Technical Tip: Modem private IPs cannot be accessed through the PPPoE interface, possible workarounds

JNDias · ‎11-03-2022

Description

This article explains how to work around the impossibility of accessing a private IP on the WAN side with PPPoE. This limitation exists because WANs with PPPoE cannot have a secondary IP.

Scope

FortiGate, WAN with PPPoE.

Tested on v6.4.8 build1914 | v6.4.10 build2000.

Solution

Adapt the configuration to limit the source in the rule so the internal clients will be able to reach that private network.

1) Create a Static Route for the network:

Go to Network -> Static Routes and select 'Create New'.

2) Create an IP pool:

Go to Policy & Objects -> Virtual IPs, select 'Create New' -> 'IP Pools'.

3) Create a Firewall Policy:

Alternatively, create the policies in the CLI with the following commands:

# config router static
edit 1
set dst 192.168.1.0 255.255.255.0
set device "wan1"
next
end

# config firewall ippool
edit "IP_Pool_192.168.1.13"
set startip 192.168.1.13
set endip 192.168.1.13
next
end

# config firewall policy
edit 1
set name "To Router"
set srcintf "internal"
set dstintf "wan1"
set srcaddr "all"
set dstaddr "NET_192.168.1.0/24"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
set ippool enable
set poolname "IP_Pool_192.168.1.13"
set nat enable
next
end

Result:

internal in 10.16.4.56 -> 192.168.1.5: icmp: echo request
wan1 out 192.168.1.13 -> 192.168.1.5: icmp: echo request
eth0 out 192.168.1.13 -> 192.168.1.5: icmp: echo request
wan1 in 192.168.1.5 -> 192.168.1.13: icmp: echo reply

Technical Tip: Modem private IPs cannot be accessed through the PPPoE interface, possible workarounds

You are leaving our website