Support Forum
Yngve0
New Contributor II

Policy-based routing not working as expected

I have some issues with a FortiGate 60C Build0762.

I am not able to make policy-based routing work as I expected.

I have the following VLAN/Subnet:

  • internal5 (untagged): Tech/SMZ subnet. Restricted internet access, routed through local access
  • 201 Router: uplink to router. The frontend router is supplied by my ISP and I can't control it => DHCP & NAT
  • 202 Directly: should have internet locally
  • 203 ViaVPN: internet traffic should be routed through HQ.

There is a switch in front, so all VLANs are tagged on internal5.

It seems that outbound traffic is randomly routed over the local gateway or via the VPN. Two devices connected to the technical net (10.201.1.x) are routed differently.

I know that the NAT/DHCP on the linknet could give some issues, but since the VPN is connected and stable (also after reboot) I presume this is not a problem.

Could anyone tell me what I am doing wrong?


    config system interface
        edit "internal5"
            set vdom "vdom_THIS"
            set ip 10.201.1.1 255.255.255.0
            set allowaccess ping
            set type physical
            set listen-forticlient-connection enable
            set snmp-index 20
        next
        edit "201 Router"
            set vdom "vdom_THIS"
            set mode dhcp
            set distance 25
            set allowaccess ping
            set snmp-index 31
            set interface "internal5"
            set vlanid 201
        next
        edit "202 Directly"
            set vdom "vdom_THIS"
            set ip 10.201.202.1 255.255.255.0
            set allowaccess ping
            set device-identification enable
            set snmp-index 32
            set interface "internal5"
            set vlanid 202
        next
        edit "203 ViaVPN"
            set vdom "vdom_THIS"
            set ip 10.201.203.1 255.255.255.0
            set allowaccess ping
            set snmp-index 33
            set interface "internal5"
            set vlanid 203
        next
        edit "GW_HQ"
            set vdom "vdom_THIS"
            set ip 10.0.0.2 255.255.255.255
            set type tunnel
            set remote-ip 10.0.0.1
            set snmp-index 34
            set interface "201 Router"
        next
    end
    config router static
        edit 1
            set dst 10.203.107.0 255.255.255.0
            set distance 3
            set device "GW_HQ"
        next
        edit 4
            set distance 25
            set device "GW_HQ"
        next
    end
    config router policy
        edit 1
            set input-device "203 ViaVPN"
            set src "0.0.0.0/0.0.0.0"
            set dst "192.168.11.0/255.255.255.0"
            set output-device "201 Router"
        next
        edit 3
            set input-device "203 ViaVPN"
            set src "10.201.203.0/255.255.255.0"
            set dst "10.201.202.0/255.255.255.0"
            set output-device "202 Directly"
        next
        edit 4
            set input-device "203 ViaVPN"
            set src "10.201.203.0/255.255.255.0"
            set dst "10.201.1.0/255.255.255.0"
            set output-device "internal5"
        next
        edit 2
            set input-device "203 ViaVPN"
            set src "10.201.203.0/255.255.255.0"
            set dst "0.0.0.0/0.0.0.0"
            set output-device "GW_HQ"
        next
        edit 5
            set input-device "202 Directly"
            set src "10.201.202.0/255.255.255.0"
            set dst "0.0.0.0/0.0.0.0"
            set output-device "internal5"
        next
    end

    tanr
    Valued Contributor II

    How are your link-monitor objects set up? Maybe they're marking an interface as down when it is not?

    Yngve0
    New Contributor II

    Thanks Tanr;

    I have now link-monitor configured. I also see that there is outbound traffic on both gateways at the same time.

    Branch01-FGT60C (vdom_THIS) # get router info routing-table al
    Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
           O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
           * - candidate default
     
    S* 0.0.0.0/0 [25/0] via 192.168.11.1, 201 Router (***DHCP recieved gateway***)
                      [25/0] via 10.0.0.1, GW_HQ
    C 10.0.0.1/32 is directly connected, GW_HQ
    C 10.0.0.2/32 is directly connected, GW_HQ
    C 10.201.202.0/24 is directly connected, 202 Directly
    C 10.201.203.0/24 is directly connected, 203 ViaVPN
    C 192.168.11.0/24 is directly connected, 201 Router
    C 10.201.1.0/24 is directly connected, internal5
    S 10.203.107.0/24 [3/0] via 10.0.0.1, GW_HQ
     
     
    Branch01-FGT60C (vdom_THIS) #
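The routing table above shows two default routes at the same distance (25), one via 201 Router and one via GW_HQ. The following Python is an added example, not FortiGate code and not from anyone in this thread: it models the posted policy routes and static routes, evaluates policy routes top-down with first match winning, and otherwise falls back to a longest-prefix / lowest-distance lookup where equal-cost routes are load-balanced. The source-IP modulo used for the equal-cost choice is an assumed stand-in for the firewall's own ECMP selection.

```python
import ipaddress

# Added example constructed from the config and routing table posted in this
# thread; a simplified model, not FortiGate code.
# Policy routes are evaluated top-down and the first match wins. If none
# matches, the routing table decides: longest prefix, then lowest distance,
# and equal-cost routes are load-balanced (ECMP). The hash used below is an
# assumption standing in for the firewall's real ECMP selection.

# (seq, input-device, src, dst, output-device), in the order they were listed
POLICY_ROUTES = [
    (1, "203 ViaVPN", "0.0.0.0/0", "192.168.11.0/24", "201 Router"),
    (3, "203 ViaVPN", "10.201.203.0/24", "10.201.202.0/24", "202 Directly"),
    (4, "203 ViaVPN", "10.201.203.0/24", "10.201.1.0/24", "internal5"),
    (2, "203 ViaVPN", "10.201.203.0/24", "0.0.0.0/0", "GW_HQ"),
    (5, "202 Directly", "10.201.202.0/24", "0.0.0.0/0", "internal5"),
]

# (prefix, distance, device) as shown by "get router info routing-table all"
STATIC_ROUTES = [
    ("0.0.0.0/0", 25, "201 Router"),
    ("0.0.0.0/0", 25, "GW_HQ"),
    ("10.203.107.0/24", 3, "GW_HQ"),
]


def ecmp_candidates(dst):
    """Devices sharing the best (longest prefix, lowest distance) route to dst."""
    d = ipaddress.ip_address(dst)
    cands = [(ipaddress.ip_network(p), dist, dev) for p, dist, dev in STATIC_ROUTES
             if d in ipaddress.ip_network(p)]
    best_len = max(n.prefixlen for n, _, _ in cands)
    best_dist = min(dist for n, dist, _ in cands if n.prefixlen == best_len)
    return [dev for n, dist, dev in cands
            if n.prefixlen == best_len and dist == best_dist]


def route(in_dev, src, dst):
    """Return (reason, output device) for a packet arriving on in_dev."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for seq, idev, sn, dn, odev in POLICY_ROUTES:
        if (in_dev == idev and s in ipaddress.ip_network(sn)
                and d in ipaddress.ip_network(dn)):
            return f"policy {seq}", odev
    devs = ecmp_candidates(dst)
    if len(devs) == 1:
        return "static", devs[0]
    return "static (ECMP)", devs[int(s) % len(devs)]  # assumed source-IP hash


if __name__ == "__main__":
    for host in ("10.201.1.10", "10.201.1.11"):  # constructed hosts on internal5
        print(host, "->", route("internal5", host, "8.8.8.8"))
    print("10.201.203.5 ->", route("203 ViaVPN", "10.201.203.5", "8.8.8.8"))
```

Hosts on internal5 match no policy route and fall through to the two equal-distance default routes, which is consistent with the per-device split the original post describes.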
    Yngve0
    New Contributor II

    Solved.

    I had to re-enter the policies in the correct order and add a gateway / IP to the GW interface.

    Y

    emnoc
    Esteemed Contributor III

    Sorry to break it down, but most of those policies are not required and can be eliminated: #3 through #5 for sure. I even suspect #1 is useless and your kernel routes from the "config router static" might have worked.

    Ken Felix

    PCNSE NSE StrongSwan