One way routing

Hi everyone, great to be here and learning all things networky :slight_smile:

I’m hoping someone can help me with a strange problem. I’m pretty sure I’ve messed up the routing but can’t figure out where. I’ve attached a basic diagram of the setup; please see Diagram 1a.

Below I’ve listed routes that are currently configured on each device:

Routes on Vodafone router:

10.0.136.0 255.255.255.0 10.0.135.1

Routes on the Core switch:

10.0.136.0 255.255.255.0 10.0.135.6
10.136.0.0 255.255.0.0 10.0.135.6

Routes on Checkpoint:

Destination Gateway Genmask Flags MSS Window irtt Iface
213.156.18.102 192.168.19.11 255.255.255.255 UGHD 0 0 0 External
192.168.19.0 0.0.0.0 255.255.255.0 U 0 0 0 External
10.0.135.0 0.0.0.0 255.255.255.0 U 0 0 0 Internal
89.138.200.0 192.168.19.11 255.255.248.0 UGD 0 0 0 External
10.135.0.0 10.0.135.1 255.255.0.0 UGD 0 0 0 Internal
10.0.0.0 10.0.135.250 255.0.0.0 UGD 0 0 0 Internal
0.0.0.0 192.168.19.11 0.0.0.0 UGD 0 0 0 External

The problem:

Users on 10.90.0.0 /16 are unable to access the 10.136.0.0 /16 network. Diagram 1b shows a traceroute from 10.90.0.0/16 to 10.136.128.1. It times out after hitting 10.0.135.1.

Access the other way works fine. Users on 10.136.0.0 /16 can access 10.90.0.0 /16 fine but the traceroute looks odd to me. It can be seen in Diagram 1c.

Would you be able to review the routes I currently have in place and confirm where I’m going wrong please? I’d like to clarify that the routes I currently have in place are correct. Also, I would like assistance on what route I need to add on the Fortigate.

Thanks very much for your time. Any assistance would be gratefully received.

Thank you!

[Diagram 1c: traceroute from 10.136.0.0/16 to 10.90.0.0/16]

[Diagram 1b: traceroute from 10.90.0.0/16 to 10.136.128.1]

Hello Baljit

I believe your diagram is a little bit confusing, as you have some IP addresses with five octets, and some site address ranges as being /16 and /24 without clarifying which is which. However, for the most part I understand the addressing scheme.

The traceroute you shared goes from a device in the Site B LAN (10.136.0.0/24) to 10.90.1.1 which is in the network labelled “Legacy Network”. The traceroute seems to indicate the following path:

  1. Site B FW
  2. Site B WAN
  3. Checkpoint
  4. Vodafone Secondary
  5. Core switch
  6. Checkpoint
  7. Legacy Network destination

Based on the diagram, this doesn’t seem to be possible, since the checkpoint is not directly connected to the legacy network. Also in the final traceroute, it seems that via the fortigate firewall, you are reaching the checkpoint subnet directly, again, something that is not possible according to the diagram.

The issues that I would deal with first are the following:

  1. Ultimately, accurate documentation (diagrams, routing information, network topology) is important in order to understand the topology of a network and to be able to successfully troubleshoot, so before beginning any further troubleshooting procedures, make sure that you have accurate initial information.
  2. What purpose are the Vodafone Primary and Secondary devices playing? They are running VRRP which means they’re providing a redundant gateway for specific hosts. Which hosts?
  3. What is the purpose of the 10.0.135.0/24 network? It seems to have many routers connected to this subnet (Core switch, Vodafone primary and secondary, site A WAN, Checkpoint). It seems that these routers are not well coordinated in their routing. Make sure that particular routes are being sent correctly, otherwise, you will have phenomena similar to what you are seeing here, where the checkpoint routes to the VRRP pair, which routes to the core switch, which routes back to the checkpoint.
  4. Any routing towards the VRRP pair should only occur in order to route traffic to some destination behind those devices. This way VRRP’s redundancy is actually being utilized effectively.

I hope this has been helpful!

Laz
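To make the loop Laz describes in point 3 concrete, here is an added example (not code from either poster) that loads the static routes exactly as posted, does a longest-prefix-match lookup per device, and follows next hops across the shared 10.0.135.0/24 segment until traffic is delivered, dropped, or comes back to a device it already visited. The thread never says which device owns 10.0.135.1, .6 and .250, so the ADDRESS_OWNER mapping is an assumption for illustration; swap in the real ownership and re-run the trace.

```python
import ipaddress

# Static routes as posted in the thread: (prefix, next hop).
# A next hop of None means directly connected (gateway 0.0.0.0).
ROUTES = {
    "vodafone": [("10.0.136.0/24", "10.0.135.1")],
    "core": [("10.0.136.0/24", "10.0.135.6"), ("10.136.0.0/16", "10.0.135.6")],
    "checkpoint": [
        ("192.168.19.0/24", None),
        ("10.0.135.0/24", None),
        ("10.135.0.0/16", "10.0.135.1"),
        ("10.0.0.0/8", "10.0.135.250"),
        ("0.0.0.0/0", "192.168.19.11"),
    ],
}

# ASSUMPTION (not stated in the thread): which device answers on each
# next-hop address of the 10.0.135.0/24 segment. Edit to match reality.
ADDRESS_OWNER = {"10.0.135.1": "core", "10.0.135.6": "checkpoint",
                 "10.0.135.250": "vodafone"}


def lookup(device, dest):
    """Longest-prefix match on one device: returns (prefix, next_hop) or None."""
    addr = ipaddress.ip_address(dest)
    best = None
    for prefix, nh in ROUTES[device]:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return (str(best[0]), best[1]) if best else None


def trace(start, dest, max_hops=8):
    """Follow next hops device by device. Returns (path, status), where status
    is 'connected', 'no-route', 'unknown-next-hop', 'loop' or 'too-long'."""
    path, device = [start], start
    while len(path) <= max_hops:
        route = lookup(device, dest)
        if route is None:
            return path, "no-route"          # packet is dropped here
        _, nh = route
        if nh is None:
            return path, "connected"         # delivered on a local subnet
        nxt = ADDRESS_OWNER.get(nh)
        if nxt is None:
            return path + [nh], "unknown-next-hop"   # e.g. the ISP gateway
        if nxt in path:
            return path + [nxt], "loop"      # came back to a visited device
        path.append(nxt)
        device = nxt
    return path, "too-long"
```

With the assumed ownership, a 10.0.136.0/24 destination entered at the core switch goes core, checkpoint, Vodafone and back to core, which is the kind of three-way loop the answer warns about; a 10.136.128.1 destination reaches the Vodafone pair, which has no route for it.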