Mikrotik "WAN" from Fortigate, cannot accessd evices after Fortigate

Metatron · June 19, 2024, 12:31pm

Hello I’m new here on Forum, also new with Mirotik solution too.

In GNS I’ve Fortigate, Cisco SW, Mikrotik
Port description
Fortigate:
Port1 = “WAN”
Port2 = VLAN 500 10.10.20.1/24

Cisco SW
Port1 = Trunk to Fortigate (Fortigate port2)
Port2 = Virtual PC1 IP: 10.10.20.100/24 GW 10.10.20.1
Port3 = Mikrotik

Mikrotik
Port2 = “WAN” Link coming from Cisco IP: 10.10.20.10/24
Port3 = Virtual PC IP 10.50.50.2/8 GW 10.50.50.1 (this subnetwork is created on Mikrotik)
Port 3 is only part for bridgeLAN

On Mikrotik side all connection/routing/addresses list they are coming from Cisco/Fortigate are automatically, I do not set any static stuff.

Now situation is I can ping from:
PC1 (FG site) (10.10.20.100) to 10.50.50.0/8 Network (On FG I had to add static routing)
But I can’t ping from
PC2 (Mikrotik site) 10.50.50.100/8 to 10.10.10.0/24 Network

I don’t have any rule on FW, I read on mikrotik from default communication is not blocked, any static routing helping, what I need to check setup on Mikrotik side to get access to network on FG?

Thank you in advance for any attempts at help and answers

anav · June 19, 2024, 3:48pm

If you want to create a subnet on the mikrotik then it will have to act as a router not a switch.
In this case the 10.10.10.X address assigned to the MT by the Fortigate will be:
a. the LANIP of the MT on the fortinet lan subnet
b. the WANIP of the MT.

What you need to decide behind the MT is if
a. you want all ports o n the MT to be part of the MT LAN bridge and have distinct IPs .50 subnet
b. you want some ports on the MT to be part of the Fortigate LAN ( and not involved in any MT router rules ).

After you have decided your requirements, as by your description it seemed to be a.
Post your config for review.
/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc. )

( does the fortigate get a public IP?? )

Metatron · June 19, 2024, 5:49pm

Hello anav and, thank for your reply

I had play little bit with configuration, seems it work.

The one thing what I change was bridge, on Mikrotik I named two interfaces one:
FG (link from Fortigate)
MK-LAN (LAN on Mikrotik)

On beginig in bridge1 was only MK-LAN, then pings works from FG to MK but not reverse
When i moved FG to bridge1 too and deleted one default routing was created automaticly the pings works in both directions.

I prepared some pictures, this configuration is ok from “network” poerspective on mikrotik? Or this can give some trouble in the future?

You also asked "does the fortigate get a public IP?? "

No is GNS3 at now some LAB for the future where mikrotik will take care with Programmable controllers.