UnderscoresAndDashes
Explorer
February 21, 2025
Question

Wanting to eliminate a Fortigate acting as an Internet service provider managed router.

  • February 21, 2025
  • 3 replies
  • 1959 views

I have an AT&T fiber circuit where they hand off to me using a /30, but give me an IP range using a /28. 

So for example Handoff IP is 1.2.3.8/255.255.255.252 Handoff Gateway 1.2.3.7 

Usable IP Range 1.2.3.9-1.2.3.23

 

Since AT&T did not install their own managed router, I opted to use a Fortigate 80E to handle the NAT. 

80E Wan1 is IP'd to 1.2.3.8/255.255.255.252 Static route 0.0.0.0/0 gateway 1.2.3.7

80E Lan is IP'd to 1.2.3.9/255.255.255.240 

 

On the internal side of the network, I have a 100F that has its wan1 IP set to 1.2.3.11/255.255.255.240 

sdwan gateway 1.2.3.9

 

All of this was working fine, until I could no longer establish IPSec tunnels using port 500. FortiTAC says it's an AT&T problem, AT&T says it's a firewall problem. 

 

So my question is, is there a way to eliminate the 80E as the management router for the AT&T circuit and bring the handoff straight to the 100F and still be able to use the /28 AT&T provided us? Any help would be appreciated. If any clarification is needed, please do not hesitate to ask. 

 

Thank you. 

3 replies

Dhruvin_patel
Staff
February 23, 2025

Greetings!

 

To eliminate the FortiGate 80E as the management router for the AT&T circuit and bring the handoff directly to the FortiGate 100F while still utilizing the /28 IP range provided by AT&T, you can follow these steps:

 

1. Configure the WAN1 interface of the FortiGate 100F with the IP address 1.2.3.9/255.255.255.240, which falls within the usable IP range provided by AT&T.

 

2. Update the static route on the FortiGate 100F to point the default route (0.0.0.0/0) to the gateway IP 1.2.3.7, which is the handoff gateway provided by AT&T.

 

3. Ensure that the necessary firewall policies are in place on the FortiGate 100F to allow traffic for IPsec tunnels using port 500.

 

By following these steps, you can bypass the FortiGate 80E and have the FortiGate 100F directly manage the AT&T circuit while still utilizing the IP range provided by AT&T. This setup should help resolve any issues related to establishing IPsec tunnels using port 500.

 

Regards!

dingjerry_FTNT
Staff
February 23, 2025

Hi @UnderscoresAndDashes ,

 

You have to talk to AT&T first to check the handoff IPs.

 

Reasons:

 

1) 1.2.3.8/30 

1.2.3.8 is the network ID and usable IPs for this subnet are 1.2.3.9 and 1.2.3.10, so I wonder why you got 1.2.3.7 as the gateway IP.

 

2) If 1.2.3.8 is with /28

The subnet range is 1.2.3.0 - 1.2.3.15.  The usable IP range 1.2.3.9-1.2.3.23 you got is not covered by /28.  It has to be /27 at least to cover the usable IP range within the same subnet.

 

 

Toshi_Esumi
SuperUser
February 24, 2025

If you got 1.2.3.7 as the interface/handoff GW and the subnet is /30, the subnet is most likely 1.2.3.4/30 and your FGT wan interface should have 1.2.3.6/30.
But the additional /28 is overlapping with the interface subnet, which AT&T regularly wouldn't do. As @dingjerry_FTNT suggests, talk to AT&T and verify the exact subnet for the interface as well as the additional /28.

Toshi

Toshi_Esumi
SuperUser
February 24, 2025

Wait. I miscalculated it. If 1.2.3.4/30 is the interface subnet, the GW IP should be 1.2.3.6 because 1.2.3.7 is the broadcast IP of the /30. So the entire thing doesn't make sense.

 

Toshi
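The subnet arithmetic behind the two replies above (the /30 host and broadcast addresses, and whether a /28 can contain 1.2.3.9-1.2.3.23), worked through with Python's standard `ipaddress` module. This is an added example, not code from either poster; the 1.2.3.x values are the example addresses used in the question.

```python
import ipaddress


def classify_address(ip: str, prefix: int) -> dict:
    """Describe the subnet ip/prefix belongs to and which role ip plays in it.

    Returns the network in CIDR form, its first and last usable host, and
    whether ip is the network address, the broadcast address or a host.
    """
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    hosts = list(net.hosts())
    addr = ipaddress.ip_address(ip)
    if addr == net.network_address:
        role = "network"
    elif addr == net.broadcast_address:
        role = "broadcast"
    else:
        role = "host"
    return {
        "network": str(net),
        "first_host": str(hosts[0]),
        "last_host": str(hosts[-1]),
        "role": role,
    }


def range_within(first: str, last: str, network: str) -> bool:
    """True if both ends of an address range fall inside one subnet."""
    net = ipaddress.ip_network(network, strict=False)
    return ipaddress.ip_address(first) in net and ipaddress.ip_address(last) in net


def smallest_prefix_covering(first: str, last: str) -> int:
    """Longest prefix length whose single subnet contains both first and last.

    Walks from /32 downward, so the first subnet that contains `last` is the
    smallest one covering the whole range.
    """
    a = ipaddress.ip_address(first)
    b = ipaddress.ip_address(last)
    for prefix in range(32, -1, -1):
        if b in ipaddress.ip_network(f"{a}/{prefix}", strict=False):
            return prefix
    return 0


if __name__ == "__main__":
    # Values from the question: handoff 1.2.3.8/30, gateway 1.2.3.7, usable .9-.23.
    print("1.2.3.8/30 ->", classify_address("1.2.3.8", 30))   # .8 is the network ID
    print("1.2.3.7/30 ->", classify_address("1.2.3.7", 30))   # .7 is a broadcast
    print("/28 covers .9-.23?", range_within("1.2.3.9", "1.2.3.23", "1.2.3.8/28"))
    print("smallest covering prefix:", smallest_prefix_covering("1.2.3.9", "1.2.3.23"))
```

Running it confirms both observations: 1.2.3.8 is the network ID of 1.2.3.8/30 (hosts .9 and .10), 1.2.3.7 is the broadcast address of 1.2.3.4/30, and the smallest single subnet holding 1.2.3.9 through 1.2.3.23 is a /27.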

UnderscoresAndDashes
Explorer
February 24, 2025

This is the last octet and subnet mask of the Management router Wan1 (Handoff):

[image attached]

This is the Gateway of the Handoff:

[image attached]

This is the Lan side of the Management router:

[image attached]

This is the Wan of the 100F:

[image attached]

This is the gateway inside a SDWan zone:

[image attached]

I hope this clarifies it more. Thank you again for taking the time.