FXLEWIS
Explorer II
November 4, 2023
Question

Fortinet 40F basic setup / connecting to the Internet

  • November 4, 2023
  • 3 replies
  • 18542 views

Hi -

New to FortiGate and a firewall newbie as well.

Current layout

Verizon FIOS G3100 router

  • 3 SSIDs
  • 1 with WPA2 @ 2.4 GHz (legacy)
  • 1 with WPA2 @ 5 GHz (legacy)
  • 1 with WPA3 @ 5 GHz
  • WAN IP 98.113.x.x (obviously not providing my WAN IP to the public - no offense) 
  • Internal IP 192.168.1.1/24 internal network

Forti40F

  • I created 3 SSIDs to match what the G3100 currently has
  • SSID_1 - 10.1.10.1/255.255.255.0
  • SSID_2 - 10.1.20.1/255.255.255.0
  • SSID_3 - 10.1.30.1/255.255.255.0
  • LAN 1 on the Forti still has the factory IP 192.168.1.99

I tested connectivity to each SSID successfully from a laptop, but with no WAN connection, just to verify security and connectivity to the WiFi.

I unplugged the G3100 and plugged the WAN connection into the Fortinet.

The Fortinet leased a 98.113.x.x address.

I tried getting to the Internet with no success.

So, questions, because I am doing something wrong.

  1. Does it make sense to change the IP for the LAN 1 interface to 192.168.1.1/24?
  2. Do I need to set up static routes from the 10.1.x.x/24 networks, and if so, what would be the default route?

Sorry to be a noob but you have to learn somewhere :)

3 replies

FXLEWIS (Author)
Explorer II
November 5, 2023

Update.

I changed the IP for the internal software switch to 192.168.1.1

I set up static default routes from each 10.1.x.x subnet to my WAN interface. Same for the 192.168.x.x subnet.

We'll see if this works.

Toshi_Esumi
SuperUser
November 5, 2023

Try one step at a time.

1) When you swapped the router to the 40F, make sure you can get to the internet from the 40F itself (ping something from the CLI). If it works, the default route is fine.

2) Connect your laptop or desktop directly to one of the available LAN ports or a switch behind it. Make sure it pulled a LAN IP over DHCP, then try reaching the internet. If that works, the NAT policy is fine.

3) Then finally test from a WiFi client. You said you configured the SSIDs on the 40F. That means you have FortiAP(s) connected to it, and those must be tunnel-mode SSIDs. Traceroute toward the internet from the client to see that it at least shows the 40F's IP.

One thing you're misunderstanding is that the default route is not per LAN/WiFi subnet. The 40F needs only one. Each client needs to know only the GW IP 10.1.x.1 on the 40F. Then the 40F needs to know where to send the traffic from the clients if the destination of the packet is not local, which is the default route/default gateway. If the WAN circuit is DHCP or PPPoE, the 40F would pull it automatically from the ISP. Only if it's static do you have to configure a static default route on the 40F under Network->Static Routes in the GUI. This part should be exactly the same as with the FiOS router.

Toshi

FXLEWIS (Author)
Explorer II
November 5, 2023

Toshi -

First, thanks for responding.

1) When you swapped the router to the 40F, make sure you can get to the internet from the 40F itself (ping something from the CLI). If it works, the default route is fine.

Successfully pinged GOOGLE.COM from the 40F using the CLI.

2) Connect your laptop or desktop directly to one of the available LAN ports or a switch behind it. Make sure it pulled a LAN IP over DHCP, then try reaching the internet. If that works, the NAT policy is fine.

Connected my laptop to the 40F on port 1. Verified the laptop leased an IP from the 40F. Successfully pinged the gateway. Unsuccessful pinging GOOGLE.COM.

I know to set the NAT policy I need to go into Firewall Policy / Create New and I believe, for my purposes, create Static SNAT. I don't have a pool of IPs from my ISP, so I don't need a dynamic SNAT, and for the sake of simplicity for now I don't think I need a central SNAT.

So I'm doing something wrong in my NAT policy.

Toshi_Esumi
SuperUser
November 6, 2023

It's called "overload" with the interface IP. The GUI setting in the policy is below (this is 7.0.13).
[screenshot: defaultSNAT.png]

When you test it, ping something like 8.8.8.8, not Google.com. It could be your machine's DNS setting issue if you ping a host name/FQDN and can't get to it.

Toshi

GG-USMC
New Member
November 6, 2023

I am assuming that you have already created a static route to the outside for all unknown traffic and also created a security policy for your wireless subnets from the internal interface to the outside interface and also enabled NAT for the internal subnets on that security policy?

FXLEWIS (Author)
Explorer II
November 7, 2023

I am assuming that you have already created a static route to the outside for all unknown traffic.

NO.  Would that be destination 0.0.0.0 / 0 going to my WAN IP as the gateway on my WAN interface?

and also created a security policy for your wireless subnets from the internal interface to the outside interface

YES

and also enabled NAT for the internal subnets on that security policy?

YES
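An added FortiOS CLI example (not from the thread or any poster) that puts Toshi's two points and GG-USMC's checklist into config: one default route for the whole unit and one outbound policy with NAT enabled, followed by the checks in the order Toshi gives. Interface names ("wan", "internal", the SSID interfaces) and the gateway address are assumptions; the static route block only applies when the WAN address is static, since a DHCP or PPPoE WAN learns its default route automatically.

```fortios
# Added example, not the thread's own config. Interface names are assumptions:
# "wan" is the WAN port, "internal" the 40F's LAN software switch, and
# SSID_1..SSID_3 the tunnel-mode SSID interfaces. Confirm with:
#   show system interface

# 1) ONE default route for the whole box, not one per LAN/WiFi subnet.
#    The gateway is the ISP's next hop (198.51.100.1 is a placeholder),
#    not the 40F's own WAN address. Skip this block when the WAN port
#    gets its address by DHCP or PPPoE; the route then comes from the ISP.
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 198.51.100.1
        set device "wan"
    next
end

# 2) Outbound policy from the LAN switch and the three SSIDs to wan.
#    "set nat enable" with no IP pool is the "overload" case: every client
#    is translated to the wan interface IP. Without it, packets leave with
#    10.1.x.x / 192.168.1.x sources the ISP will not route back, which is
#    exactly the symptom "gateway pings, the internet does not".
config firewall policy
    edit 1
        set name "LAN-to-Internet"
        set srcintf "internal" "SSID_1" "SSID_2" "SSID_3"
        set dstintf "wan"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
end

# 3) Checks, from the 40F CLI, in Toshi's order:
#    a) the unit itself reaches the internet (default route OK):
execute ping 8.8.8.8
#    b) a single 0.0.0.0/0 entry via wan is present:
get router info routing-table all
#    c) while a LAN client pings 8.8.8.8, watch what leaves wan: a source
#       of 10.1.x.x or 192.168.1.x here means the policy is not NATing.
diagnose sniffer packet wan 'host 8.8.8.8' 4 10
```

Test with an IP such as 8.8.8.8 first, as Toshi says; a name that fails where the IP works points at the client's DNS setting rather than the route or the NAT policy.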