Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
tommaddex
New Contributor

FG60E-DSL - Assign Public IP address from ISP

Hi

 

I have a Fortigate FG60E-DSL configured with an FTTC connection and I want to assign the WAN interface with a Public IP address.

 

The DSL interface is configured using VDSL and a VLAN interface which is configured using PPPoE. The interface is obtaining an IP address automatically but it's changing and this means my site-to-site VPN doesn't stay connected.

 

I've entered a usable Public IP address in the Unnumbered IP section of the WAN interface and this now shows when I go to www.whatismyip.com but the WAN IP on the interface in the dashboard is still showing the obtained IP and the obtained IP is the only IP I can access the firewall on externally.

 

I know the Public IPs we have work because I have Virtual IPs configured for services like OWA which work.

 

Any way I can properly assign a Public IP to the firewall to achieve what I want to do?

2 Solutions
sw2090
Honored Contributor

well there is two ways here:

 

you could get yourself a static public ip from your isp and use that. Most ISP can handle that with pppoe so you you don't need to change anything.

you could - as you are doing pppoe with your FGT - use the Fortigate's built in fortinet Dyndns service to have a fqdn pointing to your public ip (and have it automagically updated when the ip changes). You could then use that fqdn as remote gw on your remote vpn site.

This won't still mean your vpn will stay up but it will disconnect and reconnect autmatically upon ip change with that.

I used this on one of our shop as long as they didn't have a static public ip and it worked fine.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

View solution in original post

-- "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
OneOfUs
New Contributor III

I see two possible options:

 

1) use the ForiGuard DDNS service found under Network | DNS.  Then configure the remote site to use the FQDN instead of IP Address.

 

2) Use one of the static IP addresses assigned to you and use the CLI to change the Local Gateway IP:

 

SXFLSDBT02F # conf vpn ipsec phase1-interface

SXFLSDBT02F (phase1-interface) # edit your-vpn-name SXFLSDBT02F (your-vpn-name) # set local-gw <class_ip> Class A,B,C ip xxx.xxx.xxx.xxx

 

 

https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-ipsecvpn-54/IPsec_VPN_Web-based_Mana...

 

 

View solution in original post

6 REPLIES 6
sw2090
Honored Contributor

well there is two ways here:

 

you could get yourself a static public ip from your isp and use that. Most ISP can handle that with pppoe so you you don't need to change anything.

you could - as you are doing pppoe with your FGT - use the Fortigate's built in fortinet Dyndns service to have a fqdn pointing to your public ip (and have it automagically updated when the ip changes). You could then use that fqdn as remote gw on your remote vpn site.

This won't still mean your vpn will stay up but it will disconnect and reconnect autmatically upon ip change with that.

I used this on one of our shop as long as they didn't have a static public ip and it worked fine.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

-- "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
tommaddex

Thanks sw2090 but we already have a block of static public IPs issued by the ISP and these are working because I have Virtual IPs configured which allow SMTP and OWA to come in on one and some other services on some other static public IPs.

 

My only problem is that the DSL interface on the FG60E is obtaining an IP address from the ISP which is outside of those allocated Public IPs and this means I lose the ability to administer the firewall externally and my VPN disconnects.

 

The firewall that we replaced with the FG60E was configured with it's WAN interface using one of the static public IPs so that it could be used to externally manage it and our remote site VPN tunnel used this static public IP to connect.

 

I want to do the same with the FG60E but can't find a way.

OneOfUs
New Contributor III

I see two possible options:

 

1) use the ForiGuard DDNS service found under Network | DNS.  Then configure the remote site to use the FQDN instead of IP Address.

 

2) Use one of the static IP addresses assigned to you and use the CLI to change the Local Gateway IP:

 

SXFLSDBT02F # conf vpn ipsec phase1-interface

SXFLSDBT02F (phase1-interface) # edit your-vpn-name SXFLSDBT02F (your-vpn-name) # set local-gw <class_ip> Class A,B,C ip xxx.xxx.xxx.xxx

 

 

https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-ipsecvpn-54/IPsec_VPN_Web-based_Mana...

 

 

tommaddex
New Contributor

Thanks OneOfUS, the CLI command has allowed me to set the local phase-1 gateway IP as one of our static public IPs and the site-to-site VPN is now working so that's great.

 

I still want to be able to access the FG60E using HTTPS or SSH via one of our static public IPs and can't see a way to set this.

 

I've asked the question via the Technical Web Chat and was told that a static IP can't be specified when using the PPPoE addressing mode, only when Manual mode is in use on the WAN interface.

 

I explained that using Manual address mode doesn't allow me to enter the PPP credentials for the connection and I've been asked to log a support ticket.

 

I've logged a ticket so I'll post the response here when I get it. Unless anyone else has any other suggestions in the meantime!

OneOfUs
New Contributor III

Unfortunately it will not allow you to set a Secondary IP on the interface when in DHCP.  FortiGuard DDNS is your best bet. 

 

In the past I've setup HTTPS/SSH on a loopback interface, then run our management over a site-to-site IPSec tunnel.  However, this does not help if the tunnel is down.

tommaddex

OK I've got external HTTPS and SSH access working now by creating new Virtual IPs with the static public IP I want to use and created matching policies to allow me in to the internal IP of the FG60E.

 

This gives me everything I wanted to achieve today so thanks everyone for the input.

Labels
Top Kudoed Authors