
Comments (5)

mobilesuitzero commented on July 23, 2024

Hi,

If you are trying to access it from the same private subnet as port2, then you can try to set the IP to a /32 mask and add two extra routes for the same subnet, so that it knows how to reply to the traffic.

For example,

config system interface
    edit "port2"
        set vdom "root"
        # interface address narrowed to a /32 host mask
        set ip 172.16.1.2 255.255.255.255
        set allowaccess ping https ssh http fgfm
        set type physical
        set description "int"
        set snmp-index 2
        set mtu-override enable
        set mtu 1460
    next
end

config router static
    edit 2
        # rest of the subnet is reached via the gateway
        set dst 172.16.1.0 255.255.255.0
        set gateway 172.16.1.1
        set device "port2"
    next
    edit 3
        # the gateway itself is directly attached on port2
        set dst 172.16.1.1 255.255.255.255
        set device "port2"
    next
end

Hope that helps.

Cheers

from fortigate-terraform-deploy.

CledersonE commented on July 23, 2024

Thank you! After making the changes I was able to reach the internet. I have some doubts, since I'm testing FortiGate for use in production in the future. I'll put them here, but let me know if there is a better place to talk about it:

  • Can this Terraform example be updated to set the private subnet to /32 and add the necessary static routes, or is there a specific reason for not having this config in the example?
  • I was able to reach the internet without the second static config (edit 3 / set dst 172.16.1.1 255.255.255.255). Is it really necessary?


mobilesuitzero commented on July 23, 2024

Hi,

  1. The extra static route can be added manually by the user later, if needed. We will discuss internally whether we should update it to use /32 instead.
  2. If you are doing /32, then you would need to have that static route.

Cheers

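The route-lookup reasoning behind the two replies above (a /32 interface address has no connected route for the subnet, so both the /24 route via the gateway and the directly attached /32 route to the gateway are needed) as an added example, not code from the thread or from fortigate-terraform-deploy: a small longest-prefix-match model in Python. The peer address 172.16.1.50 and the simplified rule that a gateway must itself resolve to a gateway-less route are assumptions.

```python
import ipaddress

IFACE = "port2"  # the interface from the thread
# Constructed from the two static routes suggested in the reply
ROUTES_FROM_THREAD = [
    ("172.16.1.0/24", "172.16.1.1", IFACE),  # edit 2: rest of subnet via gateway
    ("172.16.1.1/32", None, IFACE),          # edit 3: gateway directly attached
]

def build_rib(iface_addr, static_routes):
    """Routing table = the interface's connected route + static routes.
    Entries are (network, gateway or None, device)."""
    rib = [(ipaddress.ip_network(iface_addr, strict=False), None, IFACE)]
    for dst, gw, dev in static_routes:
        rib.append((ipaddress.ip_network(dst), gw, dev))
    return rib

def longest_match(rib, addr):
    """Standard longest-prefix match; None if no route covers addr."""
    addr = ipaddress.ip_address(addr)
    best = None
    for net, gw, dev in rib:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, dev)
    return best

def resolve(rib, addr):
    """Return (device, next_hop) or None if unreachable. Simplified rule
    (assumption): a gateway route is usable only if the gateway itself hits a
    gateway-less route, i.e. is directly attached on the device."""
    route = longest_match(rib, addr)
    if route is None:
        return None
    net, gw, dev = route
    if gw is None:
        return (dev, None)  # directly attached: deliver to addr itself
    gw_route = longest_match(rib, gw)
    if gw_route is None or gw_route[1] is not None:
        return None  # gateway would recurse through another gateway route
    return (dev, gw)

def scenarios(peer="172.16.1.50"):  # peer: assumed host in the same subnet
    return {
        "slash24_no_routes": resolve(build_rib("172.16.1.2/24", []), peer),
        "slash32_no_routes": resolve(build_rib("172.16.1.2/32", []), peer),
        "slash32_edit2_only": resolve(build_rib("172.16.1.2/32", ROUTES_FROM_THREAD[:1]), peer),
        "slash32_both_routes": resolve(build_rib("172.16.1.2/32", ROUTES_FROM_THREAD), peer),
    }
```

With the /24 mask the peer is reached directly; with /32 it is unreachable until both static routes exist, and with only edit 2 the gateway cannot be resolved.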

CledersonE commented on July 23, 2024

Hello,

Thank you for the replies.

After spending some time reading about it, this brought me some other doubts:

  • If /32 is the default GCP behavior for interface netmasks, should the other FortiGate interfaces, such as public, management and ha-sync, also have a /32 netmask instead of /24? In addition, I'm trying to understand in which scenario you would not use /32, and why the Terraform example is set to /24. If you can give me one, I would appreciate it as well.
  • In the FortiGate docs, there is a section about MULT_IP_SUBNET which, in my understanding, is a feature that the OS must support; with it, you don't need to set /32 or any static route in the subnets where you have the interface. But I would really like to understand this in depth, so if you have a better explanation or good documentation about it, I would appreciate it (maybe this can be better explained in the Fortinet docs as well).


mobilesuitzero commented on July 23, 2024

Hi,

  1. The user can change the netmask in vars.tf if they need to use /32. The hasync and hamgmt ports are handled differently, hence you only need to worry about port1/port2. However, if you are using /32, then you would need to add those extra routes as needed. In your case, since you are trying to connect from within the same subnet, that's why you need to have that /32 and /24 route.

  2. MULT_IP_SUBNET needs to be enabled at the image level. If you want to do that, you can create a custom image with MULT_IP_SUBNET enabled.

Cheers

