Hello Fortinet Community,
I am seeking assistance with an issue I am facing on my FortiGate 40F running software version 6.4. Below is a detailed description of my setup and the problem I am encountering:
Network Setup:
- My FortiGate device is configured behind an ISP router.
- I have set up DDNS on the FortiGate, but it is not working.
- My public IP is not pinging.
- I have created a virtual IP (VIP) on the FortiGate.
- There are two firewall policies in place:
1. Policy 1: LAN to WAN with NAT enabled.
2. Policy 2: WAN to LAN with NAT disabled.
Issues:
1. DDNS Not Working: Despite configuring DDNS on the FortiGate, it does not seem to function as expected.
2. Public IP Not Pinging: When I try to ping my public IP address, there is no response.
Configuration Details:
- DDNS Configuration:
- Service Provider: [Your DDNS Provider]
- Domain Name: [Your DDNS Domain]
- Interface: WAN
- Virtual IP (VIP) Configuration:
- External IP: [Your Public IP]
- Mapped IP: To my PC IP
- Port Forwarding: NO
- Firewall Policies:
1. Policy 1:
- Source: LAN Subnet
- Destination: All
- Action: Allow
- NAT: Enabled
2. Policy 2:
- Source: WAN Subnet
- Destination: All
- Action: Allow
- NAT: Disabled
Troubleshooting Steps Taken:
- Verified the DDNS configuration settings.
- Checked the status of the DDNS service.
- Attempted to ping the public IP from an external network.
I would appreciate any guidance or suggestions on how to resolve these issues. Specifically, I am looking for advice on:
- Ensuring that the DDNS configuration is correct and functional.
- Diagnosing why the public IP is not pinging and resolving this issue.
Thank you in advance for your assistance!
A couple of things to confirm:
1. The 40F's WAN port is pulling "YOUR public IP", not the ISP router. Correct? That means your ISP router is set up in "bridged" or "passthrough" mode.
2. You're using a third-party DDNS, not FortiGuard's DDNS. Right? I don't remember 6.4's GUI for DDNS settings, but you might need to use the CLI to configure a third-party DDNS.
Your 2nd policy is not right if you want to use the VIP. But I need to verify above first.
Toshi
My ISP router is set up with default settings and is providing a private IP and gateway to my FortiGate. I am using FortiGuard DDNS; I configured it using the GUI and have not tried through the CLI.
Even then. I've got an FGT behind a FritzBox ISP router. The FritzBox provides the DDNS, not the FGT, but the FGT is reachable via the DDNS name.
BTW, in recent versions of FortiOS the FGT will actively determine its public IP address by sending a query to a public web server (in the style of "whatismyip.com").
@bl1k00: What about the permissions on the WAN interface?
Created on 06-01-2024 04:39 PM Edited on 06-01-2024 04:41 PM
Then,
1. The public IP you're pinging is on the ISP router. Unless you set up a VIP/DNAT at the ISP router toward the FGT WAN, you won't be able to reach your 40F from outside.
2. This also means that if you cannot ping the public IP, your ISP router is most likely not allowing ping. Check the router's manual or call your ISP's support to troubleshoot. This has nothing to do with the FGT configuration or the FGT itself.
3. FortiGuard DDNS would still work behind the ISP router/NAT device with the "Use public IP address" option. But I don't know if that option exists in 6.4.
But there is no point using DDNS if you cannot set up a VIP/DNAT at the router (I'm assuming your objective is to get into your 40F from the internet). So I recommend you figure out 1 and 2 first.
Toshi
Hi
I understand that your public IP is not pinging, but that does not mean that DDNS is not working. These are actually two separate things and two separate problems.
To check whether your DDNS is working, run something like nslookup <FQDN> or dig <FQDN>, where FQDN is the DDNS hostname, e.g. yourdomain.ddns.net.
In addition:
1- Make sure that the WAN interface has been granted permission to respond to ping (set allowaccess ping).
2- Policy 2 will not work. Use the VIP as the destination address, not 'all'.
We need more info at this point. But it's certainly doable, I've had setups like this with public access via dynamic DNS, with the FGT behind a WAN router in bridged mode.
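Putting the replies above together (VIP as the policy destination, ping permission on WAN, FortiGuard DDNS with the public-IP option), here is an added FortiOS CLI example. It is not from any poster and was not taken from the original post; the interface names (wan, lan), the addresses 192.168.1.2 (the private WAN address the ISP router hands the FortiGate), 192.168.2.10 (the PC) and host.fortiddns.com are assumptions, and the use-public-ip option is assumed to be present in the firmware in use (a responder above was unsure about 6.4). Note that the VIP's external IP is the FortiGate's own WAN address, not the ISP's public IP, because in this setup the public IP lives on the ISP router; the ISP router still needs its own port forward toward 192.168.1.2.

```fortios
# Allow the WAN interface itself to answer ping (and admin protocols if wanted).
config system interface
    edit "wan"
        set allowaccess ping https ssh
    next
end

# VIP: external IP is the FGT WAN address (private, behind the ISP router),
# mapped to the PC on the LAN. Port forwarding off, as in the original post.
config firewall vip
    edit "vip-to-pc"
        set extintf "wan"
        set extip 192.168.1.2
        set mappedip "192.168.2.10"
    next
end

# Inbound policy: destination must be the VIP object, not "all".
# NAT stays disabled so the PC sees the real source address.
config firewall policy
    edit 2
        set name "WAN-to-PC-via-VIP"
        set srcintf "wan"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "vip-to-pc"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
        set logtraffic all
    next
end

# FortiGuard DDNS; use-public-ip makes the FGT register the address seen
# from the internet rather than its private WAN address (assumed option).
config system ddns
    edit 1
        set ddns-server FortiGuardDDNS
        set ddns-domain "host.fortiddns.com"
        set monitor-interface "wan"
        set use-public-ip enable
    next
end
```

To confirm the two problems separately, as the reply above suggests: `dig +short host.fortiddns.com` from outside should return the ISP router's public IP if DDNS registration works, and `diagnose sniffer packet wan 'icmp' 4` on the FortiGate shows whether echo requests reach the WAN interface at all; if nothing appears while you ping from outside, the ISP router is dropping or not forwarding them and the fix is on the router, not the FortiGate.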