tommaddex
New Member
August 21, 2019
Solved

FG60E-DSL - Assign Public IP address from ISP

  • August 21, 2019
  • 2 replies
  • 12024 views

Hi

 

I have a Fortigate FG60E-DSL configured with an FTTC connection and I want to assign the WAN interface with a Public IP address.

 

The DSL interface is configured using VDSL and a VLAN interface which is configured using PPPoE. The interface is obtaining an IP address automatically but it's changing and this means my site-to-site VPN doesn't stay connected.

 

I've entered a usable Public IP address in the Unnumbered IP section of the WAN interface, and this now shows when I go to www.whatismyip.com, but the WAN IP on the interface in the dashboard is still showing the obtained IP, and the obtained IP is the only IP I can access the firewall on externally.

 

I know the Public IPs we have work because I have Virtual IPs configured for services like OWA which work.

 

Any way I can properly assign a Public IP to the firewall to achieve what I want to do?

    Best answer by sw2090

    2 replies

    sw2090 (Best answer)
    SuperUser
    August 21, 2019

    Well, there are two ways here:

    You could get yourself a static public IP from your ISP and use that. Most ISPs can handle that with PPPoE, so you don't need to change anything.

    You could - as you are doing PPPoE with your FGT - use the FortiGate's built-in Fortinet DynDNS service to have an FQDN pointing to your public IP (and have it automagically updated when the IP changes). You could then use that FQDN as the remote gateway on your remote VPN site.

    This still won't mean your VPN will stay up, but it will disconnect and reconnect automatically upon IP change with that.

    I used this on one of our shops as long as they didn't have a static public IP, and it worked fine.

    tommaddex (Author)
    New Member
    August 21, 2019

    Thanks sw2090, but we already have a block of static public IPs issued by the ISP, and these are working because I have Virtual IPs configured which allow SMTP and OWA to come in on one and some other services on some other static public IPs.

    My only problem is that the DSL interface on the FG60E is obtaining an IP address from the ISP which is outside of those allocated Public IPs, and this means I lose the ability to administer the firewall externally and my VPN disconnects.

    The firewall that we replaced with the FG60E was configured with its WAN interface using one of the static public IPs so that it could be used to externally manage it, and our remote site VPN tunnel used this static public IP to connect.

    I want to do the same with the FG60E but can't find a way.

    OneOfUs
    New Member
    August 21, 2019

    I see two possible options:

     

    1) Use the FortiGuard DDNS service found under Network | DNS. Then configure the remote site to use the FQDN instead of the IP address.

     

    2) Use one of the static IP addresses assigned to you and use the CLI to change the Local Gateway IP:

     

    SXFLSDBT02F # conf vpn ipsec phase1-interface
    SXFLSDBT02F (phase1-interface) # edit your-vpn-name
    SXFLSDBT02F (your-vpn-name) # set local-gw <class_ip>
    <class_ip>    Class A,B,C ip xxx.xxx.xxx.xxx
    SXFLSDBT02F (your-vpn-name) # next
    SXFLSDBT02F (phase1-interface) # end

    https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-ipsecvpn-54/IPsec_VPN_Web-based_Manager/Auto_Key_IKE.htm

     

     
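    Putting the FortiGuard DDNS option into FortiOS CLI form, as an added example that is not from this thread or from Fortinet's documentation: the first block is for the FG60E (PPPoE) side, the second for the remote site that has to follow the changing address. The DDNS hostname, interface names, tunnel name and pre-shared key are placeholders; in particular, the interface named in monitor-interface must be the VLAN interface that actually runs PPPoE on the DSL link.

```fortios
# --- FG60E (PPPoE side): publish the current PPPoE address under a FortiGuard DDNS name.
# "pppoe-vlan" and "hq-fg60e.fortiddns.com" are placeholders (added example, not the thread's config).
config system ddns
    edit 1
        set ddns-server FortiGuardDDNS
        set ddns-domain "hq-fg60e.fortiddns.com"
        # the VLAN interface carrying the PPPoE session; its address is what gets published
        set monitor-interface "pppoe-vlan"
    next
end

# --- Remote site: point the tunnel at the FQDN rather than a fixed IP. DPD on the phase1
# and auto-negotiate on the phase2 make the tunnel tear down and re-establish promptly
# after the FG60E's address changes (it still drops briefly, as sw2090 notes above).
config vpn ipsec phase1-interface
    edit "to-hq"
        set type ddns
        set interface "wan1"
        set remotegw-ddns "hq-fg60e.fortiddns.com"
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        # detect the stale peer quickly instead of waiting for the IKE lifetime to expire
        set dpd on-idle
        set dpd-retrycount 3
        set dpd-retryinterval 5
        set psksecret <PLACEHOLDER-PSK>
    next
end
config vpn ipsec phase2-interface
    edit "to-hq"
        set phase1name "to-hq"
        set proposal aes256-sha256
        # bring the SA back up without waiting for interesting traffic
        set auto-negotiate enable
    next
end
```

    The FG60E side keeps its own phase1 as before; only the remote site's remote gateway changes from an IP address to the DDNS name.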

    tommaddex (Author)
    New Member
    August 21, 2019

    Thanks OneOfUs, the CLI command has allowed me to set the local phase-1 gateway IP as one of our static public IPs, and the site-to-site VPN is now working, so that's great.

     

    I still want to be able to access the FG60E using HTTPS or SSH via one of our static public IPs and can't see a way to set this.

     

    I've asked the question via the Technical Web Chat and was told that a static IP can't be specified when using the PPPoE addressing mode, only when Manual mode is in use on the WAN interface.

     

    I explained that using Manual address mode doesn't allow me to enter the PPP credentials for the connection and I've been asked to log a support ticket.

     

    I've logged a ticket so I'll post the response here when I get it. Unless anyone else has any other suggestions in the meantime!

    OneOfUs
    New Member
    August 21, 2019

    Unfortunately it will not allow you to set a Secondary IP on the interface when in DHCP. FortiGuard DDNS is your best bet.

    In the past I've set up HTTPS/SSH on a loopback interface, then run our management over a site-to-site IPSec tunnel. However, this does not help if the tunnel is down.