Question : fortigate 60b, add second subnet needs internet - easy

We have a FortiGate 60B, and we're setting up a second subnet for a sandbox.

The current subnet should be able to access any/any on the sandbox, and the sandbox should be able to access any/any on the current subnet. They both should be able to get to the internet.

Right now, I have the sandbox and the current subnet talking just fine, but only the current (real, existing) subnet can access the internet.

How can I get the sandbox to access the internet? (see screenshots)

The current subnet is 192.168.101.0/24 with a gateway of 192.168.101.2.
The sandbox subnet is 192.168.4.0/16 with a gateway of 192.168.101.2.
The object called "internal-9" is the sandbox subnet.

I gave it a /16 so it could talk to the gateway, because 192.168.4.1 didn't work after I added it to the FortiGate.
Regardless, the current subnet is a /24 and can ping/access the sandbox just fine.

Both networks are in the same office on the same physical network behind the same FortiGate 60B.

To clarify the scope of this question:
What do I need to do in the FortiGate (or on the sandbox) so the sandbox can access the internet?

After I get the answer to this and award points, I'm going to open another question regarding how to forward incoming traffic NATtingly to the sandbox, so don't go far :)

NOTE: I have the PDF guide already; I'm not looking for "here, read this [paste]"... I'm looking for something specifically general like:

1. go to [this tab], make a new additional [this] with [these settings]
2. go to [another tab], set [this] to [that]
3. go to [third tab], create [this rule] and [that rule]
4. etc.


Answer : fortigate 60b, add second subnet needs internet - easy

The quick answer is that the gateway needs to be on the same subnet as the subnet for which it is the gateway (by definition).

The FortiGate images don't quite match your statements (such as the mask for Internal-9).

From the configuration images, it appears that 192.168.101.2 is an internal gateway (L3 switch or router) to subnets 192.168.100.0 and 192.168.110.0. Is that correct?

If the Internal-9 subnet is accessing Internal, its hosts are probably configured to access Internal using the FortiGate 192.168.4.1 as the gateway. I'm guessing that some static routes were added to the Internal-9 host(s) that should be removed. Internal-9 hosts should not even "know" about the second Internal gateway.

I think the FortiGate is OK with regard to routing and is not the cause of your issue. However, rule 27 would seem to pass anything not already passed by rule 28 just above, making 28 useless.

Notes regarding perceived configuration:
--------------------------------------------------------------------------------------------------------------------
Networks (Subnetting):
  Subnet       Function          Subnet Address   Mask                    Hosts (including G/W)
  Internal     Production        192.168.101.0    255.255.255.0 (/24)     254
  Internal-9   Sandbox           192.168.4.0      255.255.255.0 (/24)     254
  WAN1         Public/Internet   207.x.x.64       255.255.255.248 (/29)   6

Firewall Interfaces:
  Interface       Zone or Description
  207.x.x.66      Public
  192.168.101.1   Private (Internal/Production)
  192.168.4.1     Private (Internal-9/Sandbox)

Static Routes:
  Subnet/Networks        Gateway           Device/Interface   Notes
  0.0.0.0/0 (default)    207.x.x.65 (ISP)  WAN1               Standard (good)
  192.168.100.0/24       192.168.101.2     Internal           Some other network, out of scope of the question
  192.168.110.0/24       192.168.101.2     Internal           Some other network, out of scope of the question
  192.168.21.0           none              Spaw               Some other network, out of scope of the question

--------------------------------------------------------------------------------------------------------------------
Unnamed Internal Gateway ("IGW"):
  Interface         Zone or Description
  192.168.101.2     Private (Internal)
  192.168.100.1 ?   Private (unknown-100)
  192.168.110.1 ?   Private (unknown-110)

IGW Static Routing:
  Subnet            Gateway         Notes
  0.0.0.0/0         192.168.101.1   For Internet, etc.
  192.168.4.0/24    192.168.101.1   Optional, if unknown-100 and unknown-110 access to the Sandbox is desired.

--------------------------------------------------------------------------------------------------------------------
Unnamed ISP Gateway:
  207.x.x.65

--------------------------------------------------------------------------------------------------------------------
Desired Static Routes for Internal-9 (Sandbox):
  Subnet/Networks   Gateway
  0.0.0.0/0         192.168.4.1

That is it, and it should be there by default unless there is a configuration problem on a DHCP server or in the manual configuration of individual Internal-9 hosts.

 - Tom
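A way to check Tom's two claims offline (the gateway must be on-link, and the /16 mask swallows the production subnet), as an added example that is not part of the original thread. The route tables are transcribed from Tom's tables above; the host addresses ending in .10, the IGW interface names (uplink, vlan100, vlan110) and the "connected" convention are assumptions, and the obfuscated ISP address is kept as the opaque string 207.x.x.65 rather than guessed.

```python
import ipaddress

# Constructed model of the thread's network; host .10 addresses and IGW
# interface names are assumed, not from the post.


def gateway_on_link(host_cidr, gateway):
    """A default gateway is only usable if it sits inside the host's own subnet."""
    return ipaddress.ip_address(gateway) in ipaddress.ip_interface(host_cidr).network


def check_host(name, host_cidr, gateway, other_subnets):
    """Return addressing problems for one host: an off-link gateway, or a mask so
    wide that it overlaps a neighbouring subnet (those hosts then look 'local' to
    the OS and are ARPed for instead of routed)."""
    problems = []
    net = ipaddress.ip_interface(host_cidr).network
    if not gateway_on_link(host_cidr, gateway):
        problems.append(f"{name}: gateway {gateway} is not on-link for {host_cidr}")
    for other in other_subnets:
        other_net = ipaddress.ip_network(other)
        if net != other_net and net.overlaps(other_net):
            problems.append(f"{name}: {net} overlaps {other_net}")
    return problems


# Route tables as (prefix, next hop, egress interface). Next hops are plain
# strings so the obfuscated ISP gateway from the post can stay as written.
FORTIGATE = [
    ("0.0.0.0/0",        "207.x.x.65",    "wan1"),
    ("192.168.101.0/24", "connected",     "internal"),
    ("192.168.4.0/24",   "connected",     "internal-9"),
    ("192.168.100.0/24", "192.168.101.2", "internal"),
    ("192.168.110.0/24", "192.168.101.2", "internal"),
]
IGW = [  # the L3 switch/router at 192.168.101.2; no optional 192.168.4.0/24 route
    ("0.0.0.0/0",        "192.168.101.1", "uplink"),
    ("192.168.101.0/24", "connected",     "uplink"),
    ("192.168.100.0/24", "connected",     "vlan100"),
    ("192.168.110.0/24", "connected",     "vlan110"),
]
SANDBOX_HOST = [  # Tom's desired Internal-9 host table
    ("0.0.0.0/0",      "192.168.4.1", "eth0"),
    ("192.168.4.0/24", "connected",   "eth0"),
]
MISCONFIGURED_HOST = [  # sandbox host as described in the question (/16, IGW as gateway)
    ("0.0.0.0/0",      "192.168.101.2", "eth0"),
    ("192.168.0.0/16", "connected",     "eth0"),
]
# Which device owns each next-hop address.
DEVICES = {"192.168.4.1": FORTIGATE, "192.168.101.1": FORTIGATE, "192.168.101.2": IGW}


def lookup(table, dst):
    """Longest-prefix match; returns the (prefix, next hop, interface) tuple or None."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in table if dst in ipaddress.ip_network(r[0])]
    return max(matches, key=lambda r: ipaddress.ip_network(r[0]).prefixlen, default=None)


def trace(table, dst, max_hops=8):
    """Follow next hops across the modelled devices until the packet is delivered
    on a connected network or handed to a next hop we do not model (the ISP)."""
    hops = []
    for _ in range(max_hops):
        route = lookup(table, dst)
        if route is None:
            hops.append("no route")
            break
        _prefix, nexthop, dev = route
        hops.append(f"{dev} via {nexthop}")
        if nexthop == "connected" or nexthop not in DEVICES:
            break
        table = DEVICES[nexthop]
    return hops


if __name__ == "__main__":
    for p in check_host("sandbox as posted", "192.168.4.10/16", "192.168.101.2", ["192.168.101.0/24"]):
        print(p)
    print("fixed host ->", check_host("sandbox fixed", "192.168.4.10/24", "192.168.4.1", ["192.168.101.0/24"]))
    print("sandbox -> internet:", trace(SANDBOX_HOST, "8.8.8.8"))
    print("as posted -> internet:", trace(MISCONFIGURED_HOST, "8.8.8.8"))
    print("IGW -> sandbox (no optional route):", trace(IGW, "192.168.4.10"))
```

The trace of the as-posted host shows its Internet traffic taking an extra hop through the IGW and entering the FortiGate on "internal" rather than "internal-9", which is the path Tom's "should not even know about the second Internal gateway" remark is about; the trace from the IGW back to 192.168.4.10 shows why the 192.168.4.0/24 route on the IGW is optional, since its default route already points at the FortiGate.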