__No
New Member
October 13, 2021
Solved

Fortigate 50E Behind NAT router for site-to-site VPN client

  • October 13, 2021
  • 2 replies
  • 10736 views

Hello all,


I have a primary non-Fortinet router that I would like to place a FortiGate 50E behind. My goal is to configure the FortiGate as a site-to-site VPN endpoint/server and to use that route when VPN services are needed. My reasoning for not using the FortiGate as the main firewall is that this is a secondary appliance and I already have an established primary router with which I am very happy. I do not want to reconfigure my entire network with all of its VLANs, rules, services, etc. to be able to use a proprietary VPN appliance. I believe that to be a reasonable enough use case.


Currently, I have the following interfaces configured:

  • WAN interface of the 50E plugged into a standard upstream untagged VLAN (#100) with access to the internet.
  • LAN interface of the 50E plugged into a second standard untagged VLAN (#200), of which the computer(s) that will need the VPN are members. The LAN interface is how I am reaching the management interface of the FortiGate.

My current hiccup is that the FortiGate 50E cannot reach the internet. I've attempted the following:

  • execute ping <local gateway on WAN interface> [FAIL]
  • execute ping <local gateway on LAN interface> [SUCCESS]
  • execute ping google.com [FAIL]
  • Modify DNS servers between Forti(Care|Guard|Net|Gate) servers, local DNS servers, and Cloudflare/Google DNS servers.
      • Repeated all of the above for each new DNS server [no change]
  • Modify the internal location of the 50E between VLANs, switches, DMZ, etc. [no change]
  • Modify the WAN interface IP address between static/DHCP [no change]
  • Added port forwarding in the upstream router for 500/UDP (IPsec) and 4500/UDP (NAT-Traversal) to the 50E's WAN interface due to this post. [no change]

Is there any hope for this scenario? I am not sure what in the 50E is preventing access to the internet, unless it cannot function with an internal IP as the WAN gateway.
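The first failed check in the list above (the 50E cannot ping its own upstream gateway on the WAN port) is the one to isolate before anything VPN-related. The following FortiOS CLI sequence is an added example, not configuration from the original post or from Fortinet: it pins a static WAN address and default route, then verifies the route, pings the gateway sourced from the WAN port, and captures that port to see whether requests leave and replies return. The interface names `wan1` and `internal` are assumed for a 50E, and every address (192.168.100.0/24 as VLAN 100, 192.168.200.0/24 as VLAN 200, 8.8.8.8 as an internet test host) is a constructed sample value.

```fortios
# Assumed interface names on a FortiGate 50E: wan1 (upstream VLAN 100) and
# internal (LAN VLAN 200). All addresses below are constructed sample values.
config system interface
    edit "wan1"
        set mode static
        set ip 192.168.100.2 255.255.255.0
        set allowaccess ping
    next
    edit "internal"
        set ip 192.168.200.1 255.255.255.0
        set allowaccess ping https ssh
    next
end

# Default route via the upstream router's private address on VLAN 100.
# Without this (or a DHCP-learned default route) nothing bound to wan1 can
# reach the internet, regardless of which DNS servers are configured.
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 192.168.100.1
        set device "wan1"
    next
end

# 1. Confirm the default route is installed: expect a line beginning
#    "S*  0.0.0.0/0 [10/0] via 192.168.100.1, wan1".
get router info routing-table all

# 2. Ping the upstream gateway explicitly sourced from wan1, so a reply proves
#    connectivity on that port independent of the LAN path used for management.
execute ping-options source 192.168.100.2
execute ping 192.168.100.1

# 3. Capture wan1 while the ping runs (verbosity 4, 10 packets). Requests
#    leaving with no replies points at the switch port/VLAN or the upstream
#    router; no requests at all means the FortiGate is not routing out wan1.
diagnose sniffer packet wan1 'icmp' 4 10

# 4. Trace the forwarding decision for an internet destination to see which
#    route and egress interface FortiOS selects.
diagnose debug flow filter addr 8.8.8.8
diagnose debug flow trace start 5
diagnose debug enable
execute ping 8.8.8.8
diagnose debug disable
diagnose debug reset
```

Once step 2 succeeds, the DNS and VPN items in the list become testable; until then they cannot change the outcome. The UDP 500/4500 forwards already added on the upstream router remain necessary for the later VPN work, because with a private address on wan1 the remote peer will have to negotiate NAT-Traversal.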

Best answer by Toshi_Esumi

By the way, forum discussions are not tickets, just discussion threads.

2 replies

Toshi_Esumi
SuperUser
October 13, 2021

You need to go through the regular troubleshooting process for the routing issues between the router and the 50E, including the VLAN switch in between (I assume this, since there is no such thing as an "untagged VLAN" on any FGT), to make them at least pingable to each other.

__No (Author)
New Member
October 13, 2021

"You need to go through regular troubleshooting process for the routing issues between the router and the 50E including the VLAN switch in-between"

I am asking what can be done on the FortiGate 50E to be able to reach anything other than an upstream ISP's gateway on the WAN interface, i.e., this device is connected to the network the same way as any other end device or network appliance and is not able to find a route to the internet. Later in the post, I detail the troubleshooting steps I have performed.

"there is no such thing as "untagged VLAN" on any FGTs"

When I say untagged, I am referring to the way that the FortiGate 50E is sitting on the internal network. It is connected to an untagged VLAN port, not a tagged one. This means that VLANs should be out of the picture with the 50E.

Please let me know if there is anything further I should clear up, or anywhere else I can find a relevant support channel.

Regards.

Toshi_Esumi
SuperUser
October 13, 2021

You wrote: execute ping <local gateway on WAN interface> [FAIL]

That's why I thought they can't ping each other. Can they?

gayansa
New Member
October 14, 2021

Hi,

Do you have a public IP on the internet interface of the router?

BR,

Gayan