Helpful ReplyHot!LAN-to-LAN 2 sites

Author
wallib
New Member
  • Total Posts : 4
  • Scores: 0
  • Reward points: 0
  • Joined: 2018/11/16 01:28:46
  • Status: offline
2018/11/16 01:46:06 (permalink)
0

LAN-to-LAN 2 sites

Hello
 
 
I have 2 sites what need to be connected together temporarily until their re-structuring is finished. We are slowly fusioning both sites together but it's a bit on standby. 
 
LAN1 (site1) - 192.168.100.2/255.255.252.0 (connected directly to fortigate 60c internal1)
LAN2 (site2)- 192.168.200.254/255.255.0.0 (connected via antenna directly to 60c internal2)
 
These are overlapping subnets, however with set allow-subnet-overlap enable I am able to have lan1/lan2 on the same subnet.
 
I only really need 2-3 machines from site1 to talk to site2 and visa versa, but I'm a bit confused on LAN-to-LAN policies when both sites have their own internet connec./firewall/dhcp etc etc. However we have no IP conflicts between the both sites.
 
How should I attack this? I was even thinking of maybe using WAN1 for site2 and keeping site1 on LAN1 and configure it like a 'firewall' but I'm not sure this is a good idea.
post edited by wallib - 2018/11/16 04:21:49
#1
Toshi Esumi
Expert Member
  • Total Posts : 1259
  • Scores: 89
  • Reward points: 0
  • Joined: 2014/11/06 09:56:42
  • Status: offline
Re: LAN-to-LAN 2 sites 2018/11/16 09:23:37 (permalink)
0
I haven't used "allow-subnet-overlap" so I don't know how it would behave if a host in the smaller subnet resides on the other side. But LAN-to-LAN policies wouldn't have much difference from LAN-to-WAN other than GUI appearance. They're just separate interfaces so just internal1/2-to-internal2/1 policies.
#2
wallib
New Member
  • Total Posts : 4
  • Scores: 0
  • Reward points: 0
  • Joined: 2018/11/16 01:28:46
  • Status: offline
Re: LAN-to-LAN 2 sites 2018/11/18 23:01:25 (permalink)
0
This is what I thought as well, I'm running a 80E as my actual firewall and I've had no problems replacing all the policies etc from my old 60C. 
 
    edit "internal1"
        set vdom "root"
        set ip 192.168.100.238 255.255.252.0
        set allowaccess ping https ssh http telnet capwap
        set vlanforward enable
        set type physical
        set alias "domaine_"
        set snmp-index 6

    edit "internal3"
        set vdom "root"
        set ip 192.168.200.238 255.255.252.0
        set allowaccess ping https http capwap
        set vlanforward enable
        set type physical
        set alias "domaine_2"
        set snmp-index 8
        set dns-server-override disable

 
These are the 2 interfaces, from the cli in the firewall i can ping anything on both sites which is great, however impossible to get my machine ping a mobatime server on the other site2, I thought accepting all would help me debug, but nothing goes through. - 
        set srcintf "any"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable

 
nat enable or nat disable has not helped me either. my 60C is my old firewall which was replaced by a 80E which means it has no more license/contract. Could this be causing problems? 

Thanks alot
#3
Toshi Esumi
Expert Member
  • Total Posts : 1259
  • Scores: 89
  • Reward points: 0
  • Joined: 2014/11/06 09:56:42
  • Status: offline
Re: LAN-to-LAN 2 sites 2018/11/18 23:14:49 (permalink) ☄ Helpfulby wallib 2018/11/19 00:31:47
0
You need to run "flow debug". It would show you the reason if the FGT is dropping packets. By the way your internal3 subnet mask is not matching your original post.
#4
wallib
New Member
  • Total Posts : 4
  • Scores: 0
  • Reward points: 0
  • Joined: 2018/11/16 01:28:46
  • Status: offline
Re: LAN-to-LAN 2 sites 2018/11/19 05:23:42 (permalink)
0
Yes I realize now I mis-noted from my first post. I was copy/pasting from a file and I'd made a mistake. Right now my fortigate is connected via DHCP to site2 until I figure this out. I am no professional network manager that's for sure but I never realized I would have troubles letting traffic through 2 different ports!
 
I've left a machine pinging my fortigate from site2 and using debug flow I get this, 192.168.160.62 is the machine on site2 and 192.168.160.19 is my fortigate on site1.
 
2018-11-19 14:05:18 id=20085 trace_id=333 func=print_pkt_detail line=4471 msg="vd-root received a packet(proto=1, 192.168.160.62:1->192.168.160.19:8) from internal3. code=8, type=0, id=1, seq=2594."
2018-11-19 14:05:18 id=20085 trace_id=333 func=init_ip_session_common line=4624 msg="allocate a new session-0030357e"
2018-11-19 14:05:18 id=20085 trace_id=333 func=fw_local_in_handler line=394 msg="iprope_in_check() check failed on policy 0, drop"

 
What can I be missing? A route?
 
get router info routing-table connected 
C 192.168.0.0/16 is directly connected, internal3
C 192.168.100.0/22 is directly connected, internal1

get router info routing-table static
S* 0.0.0.0/0 [5/0] via 192.168.200.254, internal3

 
 
 
#5
Toshi Esumi
Expert Member
  • Total Posts : 1259
  • Scores: 89
  • Reward points: 0
  • Joined: 2014/11/06 09:56:42
  • Status: offline
Re: LAN-to-LAN 2 sites 2018/11/19 08:31:17 (permalink)
0
It's not finding a matching policy. Create a set of policies; internal1->internal6 and internal6->internal1 instead. Also probably it needs static routes like 192.168.160.19/32->internal6 and 192.168.160.62/32->internal1.
#6
Toshi Esumi
Expert Member
  • Total Posts : 1259
  • Scores: 89
  • Reward points: 0
  • Joined: 2014/11/06 09:56:42
  • Status: offline
Re: LAN-to-LAN 2 sites 2018/11/19 09:59:59 (permalink)
0
Wait. 192.168.160.x is not a part of either 192.168.100.0/22 or 192.168.200.0/22 but a part of 192.168.0.0/16. What are the actual subnets on both ports? Looks like your configuration is mismatching.
 
#7
Jump to:
© 2018 APG vNext Commercial Version 5.5