Hi -
New to FortiGate and a firewall newbie as well.
Current layout
Verizon FIOS G3100 router
Forti40F
I tested connectivity to each SSID successfully from a laptop but with no WAN connection just to verify security and connectivity to the wifi.
I unplugged the G3100 and plugged in the WAN connection to the FortiNet
The FortiNet leased a 98.113.x.x address.
I tried getting to the Internet with no success.
So questions because I am doing something wrong.
Sorry to be a noob but you have to learn somewhere :)
Update.
I changed the IP for the internal software switch to 192.168.1.1
I set up static default routes from each 10.1.x.x subnet to my WAN interface. Same for the 192.168.x.x subnet.
We'll see if this works.
Try one step at a time.
1) When you swapped the router to the 40F, make sure you can get to the internet from the 40F itself (ping something from CLI). If works, the default route is fine.
2) Connect your laptop or desktop directly to one of available lan ports or a switch behind. Make sure it pulled a lan IP over DHCP, then try reaching the internet. If that works, the NAT policy is fine.
3) then finally test from a WiFi client. You said you configured on the 40F. That means either you have a FortiAP(s) connected to it. And those must be tunnel mode SSIDs. Traceroute toward the internet from the client to see it at least shows the 40F's IP.
One thing you're misunderstanding is the default route is not per lan/wifi subnet. 40F needs only one. Each client needs to know only the GW IP 10.1.x.1 on the 40F. Then, the 40F needs to know where to send the traffic from the clients if the destination of the packet is not local, which is the default route/default gateway. If the WAN circuit is DHCP or PPPoE, the 40F would pull it automatically from the ISP. Only if it's static, you have to configure static default route on the 40F under Network->Static Routes in GUI. This part should be exactly the same with the FiOS router.
Toshi
Created on 11-05-2023 11:02 AM Edited on 11-05-2023 11:02 AM
Toshi -
First, thanks for responding.
1) When you swapped the router to the 40F, make sure you can get to the internet from the 40F itself (ping something from CLI). If works, the default route is fine.
Successfully pinged GOOGLE.COM from the 40WF using the CLI
2) Connect your laptop or desktop directly to one of available lan ports or a switch behind. Make sure it pulled a lan IP over DHCP, then try reaching the internet. If that works, the NAT policy is fine.
Connected my laptop to the 40F on port 1. Verified the laptop leased an IP from the 40F. Successfully pinged the gateway. Unsuccessful pinging GOOGLE.COM.
I know to set the NAT policy I need to go into Firewall Policy / Create New and I believe for my purposes, create Static SNAT. I don't have a pool of IPs from my ISP so I don't need a dynamic snat and for the sake of simplicity for now I don't think I need a central SNAT.
So I'm doing something wrong in my NAT policy.
It's called "overload" with the interface IP. GUI setting in the policy is below (this is 7.0.13).
When you test it, ping like 8.8.8.8, not Google.com. It could be your machine's DNS setting issue if you ping host name/FQDN and can't get to.
Toshi
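The two pieces Toshi's replies describe (one default route for the whole box, one outbound policy that NATs to the wan interface IP), written out as a FortiOS CLI fragment. This is an added example, not configuration from the thread; it assumes the WAN port is named "wan" and gets its address by DHCP, that the LAN/SSID software switch is named "internal", and a FortiOS 7.0.x CLI.

```text
# Added example, not from the original thread.
# Assumed interface names: "wan" (DHCP from the ISP), "internal" (software switch).

# 1) Default route. With DHCP on wan the 40F learns the gateway itself,
#    so no per-subnet static routes are needed.
config system interface
    edit "wan"
        set mode dhcp
        set defaultgw enable
    next
end

# Only for a static WAN address would the route be added by hand
# (placeholder gateway; use the one the ISP assigns):
# config router static
#     edit 1
#         set dst 0.0.0.0/0.0.0.0
#         set gateway <ISP-GATEWAY-IP>
#         set device "wan"
#     next
# end

# 2) Outbound policy with source NAT to the wan interface IP ("overload").
config firewall policy
    edit 1
        set name "internal-to-wan"
        set srcintf "internal"
        set dstintf "wan"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
end

# Checks, in the order of the steps above:
get router info routing-table all             # expect an S* 0.0.0.0/0 entry via wan
execute ping 8.8.8.8                          # from the 40F itself (step 1)
diagnose sniffer packet wan 'host 8.8.8.8' 4  # a client ping should leave wan with the wan IP as source (step 2)
```

The "all"/"ALL" policy permits any outbound traffic; once connectivity is confirmed, narrow the service list to what the clients actually need and keep logging on so the policy's hits are visible.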
Toshi -
Making progress. Never heard of "overload". I figured pinging by name would prove DNS works as well as connectivity. I did repeat successfully with pinging by IP so ICMP works.
I created policies for all 3 SSIDs and was successfully able to connect to each and reach websites from my laptop connected to each SSID.
I created a policy for the "internal" interface and I was able to access the Internet from ports 1 and 2 using my laptop connection. Need to test 3 and 4 but ran out of time.
Am I correct that my policy should use the internal interface for the switch connection to the Internet?
Are you sure it's really FortiGate 40F? If so, the default hard-switch interface on the 40F should be "lan". Did you rebuild the hard-switch interface with the name "internal"? Or did you create a new software switch and included all lan and SSID1-3?
Either way, all 4 LAN ports are under "internal" so you don't have to test individual ports. If one port works, the rest should work as well. And your policy should be fine.
Toshi
It's a WiFi40F.
I did not rebuild the hard-switch interface. I reset the FW to factory defaults once to start new.
The reference I see to a LAN interface is when I go into the policy and choose my incoming interface. I can choose INTERNAL or LAN.
Interface options
If it's FWF40F, as in the datasheet, it supports only one/single RADIO. So either 2.4GHz or 5GHz, not both.
https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/fortigate-fortiwifi-40f-series.pdf
Toshi
And the Address:internal (which is a separate object, different from interface) was automatically set (probably by default) with 192.168.1.0/24. Unless you change the "interface:internal" config, you can't change it.
Those physical "lan1", "lan2", "lan3" and "lan4" interfaces are combined in "lan" hard-switch, which you might not be able to see in GUI but under "config system virtual-switch" in CLI.
Then there should have been a default wifi interface like "wifi" after a factory reset, which you might have removed. Those "wifi" and "lan" interfaces should be combined into the "internal" software switch interface by default.
Toshi