FGFW Behind Home WiFi Router

Author
ari_mis
New Member
  • Total Posts : 9
  • Scores: 0
  • Reward points: 0
  • Joined: 2020/07/15 09:21:14
  • Status: offline
2020/07/15 09:44:14 (permalink)
0

FGFW Behind Home WiFi Router

Hello all! Long time reader, first time poster. I apologize if this is already discussed or should possibly be in the Routing area. My googling has let me down. Thanks in advance!
 
An unusual setup: Essentially what I need to do is give a FGFW 30E to an employee for home use to limit and control access on a single host computer. We want to keep the home network untouched, so we plan to have the person plug the FGFW's WAN into an available port on their existing WiFi router (which is then plugged into a standard cable modem). Computer is plugged into LAN1. I've created a LAN zone that includes LAN1 interface. (I deleted the default Hardware Switch that comes preconfigured.)
 
I'm testing this at my home and here's what I've run into.
 
If I create a policy allowing all traffic from LAN to WAN, the host computer operates just fine, can browse all the interwebs.
 
However, if I modify that same policy to only allow traffic from that single Host IP to specified FQDNs (and the DNS IPs the host is using (8.8.8.8,8.8.4.4)), I get an unwanted experience on the host. The FQDNs take 5+ minutes to load, Chrome browser takes 5+ minutes to load...
 
No other policies are in place. No static routes.
 
Obviously I must be missing some simple setting or additional policy on my FGFW if it works fine when I do not limit the Destination addresses of the policy.
 
Do I need another policy of some sort? Some kind of static route?
 
Let me know what configs or settings you might need to see.
 
WAN Interface is set to DHCP (which picks up a private IP from the WiFi router); and the FGFW sees the real public IP as the "WAN IP" in the Dashboard>Status>System Info
#1

12 Replies

    sw2090
    Expert Member
    • Total Posts : 712
    • Scores: 50
    • Reward points: 0
    • Joined: 2017/06/14 01:27:25
    • Location: Regensburg
    • Status: offline
    Re: FGFW Behind Home WiFi Router 2020/07/15 23:53:29 (permalink)
    0
    Could you please provide some more details?
    What does your policy look like? How do you filter that?
    Does the PC do DHCP from the FGT?
     
    Maybe do a flow debug on cli to see what happens?
     
    #2
    rwpatterson
    Expert Member
    • Total Posts : 8490
    • Scores: 205
    • Reward points: 0
    • Joined: 2006/08/08 10:08:18
    • Location: Long Island, New York, USA
    • Status: online
    Re: FGFW Behind Home WiFi Router 2020/07/16 05:19:32 (permalink)
    0
    Welcome to the forums.
     
    I would:
    1) Switch the DNS to use the Fortigate's DNS
    2) Have the Fortigate get its DNS from the user's ISP, not Google
    3) Make sure to change the internal network from the default which is more than likely 192.168.1.x/24. Double NATting may be an issue if both networks are the same.

    -Bob - self proclaimed posting junkie!
    See my Fortigate related scripts at: http://fortigate.camerabob.com

    -4.3.19-b0694
    FWF80CM (2)
    FWF81CM (3)
     
    #3
    ari_mis
    Re: FGFW Behind Home WiFi Router 2020/07/16 11:28:32 (permalink)
    0
    Here are some more details while I work on running the flow debug.
     
    Lone policy in the IPv4:
    From: LAN (Zone created with single interface included)
    To: WAN
    Source: all
    Destination: (Address group including specific IPs and FQDNs I want to limit traffic to.)
    Schedule: always
    Service: ALL
    Action: Accept
    Inspection Mode: Flow-based
    Firewall/Network Options
    NAT: On
    IP Pool Configuration: Use Outgoing Interface Address
    Preserve Source Port: Off
    Protocol Options: Default
    Security Profiles: All Off Except SSL Inspection is set to SSL no-inspection
    #4
    ari_mis
    Re: FGFW Behind Home WiFi Router 2020/07/16 11:46:28 (permalink)
    0
    Here's the flow debug output. Guessing it has something to do with the "Denied by forward policy check."
    For reference: 10.10.10.2 is the host CPU on the LAN Zone
    192.168.168.1 is the WiFi router's Gateway IP
     
    trace_id=1060 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 10.10.10.2:59183->17.167.194.230:443) from lan1. flag [S], seq 226791540, ack 0, win 65535"
    id=20085 trace_id=1060 func=init_ip_session_common line=5788 msg="allocate a new session-001b0685"
    id=20085 trace_id=1060 func=vf_ip_route_input_common line=2595 msg="find a route: flag=04000000 gw-192.168.168.1 via wan"
    id=20085 trace_id=1060 func=fw_forward_handler line=624 msg="Denied by forward policy check (policy 0)"
    id=20085 trace_id=1061 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 10.10.10.2:59182->17.167.194.230:443) from lan1. flag [S], seq 550501757, ack 0, win 65535"
    id=20085 trace_id=1061 func=init_ip_session_common line=5788 msg="allocate a new session-001b0686"
    id=20085 trace_id=1061 func=vf_ip_route_input_common line=2595 msg="find a route: flag=04000000 gw-192.168.168.1 via wan"
    id=20085 trace_id=1061 func=fw_forward_handler line=624 msg="Denied by forward policy check (policy 0)"
    id=20085 trace_id=1062 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 10.10.10.2:59168->17.167.194.224:443) from lan1. flag [S], seq 2484871658, ack 0, win 65535"
    id=20085 trace_id=1062 func=init_ip_session_common line=5788 msg="allocate a new session-001b0687"
    id=20085 trace_id=1062 func=vf_ip_route_input_common line=2595 msg="find a route: flag=04000000 gw-192.168.168.1 via wan"
    id=20085 trace_id=1062 func=fw_forward_handler line=624 msg="Denied by forward policy check (policy 0)"
    #5
    brycemd
    Silver Member
    • Total Posts : 105
    • Scores: 6
    • Reward points: 0
    • Joined: 2016/12/03 11:24:30
    • Status: online
    Re: FGFW Behind Home WiFi Router 2020/07/16 13:32:08 (permalink)
    0
    It's saying that whatever 17.167.194.230 and 17.167.194.224 are isn't matching the policy. I guess the obvious question is: are those IPs part of the destination for the policy?
     
    Try on the IPv4 page to do a policy lookup.
    #6
    ari_mis
    Re: FGFW Behind Home WiFi Router 2020/07/16 14:03:25 (permalink)
    0
    Those 17.167.x.x are not IPs that I'd want the computer going to. (These specifically look to be Apple IPs so most likely software updates/Apple Diagnostic reporting or general Apple OS chatter).
     
    I'll try to run a flow debug where the output will have one of the destination IPs that I want to be allowed.
    #7
    sw2090
    Re: FGFW Behind Home WiFi Router 2020/07/17 00:59:30 (permalink)
    0
    trace_id=1060 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 10.10.10.2:59183->17.167.194.230:443) from lan1. flag [S], seq 226791540, ack 0, win 65535"
    This says the FGT received a packet from 10.10.10.2 on the lan1 interface that would go to 17.167.194.230.

    id=20085 trace_id=1061 func=vf_ip_route_input_common line=2595 msg="find a route: flag=04000000 gw-192.168.168.1 via wan"
    This says it did find a route for that packet. It is to go to 192.168.168.1 via interface or zone "wan".

    And then it says "denied by forward policy check (policy 0)". That means it did get the packet and it did find a route to the destination BUT it did not match any of your policies except policy 0, which is implicit deny.
    Policy 0 will always match anything that doesn't match any other policy. Policies are top down and Policy 0 is the tar pit where everything lands that didn't go anywhere :)

    #8
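As an added example (not code from this thread or from Fortinet): a small Python parser that reads `diagnose debug flow` output like the dumps posted here, groups the lines by trace_id and reports, for each trace, the packet, the route it found and whether it was allowed by a numbered policy, matched an existing session, or fell through to the implicit deny (policy 0) that sw2090 describes. The embedded sample lines are copied from the denied trace in post #5 and the allowed trace in post #10; the field names and regexes are the example's own assumptions about the log format, not a Fortinet API.

```python
import re
from collections import Counter, OrderedDict

# Sample input copied from the thread: one session dropped by policy 0 (post #5),
# one session allowed by policy 5 with SNAT, and its reply packet (post #10).
SAMPLE = """\
trace_id=1060 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 10.10.10.2:59183->17.167.194.230:443) from lan1. flag [S], seq 226791540, ack 0, win 65535"
id=20085 trace_id=1060 func=init_ip_session_common line=5788 msg="allocate a new session-001b0685"
id=20085 trace_id=1060 func=vf_ip_route_input_common line=2595 msg="find a route: flag=04000000 gw-192.168.168.1 via wan"
id=20085 trace_id=1060 func=fw_forward_handler line=624 msg="Denied by forward policy check (policy 0)"
2020-07-17 16:46:26 id=20085 trace_id=8345 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 10.10.10.2:63925->193.203.82.154:443) from lan1. flag [S], seq 4187103751, ack 0, win 65535"
2020-07-17 16:46:26 id=20085 trace_id=8345 func=init_ip_session_common line=5788 msg="allocate a new session-00271567"
2020-07-17 16:46:26 id=20085 trace_id=8345 func=vf_ip_route_input_common line=2595 msg="find a route: flag=04000000 gw-192.168.168.1 via wan"
2020-07-17 16:46:26 id=20085 trace_id=8345 func=fw_forward_handler line=771 msg="Allowed by Policy-5: SNAT"
2020-07-17 16:46:26 id=20085 trace_id=8345 func=__ip_session_run_tuple line=3396 msg="SNAT 10.10.10.2->192.168.168.104:63925"
2020-07-17 16:46:26 id=20085 trace_id=8347 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 193.203.82.154:443->192.168.168.104:63925) from wan. flag [S.], seq 3640816309, ack 4187103752, win 28960"
2020-07-17 16:46:26 id=20085 trace_id=8347 func=resolve_ip_tuple_fast line=5698 msg="Find an existing session, id-00271567, reply direction"
"""

# The timestamp and "id=20085" prefixes are optional, so search from trace_id onwards.
LINE_RE = re.compile(r'trace_id=(\d+)\s+func=(\S+)\s+line=\d+\s+msg="(.*)"$')
PKT_RE = re.compile(r'received a packet\(proto=(\d+), (\S+):(\d+)->(\S+):(\d+)\) '
                    r'from (\S+)\. flag \[([^\]]*)\]')
ROUTE_RE = re.compile(r'find a route: flag=\w+ gw-(\S+) via (\S+)')
ALLOW_RE = re.compile(r'Allowed by Policy-(\d+)')
DENY_RE = re.compile(r'Denied by forward policy check \(policy (\d+)\)')
EXIST_RE = re.compile(r'Find an existing session, id-(\w+), (original|reply) direction')
SNAT_RE = re.compile(r'SNAT (\S+)->(\S+:\d+)')


def parse_flow(text):
    """Group flow-debug lines by trace_id and pull out packet, route, verdict and NAT."""
    traces = OrderedDict()
    for raw in text.splitlines():
        m = LINE_RE.search(raw.strip())
        if not m:
            continue  # banner lines, blank lines, anything that is not a trace record
        tid, func, msg = m.groups()
        t = traces.setdefault(tid, {"verdict": None, "policy": None})
        if func == "print_pkt_detail":
            p = PKT_RE.search(msg)
            if p:
                t.update(proto=int(p.group(1)), src=p.group(2), sport=int(p.group(3)),
                         dst=p.group(4), dport=int(p.group(5)), in_if=p.group(6),
                         flags=p.group(7))
        elif func == "vf_ip_route_input_common":
            r = ROUTE_RE.search(msg)
            if r:
                t["gw"], t["out_if"] = r.groups()
        elif func == "fw_forward_handler":
            # Only a brand-new session reaches the policy check; the verdict lives here.
            a, d = ALLOW_RE.search(msg), DENY_RE.search(msg)
            if a:
                t["verdict"], t["policy"] = "allowed", int(a.group(1))
            elif d:
                t["verdict"], t["policy"] = "denied", int(d.group(1))
        elif func == "resolve_ip_tuple_fast":
            e = EXIST_RE.search(msg)
            if e:  # later packets of an accepted session skip the policy check entirely
                t["verdict"], t["session"], t["direction"] = "existing", e.group(1), e.group(2)
        elif func in ("__ip_session_run_tuple", "ip_session_run_all_tuple"):
            s = SNAT_RE.search(msg)
            if s:
                t["snat"] = s.group(2)  # the WAN-side address:port the router will see
    return traces


def implicit_deny_destinations(traces):
    """Count (dst, dport) pairs that fell through to policy 0; these are the candidates
    for "is that IP actually in my destination address group?"."""
    hits = Counter()
    for t in traces.values():
        if t["verdict"] == "denied" and t["policy"] == 0 and "dst" in t:
            hits[(t["dst"], t["dport"])] += 1
    return hits


def describe(traces):
    """One human-readable line per trace, in the order the FortiGate emitted them."""
    out = []
    for tid, t in traces.items():
        flow = "%s:%s -> %s:%s in %s" % (t.get("src"), t.get("sport"), t.get("dst"),
                                         t.get("dport"), t.get("in_if"))
        if t["verdict"] == "denied":
            why = "DENIED by policy %d%s" % (t["policy"],
                                             " (implicit deny)" if t["policy"] == 0 else "")
        elif t["verdict"] == "allowed":
            why = "allowed by policy %d, SNAT to %s" % (t["policy"], t.get("snat"))
        elif t["verdict"] == "existing":
            why = "existing session %s, %s direction" % (t["session"], t["direction"])
        else:
            why = "no verdict line seen"
        out.append("trace %s: %s [%s] via %s -> %s" % (tid, flow, t.get("flags"),
                                                       t.get("out_if", "?"), why))
    return out


if __name__ == "__main__":
    parsed = parse_flow(SAMPLE)
    print("\n".join(describe(parsed)))
    print("implicit-deny destinations:", dict(implicit_deny_destinations(parsed)))
```

Paste the CLI output of `diagnose debug flow` into SAMPLE (or read it from a file) to get the same per-trace summary for a real capture.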
    ari_mis
    Re: FGFW Behind Home WiFi Router 2020/07/17 11:02:22 (permalink)
    0
    Thanks for the explanations! I noticed the Destination IPs in my flow debug are ones that I do not want the host going to, so this is desired behavior in that regard. I'm going to try to capture a flow when the host is connecting to a desired IP and see what the report says.
    #9
    ari_mis
    Re: FGFW Behind Home WiFi Router 2020/07/17 16:50:04 (permalink)
    0
    Here is a flow debug output of the host CPU hitting a specific URL. However, this is when I set the policy's Destination to "all." In the next reply, I will send the flow debug output when the policy's Destination is set to the specific Address Group (which includes this URL).
     
    2020-07-17 16:46:26 id=20085 trace_id=8345 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 10.10.10.2:63925->193.203.82.154:443) from lan1. flag [S], seq 4187103751, ack 0, win 65535"
    2020-07-17 16:46:26 id=20085 trace_id=8345 func=init_ip_session_common line=5788 msg="allocate a new session-00271567"
    2020-07-17 16:46:26 id=20085 trace_id=8345 func=vf_ip_route_input_common line=2595 msg="find a route: flag=04000000 gw-192.168.168.1 via wan"
    2020-07-17 16:46:26 id=20085 trace_id=8345 func=fw_forward_handler line=771 msg="Allowed by Policy-5: SNAT"
    2020-07-17 16:46:26 id=20085 trace_id=8345 func=__ip_session_run_tuple line=3396 msg="SNAT 10.10.10.2->192.168.168.104:63925"
    2020-07-17 16:46:26 id=20085 trace_id=8346 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 10.10.10.2:63926->193.203.82.154:443) from lan1. flag [S], seq 1521335061, ack 0, win 65535"
    2020-07-17 16:46:26 id=20085 trace_id=8346 func=init_ip_session_common line=5788 msg="allocate a new session-00271568"
    2020-07-17 16:46:26 id=20085 trace_id=8346 func=vf_ip_route_input_common line=2595 msg="find a route: flag=04000000 gw-192.168.168.1 via wan"
    2020-07-17 16:46:26 id=20085 trace_id=8346 func=fw_forward_handler line=771 msg="Allowed by Policy-5: SNAT"
    2020-07-17 16:46:26 id=20085 trace_id=8346 func=__ip_session_run_tuple line=3396 msg="SNAT 10.10.10.2->192.168.168.104:63926"
    2020-07-17 16:46:26 id=20085 trace_id=8347 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 193.203.82.154:443->192.168.168.104:63925) from wan. flag [S.], seq 3640816309, ack 4187103752, win 28960"
    2020-07-17 16:46:26 id=20085 trace_id=8347 func=resolve_ip_tuple_fast line=5698 msg="Find an existing session, id-00271567, reply direction"
    2020-07-17 16:46:26 id=20085 trace_id=8347 func=__ip_session_run_tuple line=3410 msg="DNAT 192.168.168.104:63925->10.10.10.2:63925"
    2020-07-17 16:46:26 id=20085 trace_id=8347 func=vf_ip_route_input_common line=2595 msg="find a route: flag=00000000 gw-10.10.10.2 via lan1"
    2020-07-17 16:46:26 id=20085 trace_id=8348 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 10.10.10.2:63925->193.203.82.154:443) from lan1. flag [.], seq 4187103752, ack 3640816310, win 2058"
    2020-07-17 16:46:26 id=20085 trace_id=8348 func=resolve_ip_tuple_fast line=5698 msg="Find an existing session, id-00271567, original direction"
    2020-07-17 16:46:26 id=20085 trace_id=8348 func=__ip_session_run_tuple line=3396 msg="SNAT 10.10.10.2->192.168.168.104:63925"
    2020-07-17 16:46:26 id=20085 trace_id=8349 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 10.10.10.2:63925->193.203.82.154:443) from lan1. flag [.], seq 4187103752, ack 3640816310, win 2058"
    2020-07-17 16:46:26 id=20085 trace_id=8349 func=resolve_ip_tuple_fast line=5698 msg="Find an existing session, id-00271567, original direction"
    2020-07-17 16:46:26 id=20085 trace_id=8349 func=__ip_session_run_tuple line=3396 msg="SNAT 10.10.10.2->192.168.168.104:63925"
    2020-07-17 16:46:26 id=20085 trace_id=8350 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 193.203.82.154:443->192.168.168.104:63926) from wan. flag [S.], seq 717328328, ack 1521335062, win 28960"
    2020-07-17 16:46:26 id=20085 trace_id=8350 func=resolve_ip_tuple_fast line=5698 msg="Find an existing session, id-00271568, reply direction"
    2020-07-17 16:46:26 id=20085 trace_id=8350 func=__ip_session_run_tuple line=3410 msg="DNAT 192.168.168.104:63926->10.10.10.2:63926"
    2020-07-17 16:46:26 id=20085 trace_id=8350 func=vf_ip_route_input_common line=2595 msg="find a route: flag=00000000 gw-10.10.10.2 via lan1"
    2020-07-17 16:46:26 id=20085 trace_id=8351 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 10.10.10.2:63926->193.203.82.154:443) from lan1. flag [.], seq 1521335062, ack 717328329, win 2058"
    2020-07-17 16:46:26 id=20085 trace_id=8351 func=resolve_ip_tuple_fast line=5698 msg="Find an existing session, id-00271568, original direction"
    2020-07-17 16:46:26 id=20085 trace_id=8351 func=__ip_session_run_tuple line=3396 msg="SNAT 10.10.10.2->192.168.168.104:63926"
    2020-07-17 16:46:26 id=20085 trace_id=8352 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 10.10.10.2:63926->193.203.82.154:443) from lan1. flag [.], seq 1521335062, ack 717328329, win 2058"
    2020-07-17 16:46:26 id=20085 trace_id=8352 func=resolve_ip_tuple_fast line=5698 msg="Find an existing session, id-00271568, original direction"
    2020-07-17 16:46:26 id=20085 trace_id=8352 func=__ip_session_run_tuple line=3396 msg="SNAT 10.10.10.2->192.168.168.104:63926"
    2020-07-17 16:46:26 id=20085 trace_id=8353 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 193.203.82.154:443->192.168.168.104:63925) from wan. flag [.], seq 3640816310, ack 4187104269, win 235"
    2020-07-17 16:46:26 id=20085 trace_id=8353 func=resolve_ip_tuple_fast line=5698 msg="Find an existing session, id-00271567, reply direction"
    2020-07-17 16:46:26 id=20085 trace_id=8353 func=__ip_session_run_tuple line=3410 msg="DNAT 192.168.168.104:63925->10.10.10.2:63925"
    2020-07-17 16:46:26 id=20085 trace_id=8354 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 193.203.82.154:443->192.168.168.104:63925) from wan. flag [.], seq 3640817758, ack 4187104269, win 235"
    2020-07-17 16:46:26 id=20085 trace_id=8354 func=resolve_ip_tuple_fast line=5698 msg="Find an existing session, id-00271567, reply direction"
    2020-07-17 16:46:26 id=20085 trace_id=8354 func=__ip_session_run_tuple line=3410 msg="DNAT 192.168.168.104:63925->10.10.10.2:63925"
    2020-07-17 16:46:26 id=20085 trace_id=8355 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 193.203.82.154:443->192.168.168.104:63925) from wan. flag [.], seq 3640819206, ack 4187104269, win 235"
    2020-07-17 16:46:26 id=20085 trace_id=8355 func=resolve_ip_tuple_fast line=5698 msg="Find an existing session, id-00271567, reply direction"
    2020-07-17 16:46:26 id=20085 trace_id=8355 func=__ip_session_run_tuple line=3410 msg="DNAT 192.168.168.104:63925->10.10.10.2:63925"
    2020-07-17 16:46:26 id=20085 trace_id=8356 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 10.10.10.2:63925->193.203.82.154:443) from lan1. flag [.], seq 4187104269, ack 3640819206, win 2025"
    2020-07-17 16:46:26 id=20085 trace_id=8356 func=resolve_ip_tuple_fast line=5698 msg="Find an existing session, id-00271567, original direction"
    2020-07-17 16:46:26 id=20085 trace_id=8356 func=__ip_session_run_tuple line=3396 msg="SNAT 10.10.10.2->192.168.168.104:63925"
    2020-07-17 16:46:26 id=20085 trace_id=8357 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 10.10.10.2:63925->193.203.82.154:443) from lan1. flag [.], seq 4187104269, ack 3640819352, win 2023"
    2020-07-17 16:46:26 id=20085 trace_id=8357 func=resolve_ip_tuple_fast line=5698 msg="Find an existing session, id-00271567, original direction"
    2020-07-17 16:46:26 id=20085 trace_id=8357 func=__ip_session_run_tuple line=3396 msg="SNAT 10.10.10.2->192.168.168.104:63925"
    2020-07-17 16:46:26 id=20085 trace_id=8358 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 10.10.10.2:63925->193.203.82.154:443) from lan1. flag [.], seq 4187104269, ack 3640819352, win 2048"
    2020-07-17 16:46:26 id=20085 trace_id=8358 func=resolve_ip_tuple_fast line=5698 msg="Find an existing session, id-00271567, original direction"
    2020-07-17 16:46:26 id=20085 trace_id=8358 func=__ip_session_run_tuple line=3396 msg="SNAT 10.10.10.2->192.168.168.104:63925"
    2020-07-17 16:46:26 id=20085 trace_id=8359 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 193.203.82.154:443->192.168.168.104:63926) from wan. flag [.], seq 717328329, ack 1521335579, win 235"
    2020-07-17 16:46:26 id=20085 trace_id=8359 func=resolve_ip_tuple_fast line=5698 msg="Find an existing session, id-00271568, reply direction"
    2020-07-17 16:46:26 id=20085 trace_id=8359 func=__ip_session_run_tuple line=3410 msg="DNAT 192.168.168.104:63926->10.10.10.2:63926"
    2020-07-17 16:46:26 id=20085 trace_id=8360 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 193.203.82.154:443->192.168.168.104:63926) from wan. flag [.], seq 717329777, ack 1521335579, win 235"
    2020-07-17 16:46:26 id=20085 trace_id=8360 func=resolve_ip_tuple_fast line=5698 msg="Find an existing session, id-00271568, reply direction"
    2020-07-17 16:46:26 id=20085 trace_id=8360 func=__ip_session_run_tuple line=3410 msg="DNAT 192.168.168.104:63926->10.10.10.2:63926"
    2020-07-17 16:46:26 id=20085 trace_id=8361 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 193.203.82.154:443->192.168.168.104:63926) from wan. flag [.], seq 717331225, ack 1521335579, win 235"
    2020-07-17 16:46:26 id=20085 trace_id=8361 func=resolve_ip_tuple_fast line=5698 msg="Find an existing session, id-00271568, reply direction"
    2020-07-17 16:46:26 id=20085 trace_id=8361 func=__ip_session_run_tuple line=3410 msg="DNAT 192.168.168.104:63926->10.10.10.2:63926"
    2020-07-17 16:46:26 id=20085 trace_id=8362 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 10.10.10.2:63926->193.203.82.154:443) from lan1. flag [.], seq 1521335579, ack 717331225, win 2025"
    2020-07-17 16:46:26 id=20085 trace_id=8362 func=resolve_ip_tuple_fast line=5698 msg="Find an existing session, id-00271568, original direction"
    2020-07-17 16:46:26 id=20085 trace_id=8362 func=__ip_session_run_tuple line=3396 msg="SNAT 10.10.10.2->192.168.168.104:63926"
    2020-07-17 16:46:26 id=20085 trace_id=8363 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 10.10.10.2:63926->193.203.82.154:443) from lan1. flag [.], seq 1521335579, ack 717331371, win 2023"
    2020-07-17 16:46:26 id=20085 trace_id=8363 func=resolve_ip_tuple_fast line=5698 msg="Find an existing session, id-00271568, original direction"
    2020-07-17 16:46:26 id=20085 trace_id=8363 func=__ip_session_run_tuple line=3396 msg="SNAT 10.10.10.2->192.168.168.104:63926"
    2020-07-17 16:46:26 id=20085 trace_id=8364 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 10.10.10.2:63926->193.203.82.154:443) from lan1. flag [.], seq 1521335579, ack 717331371, win 2048"
    2020-07-17 16:46:26 id=20085 trace_id=8364 func=resolve_ip_tuple_fast line=5698 msg="Find an existing session, id-00271568, original direction"
    2020-07-17 16:46:26 id=20085 trace_id=8364 func=__ip_session_run_tuple line=3396 msg="SNAT 10.10.10.2->192.168.168.104:63926"
    2020-07-17 16:46:26 id=20085 trace_id=8365 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 193.203.82.154:443->192.168.168.104:63925) from wan. flag [.], seq 3640819352, ack 4187104395, win 235"
    2020-07-17 16:46:26 id=20085 trace_id=8365 func=resolve_ip_tuple_fast line=5698 msg="Find an existing session, id-00271567, reply direction"
    2020-07-17 16:46:26 id=20085 trace_id=8365 func=ipv4_fast_cb line=53 msg="enter fast path"
    2020-07-17 16:46:26 id=20085 trace_id=8365 func=ip_session_run_all_tuple line=6905 msg="DNAT 192.168.168.104:63925->10.10.10.2:63925"
    2020-07-17 16:46:26 id=20085 trace_id=8366 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 10.10.10.2:63925->193.203.82.154:443) from lan1. flag [.], seq 4187104395, ack 3640819594, win 2044"
    2020-07-17 16:46:26 id=20085 trace_id=8366 func=resolve_ip_tuple_fast line=5698 msg="Find an existing session, id-00271567, original direction"
    2020-07-17 16:46:26 id=20085 trace_id=8366 func=ipv4_fast_cb line=53 msg="enter fast path"
    2020-07-17 16:46:26 id=20085 trace_id=8366 func=ip_session_run_all_tuple line=6893 msg="SNAT 10.10.10.2->192.168.168.104:63925"
    2020-07-17 16:46:26 id=20085 trace_id=8367 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 10.10.10.2:63925->193.203.82.154:443) from lan1. flag [.], seq 4187104395, ack 3640819594, win 2048"
    2020-07-17 16:46:26 id=20085 trace_id=8367 func=resolve_ip_tuple_fast line=5698 msg="Find an existing session, id-00271567, original direction"
    2020-07-17 16:46:26 id=20085 trace_id=8367 func=ipv4_fast_cb line=53 msg="enter fast path"
    2020-07-17 16:46:26 id=20085 trace_id=8367 func=ip_session_run_all_tuple line=6893 msg="SNAT 10.10.10.2->192.168.168.104:63925"
    2020-07-17 16:46:26 id=20085 trace_id=8368 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 193.203.82.154:443->192.168.168.104:63926) from wan. flag [.], seq 717331371, ack 1521335705, win 235"
    2020-07-17 16:46:26 id=20085 trace_id=8368 func=resolve_ip_tuple_fast line=5698 msg="Find an existing session, id-00271568, reply direction"
    2020-07-17 16:46:26 id=20085 trace_id=8368 func=ipv4_fast_cb line=53 msg="enter fast path"
    2020-07-17 16:46:26 id=20085 trace_id=8368 func=ip_session_run_all_tuple line=6905 msg="DNAT 192.168.168.104:63926->10.10.10.2:63926"
    2020-07-17 16:46:26 id=20085 trace_id=8369 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 10.10.10.2:63926->193.203.82.154:443) from lan1. flag [.], seq 1521335705, ack 717331613, win 2044"
    2020-07-17 16:46:26 id=20085 trace_id=8369 func=resolve_ip_tuple_fast line=5698 msg="Find an existing session, id-00271568, original direction"
    2020-07-17 16:46:26 id=20085 trace_id=8369 func=ipv4_fast_cb line=53 msg="enter fast path"
    2020-07-17 16:46:26 id=20085 trace_id=8369 func=ip_session_run_all_tuple line=6893 msg="SNAT 10.10.10.2->192.168.168.104:63926"
    2020-07-17 16:46:26 id=20085 trace_id=8370 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 193.203.82.154:443->192.168.168.104:63925) from wan. flag [.], seq 3640819594, ack 4187105216, win 248"
    2020-07-17 16:46:26 id=20085 trace_id=8370 func=resolve_ip_tuple_fast line=5698 msg="Find an existing session, id-00271567, reply direction"
    2020-07-17 16:46:26 id=20085 trace_id=8370 func=ipv4_fast_cb line=53 msg="enter fast path"
    2020-07-17 16:46:26 id=20085 trace_id=8370 func=ip_session_run_all_tuple line=6905 msg="DNAT 192.168.168.104:63925->10.10.10.2:63925"
    2020-07-17 16:46:26 id=20085 trace_id=8371 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 10.10.10.2:63925->193.203.82.154:443) from lan1. flag [.], seq 4187105216, ack 3640819980, win 2041"
    2020-07-17 16:46:26 id=20085 trace_id=8371 func=resolve_ip_tuple_fast line=5698 msg="Find an existing session, id-00271567, original direction"
    2020-07-17 16:46:26 id=20085 trace_id=8371 func=ipv4_fast_cb line=53 msg="enter fast path"
    2020-07-17 16:46:26 id=20085 trace_id=8371 func=ip_session_run_all_tuple line=6893 msg="SNAT 10.10.10.2->192.168.168.104:63925"
    2020-07-17 16:46:26 id=20085 trace_id=8372 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 10.10.10.2:63925->193.203.82.154:443) from lan1. flag [.], seq 4187105216, ack 3640819980, win 2048"
    2020-07-17 16:46:26 id=20085 trace_id=8372 func=resolve_ip_tuple_fast line=5698 msg="Find an existing session, id-00271567, original direction"
    2020-07-17 16:46:26 id=20085 trace_id=8372 func=ipv4_fast_cb line=53 msg="enter fast path"
    2020-07-17 16:46:26 id=20085 trace_id=8372 func=ip_session_run_all_tuple line=6893 msg="SNAT 10.10.10.2->192.168.168.104:63925"
    2020-07-17 16:46:27 id=20085 trace_id=8373 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 193.203.82.154:443->192.168.168.104:63925) from wan. flag [.], seq 3640819980, ack 4187106058, win 261"
    2020-07-17 16:46:27 id=20085 trace_id=8373 func=resolve_ip_tuple_fast line=5698 msg="Find an existing session, id-00271567, reply direction"
    2020-07-17 16:46:27 id=20085 trace_id=8373 func=ipv4_fast_cb line=53 msg="enter fast path"
    2020-07-17 16:46:27 id=20085 trace_id=8373 func=ip_session_run_all_tuple line=6905 msg="DNAT 192.168.168.104:63925->10.10.10.2:63925"
    2020-07-17 16:46:27 id=20085 trace_id=8374 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 193.203.82.154:443->192.168.168.104:63925) from wan. flag [.], seq 3640819980, ack 4187106058, win 261"
    2020-07-17 16:46:27 id=20085 trace_id=8374 func=resolve_ip_tuple_fast line=5698 msg="Find an existing session, id-00271567, reply direction"
    2020-07-17 16:46:27 id=20085 trace_id=8374 func=ipv4_fast_cb line=53 msg="enter fast path"
    2020-07-17 16:46:27 id=20085 trace_id=8374 func=ip_session_run_all_tuple line=6905 msg="DNAT 192.168.168.104:63925->10.10.10.2:63925"
    2020-07-17 16:46:27 id=20085 trace_id=8375 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 193.203.82.154:443->192.168.168.104:63925) from wan. flag [.], seq 3640820553, ack 4187106058, win 261"
    2020-07-17 16:46:27 id=20085 trace_id=8375 func=resolve_ip_tuple_fast line=5698 msg="Find an existing session, id-00271567, reply direction"
    2020-07-17 16:46:27 id=20085 trace_id=8375 func=ipv4_fast_cb line=53 msg="enter fast path"
    2020-07-17 16:46:27 id=20085 trace_id=8375 func=ip_session_run_all_tuple line=6905 msg="DNAT 192.168.168.104:63925->10.10.10.2:63925"
    2020-07-17 16:46:27 id=20085 trace_id=8376 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 10.10.10.2:63925->193.203.82.154:443) from lan1. flag [.], seq 4187106058, ack 3640820553, win 2039"
    2020-07-17 16:46:27 id=20085 trace_id=8376 func=resolve_ip_tuple_fast line=5698 msg="Find an existing session, id-00271567, original direction"
    2020-07-17 16:46:27 id=20085 trace_id=8376 func=ipv4_fast_cb line=53 msg="enter fast path"
    2020-07-17 16:46:27 id=20085 trace_id=8376 func=ip_session_run_all_tuple line=6893 msg="SNAT 10.10.10.2->192.168.168.104:63925"
    2020-07-17 16:46:27 id=20085 trace_id=8377 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 193.203.82.154:443->192.168.168.104:63925) from wan. flag [.], seq 3640822001, ack 4187106058, win 261"
    2020-07-17 16:46:27 id=20085 trace_id=8377 func=resolve_ip_tuple_fast line=5698 msg="Find an existing session, id-00271567, reply direction"
    2020-07-17 16:46:27 id=20085 trace_id=8377 func=ipv4_fast_cb line=53 msg="enter fast path"
    2020-07-17 16:46:27 id=20085 trace_id=8377 func=ip_session_run_all_tuple line=6905 msg="DNAT 192.168.168.104:63925->10.10.10.2:63925"
    2020-07-17 16:46:27 id=20085 trace_id=8378 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 193.203.82.154:443->192.168.168.104:63925) from wan. flag [.], seq 3640823449, ack 4187106058, win 261"
    2020-07-17 16:46:27 id=20085 trace_id=8378 func=resolve_ip_tuple_fast line=5698 msg="Find an existing session, id-00271567, reply direction"
    2020-07-17 16:46:27 id=20085 trace_id=8378 func=ipv4_fast_cb line=53 msg="enter fast path"
    2020-07-17 16:46:27 id=20085 trace_id=8378 func=ip_session_run_all_tuple line=6905 msg="DNAT 192.168.168.104:63925->10.10.10.2:63925"
    2020-07-17 16:46:27 id=20085 trace_id=8379 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 10.10.10.2:63925->193.203.82.154:443) from lan1. flag [.], seq 4187106058, ack 3640823449, win 2002"
    2020-07-17 16:46:27 id=20085 trace_id=8379 func=resolve_ip_tuple_fast line=5698 msg="Find an existing session, id-00271567, original direction"
    2020-07-17 16:46:27 id=20085 trace_id=8379 func=ipv4_fast_cb line=53 msg="enter fast path"
    2020-07-17 16:46:27 id=20085 trace_id=8379 func=ip_session_run_all_tuple line=6893 msg="SNAT 10.10.10.2->192.168.168.104:63925"
    2020-07-17 16:46:27 id=20085 trace_id=8380 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 10.10.10.2:63925->193.203.82.154:443) from lan1. flag [.], seq 4187106058, ack 3640824196, win 1991"
    2020-07-17 16:46:27 id=20085 trace_id=8380 func=resolve_ip_tuple_fast line=5698 msg="Find an existing session, id-00271567, original direction"
    2020-07-17 16:46:27 id=20085 trace_id=8380 func=ipv4_fast_cb line=53 msg="enter fast path"
    2020-07-17 16:46:27 id=20085 trace_id=8380 func=ip_session_run_all_tuple line=6893 msg="SNAT 10.10.10.2->192.168.168.104:63925"
    2020-07-17 16:46:27 id=20085 trace_id=8381 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 10.10.10.2:63925->193.203.82.154:443) from lan1. flag [.], seq 4187106058, ack 3640824196, win 2048"
    2020-07-17 16:46:27 id=20085 trace_id=8381 func=resolve_ip_tuple_fast line=5698 msg="Find an existing session, id-00271567, original direction"
    2020-07-17 16:46:27 id=20085 trace_id=8381 func=ipv4_fast_cb line=53 msg="enter fast path"
    2020-07-17 16:46:27 id=20085 trace_id=8381 func=ip_session_run_all_tuple line=6893 msg="SNAT 10.10.10.2->192.168.168.104:63925"
    #10
    ari_mis
    Re: FGFW Behind Home WiFi Router 2020/07/20 14:23:45 (permalink)
    0
    Oddly, when I put the Policy locked down to the desired IP (even FQDN) and DNS IPs, and try to hit that desired IP from my host computer, the Flow Diag doesn't even show that it's trying. No record of the host computer attempting to connect. It does show a flood of other random operating system IPs that it is getting rightfully denied... Eventually, after about 5 minutes, my host finally connects to that desired IP, so it does finally make it through, albeit extremely slowly...
     
    #11
    ari_mis
    Re: FGFW Behind Home WiFi Router 2020/07/21 16:39:47 (permalink)
    0
    Here's a Flow Debug of the Host hitting the desired FQDN when my IPv4 policy is set to Allow "All" for the Destination. The CLI output is empty when I change the Policy's Destination to this FQDN. I also have the DNS IPs in the Destination and the Host resolves the FQDN in a network lookup.
     
    2020-07-21 15:56:15 id=20085 trace_id=10132 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 10.10.10.2:55877->193.203.82.154:443) from lan1. flag [R.], seq 2189509940, ack 2154602185, win 2047"
    2020-07-21 15:56:15 id=20085 trace_id=10132 func=resolve_ip_tuple_fast line=5698 msg="Find an existing session, id-0040defc, original direction"
    2020-07-21 15:56:15 id=20085 trace_id=10132 func=ipv4_fast_cb line=53 msg="enter fast path"
    2020-07-21 15:56:15 id=20085 trace_id=10132 func=ip_session_run_all_tuple line=6893 msg="SNAT 10.10.10.2->192.168.168.104:55877"
    2020-07-21 15:56:15 id=20085 trace_id=10133 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 10.10.10.2:56269->193.203.82.154:443) from lan1. flag [S], seq 3750226638, ack 0, win 65535"
    2020-07-21 15:56:15 id=20085 trace_id=10133 func=init_ip_session_common line=5788 msg="allocate a new session-0040e6bf"
    2020-07-21 15:56:15 id=20085 trace_id=10133 func=vf_ip_route_input_common line=2595 msg="find a route: flag=04000000 gw-192.168.168.1 via wan"
    2020-07-21 15:56:15 id=20085 trace_id=10133 func=fw_forward_handler line=771 msg="Allowed by Policy-3: SNAT"
    2020-07-21 15:56:15 id=20085 trace_id=10133 func=__ip_session_run_tuple line=3396 msg="SNAT 10.10.10.2->192.168.168.104:56269"
    2020-07-21 15:56:15 id=20085 trace_id=10134 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 193.203.82.154:443->192.168.168.104:56269) from wan. flag [S.], seq 1051637247, ack 3750226639, win 28960"
    2020-07-21 15:56:15 id=20085 trace_id=10134 func=resolve_ip_tuple_fast line=5698 msg="Find an existing session, id-0040e6bf, reply direction"
    2020-07-21 15:56:15 id=20085 trace_id=10134 func=__ip_session_run_tuple line=3410 msg="DNAT 192.168.168.104:56269->10.10.10.2:56269"
    2020-07-21 15:56:15 id=20085 trace_id=10134 func=vf_ip_route_input_common line=2595 msg="find a route: flag=00000000 gw-10.10.10.2 via lan1"
    2020-07-21 15:56:15 id=20085 trace_id=10135 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 10.10.10.2:56269->193.203.82.154:443) from lan1. flag [.], seq 3750226639, ack 1051637248, win 2058"
    2020-07-21 15:56:15 id=20085 trace_id=10135 func=resolve_ip_tuple_fast line=5698 msg="Find an existing session, id-0040e6bf, original direction"
    2020-07-21 15:56:15 id=20085 trace_id=10135 func=__ip_session_run_tuple line=3396 msg="SNAT 10.10.10.2->192.168.168.104:56269"
    2020-07-21 15:56:15 id=20085 trace_id=10136 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 10.10.10.2:56269->193.203.82.154:443) from lan1. flag [.], seq 3750226639, ack 1051637248, win 2058"
    2020-07-21 15:56:15 id=20085 trace_id=10136 func=resolve_ip_tuple_fast line=5698 msg="Find an existing session, id-0040e6bf, original direction"
    2020-07-21 15:56:15 id=20085 trace_id=10136 func=__ip_session_run_tuple line=3396 msg="SNAT 10.10.10.2->192.168.168.104:56269"
    2020-07-21 15:56:15 id=20085 trace_id=10137 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 193.203.82.154:443->192.168.168.104:56269) from wan. flag [.], seq 1051637248, ack 3750227156, win 235"
    2020-07-21 15:56:15 id=20085 trace_id=10137 func=resolve_ip_tuple_fast line=5698 msg="Find an existing session, id-0040e6bf, reply direction"
    2020-07-21 15:56:15 id=20085 trace_id=10137 func=__ip_session_run_tuple line=3410 msg="DNAT 192.168.168.104:56269->10.10.10.2:56269"
    #12
    ari_mis
    New Member
    Re: FGFW Behind Home WiFi Router 2020/07/24 14:23:04 (permalink)
    0
    To help clarify, when I limit the IPv4 Policy for LAN>WAN to Fortigate's DNS and my restricted FQDNs, my Host (using Fortigate's DNS) successfully performs DNS Lookup (for any URL I throw at it) and Traceroute commands (to my restricted FQDNs). Yet, when I browse to one of the FQDNs, it takes over 5-10 minutes of spinning and then the page finally loads.
     
    I don't have any other settings configured on the Firewall, all default from initializing.
     
    I must need to include something else in my LAN>WAN policy's list of Destinations or set up some manual routing? Maybe a policy for WAN back to LAN?
     
    Reminder, this Fortigate is set up behind an existing wifi router which is then plugged into the ISP's modem; Fortigate's WAN is plugged into one of the router's client ports and gets a private IP from the router. If I do not restrict the Destination, hosts on the Fortigate access the internet just peachy...
    #13