cshong
New Member
March 22, 2019
Question

Accessing remote WAN modem configuration page


I had set up a site-to-site VPN. Two sites. The FortiOS version is 6.x on both sites. Let's call the sites site 1 and site 2. There are modems at both sites, connected to the WAN port of the FortiGate unit. On site 1, the FortiGate unit was configured to use a PPPoE connection. On site 2, the FortiGate unit was behind NAT.

Even though the FortiGate unit at site 2 was behind NAT, at the modem, I had set up port forwarding to forward the correct port to the FortiGate unit. On both sites, during IPsec setup, I did not choose the option stating that one of the sites was behind NAT.

The site-to-site IPsec VPN connection was up. Computers at both sites can connect to each other with no problem. Computers at both sites can ping each other. We can perform file sharing, access intranet sites, etc.

But, there is a problem.

At site 2, the IP address of the modem connected to the WAN port of the FortiGate unit is 192.168.1.x, which is a different subnet. Users at site 2 can access the configuration page of the modem by just entering the IP address 192.168.1.x in the browser.

At site 1, users cannot access the site 2 modem configuration page.

Question: How to solve this problem? I want to allow users at site 1 to access the configuration page of the modem connected to the WAN port of the FortiGate unit at site 2.

The phase two configurations on both sites are as follows:

Site 1:

Local address: <local subnets at site 1, which include the IP addresses of all computers, printers, servers, etc.>

Remote address: <remote subnet at site 2, which includes the IP addresses of all computers, printers, etc.>

Local address: <local subnets at site 1, which include the IP addresses of all computers, printers, servers, etc.>

Remote address: 192.168.1.x (the IP address of the modem connected to the WAN port of the FortiGate unit at site 2)

Site 2:

Local address: <local subnets at site 2, which include the IP addresses of all computers, printers, etc.>

Remote address: <remote subnet at site 1, which includes the IP addresses of all computers, printers, servers, etc.>

Local address: 192.168.1.x (the IP address of the modem connected to the WAN port of the FortiGate unit at site 2)

Remote address: <remote subnet at site 1, which includes the IP addresses of all computers, printers, servers, etc.>

Both sites did not share the same internet connection.

So, how to allow the users at site 1 to access the configuration page of the modem at site 2? The modem was connected to the WAN port of the FortiGate unit.

    1 reply

    Toshi_Esumi
    SuperUser
    March 22, 2019

    It's a hairpin turn at the site2 FGT, like allowing internet access to VPN users at a FW. You just need a policy vpn->wan port on the site2 FGT to let site1 users access the modem outside the wan port.

    cshong
    Author
    New Member
    April 3, 2019

    Sorry for the late reply.

    Toshi Esumi's answer did not help. On site 2, in policy, there is no VPN interface in incoming/outgoing interface.

    Any suggestions?


    Toshi_Esumi
    SuperUser
    April 3, 2019

    Then we need to know more detail in the VPN config: under "config vpn ipsec phase1-interface" for the VPN name, and under "config sys interface" for the same VPN name, which is automatically configured when you configured the VPN. And do you have any zone configured including the VPN?
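
The vpn->wan policy described in the first reply, sketched as FortiOS CLI for the site 2 FortiGate and scoped to the modem's address and web services only. This is an added example, not configuration posted by anyone in the thread; every value in angle brackets and both address object names are placeholders, and it assumes the modem page is served over HTTP/HTTPS and that the modem has no route back to the site 1 subnets.

```fortios
# Added example for the site 2 FortiGate. Names and <values> are placeholders.
config firewall address
    edit "site1-lan"
        # Placeholder: the site 1 subnet used in the phase 2 selectors
        set subnet <site1-subnet> <site1-netmask>
    next
    edit "site2-modem"
        # The modem's 192.168.1.x address, entered as a single host
        set subnet <modem-ip> 255.255.255.255
    next
end

config firewall policy
    # "edit 0" lets FortiOS assign the next free policy ID
    edit 0
        set name "site1-to-site2-modem"
        # Tunnel interface named after the phase1-interface entry.
        # If that interface is a member of a zone, the zone name goes here instead.
        set srcintf "<vpn-tunnel-name>"
        set dstintf "<wan-port>"
        set srcaddr "site1-lan"
        # Only the modem host, not the whole 192.168.1.0/24 network
        set dstaddr "site2-modem"
        set action accept
        set schedule "always"
        # Only the web management ports (assumption: the page uses HTTP/HTTPS)
        set service "HTTP" "HTTPS"
        # Log every session that reaches the modem's admin page
        set logtraffic all
        # Source-NAT to the WAN port address so the modem can reply
        # without needing a route to the site 1 subnets (assumption)
        set nat enable
    next
end
```

Site 1 still needs its own route and LAN-to-tunnel policy covering the modem address, matching the second phase 2 selector listed in the question.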