Problem Reaching 1-to-1 NAT Addresses

proxy
nat1:1
fortinet
arp

#1

Hello Values Community,

We have changed the WLAN infrastructure of a customer and now have a problem with the eWON WLAN device, on which I would like to ask the community for advice.

The eWON has an IP address on the WLAN (WAN) interface which is also reachable - everything is OK here.

Now the customer has bound 2 additional addresses on the eWON via 1-to-1 NAT, which are passed on internally to devices. Supposedly, these additional addresses have always responded to a ping. Only after changing the access points do the additional addresses no longer respond. Does anyone have a brilliant idea for me?

Many thanks in advance!


#2

Hello @Marcel.Zimmer,

To be clear, the wireless access points were replaced, but the IP addresses (of the WAPs and the rest of the subnet) were not changed?

I would check to make sure that none of the new equipment is using the same IP addresses as the NAT 1:1 addresses. Try recreating the NAT 1:1 configuration using different IP addresses.

Can you provide more specifics on the equipment? What was replaced and with what type of access points? It may be a default setting on the new equipment that blocks certain traffic.

Also, you may need to take a packet capture (using Wireshark, for example) and/or get the syslog from the wireless controller to diagnose if that is the case.

Kyle


#4

Hello, Kyle,

Thank you so much for your answer. "Only" the access points were replaced. SSIDs and IP addresses were not changed. There were previously Sophos access points in use which tunneled the WLAN network directly to the firewall, so the customer did not have to work with VLANs on the switches. The Sophos access points, however, no longer worked properly, so he now uses Fortinet access points which work via a WLAN controller. The SSID is bridged to a VLAN on the network. The primary address of the device is also accessible (via ping and the web interface), but the additional addresses do not work. I suspect an ARP problem here, but I don't want to look for the error in only one place :slight_smile:

Wireshark will be used tomorrow. I'll try the tip with other IP addresses for 1-to-1 NAT tomorrow.


#5

Yes, I would also check for any security settings that may be blocking the traffic. I’m not familiar with the Fortinet controllers, but check settings that may be blocking based on MAC address or other spoofing and check the logs for security incidents. It may be mistaking the traffic as malicious.


#7

Hi,
we have found the problem - in this case it was a proxy ARP problem :slightly_smiling_face:
Fortinet Support set a CLI command and it works fine now.
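To show how the packet capture suggested in #2 would have pinpointed the proxy ARP cause named above, here is an added example (not code from the thread or from eWON/Fortinet): it parses raw ARP frames and reports, for each probed address, which MAC answered. The MACs, the IP addresses 192.168.10.50-52 and the sample frames are constructed placeholders; a healthy 1:1 NAT setup would show the eWON's WAN MAC answering for all three.

```python
import struct

ETH_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

def _mac(s):
    return bytes.fromhex(s.replace(":", ""))

def _ip(s):
    return bytes(map(int, s.split(".")))

def build_arp(src_mac, src_ip, dst_mac, dst_ip, oper):
    """Build a raw Ethernet+ARP frame; used only to construct sample traffic."""
    eth_dst = b"\xff" * 6 if oper == ARP_REQUEST else _mac(dst_mac)
    eth = eth_dst + _mac(src_mac) + struct.pack("!H", ETH_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)      # Ethernet/IPv4, 6/4
    tha = b"\x00" * 6 if oper == ARP_REQUEST else _mac(dst_mac)
    return eth + arp + _mac(src_mac) + _ip(src_ip) + tha + _ip(dst_ip)

def parse_arp(frame):
    """Return (oper, sender_mac, sender_ip, target_ip), or None if not ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_ARP:
        return None
    oper = struct.unpack("!H", frame[20:22])[0]
    sha = ":".join(f"{b:02x}" for b in frame[22:28])
    spa = ".".join(map(str, frame[28:32]))
    tpa = ".".join(map(str, frame[38:42]))
    return oper, sha, spa, tpa

def arp_audit(frames, probed_ips):
    """Map each probed IP to the MAC that sent an 'is-at' for it, or None."""
    answered = {}
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed and parsed[0] == ARP_REPLY:
            answered[parsed[2]] = parsed[1]   # reply: sender_ip -> sender_mac
    return {ip: answered.get(ip) for ip in probed_ips}

# Constructed capture: a client asks for the primary and both NAT addresses;
# only the primary gets an answer, the proxy ARP symptom from the thread.
CLIENT, EWON = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:01"       # placeholders
PROBED = ["192.168.10.50", "192.168.10.51", "192.168.10.52"]  # .50 = primary

def sample_capture():
    frames = [build_arp(CLIENT, "192.168.10.9", "", ip, ARP_REQUEST) for ip in PROBED]
    frames.append(build_arp(EWON, "192.168.10.50", CLIENT, "192.168.10.9", ARP_REPLY))
    return frames

if __name__ == "__main__":
    for ip, mac in arp_audit(sample_capture(), PROBED).items():
        print(ip, "answered by", mac or "NOBODY (no proxy ARP reply)")
```

Addresses that come back as None in a real capture are the ones to raise with the WLAN controller vendor, as happened here.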


#8

Great - Thanks for letting us know!