papapuff

Ask - WAN setting with IP Static from ISP

Hi there,

This might be a ridiculous question, but I want to make sure I didn't miss something during setup.

We use a FortiGate 30E, and we have an ISP that provides a static public IP. The information they gave:

IP 1.1.1.1 / 29

subnet 255.255.255.248 / 29

gateway 1.1.1.2

dns 8.8.8.8 ; 8.0.8.0

 

Then we made the config on the FortiGate:

- interface WAN

IP : 1.1.1.1

subnet : 255.255.255.248

ping, https, fmg-access: checked

 

- static route

destination: 0.0.0.0

gateway: 1.1.1.2

other setting: <default>

 

- DNS

8.8.8.8, 8.0.8.0

 

Then we connected all the cables.

The WAN LEDs are all on.

But when I ping IP 1.1.1.1 from an outside network, it says:

TTL expired in transit

But I can ping 1.1.1.2 and get a reply.

Did I miss something?

Need help. Thanks.

Toshi_Esumi

Nothing ridiculous, but basic routing troubleshooting.

Just traceroute from outside toward 1.1.1.1 to see if you can get to at least the GW. My guess is it's your ISP's routing problem.

Always check the routing table in the GUI or CLI (get router info routing-table all) to make sure the static default route is pointing to the GW.

By the way, if it's older than 6.0, check if trusthosts are configured; ping wouldn't get a reply if the source is not in the list of trusthosts. I think they changed this behavior after 6.0.

papapuff

Hello.

Thanks for the response.

I tried tracert from an outside network; it times out without end.

I looked at the installed device, and the connection looks strange to me.

FO (from tower base) -> Mikrotik -> RJ45

This RJ45 goes to the FortiGate.

ShawnZA

If your admin account is not locked down to trusted hosts, then perhaps the Mikrotik is blocking incoming traffic?

papapuff

toshiesumi wrote:

Nothing ridiculous, but basic routing troubleshooting.

Just traceroute from outside toward 1.1.1.1 to see if you can get to at least the GW. My guess is it's your ISP's routing problem.

Always check the routing table in the GUI or CLI (get router info routing-table all) to make sure the static default route is pointing to the GW.

By the way, if it's older than 6.0, check if trusthosts are configured; ping wouldn't get a reply if the source is not in the list of trusthosts. I think they changed this behavior after 6.0.

Hello,

Sorry, I missed answering this.

Yes, the static default route is pointing to gateway 1.1.1.2 for interface WAN.