- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Routing between 2 subnets is it possible with a 30...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Routing between 2 subnets is it possible with a 300D
So I currently have a switch with IP 172.16.0.1/21 connect to Fortigate Lan port 2 172.16.0.220/21 and want to add a new subnet with a new switch IP 172.18.0.1/21 connected to Fortigate Lan port 3 172.18.0.220/21. Once connected they show up in the Router Monitor but I want to be able to communicate ping or other wise say from the old subnet to a computer/server on the new subnet. I added a rule that said all traffic from one lan interface to another with all servers and no NAT but still cannot get them to communicate past either switch. Spoke to the switch manufacture and they said all information on the switch is correct and both switches can ping the lan ports on the firewall just nothing passed so they said to contact fortigate. I called and spoke to a rep and the told me that routeing between two subnets on two different interfaces is not possible is that true.
7 REPLIES 7
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
L2 switches themselves do not route traffic by IP, so putting an IP on a switch would be for management purposes only IMO. Communication between the Fortigate and the switchers should be via the trunk or uplink ports on the switches. Default routes for each subnet should be to the Fortigate (172.x.0.220) and not the switch (172.x.0.1).
So in the routing table, you should see something like:
Network gateway Interface 172.16.0.0 172.16.0.220 (or 0.0.0.0) port2 172.18.0.0 172.18.0.220 (or 0.0.0.0) port3 Someone correct me if this is not correct.
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0
(FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The problem is all of the IPs above are in a big 172.16.0.0/21 (up to 172.23.x.x) subnet. They're NOT different subnets. That's why the rep said it's impossible. If they're /24s, yes, it's possible.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
scrap my comment. I was not thinking straight...sorry.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If your policy is correct (you need two!) then it's due to incorrect routing.
Make sure your hosts have got the correct default route, like @Dave Hall has posted: one part of your hosts is in the 172.16 subnet, the other in the 172.18 subnet. Their IP config must have a default route of 172.16.0.220 and 172.18.0.220, respectively. The easiest way to make that happen is to configure DHCP servers on both ports and select "gateway: use interface address" in the setup.
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So both switches are the default gateways on there subnet and both have a default route to there corresponding Fortigate interface. Switch 172.16.0.1 has a default route of 0.0.0.0 172.16.0.220 and switch 172.18.0.1 default 0.0.0.0 172.18.0.220. So if I execute a ping from switch 172.16.0.1 I can ping both interfaces 172.16.0.220 and 172.18.0.220 as well as switch 172.18.0.1 but nothing connected to switch 18. If I ping from the other switch 172.18.0.1 I can ping anything on the subnet of 172.16.0.0/21 but if I go to a computer on 172.18.0.0/21 I cannot ping anything on 172.16.0.0/21
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You did not understand! A Laywer 2 Switch can not be your default gateway for your subne for - as said before - they can not do any routing. Your Clients have to use the Fortigate with its corresponding LAN address als default Gateway.
On the FGt you have already done the routing by creating the interfaces.
You just have to have policies to allow the traffic.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
--
"It is a mistake to think you can solve any major problems just with
potatoes." - Douglas Adams
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SW2090 you jogged my memory thanks. I had it in my notes to change dhcp and static address to the .200 lan interface for the gateways. The switches had been the default gateways for many years basically forwarding traffic on the subnet then when it feel out of range sending up to the default route which was a Microsoft TMG firewall. Once I replaced the Fortinet I planned on redoing the gateway proper but was on Medicaal leave and forgot I had wrote and pllaned all this out. Anyways changing the gateways did correct the issues now need to go correct change all other old gateways to confirm. Thanks again Fourm.
Related Posts
- Multiple phase 2 selectors needed for... 126 Views
- FortiMangaer and FGT Hub migration issues... 107 Views
- Dial-up IPsec tunnels with same source... 625 Views
- ipv6 - internal lan interface cannot... 283 Views
- Fortigate 7.4.0 IPsec VPN is... 720 Views
Labels
-
FortiGate
6,500 -
FortiClient
1,298 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
413 -
5.6
362 -
FortiAP
333 -
FortiSwitch
332 -
FortiClient EMS
261 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
149 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiGateCloud
87 -
FortiSIEM
86 -
FortiCloud Products
82 -
IPsec
70 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
58 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
Firewall policy
22 -
FortiConverter
21 -
High Availability
20 -
VLAN
19 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiCASB
12 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
FortiAuthenticator
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
Virtual IP
8 -
NAT
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSL SSH inspection
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Security profile
5 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.