fortinet/fortigate-terraform-deploy

Issue Deploying on GCP using HA example (Unable to access internet from private subnet)

Closed this issue · 5 comments

Using the Terraform example I'm able to see the HA configured correctly, but I'm facing some issues:
If I create any instance in the private VPC and try to reach the internet, it's not possible (all packets are lost). I've already tried to create a new firewall policy to grant access to everything on the internet. I can see the logs coming in on the Fortigate firewall granting the access using my policy, but from the test instance's perspective, I only see packet loss.

I'm wondering if you can try to deploy using this example, create a test instance in the private VPC and try to reach the internet with a simple ping?

Thank you

Hi,

If you are trying to access it from the same private subnet as port2, then you can try to set the IP to a /32 mask and then add two extra routes for the same subnet, so that it knows how to reply to the traffic.

For example,

config system interface
    edit "port2"
        set vdom "root"
        set ip 172.16.1.2 255.255.255.255
        set allowaccess ping https ssh http fgfm
        set type physical
        set description "int"
        set snmp-index 2
        set mtu-override enable
        set mtu 1460
    next
end

config router static
    edit 2
        set dst 172.16.1.0 255.255.255.0
        set gateway 172.16.1.1
        set device "port2"
    next
    edit 3
        set dst 172.16.1.1 255.255.255.255
        set device "port2"
    next
end

Hope that helps.

Cheers

Thank you! After making the changes I was able to reach the internet. I have some doubts since I'm testing Fortigate to use in production in the future. I will put them here, but let me know if there is a better place to talk about it:

  • Can this Terraform example be updated to set the private subnet to /32 and the necessary static routes, or is there a specific reason for not having this config in the example?
  • I was able to reach the internet without the second static config (edit 3 / set dst 172.16.1.1 255.255.255.255). Is it really necessary?

Hi,

  1. The extra static route can be added manually by the user later, if needed. We will discuss internally whether it should be updated to use /32 instead.
  2. If doing /32, then you would need to have that static route.

Cheers

Hello,

Thank you for the replies.

After spending some time reading about it, this brought me some other doubts:

  • If the /32 is the default behavior from GCP when working with netmasks for interfaces, should the other interfaces on Fortigate, such as the public, management and ha-sync ones, also have the /32 netmask instead of /24? In addition, I'm trying to understand in which scenario you would not use the /32, and why the Terraform example is set to /24. If you can give me one, I would appreciate it as well.
  • In the Fortigate docs, there is this section about MULT_IP_SUBNET that, in my understanding, is a feature the OS must support, and then you don't need to set the /32 or any static route in the subnets where you have the interface. But I really would like to understand this in depth, so if you have a better explanation or good documentation about it, I would appreciate it (maybe this can be better explained in the Fortinet docs as well).

Hi,

  1. The user can change the netmask in the vars.tf if they need to use /32. The hasync and hamgmt ports are handled differently, so you only need to worry about port1/port2. However, if you are using /32, then you would need to add those extra routes as needed. In your case, since you are connecting from within the same subnet, that is why you need to have the /32 and the /24 route.

  2. MULT_IP_SUBNET needs to be enabled at the image level. If you want to do that, you can create a custom image with MULT_IP_SUBNET enabled.

Cheers
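As an added illustration of the routing logic behind the /32 interface address and the two static routes discussed above (this is not code from the fortigate-terraform-deploy project or from the participants in this thread), the following Python script simulates FortiOS-style longest-prefix-match lookup and next-hop resolution for the four configurations a reader of this thread might try. The private-side addresses (172.16.1.0/24, port2 at 172.16.1.2, GCP gateway 172.16.1.1) come from the thread; the test VM address 172.16.1.10, the port1 address 10.0.0.2/24 and the default route via 10.0.0.1 are constructed assumptions.

```python
"""Simulate how a FortiGate picks the egress interface for a reply packet.

Added example, not project code. Addresses for port1, the default gateway
and the test VM are assumed values chosen for illustration.
"""
from ipaddress import ip_address, ip_network

# A route is (prefix, egress device, next hop); next hop None = directly connected.
PORT2_IP = "172.16.1.2"
GCP_GATEWAY = "172.16.1.1"          # from the thread
TEST_VM = "172.16.1.10"             # constructed: a VM in the private subnet
PORT1_IP_WITH_MASK = "10.0.0.2/24"  # assumed public side address
DEFAULT_GATEWAY = "10.0.0.1"        # assumed default gateway on port1


def lookup(table, dst):
    """Longest-prefix match: return the most specific route covering dst."""
    addr = ip_address(dst)
    matches = [r for r in table if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None


def resolve(table, dst):
    """Resolve dst to (device, next_hop).

    A route with a gateway is only usable if the gateway itself falls under a
    directly connected route; otherwise it is unresolvable (returns None).
    """
    route = lookup(table, dst)
    if route is None:
        return None
    _, dev, nh = route
    if nh is None:
        return (dev, None)
    gw_route = lookup(table, nh)
    if gw_route is None or gw_route[2] is not None:
        return None
    return (gw_route[1], nh)


def build_table(port2_mask, subnet_route=False, gateway_route=False):
    """Build the routing table for one of the configurations in the thread.

    port2_mask: 24 (the Terraform default) or 32 (the suggested change).
    subnet_route: add 'edit 2' (172.16.1.0/24 via 172.16.1.1 on port2).
    gateway_route: add 'edit 3' (172.16.1.1/32 directly on port2).
    """
    table = [
        (ip_network(PORT1_IP_WITH_MASK, strict=False), "port1", None),
        (ip_network(f"{PORT2_IP}/{port2_mask}", strict=False), "port2", None),
        (ip_network("0.0.0.0/0"), "port1", DEFAULT_GATEWAY),  # assumed default route
    ]
    if subnet_route:
        table.append((ip_network("172.16.1.0/24"), "port2", GCP_GATEWAY))
    if gateway_route:
        table.append((ip_network(f"{GCP_GATEWAY}/32"), "port2", None))
    return table


def reply_path_by_scenario():
    """Where does the reply to the test VM leave the firewall in each setup?"""
    scenarios = {
        "/24, no statics": build_table(24),
        "/32, no statics": build_table(32),
        "/32, subnet route only": build_table(32, subnet_route=True),
        "/32, both statics": build_table(32, subnet_route=True, gateway_route=True),
    }
    return {name: resolve(tbl, TEST_VM) for name, tbl in scenarios.items()}


if __name__ == "__main__":
    for name, path in reply_path_by_scenario().items():
        print(f"{name:26} -> {path if path else 'UNRESOLVABLE (gateway has no connected route)'}")
```

The interesting rows are the middle two: with a /32 on port2 and no static routes the reply to the same-subnet VM is sent out port1 via the default route (asymmetric, so the VM sees packet loss), and with only the /24 route the next hop 172.16.1.1 is itself covered by that /24 route rather than by a connected route, so the route cannot be resolved. The /32 host route from "edit 3" is what makes the gateway reachable on port2, matching the answer that it is required once port2 uses a /32 mask.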