Hey Everyone!
So I'm not sure what I'm doing or what's going on. I had my FortiGate running fine in transparent mode, but I wanted to set up an SSL VPN using port forwarding from my router, so I flipped it to NAT mode.
My intention is to give the wan1 interface a static IP (192.168.0.6) and then use my router as a DHCP relay. My router is at 192.168.0.1. Then things connected to my FortiGate via Ethernet should get an IP address from the router, right? That's what I want it to do, but I'm having trouble getting it to do that.
Soon I have a FortiAP coming in the mail, then I will flip my router to bridged mode, but right now I don't have internet on my devices plugged right into it unless I give them a static IP. DHCP is relaying my DNS server (192.168.0.7) and that's it: no IP addresses, no subnet mask, no router.
Any help would be appreciated! If you need more info or something I said doesn't make sense just ask!!!
Thank you
You need to have two different subnets on the WAN and LAN sides of your FGT in NAT mode. It's the same as a regular router. Then likely you need to move the DHCP server from the internet router to your FGT, then set a proper static route on the router to let it route to the FGT for the traffic to the subnet.
Yeah, I think I got the static routes going. I can ping stuff from the FortiGate CLI and ping my DNS server at 192.168.0.7.
So if I put all my stuff in 192.168.1.1/255.255.255.255, I have to NAT it to 192.168.0.6 since that's the WAN interface static IP?
I was looking stuff up and found "double NAT" but I don't know how to set that up. I've honestly never had to set up a FortiGate from scratch before, even though I work on them all the time at work. I don't know what I'm doing lol
You don't have to have NAT (enable NAT on the policy) in NAT mode as long as you route the LAN to the router and router to LAN. Of course you can enable NAT on the FGT to hide LAN from the router. But it would add one unnecessary translation when you can simply route traffic through.
Okay, so I don't want NAT, you're right. How do I build routes from LAN to router and router to LAN??? What confuses me is the gateway address; it's not supposed to be my public IP, is it? It should be 192.168.0.1, right?
Because I swear I've tried that and it didn't work, so now I'm back in transparent mode where things are working except there's no VPN :(
I'm assuming the below:
the router internal interface: 192.168.0.1/24 <-> [FGT WAN1: 192.168.0.6/24 - FGT LAN: 192.168.1.1/24] <-> all devices.
Then the FGT needs a default route to 192.168.0.1. And the router needs a static route for 192.168.1.0/24 to GW 192.168.0.6. If it's a Cisco router it would be like below:
ip route 192.168.1.0 255.255.255.0 192.168.0.6
Then of course the FGT needs a policy from LAN interface toward WAN1 allowing all destinations without NAT.
Just run sniffing "diag sniffer packet ..." at the FGT to see packets coming in and going out while you're generating traffic like pinging toward the internet from a device on the LAN.
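The routed (no-NAT) layout described in the reply above, written out as FortiOS CLI configuration. This is an added example, not configuration posted by anyone in the thread. It assumes the interface names "wan1" and "internal" (the LAN port name varies by model), the addresses from the reply (wan1 192.168.0.6/24, LAN 192.168.1.1/24, router 192.168.0.1), the DNS server 192.168.0.7 from the original post, and a made-up DHCP pool of 192.168.1.10-192.168.1.100; the router-side static route is the one already quoted.

```fortios
# Added example (not from the thread). Interface names and the DHCP pool are assumptions.

# 1. Two separate subnets: WAN side and LAN side must not overlap.
config system interface
    edit "wan1"
        set mode static
        set ip 192.168.0.6 255.255.255.0
        set allowaccess ping https ssh
    next
    edit "internal"
        set mode static
        set ip 192.168.1.1 255.255.255.0
        set allowaccess ping https ssh
    next
end

# 2. DHCP moves from the router to the FGT, handing out the LAN gateway
#    and the existing DNS server (192.168.0.7) on the WAN-side subnet.
config system dhcp server
    edit 1
        set interface "internal"
        set default-gateway 192.168.1.1
        set netmask 255.255.255.0
        set dns-service specify
        set dns-server1 192.168.0.7
        config ip-range
            edit 1
                set start-ip 192.168.1.10
                set end-ip 192.168.1.100
            next
        end
    next
end

# 3. Default route on the FGT: everything not local goes to the router at
#    192.168.0.1 via wan1 (the gateway is the router's LAN address, not the
#    public IP).
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 192.168.0.1
        set device "wan1"
    next
end

# 4. Policy LAN -> WAN1 allowing all destinations with NAT disabled, so the
#    router sees the real 192.168.1.x sources and the return path works
#    through its static route.
config firewall policy
    edit 1
        set name "internal-to-wan1-routed"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end

# 5. On the (Cisco) router, the return route already quoted in the thread:
#    ip route 192.168.1.0 255.255.255.0 192.168.0.6

# 6. Verify from the FGT CLI while pinging the internet from a LAN device;
#    verbosity 4 prints the interface each packet arrives on and leaves by,
#    so you can see the ICMP echo enter on "internal" and exit on "wan1":
#    diagnose sniffer packet any 'icmp' 4
```

If the sniffer shows echo requests leaving wan1 but no replies coming back, the missing piece is almost always the router's static route for 192.168.1.0/24 (step 5): without it the router has no path back to the LAN subnet, which is exactly the symptom of "pings from the FGT work but devices behind it have no internet".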
I finally got it running in NAT mode. I'm not sure what I did different this time but it's working!!!
The internal interface is running at the default 192.168.1.99 and I guess that was the trick. TBH I don't understand how it's working, I have one static route on wan1 going from 0.0.0.0 to 192.168.0.1 as the gateway.
I don't understand how my traffic is getting from 192.168.1.X to 192.168.0.6 (FortiGate static IP), but it's going.
Now I gotta figure out this FortiAP when it gets here later today!