DHCP Woes - Old Fortigate 80c

Hey Everyone!


So I'm not sure what I'm doing or what's going on. I had my FortiGate running fine in transparent mode but I wanted to set up an SSL VPN using port forwarding from my router, so I flipped it to NAT mode.


My intention is to give the wan1 interface a static ip ( and then use my router as a dhcp relay. My router is at Then things connected to my FortiGate via ethernet should get an ip address from the router right? That's what I want it to do but I'm having trouble getting it to do that.


Soon I have a fortiap coming in the mail, then I will flip my router to bridged mode but right now I don't have internet on my devices plugged right into it unless I give them a static ip. DHCP is relaying my dns server ( and that's it, no ip addresses, no subnet mask, no router.


Any help would be appreciated! If you need more info or something I said doesn't make sense just ask!!!

Thank you


You need to have two different subnets on the WAN and LAN sides of your FGT in NAT mode. It's the same as a regular router. Then likely you need to move the DHCP server from the internet router to your FGT, then set a proper static route on the router to let it route to the FGT for the traffic to the subnet.



Yeah I think I got the static routes going. I can ping stuff from the FortiGate CLI and ping my dns server @


So if I put all my stuff in I have to nat it to since that's the wan interface static ip?


I was looking stuff up and found "double nat" but I don't know how to set that up. I've honestly never had to set up a FortiGate from scratch before even though I work on them all the time at work. I don't know what I'm doing lol


You don't have to have NAT (enable NAT on the policy) in NAT mode as long as you route the LAN to the router and router to LAN. Of course you can enable NAT on the FGT to hide LAN from the router. But it would add one unnecessary translation when you can simply route traffic through.


Okay, so I don't want nat, you're right. How do I build routes from lan to router and router to lan??? What confuses me is the gateway address, it's not supposed to be my public ip is it? It should be right?


Because I swear I've tried that and it didn't work so now I'm back in transparent mode where are working except there's no vpn :(


I'm assuming below:

the router internal interface:<->[FGT WAN1: - FGT LAN:]<->all devices.

Then the FGT needs a default route to And the router needs a static route to GW: If it's a Cisco router it would be like below:

ip route


Then of course the FGT needs a policy from LAN interface toward WAN1 allowing all destinations without NAT.

Just run sniffing "diag sniffer packet ..." at the FGT to see packets coming in and going out while you're generating traffic like pinging toward the internet from a device on the LAN.
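
The routed, no-NAT layout described in the reply above, written out as FortiOS CLI. This is an added example, not part of the original thread: the WAN-side addresses (10.0.0.1 for the router, 10.0.0.2 for wan1) and the LAN subnet 192.168.1.0/24 are constructed placeholders, the interface name `internal` is assumed, and the service object is named `ANY` rather than `ALL` on older firmware. Lines beginning with `#` are annotations, not commands.

```text
# Assumed topology (placeholder addresses):
#   router LAN 10.0.0.1 <-> [wan1 10.0.0.2 | internal 192.168.1.99/24] <-> devices

# 1. FortiGate: default route pointing at the router's inside address
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 10.0.0.1
        set device "wan1"
    next
end

# 2. FortiGate: policy from LAN to WAN with NAT left off, so packets keep
#    their 192.168.1.x source address and are simply routed
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end

# 3. Upstream router: return route for the LAN subnet via wan1.
#    Cisco IOS form, entered on the router, not on the FortiGate:
#      ip route 192.168.1.0 255.255.255.0 10.0.0.2

# 4. Verify while pinging an internet host from a LAN device.
#    Verbosity 4 prints the interface name on every packet.
diagnose sniffer packet any 'icmp' 4

# Reading the capture:
#   request seen "internal in" and "wan1 out" with a 192.168.1.x source
#       -> routing and policy on the FortiGate are fine
#   no reply seen "wan1 in"
#       -> the router lacks the return route from step 3
#   request seen "internal in" only
#       -> no matching policy or no default route
```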




I finally got it running in NAT mode. I'm not sure what I did different this time but it's working!!!


The internal interface is running at the default and I guess that was the trick. TBH I don't understand how it's working, I have one static route on wan1 going from to as the gateway.


I don't understand how my traffic is getting from 192.168.1.X to  (fortigate static ip) but it's going.


Now I gotta figure out this Fortiap when it gets here later today!

