TP-Link must provide a route for 192.168.2.0/24 that leads your traffic through your TP-Link's port 1 to your FortiGate.

On your FGT this means:

From 192.168.1.0/24 to 192.168.2.0/24, you will have to do dNAT in the policy, since I suppose the devices in 192.168.1.0/24 have the TP-Link as default gateway. You will not need any further routing here.

From 192.168.2.0/24 to 192.168.1.0/24, you will have to have a static route on your TP-Link pointing to port 1 with the FGT as gateway. Or, alternatively, do dNAT on the TP-Link.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

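To make the two halves of this thread concrete, here is the FortiGate side written out in FortiOS CLI syntax. This is an added example, not configuration posted by anyone in the thread or shipped by Fortinet. The subnets, the FGT WAN address 192.168.1.100 and the TP-Link gateway 192.168.1.1 come from the original post; the interface names "wan1" and "internal", the address-object and policy names, and the test addresses 192.168.1.50 (a WiFi client) and 192.168.2.10 (an internal host) are assumptions, so check and rename them for your unit. The TP-Link half is configured in its own web UI, not FortiOS, so it appears here only as a comment. Lines starting with `#` are comments in the FortiOS config-file format.

```fortios
# Added example (not from the thread). Assumes the FG-60E's WAN port is the
# interface "wan1" and the switch of LAN ports 1-4 is the interface "internal";
# confirm with "get system interface physical" and adjust the names.
#
# Prerequisite on the TP-Link (its web UI, not FortiOS): a static route
#   destination 192.168.2.0/24, gateway 192.168.1.100 (the FGT wan1 address),
#   via its LAN side.
# Without it the TP-Link forwards traffic for 192.168.2.x over its PPPoE
# default route and the FGT never sees the first packet, which is exactly
# the behaviour francesco describes.

# Address objects for the two networks (names are assumptions).
config firewall address
    edit "net_tplink_lan"
        set subnet 192.168.1.0 255.255.255.0
    next
    edit "net_fgt_internal"
        set subnet 192.168.2.0 255.255.255.0
    next
end

# Policy from the TP-Link side into the internal LAN. "edit 0" creates the
# next free policy ID and appends it at the bottom of the policy list.
config firewall policy
    edit 0
        set name "tplink-lan-to-internal"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "net_tplink_lan"
        set dstaddr "net_fgt_internal"
        set action accept
        set schedule "always"
        # "ALL" while testing; narrow this to the services actually needed.
        set service "ALL"
        set logtraffic all
        # Source NAT to the wan1 address, as suggested in the thread. It is not
        # strictly required here because the FGT is already the default gateway
        # of 192.168.2.0/24 (it hands out DHCP there), so replies come back
        # through the FGT either way; the trade-off is that internal hosts then
        # see 192.168.1.100 instead of the real client address in their logs.
        set nat enable
    next
end

# Verification from the FGT CLI (the first two commands are GusTech's).
# get router info routing-table all
#   expect two connected routes and the default route via the TP-Link, e.g.
#     C       192.168.1.0/24 is directly connected, wan1
#     C       192.168.2.0/24 is directly connected, internal
#     S*      0.0.0.0/0 [10/0] via 192.168.1.1, wan1
# execute ping-options source 192.168.2.1
# execute ping 8.8.8.8
#
# Then watch a test ping from the WiFi client (192.168.1.50, assumed) to the
# internal host (192.168.2.10, assumed) to see whether it arrives on wan1 at
# all and which policy it matches:
# diagnose debug flow filter saddr 192.168.1.50
# diagnose debug flow filter daddr 192.168.2.10
# diagnose debug enable
# diagnose debug flow trace start 20
#   ... run the ping from the client, then stop tracing:
# diagnose debug disable
# diagnose debug reset
```

If the flow trace shows nothing at all, the packets are not reaching wan1 and the TP-Link static route is the part still missing; if it shows a match on an implicit deny, the policy (interface names or address objects) is what needs fixing.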