I have some issues with a Fortigate 60C Build0762.
I am not able to make PolicyBasedRouting to work as I expected.
I have the following VLANs/subnets (see the interface config below).
There is a switch in front, so all VLANs are tagged on internal5.
It seems that outbound traffic is randomly routed either over the local gateway or via the VPN. Two devices connected to the technical net (10.201.1.x) are routed differently.
I know that the NAT/DHCP on the linknet could cause some issues, but since the VPN is connected and stable (also after a reboot) I presume this is not the problem.
Could anyone tell me what I am doing wrong?
config system interface
    edit "internal5"
        set vdom "vdom_THIS"
        set ip 10.201.1.1 255.255.255.0
        set allowaccess ping
        set type physical
        set listen-forticlient-connection enable
        set snmp-index 20
    next
    edit "201 Router"
        set vdom "vdom_THIS"
        set mode dhcp
        set distance 25
        set allowaccess ping
        set snmp-index 31
        set interface "internal5"
        set vlanid 201
    next
    edit "202 Directly"
        set vdom "vdom_THIS"
        set ip 10.201.202.1 255.255.255.0
        set allowaccess ping
        set device-identification enable
        set snmp-index 32
        set interface "internal5"
        set vlanid 202
    next
    edit "203 ViaVPN"
        set vdom "vdom_THIS"
        set ip 10.201.203.1 255.255.255.0
        set allowaccess ping
        set snmp-index 33
        set interface "internal5"
        set vlanid 203
    next
    edit "GW_HQ"
        set vdom "vdom_THIS"
        set ip 10.0.0.2 255.255.255.255
        set type tunnel
        set remote-ip 10.0.0.1
        set snmp-index 34
        set interface "201 Router"
    next
end
config router static
    edit 1
        set dst 10.203.107.0 255.255.255.0
        set distance 3
        set device "GW_HQ"
    next
    edit 4
        set distance 25
        set device "GW_HQ"
    next
end
config router policy
    edit 1
        set input-device "203 ViaVPN"
        set src "0.0.0.0/0.0.0.0"
        set dst "192.168.11.0/255.255.255.0"
        set output-device "201 Router"
    next
    edit 3
        set input-device "203 ViaVPN"
        set src "10.201.203.0/255.255.255.0"
        set dst "10.201.202.0/255.255.255.0"
        set output-device "202 Directly"
    next
    edit 4
        set input-device "203 ViaVPN"
        set src "10.201.203.0/255.255.255.0"
        set dst "10.201.1.0/255.255.255.0"
        set output-device "internal5"
    next
    edit 2
        set input-device "203 ViaVPN"
        set src "10.201.203.0/255.255.255.0"
        set dst "0.0.0.0/0.0.0.0"
        set output-device "GW_HQ"
    next
    edit 5
        set input-device "202 Directly"
        set src "10.201.202.0/255.255.255.0"
        set dst "0.0.0.0/0.0.0.0"
        set output-device "internal5"
    next
end
How are your link-monitor objects set up? Maybe they're marking an interface as down when it is not?
Thanks Tanr;
I have now link-monitor configured. I also see outbound traffic on both gateways at the same time.
Branch01-FGT60C (vdom_THIS) # get router info routing-table al
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
S* 0.0.0.0/0 [25/0] via 192.168.11.1, 201 Router (***DHCP received gateway***)
                    [25/0] via 10.0.0.1, GW_HQ
C 10.0.0.1/32 is directly connected, GW_HQ
C 10.0.0.2/32 is directly connected, GW_HQ
C 10.201.202.0/24 is directly connected, 202 Directly
C 10.201.203.0/24 is directly connected, 203 ViaVPN
C 192.168.11.0/24 is directly connected, 201 Router
C 10.201.1.0/24 is directly connected, internal5
S 10.203.107.0/24 [3/0] via 10.0.0.1, GW_HQ
Branch01-FGT60C (vdom_THIS) #
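The routing table above carries two default routes with the same distance, [25/0], one via the DHCP-learned gateway on "201 Router" and one via GW_HQ. FortiOS treats routes that tie on prefix length, distance and priority as an ECMP set and spreads traffic across them per source IP by default, which is exactly the "some hosts go local, some go over the VPN" symptom on 10.201.1.x, a subnet that has no policy route of its own. The script below is an added example, not code from the original poster or from Fortinet: it models the lookup order FortiOS uses (policy routes first, in listed order, first match wins, and a policy route is skipped when the table has no route to the destination through its output device; then the routing table with longest prefix, lowest distance, lowest priority, ties forming the ECMP set) against the exact routes and policies posted in this thread. The ECMP member choice uses a modulo of the source address as a stand-in for FortiOS's real hash (assumption: only the per-host stickiness matters), the host addresses and 8.8.8.8 are constructed test inputs, and FIXED_ROUTES demotes the GW_HQ default to distance 30 as one assumed way to break the tie (the thread does not say which gateway the internal5 hosts were meant to use).

```python
# Model of FortiGate route selection for the routes and policies posted in this thread.
# Not FortiOS code: it reproduces the documented lookup order (policy routes first, in
# listed order, first match wins; then the routing table: longest prefix, lowest
# distance, lowest priority; remaining ties form an ECMP set spread per source IP).
import ipaddress
from dataclasses import dataclass

IPv4Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Route:
    dst: IPv4Net
    device: str
    distance: int
    priority: int = 0  # FortiOS tie-breaker after distance; 0 everywhere in the thread


@dataclass(frozen=True)
class PolicyRoute:
    seq: int
    input_device: str
    src: IPv4Net
    dst: IPv4Net
    output_device: str


def net(s: str) -> IPv4Net:
    return ipaddress.ip_network(s, strict=False)


# Routing table as posted ("get router info routing-table all").
# Both default routes carry distance 25, so they tie and form an ECMP pair.
ROUTES = [
    Route(net("0.0.0.0/0"), "201 Router", 25),       # DHCP-learned default, distance 25
    Route(net("0.0.0.0/0"), "GW_HQ", 25),            # static route 4, distance 25
    Route(net("10.0.0.1/32"), "GW_HQ", 0),
    Route(net("10.0.0.2/32"), "GW_HQ", 0),
    Route(net("10.201.202.0/24"), "202 Directly", 0),
    Route(net("10.201.203.0/24"), "203 ViaVPN", 0),
    Route(net("192.168.11.0/24"), "201 Router", 0),
    Route(net("10.201.1.0/24"), "internal5", 0),
    Route(net("10.203.107.0/24"), "GW_HQ", 3),
]

# Policy routes in the order they appear in the posted "config router policy".
POLICIES = [
    PolicyRoute(1, "203 ViaVPN", net("0.0.0.0/0"), net("192.168.11.0/24"), "201 Router"),
    PolicyRoute(3, "203 ViaVPN", net("10.201.203.0/24"), net("10.201.202.0/24"), "202 Directly"),
    PolicyRoute(4, "203 ViaVPN", net("10.201.203.0/24"), net("10.201.1.0/24"), "internal5"),
    PolicyRoute(2, "203 ViaVPN", net("10.201.203.0/24"), net("0.0.0.0/0"), "GW_HQ"),
    PolicyRoute(5, "202 Directly", net("10.201.202.0/24"), net("0.0.0.0/0"), "internal5"),
]


def table_lookup(routes, dst):
    """Longest prefix, then lowest distance, then lowest priority; return the tied set."""
    cands = [r for r in routes if dst in r.dst]
    if not cands:
        return []
    best_len = max(r.dst.prefixlen for r in cands)
    cands = [r for r in cands if r.dst.prefixlen == best_len]
    best_dist = min(r.distance for r in cands)
    cands = [r for r in cands if r.distance == best_dist]
    best_prio = min(r.priority for r in cands)
    return [r for r in cands if r.priority == best_prio]


def ecmp_pick(ecmp_set, src):
    """Source-IP-based spreading (the FortiOS default v4-ecmp-mode). The modulo is an
    assumed stand-in for the real hash: each host sticks to one member, and two hosts
    on the same subnet can land on different members."""
    return ecmp_set[int(src) % len(ecmp_set)]


def route(src_ip, dst_ip, in_device, routes=ROUTES, policies=POLICIES):
    """Return (egress device, reason) for a packet entering on in_device."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for p in policies:  # first matching policy route wins
        if p.input_device == in_device and src in p.src and dst in p.dst:
            # Only honoured if the table reaches dst through the policy's output
            # device; otherwise the lookup falls through (policy 5 never applies).
            if any(dst in r.dst and r.device == p.output_device for r in routes):
                return p.output_device, f"policy {p.seq}"
    ecmp = table_lookup(routes, dst)
    if not ecmp:
        return None, "no route"
    chosen = ecmp_pick(ecmp, src)
    return chosen.device, "table ecmp" if len(ecmp) > 1 else "table"


# Assumed remedy: demote the VPN default so only one default route is active.
FIXED_ROUTES = [
    Route(r.dst, r.device, 30) if (r.device == "GW_HQ" and r.dst.prefixlen == 0) else r
    for r in ROUTES
]

if __name__ == "__main__":
    for host in ("10.201.1.10", "10.201.1.11"):   # constructed hosts on internal5
        print(host, "->", route(host, "8.8.8.8", "internal5"))
        print(host, "(fixed) ->", route(host, "8.8.8.8", "internal5", FIXED_ROUTES))
    print("10.201.203.5 ->", route("10.201.203.5", "8.8.8.8", "203 ViaVPN"))
    print("10.201.202.9 ->", route("10.201.202.9", "8.8.8.8", "202 Directly"))
```

Run as-is, the two internal5 hosts split between "201 Router" and "GW_HQ" on the posted table and both use "201 Router" once the tie is broken; hosts on "203 ViaVPN" are steered by policy routes regardless, and policy 5 is skipped because internal5 has no route to the internet, so "202 Directly" hosts fall into the same ECMP split.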
Solved.
I had to re-enter the policies in the correct order and add the gateway / IP to the GW interface.
Sorry to break it down, but most of those policies are not required and can be eliminated; #3 through #5 for sure. I even suspect #1 is useless and your kernel routes from the "config router static" might have worked.
Ken Felix
PCNSE
NSE
StrongSwan