FortiGate
mturic
Staff & Editor
Article Id 424786
Description
This article describes the configuration steps needed to use a FortiGate as an external router for fiber optic internet access when Deutsche Telekom is the Internet Service Provider.
Scope
FortiGate 7.x.
Solution

To activate a new fiber connection, a fiber optic modem ID is needed. This ID is provided by a separate Optical Network Termination (ONT) device, the 'Glasfasermodem', which also serves as the demarcation point.

Since the FortiGate does not carry the required modem ID even with an SFP module, this article assumes that an existing fiber optic modem is in place and that a regular copper Ethernet cable connects it to a FortiGate WAN interface.

 

  1. Create a VLAN subinterface with VLAN ID 7 on the WAN interface.

Deutsche Telekom requires the use of VLAN ID 7 when using a non-Telekom router. In this example, the physical WAN1 interface is used and an additional subinterface will be added on it:

 

config system interface
    # VLAN 7 subinterface on wan1, PPPoE towards Deutsche Telekom
    edit "Telekom_WAN_intf"
        set mode pppoe
        set role wan
        set interface "wan1"
        set vlanid 7
    next
end

 

  2. Configure PPPoE parameters on the VLAN sub-interface.

 

For a successful PPPoE connection, the username and password need to be configured. In this case, the PPPoE username is a concatenation of several values from the access data document received from Deutsche Telekom. The values are combined into a single string as in the example below:

 

  • Anschlusskennung: aaaaaaaaaaaaa
  • Internet Zugangsnummer: bbbbbbbbbbbbb
  • Mitbenutzernummer: ccccc

 

  • Username: aaaaaaaaaaaaabbbbbbbbbbbbb#ccccc@t-online
  • Password: xxxxxxx   -> the "Zugangspasswort" from the received access data document.

 

config system interface
    edit "Telekom_WAN_intf"
        # Concatenated Telekom username and the "Zugangspasswort"
        set username "aaaaaaaaaaaaabbbbbbbbbbbbb#ccccc@t-online"
        set password "xxxxxxxxx"
    next
end

 

Once successfully configured, the PPPoE connection can be verified either through GUI under Network -> Interfaces by editing the Telekom_WAN_intf interface, or through the CLI with the get system interface command, which should provide output like the following:

 

get system interface | grep Telekom_WAN_intf
== [ Telekom_WAN_intf ]
name: Telekom_WAN_intf mode: pppoe ip: 119.123.132.118 255.255.255.255 status: up netbios-forward: disable type: vlan netflow-sampler: disable sflow-sampler: disable src-check: enable switch-controller-feature: none wccp: disable drop-overlapped-fragment: disable drop-fragment: disable mtu-override: disable

 

  3. Ensure the WAN interface is hardened.

The VLAN subinterface is the only interface used for internet access through the FortiGate and will hold the public IP received directly from the internet service provider.

As such, standard best practices should be followed and administrative access should be disabled on it unless explicitly necessary. If HTTPS/SSH access is indeed required, trusted hosts should be configured.

 

Note that the parent WAN1 interface, although not directly in use, cannot be disabled as this would disable the underlying VLAN subinterface as well.
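As an added example (not code from the article or from Fortinet), the following Python script audits the output of the FortiOS command show system interface, which, unlike get system interface, lists the allowaccess setting of each interface. It parses the config/edit/set/next/end structure and checks the Telekom interface against steps 1 to 3: PPPoE mode, VLAN ID 7, the expected username shape, and no HTTP/HTTPS/SSH/Telnet administrative access left enabled on the internet-facing interface. The sample output, the second interface name and the placeholder credentials are constructed to mirror the article; the Telekom_WAN_intf entry is the article's configuration with administrative access still enabled, the Telekom_WAN_hardened entry is the same interface after step 3.

```python
"""Audit a FortiGate's 'show system interface' output for the ISP-facing
PPPoE VLAN interface: PPPoE mode, VLAN 7, well-formed Telekom username,
and no administrative access left enabled on it.

Added example, not code from the article or from Fortinet. The sample
output below is constructed; names and credentials are placeholders.
"""
from __future__ import annotations

import re

# Constructed sample of `show system interface` output. The first VLAN entry
# follows the article's steps 1 and 2 but still allows HTTPS/SSH on the
# internet-facing interface; the second has allowaccess removed (step 3).
SAMPLE_SHOW_OUTPUT = """\
config system interface
    edit "wan1"
        set vdom "root"
        set mode static
        set allowaccess ping https ssh
        set type physical
        set role wan
    next
    edit "Telekom_WAN_intf"
        set vdom "root"
        set mode pppoe
        set allowaccess ping https ssh
        set type vlan
        set role wan
        set username "aaaaaaaaaaaaabbbbbbbbbbbbb#ccccc@t-online"
        set interface "wan1"
        set vlanid 7
    next
    edit "Telekom_WAN_hardened"
        set vdom "root"
        set mode pppoe
        set type vlan
        set role wan
        set username "aaaaaaaaaaaaabbbbbbbbbbbbb#ccccc@t-online"
        set interface "wan1"
        set vlanid 7
    next
end
"""

# Interactive management protocols that should not be reachable on the
# internet-facing interface (the article's "administrative access").
ADMIN_SERVICES = {"http", "https", "ssh", "telnet"}

# Username shape from the article: <Anschlusskennung><Zugangsnummer>#<Mitbenutzernummer>@t-online
USERNAME_RE = re.compile(r"^[^#@\s]+#[^#@\s]+@t-online$")

EDIT_RE = re.compile(r'^edit\s+"?(.+?)"?$')


def parse_interfaces(show_output: str) -> dict[str, dict[str, str]]:
    """Turn the config/edit/set/next/end structure into {name: {key: value}}.

    Only the top-level 'config system interface' table is parsed; nested
    'config ... end' sub-blocks inside an entry are skipped.
    """
    interfaces: dict[str, dict[str, str]] = {}
    current: str | None = None
    nested = 0  # depth of config sub-blocks inside the current entry
    for raw in show_output.splitlines():
        line = raw.strip()
        if not line:
            continue
        if current is None:
            match = EDIT_RE.match(line)
            if match:
                current = match.group(1)
                interfaces[current] = {}
            continue
        if nested:
            if line.startswith("config "):
                nested += 1
            elif line == "end":
                nested -= 1
            continue
        if line.startswith("config "):
            nested += 1
        elif line == "next":
            current = None
        elif line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            interfaces[current][key] = value.strip().strip('"')
    return interfaces


def audit_isp_interface(show_output: str, name: str = "Telekom_WAN_intf") -> list[str]:
    """Return human-readable findings for the ISP-facing interface; empty means clean."""
    intf = parse_interfaces(show_output).get(name)
    if intf is None:
        return [f"{name}: interface not found"]
    findings = []
    if intf.get("mode") != "pppoe":
        findings.append(f"{name}: mode is {intf.get('mode', 'unset')}, expected pppoe")
    if intf.get("vlanid") != "7":
        findings.append(f"{name}: vlanid is {intf.get('vlanid', 'unset')}, Telekom requires 7")
    if not USERNAME_RE.match(intf.get("username", "")):
        findings.append(f"{name}: username does not match <Kennung><Nummer>#<Mitbenutzer>@t-online")
    exposed = sorted(set(intf.get("allowaccess", "").split()) & ADMIN_SERVICES)
    if exposed:
        findings.append(f"{name}: administrative access enabled on ISP-facing interface: {' '.join(exposed)}")
    return findings


if __name__ == "__main__":
    for intf_name in ("Telekom_WAN_intf", "Telekom_WAN_hardened"):
        result = audit_isp_interface(SAMPLE_SHOW_OUTPUT, intf_name)
        print(intf_name, "->", result or ["OK"])
```

To use it against a real unit, paste the output of show system interface into a file and pass its contents to audit_isp_interface; only services listed in ADMIN_SERVICES are reported, so ping on the WAN interface is not flagged.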

 

The following documentation provides additional information on how to harden the FortiGate, as well as additional security best practices:

FortiGate / FortiOS 7.6.0 Best Practices - Hardening 
