Access via WAN Interface and VLan configuration
Hello,
Something we never had before, but the WAN interface had to be in the same VLAN interface with the WAN router of the provider X.
Now we have the problem that we can't connect to the WAN interface via http, https (trusted network) and we can't establish an SSL VPN connection via 4444.
Attached I send you the WAN interface config.
What can we do?
Thanks in advance
Labels: FortiGate
Hi @RolandBaumgaertner72 ,
In my country (Malaysia), our internet is using VLAN.
Can you verify if your ISP requires VLAN too?
You can check with your PC this way too.
Connect the PC directly to your ISP router. PC <<<>>> ISP router
Set your IP, subnet, gateway accordingly.
Ping 8.8.8.8
If your PC can get out to the internet, it means no VLAN is required.
Hi,
Yes, this ISP requires VLAN also and therefore we had to create a VLAN under the WAN interface. Since I never had this configuration I am wondering now what I can do to get all the packages through from WAN to my VLAN. I know it was working before with the Zywall firewall, since before I could access via https directly.
Also I see that my DDNS with interface WAN is not getting the IP.
What can I do?
Created on 03-30-2023 01:36 AM Edited on 03-30-2023 01:36 AM
Can you reach the other peer in that /30 network?
Also, do you have a static default route pointing to that peer / VLAN interface?
Hi,
Well, it works; from inside I have access via this VLAN WAN interface.
The default route goes over the VLAN interface? Is it because I don't have a route for the WAN interface that I can't reach it from outside?
If you don't have this route, most likely this is your issue. You could also enable PING under the interface to check from the internet if it replies back.
Hi,
I don't really understand. As you can see on my screenshots, I have under the WAN interface the VLAN with the IP config of the provider. I activated PING on the VLAN and I can't reach it from outside.
What route is missing so that packages get through to the VLAN, or do I have to change the default to the WAN interface instead of the VLAN? Where is the connection between the WAN interface (no IP configured) and the VLAN WAN interface?
I never had this kind of configuration, and since we are required to use a VLAN ID and I can't configure it directly on the WAN interface, I am having this issue now.
Thanks a lot for your help!
Ok, let's take it step by step.
You say that the ISP requires you to have a VLAN configured on the interface towards them.
On the FortiGate you have configured a VLAN interface with that VLAN ID (I guess?). Do you have IP reachability from the IP you have configured on the VLAN interface to the ISP peer?
Since you have configured a subinterface or VLAN interface (whatever you want to call it, it means the same thing), I would expect that the interface on the switch where WAN is connected is configured as a trunk, that the VLAN ID is permitted towards the FW, and that the VLAN is created on the switch.
After you confirm reachability to the ISP equipment/IP, a static route 0.0.0.0/0 with the ISP IP as next hop, using the VLAN interface as exit interface, is required.
After this, you can do an "execute ping 8.8.8.8" from the CLI and see if you can reach the internet.
If all is good with ping towards 8.8.8.8, then all access from the Internet towards that subinterface configured with allowed administrative access protocols should work. If not, maybe the ISP is filtering them.
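
The setup this reply walks through, written out as FortiOS CLI. This is an added example, not configuration posted in the thread: the names `wan1` and `wan1_vlan`, VLAN ID 100, the admin account name and all addresses (documentation ranges) are assumptions, and the `#` lines are annotations. The trusted-host restriction reflects the "trusted network" mentioned in the first post.

```fortios
# Constructed values: wan1, wan1_vlan, VLAN ID 100, 192.0.2.0/30, 198.51.100.0/24

# VLAN subinterface on the physical WAN port; the parent port keeps no IP.
# Administrative access (ping, https) is set here, on the VLAN interface.
config system interface
    edit "wan1_vlan"
        set vdom "root"
        set interface "wan1"
        set vlanid 100
        set mode static
        set ip 192.0.2.2 255.255.255.252
        set allowaccess ping https
        set role wan
    next
end

# Default route: next hop is the ISP peer in the /30,
# exit interface is the VLAN interface, not the physical port.
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 192.0.2.1
        set device "wan1_vlan"
    next
end

# Restrict admin logins to the trusted network; run the outside
# reachability test from an address inside this range.
config system admin
    edit "admin"
        set trusthost1 198.51.100.0 255.255.255.0
    next
end

# Verification, in the order given in the reply above:
# 1) ISP peer, 2) installed default route, 3) internet, 4) inbound ICMP
execute ping 192.0.2.1
get router info routing-table all
execute ping 8.8.8.8
diagnose sniffer packet wan1_vlan 'icmp' 4
```

In the routing table output, the 0.0.0.0/0 entry should list the VLAN interface as its exit; a leftover default route through another interface is what the final post in this thread suspects as the cause.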
OK, it is solved. I again created the static route and then I had access via PING from outside. Also the SSL VPN is working. Something wrong with routing tables (before I had another default route)?
Thanks a lot!