cvn-b
New Member
July 3, 2023
Question

Forti SSL VPN Wrong Public IP

I am running a Fortigate 100F with an SSL VPN set up on the WAN port and using the Forti DynDNS service to keep my public IP, which is dynamic, synced with my VPN hostname. It seems that the FG is seeing a different public IP than what it is really receiving from the ISP.

As an example, it shows a range of 100.72.63.x as my public IP, but when looking this up, it is 102.65.x.x.

When running diagnose sys waninfo in the console, it does show the same 102.65.x.x IP address, but in the interface setup, the SSL VPN settings, etc. it all shows the 100.72.63 range.

I am running version 7.4.0.

Any help would be appreciated.

2 replies

pminarik
Staff
July 3, 2023

In the CLI (config system ddns), what is the option use-public-ip set to?
Expected behaviour:

disable = use the current IP of the chosen "WAN" interface directly (this should be the default value)

enable = use the presumed public IP obtained by polling a public API (ipify; intended for use when the FortiGate is behind NAT and the public IP doesn't belong directly to any of its interfaces)

cvn-b (Author)
New Member
July 3, 2023

Thank you for the quick response; here is my current configuration:

config system ddns
edit 1
set ddns-server FortiGuardDDNS
set ddns-domain "x.fortiddns.com"
set use-public-ip enable
set monitor-interface "wan1"
next
end

Even when disabled it still doesn't show the correct public IP on the WAN interface.

pminarik
Staff
July 3, 2023

If you are sure that the FortiGate itself is directly assigned a public IP address, then you absolutely should use set use-public-ip disable. How long it will take to update that IP is another question, which I don't know the answer to. :)

Let's keep in mind that DNS records can potentially take some time to propagate around the world.

However, be careful and confirm that it is truly a publicly routable IP. It looks to be suspiciously close (could realistically be misread/mistyped) to the CGNAT range 100.64.0.0/10, which isn't publicly routable.

cvn-b (Author)
New Member
July 3, 2023

I think you are right; I am establishing the WAN connection using PPPoE with credentials. In the UI, it is showing me that the WAN IP is not routable:

"This interface has a private IP address (100.72.39.x) which may not be publicly accessible."

Everything on my LAN is accessing the internet fine; not sure why this is being misrepresented in the UI?
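An added example, not part of this thread or of Fortinet's tooling, that turns pminarik's CGNAT warning and the final UI message into a repeatable check: it classifies a WAN address against 100.64.0.0/10 and the RFC 1918 ranges, reads use-public-ip out of a config system ddns block, and flags whether the setting matches the address kind. The WAN address 100.72.39.10 and the config text are constructed from the masked values in the thread.

```python
import ipaddress
import re
from typing import Optional

# RFC 6598 shared address space used by carrier-grade NAT; not publicly routable.
CGNAT_NET = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private ranges, likewise unreachable directly from the internet.
RFC1918_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed from the thread: the poster's ddns block, with the real domain masked as in the post.
SAMPLE_DDNS_CONFIG = """config system ddns
    edit 1
        set ddns-server FortiGuardDDNS
        set ddns-domain "x.fortiddns.com"
        set use-public-ip enable
        set monitor-interface "wan1"
    next
end
"""


def classify_wan_address(addr: str) -> str:
    """Return 'cgnat', 'private' or 'public' for an address string."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4 and ip in CGNAT_NET:
        return "cgnat"
    if ip.version == 4 and any(ip in n for n in RFC1918_NETS):
        return "private"
    return "public"


def current_use_public_ip(ddns_config: str) -> Optional[str]:
    """Extract the value of 'set use-public-ip' from a config system ddns block, if present."""
    m = re.search(r"^\s*set use-public-ip (enable|disable)\s*$", ddns_config, re.MULTILINE)
    return m.group(1) if m else None


def recommend(wan_addr: str, ddns_config: str) -> dict:
    """Pick the use-public-ip value that fits the WAN address and flag a mismatch with the config."""
    kind = classify_wan_address(wan_addr)
    # Only a genuinely public WAN address can be published directly (disable); a CGNAT or
    # private address means the FortiGate sits behind NAT, so DDNS must poll the upstream IP.
    wanted = "disable" if kind == "public" else "enable"
    current = current_use_public_ip(ddns_config) or "disable"  # default per pminarik's reply
    return {"wan_kind": kind, "recommended": wanted, "current": current, "mismatch": current != wanted}


if __name__ == "__main__":
    print(recommend("100.72.39.10", SAMPLE_DDNS_CONFIG))
```

With the poster's CGNAT address the function recommends keeping use-public-ip enable; the same config with a real 102.65.x.x address on the WAN would be reported as a mismatch.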