macy200200

DHCP Woes - Old Fortigate 80c

Hey Everyone!

So I'm not sure what I'm doing or what's going on. I had my FortiGate running fine in transparent mode, but I wanted to set up an SSL VPN using port forwarding from my router, so I flipped it to NAT mode.

My intention is to give the wan1 interface a static IP (192.168.0.6) and then use my router as a DHCP relay. My router is at 192.168.0.1. Then things connected to my FortiGate via Ethernet should get an IP address from the router, right? That's what I want it to do, but I'm having trouble getting it to do that.

Soon I have a FortiAP coming in the mail, and then I will flip my router to bridged mode, but right now I don't have internet on my devices plugged right into it unless I give them a static IP. DHCP is relaying my DNS server (192.168.0.7) and that's it: no IP addresses, no subnet mask, no router.

Any help would be appreciated! If you need more info or something I said doesn't make sense just ask!!!

Thank you

Toshi_Esumi

You need to have two different subnets on the WAN and LAN sides of your FGT in NAT mode. It's the same as a regular router. Then likely you need to move the DHCP server from the internet router to your FGT, then set a proper static route on the router to let it route to the FGT for the traffic to the subnet.

macy200200

Yeah, I think I got the static routes going. I can ping stuff from the FortiGate CLI and ping my DNS server @ 192.168.0.7.

So if I put all my stuff in 192.168.1.1/255.255.255.255, do I have to NAT it to 192.168.0.6 since that's the WAN interface static IP?

I was looking stuff up and found "double NAT", but I don't know how to set that up. I've honestly never had to set up a FortiGate from scratch before, even though I work on them all the time at work. I don't know what I'm doing lol

Toshi_Esumi

You don't have to have NAT (enable NAT on the policy) in NAT mode as long as you route the LAN to the router and the router to the LAN. Of course you can enable NAT on the FGT to hide the LAN from the router, but it would add one unnecessary translation when you can simply route the traffic through.

macy200200

Okay, so I don't want NAT, you're right. How do I build routes from LAN to router and router to LAN??? What confuses me is the gateway address; it's not supposed to be my public IP, is it? It should be 192.168.0.1, right?

Because I swear I've tried that and it didn't work, so now I'm back in transparent mode where things are working, except there's no VPN :(

Toshi_Esumi

I'm assuming the layout below:

the router internal interface: 192.168.0.1/24 <-> [FGT WAN1: 192.168.0.6/24 - FGT LAN: 192.168.1.1/24] <-> all devices.

Then the FGT needs a default route to 192.168.0.1, and the router needs a static route for 192.168.1.0/24 to GW 192.168.0.6. If it's a Cisco router, it would be like below:

ip route 192.168.1.0 255.255.255.0 192.168.0.6

Then of course the FGT needs a policy from the LAN interface toward WAN1 allowing all destinations without NAT.

Just run the sniffer ("diag sniffer packet ...") on the FGT to see packets coming in and going out while you're generating traffic, like pinging toward the internet from a device on the LAN.

macy200200

I finally got it running in NAT mode. I'm not sure what I did differently this time, but it's working!!!

The internal interface is running at the default 192.168.1.99, and I guess that was the trick. TBH I don't understand how it's working; I have one static route on wan1 going from 0.0.0.0 to 192.168.0.1 as the gateway.

I don't understand how my traffic is getting from 192.168.1.X to 192.168.0.6 (FortiGate static IP), but it's going.

Now I gotta figure out this FortiAP when it gets here later today!
