RolandBaumgaertner72
Contributor

Access via WAN Interface and VLan configuration

Hello,

Something we never had before, but the WAN interface had to be in the same VLAN interface with the WAN router of the provider X.

Now we have the problem that we can't connect to the WAN interface via http, https (trusted network) and we can't establish an SSL VPN connection via 4444.

Attached I send you the WAN interface config.

What can we do?

Thanks in advance

8 REPLIES
Muhammad_Haiqal

Hi @RolandBaumgaertner72,

In my country (Malaysia), our internet is using VLAN.
Can you verify if your ISP requires VLAN too?

You can check with your PC this way too.

Connect the PC directly to your ISP router. PC <<<>>> ISP router

Set your IP, subnet, gateway accordingly.

Ping to 8.8.8.8

If your PC can go out to the internet, it means no VLAN is required.

haiqal
RolandBaumgaertner72
Contributor

Hi,

Yes, this ISP requires VLAN also and therefore we had to create a VLAN under the WAN interface. Since I never had this configuration I am wondering now what I can do to get all the packets through from WAN to my VLAN. I know it was working before with the Zywall firewall since before I could access via https directly.

Also I see that my DDNS with interface WAN is not getting the IP.

What can I do?

funkylicious

Can you reach the other peer in that /30 network?

Also, do you have a static default route pointing to that peer / VLAN interface?

"jack of all trades, master of none"
RolandBaumgaertner72
Contributor

Hi,

Well, it works, from inside I have access via this VLAN WAN interface.

The default route goes over the VLAN interface? Is it because I don't have a route for the WAN interface that I can't reach it from outside?

funkylicious

If you don't have this route, most likely this is your issue. You could also enable PING under the interface to check from the internet if it replies back.

"jack of all trades, master of none"
RolandBaumgaertner72
Contributor

Hi,

I don't really understand. As you can see on my screenshots I have under the WAN interface the VLAN with the IP config of the provider. I activated PING on the VLAN and I can't reach it from outside.

What route is missing so that packets get through to the VLAN, or do I have to change the default to the WAN interface instead of the VLAN? Where is the connection between the WAN interface (no IP configured) and the VLAN WAN interface?

I never had this kind of configuration and since we are required to use a VLAN ID and I can't configure it directly on the WAN interface I am having this issue now.

Thanks a lot for your help!

funkylicious

Ok, let's take it step by step.

You say that the ISP requires you to have a VLAN configured on the interface towards them.

On the FortiGate you have configured a VLAN interface with that VLAN ID (I guess?). Do you have IP reachability from the IP you have configured on the VLAN interface to the ISP peer?

Since you have configured a subinterface or VLAN interface, whatever you want to call it, it means the same thing, I would expect that the interface on the switch where WAN is connected is configured as a trunk, that the VLAN ID is permitted towards the FW, and that the VLAN is created on the switch.

After you confirm reachability to the ISP equipment/IP, a static route 0.0.0.0/0 with the ISP IP as next hop, using the VLAN interface as exit interface, is required.

After this, you can run execute ping 8.8.8.8 from the CLI and see if you can reach the internet.

If all is good with ping towards 8.8.8.8, then all access from the Internet towards that subinterface configured with allowed administrative access protocols should work. If not, maybe the ISP is filtering them.

"jack of all trades, master of none"
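
The steps in the reply above, written out as FortiOS CLI. This is an added example, not configuration posted by anyone in the thread; the parent port name wan1, VLAN ID 100, the interface name wan1_vlan100 and the 192.0.2.0/30 addresses are placeholder assumptions to be replaced with the ISP's values.

```fortios
# Constructed example. wan1, VLAN ID 100 and 192.0.2.0/30 are placeholders,
# not values from this thread.

# 1. VLAN subinterface on the physical WAN port. The physical port itself
#    carries no IP; the ISP-facing address lives on the VLAN interface.
config system interface
    edit "wan1_vlan100"
        set vdom "root"
        set interface "wan1"
        set type vlan
        set vlanid 100
        set mode static
        set ip 192.0.2.2 255.255.255.252
        set allowaccess ping https
    next
end

# 2. Confirm reachability to the ISP peer in the /30 before touching routes.
execute ping 192.0.2.1

# 3. Default route whose exit interface is the VLAN interface,
#    not the physical wan1 port.
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 192.0.2.1
        set device "wan1_vlan100"
    next
end

# 4. Verify. The active 0.0.0.0/0 entry should point at wan1_vlan100;
#    a leftover default route via another interface shows up here too.
show router static
get router info routing-table all
execute ping 8.8.8.8

# 5. While pinging the public IP from outside, watch whether requests
#    arrive and replies leave on the VLAN interface.
diagnose sniffer packet wan1_vlan100 'icmp' 4
```

If step 5 shows echo requests arriving with no replies going out on the same interface, compare the routing table from step 4 against the configured static routes before suspecting ISP filtering.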
RolandBaumgaertner72

OK, it is solved. I again created the static route and then I had access via PING from outside. Also the SSL VPN is working. Something wrong with routing tables (before I had another default route)?

Thanks a lot!
