Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiGuest
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDRCloud
- FortiNDR (on-premise)
- FortiPhish
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiWAN
- FortiVoice
- FortiWeb
- FortiAppSec Cloud
- Lacework
- RMA Information and Announcements
- Wireless Controller
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- Re: Fortigate 50E Behind NAT router for site-to-si...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Fortigate 50E Behind NAT router for site-to-site VPN client
Hello all,
I have a primary non-Fortinet router that I would like to place a Fortigate 50E behind. My goal is to configure the FortiGate as a site-to-site VPN endpoint/server to utilize the route when needing VPN services. My reasoning for not using the Fortigate as the main firewall is that this is a secondary appliance and I already have an established primary router of which I am very happy using. I do not want to reconfigure my entire network with all of its VLANs, Rules, Services, etc. to be able to use a proprietary VPN appliance. I believe that to be a reasonable enough use case.
Currently, I have the following interfaces configured:
[ul]My current hiccup is that the Fortigate 50E cannot reach the internet. I've attempted the following:
[ul]Is there any hope for this scenario? I am not sure what in the 50E is preventing access to the internet unless it cannot function with an internal IP as the WAN gateway.
Solved! Go to Solution.
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
By the way, Forum discussions are not tickets. Just discussion threads.
8 REPLIES 8
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You need to go through regular troubleshooting process for the routing issues between the router and the 50E including the VLAN switch in-between (I assume this since there is no such thing as "untagged VLAN" on any FGTs) to make them pingable at least each others.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
"You need to go through regular troubleshooting process for the routing issues between the router and the 50E including the VLAN switch in-between"
I am asking what can be done on the Fortigate 50E to be able to reach anything other than an upstream ISP's gateway on the WAN interface. i.e., this device is connected to the network the same way as any other end device or network appliance and is not able to find a route to the internet. Later in the post, I detail the troubleshooting steps I have performed.
"there is no such thing as "untagged VLAN" on any FGTs"
When I say untagged, I am referring to the way that the Fortigate 50E is sitting on the internal network. It is connected to an untagged VLAN port, not tagged. This means that VLANs should be out of the picture with the 50E.
Please let me know if there is anything further I should clear up or anywhere else I can find a relevant support channel.
Regards.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You wrote: execute ping <local gateway on WAN interface> [FAIL]
That's why I thought they can't ping each other. Can they?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The upstream router can ping the downstream Fortigate 50E's WAN interface. The FortiGate 50E cannot ping the upstream router via the WAN interface. This is where my confusion began and is the reason for posting.
Attached is a diagram that may help explain the ping issue. In the image, Router "A" is the upstream (non-FortiGate) router, and Router "B" is the FortiGate 50E.
There are other devices on the LAN that traverse the network with ease so the one common denominator that I can see is that there is a misconfiguration with the 50E to not allow traffic outbound of the 50E's WAN port because it does not know a route to take, having no way to specify the upstream gateway's address in the 50E's Admin UI.
To clarify further, I am wondering where the setting is to configure the WAN interface's upstream gateway. That setting appears to be missing.
Thanks for the help so far toshiesumi!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Router A's GW IP should be within the subnet FGT's/Router B's WAN IP. So there is no need for a route. It's directly connected. If you set up a two sessions like console ans SSH into the 50E, then sniff the traffic on the WAN interface in one session while you run "exe ping" in the other session, you should be able to see the packets are going out. As long as the interface is UP, there is not way stopping outgoing packets initiated from inside of the FGT.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for all of the help! I'd like to mark this ticket as "Cannot Reproduce" or similar if deleting is not an option. I can only see an option to resolve the thread as "Answered".
The solution to this ended up being out of the FGT's control and is inherently off-topic for this forum.
Thanks again!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
By the way, Forum discussions are not tickets. Just discussion threads.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Do you have a public IP in the internet interface of the router?
BR,
Gayan
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,802 -
FortiClient
1,787 -
5.2
801 -
FortiManager
744 -
5.4
639 -
FortiAnalyzer
566 -
FortiSwitch
481 -
FortiAP
476 -
FortiClient EMS
438 -
6.0
416 -
5.6
362 -
FortiMail
324 -
SSL-VPN
256 -
6.2
251 -
FortiAuthenticator v5.5
234 -
IPsec
217 -
FortiWeb
211 -
5.0
196 -
FortiNAC
195 -
FortiGuard
139 -
6.4
128 -
SD-WAN
118 -
FortiAuthenticator
110 -
FortiGateCloud
102 -
FortiSIEM
99 -
FortiCloud Products
98 -
FortiToken
92 -
Firewall policy
86 -
Wireless Controller
81 -
Customer Service
80 -
4.0MR3
64 -
FortiProxy
61 -
High Availability
58 -
Fortivoice
57 -
FortiADC
54 -
VLAN
53 -
FortiEDR
52 -
ZTNA
50 -
Routing
49 -
DNS
46 -
FortiExtender
45 -
FortiSandbox
44 -
FortiDNS
42 -
LDAP
42 -
BGP
40 -
Authentication
39 -
NAT
37 -
RADIUS
36 -
Certificate
36 -
FortiGate v5.4
35 -
SAML
35 -
FortiSwitch v6.4
34 -
SSO
33 -
Interface
32 -
VDOM
32 -
FortiConnect
30 -
FortiLink
29 -
FortiWAN
27 -
Application control
27 -
Web profile
27 -
Virtual IP
26 -
FortiConverter
25 -
Logging
25 -
FortiGate v5.2
24 -
FortiGate-VM
23 -
SSL SSH inspection
23 -
FortiPAM
22 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
Fortigate Cloud
19 -
FortiMonitor
18 -
Traffic shaping
18 -
OSPF
16 -
SSID
16 -
Automation
16 -
WAN optimization
16 -
FortiDDoS
15 -
System settings
15 -
FortiGate v5.0
14 -
FortiSOAR
14 -
SNMP
14 -
Static route
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
Admin
13 -
FortiCASB
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
IPS signature
11 -
Security profile
11 -
Proxy policy
11 -
FortiManager v4.0
10 -
FortiBridge
10 -
FortiAP profile
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
Traffic shaping policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
DNS filter
7 -
Antivirus profile
7 -
Fabric connector
7 -
Web rating
7 -
Fortinet Engage Partner Program
7 -
FortiToken Cloud
6 -
Explicit proxy
6 -
API
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
Authentication rule and scheme
4 -
DLP sensor
4 -
Netflow
4 -
TACACS
4 -
Replacement messages
4 -
Service
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
SDN connector
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Schedule
2 -
Multicast policy
2 -
Zone
2 -
Vulnerability Management
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1744 | |
| 1114 | |
| 760 | |
| 447 | |
| 241 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.