Hi All,
Hope someone can help me with my problem. Scenario and setup below:
HQ Setup
BR1 WAN IP = 146.X.X.X/27
LAN IP = 192.168.111.0/24 ; GATEWAY IS .1
FIREWALL WAN IP = 192.168.111.2/24
FIREWALL LAN IP = 10.100.1.0/24 ; GATEWAY IS .250
SERVER = 10.100.1.2
ISP BR1 <LAN Port 1> FIREWALL SERVER
=====
BRANCH Setup
BR1 WAN IP = 9.X.X.X/27
LAN IP = 192.168.6.0/24 ; GATEWAY IS .1
DSL BR1 <LAN Port 1> PC
SCENARIO
BR1 HQ has a static route for 10.100.1.0/24 to 192.168.111.2
- Speedfusion Tunnel already established
- BR1 HQ can ping FIREWALL IP 192.168.111.2
- BR1 HQ can ping 10.100.1.250
ISSUE
- Branch BR1 can ping 192.168.111.1
- Branch BR1 can’t ping 192.168.111.2 and 10.100.1.250
- Outbound policy Any Any to Speedfusion Tunnel
Please help: what is wrong and how do I fix this?
The firewall normally does NAT, so be sure it has a NAT exemption policy configured for each direction as follows:
Source = 10.100.1.0/24
Destination = 192.168.6.0/24
Don’t NAT
Source = 192.168.6.0/24
Destination = 10.100.1.0/24
Don’t NAT
Test next by pinging from a device on the 192.168.6.0 LAN to 10.100.1.250 and 10.100.1.2 to see if the issue is resolved.
Hi Ron,
We are using a Fortinet firewall for this. Am I going to do this here?
Yes, this is configured in the firewall. Once this is done you should see the 10.100.1.0 clients at the HQ BR1 under: Status > Client List.
Thank you Ron, let me try this.
Hi Ron,
Below is the image for reference only:
Branch Outbound Policy
The any_any rule on top at the branch site is all that will be used and it will force all internet traffic through the VPN.
To add to @Ron_Case - the rules are evaluated from the top down until a match is found. In your case the first rule will match all connections - so all the traffic will be routed to the VPN connection. Move that any-any rule to below the three specific destination rules and the behavior will change.
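The top-down, first-match evaluation described in the reply above, as an added example that is not part of the thread or of any Peplink or Fortinet code: it models an outbound policy table, shows how an any-any rule at the top shadows every rule beneath it, and flags such shadowed rules. The three destination-specific rules are constructed for illustration (the post does not list them), and the 203.0.113.0/24 and 198.51.100.0/24 addresses are documentation ranges used as stand-ins for internet destinations.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    src: str    # CIDR; "0.0.0.0/0" means "any"
    dst: str    # CIDR; "0.0.0.0/0" means "any"
    route: str  # where matching traffic is sent (constructed labels)

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst))


def first_match(rules, src_ip: str, dst_ip: str):
    """Top-down evaluation: the first rule that matches wins, as on the BR1."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip):
            return rule.name
    return None


def shadowed(rules):
    """Rules that can never fire because an earlier rule already covers
    their entire source and destination range."""
    names = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (ip_network(later.src).subnet_of(ip_network(earlier.src))
                    and ip_network(later.dst).subnet_of(ip_network(earlier.dst))):
                names.append(later.name)
                break
    return names


# Constructed rule set modelled on the thread: one any-any rule to the
# SpeedFusion tunnel plus three destination-specific rules (hypothetical).
ANY_ANY = Rule("any_any", "0.0.0.0/0", "0.0.0.0/0", "SpeedFusion")
SPECIFIC = [
    Rule("to_hq_lan", "192.168.6.0/24", "192.168.111.0/24", "SpeedFusion"),
    Rule("to_hq_fw", "192.168.6.0/24", "10.100.1.0/24", "SpeedFusion"),
    Rule("direct_wan", "192.168.6.0/24", "203.0.113.0/24", "WAN"),
]
AS_POSTED = [ANY_ANY] + SPECIFIC   # any-any on top: everything goes to the VPN
REORDERED = SPECIFIC + [ANY_ANY]   # any-any last: specific rules get a chance

if __name__ == "__main__":
    print("shadowed as posted:", shadowed(AS_POSTED))
    print("shadowed reordered:", shadowed(REORDERED))
    print("203.0.113.10 as posted ->", first_match(AS_POSTED, "192.168.6.20", "203.0.113.10"))
    print("203.0.113.10 reordered ->", first_match(REORDERED, "192.168.6.20", "203.0.113.10"))
```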
Oh, that’s new. I didn’t know that it can be moved. Thanks a lot bro, will try this too.