FortiGate
rmetzger
Staff
Article Id 196746
Purpose
This article describes how to configure a FortiGate to route/allow traffic between 2 (or more) subnets attached to the same interface of a FortiGate.
Scope
All FortiGates or VDOMs running in NAT/Route mode.

Diagram
This diagram illustrates a simple example:
subnet 10.1.1.0/24   ===== [ port1 FortiGate ]
subnet 172.16.1.0/24 ===== [ port1           ]

Expectations, Requirements
Assume that subnet 10.1.1.0/24 is configured on port1, and 172.16.1.0/24 is configured as a secondary IP address of port1.

For this example, it is expected that all traffic flows from 10.1.1.0/24 to 172.16.1.0/24 and vice versa.
Configuration
The following firewall policy allows traffic between both subnets.
A policy from a port to the same port is sometimes also referred to as a hairpin policy (or a one-arm firewall).

config firewall policy
    edit 0
        set srcintf "port1"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
    next
end


To get finer control over the traffic flows in either direction, more than one hairpin policy may be needed, each with specific source or destination IP addresses.
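The following is an added worked example and is not part of the original article. It shows the full picture for the diagram above on the FortiOS CLI: the secondary IP the article assumes is already present on port1, address objects for the two subnets, and one hairpin policy per direction scoped to those objects and to named services instead of "all"/"ANY". The gateway addresses (10.1.1.1 and 172.16.1.1), the address object and policy names, and the chosen services are assumptions for illustration; the lines beginning with # are annotations, not CLI commands.

```fortios
# 1. Secondary IP on port1 (assumed gateway addresses: 10.1.1.1 and 172.16.1.1)
config system interface
    edit "port1"
        set ip 10.1.1.1 255.255.255.0
        set secondary-IP enable
        config secondaryip
            edit 0
                set ip 172.16.1.1 255.255.255.0
                set allowaccess ping
            next
        end
    next
end

# 2. Address objects for the two subnets (object names are assumed)
config firewall address
    edit "LAN_10_1_1_0"
        set subnet 10.1.1.0 255.255.255.0
    next
    edit "LAN_172_16_1_0"
        set subnet 172.16.1.0 255.255.255.0
    next
end

# 3. One hairpin policy per direction, limited to the two subnets and to named services
config firewall policy
    edit 0
        set name "hairpin-10-to-172"
        set srcintf "port1"
        set dstintf "port1"
        set srcaddr "LAN_10_1_1_0"
        set dstaddr "LAN_172_16_1_0"
        set action accept
        set schedule "always"
        set service "HTTPS" "SSH" "PING"
        set logtraffic all
    next
    edit 0
        set name "hairpin-172-to-10"
        set srcintf "port1"
        set dstintf "port1"
        set srcaddr "LAN_172_16_1_0"
        set dstaddr "LAN_10_1_1_0"
        set action accept
        set schedule "always"
        set service "PING"
        set logtraffic all
    next
end
```

Two points worth checking when applying this. First, a hairpin policy only sees packets that actually arrive on port1 addressed to the other subnet, so hosts in 10.1.1.0/24 must use 10.1.1.1 as their gateway and hosts in 172.16.1.0/24 must use 172.16.1.1; hosts with another default gateway never hit the policy. Second, with the article's "all"/"ANY" policy every host on port1 can reach every other host on port1 on any service; splitting the policy per direction with address objects and named services, as above, keeps only the flows that are needed, and set logtraffic all makes each hairpin match visible in the forward traffic log.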

Troubleshooting
For troubleshooting connectivity problems, please check related articles about sniffer and debug flow.

Related Articles

Troubleshooting Tip : How to use the FortiGate sniffer and debug flow in presence of NP2 ports

Troubleshooting Tool: Using the FortiOS built-in packet sniffer

Troubleshooting Tip : First steps to troubleshoot connectivity problems to or through a FortiGate wi...
